But you can trick Bob into entering his credentials and using his security key on corp.bank.co.m, and then use those credentials and that security key interaction to log into corp.bank.com, IF the security key interaction is domain-agnostic (as it is with the 2FA codes you get on your phone: if you can trick Bob into entering his password, you can trick corp.bank.com into sending Bob a 2FA code, which he will also give you).
The key requires physical feedback: the user needs to push the button when prompted by the software, and that button push will only authorize a single authentication.
occams_chainsaw|7 years ago
pliny|7 years ago
zaarn|7 years ago
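As an added example (not code from the thread or from any commenter), the following toy model shows the difference the comments turn on: a U2F/WebAuthn-style security key signs over the appId/origin the browser supplies, so a challenge relayed through a lookalike site cannot produce an assertion the real site accepts, while a phone 2FA code carries no origin and relays cleanly. The domain names `corp.bank.com` and `corp.bank.co.m`, the class and function names, and the HMAC stand-in for the key's ECDSA signature are all assumptions made for this example; the bytes signed (sha256(appId) || user-presence || counter || sha256(clientData)) follow the U2F authentication layout.

```python
"""Toy model: origin-bound security key vs. relayable phone 2FA code.

Constructed example. Signatures are simulated with HMAC over the same
bytes a U2F authenticator signs; a real key uses ECDSA with a per-site
key pair and the RP verifies with the registered public key.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

BANK = "https://corp.bank.com"      # assumed legitimate origin
EVIL = "https://corp.bank.co.m"     # assumed phishing lookalike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Authenticator: one credential per appId, selected by key handle."""

    def __init__(self):
        self._creds = {}   # key_handle -> (app_id, secret)
        self.counter = 0

    def register(self, app_id: str):
        handle = secrets.token_hex(16)
        secret = secrets.token_bytes(32)        # stand-in for a private key
        self._creds[handle] = (app_id, secret)
        return handle, secret                   # secret also plays the "public key" role in this toy

    def authenticate(self, handle: str, app_id: str, client_data: bytes) -> bytes:
        bound_app_id, secret = self._creds[handle]
        # A real U2F key handle is MAC'd to the appId it was created for;
        # a mismatch is rejected before anything is signed.
        if bound_app_id != app_id:
            raise PermissionError(f"credential bound to {bound_app_id}, not {app_id}")
        self.counter += 1                       # one button press, one assertion
        signed = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", self.counter) + sha256(client_data)
        return hmac.new(secret, signed, "sha256").digest()


def browser_sign(key: SecurityKey, origin: str, handle: str, challenge: str) -> dict:
    """The browser, not the page's JavaScript, fixes appId and origin from the current URL."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    signature = key.authenticate(handle, origin, client_data)   # appId == origin in this toy
    return {"clientData": client_data, "signature": signature, "counter": key.counter}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.pubkeys = {}         # key_handle -> registered key
        self.challenges = set()   # outstanding single-use challenges

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def verify(self, handle: str, assertion: dict) -> bool:
        cd = json.loads(assertion["clientData"])
        if cd["origin"] != self.origin or cd["challenge"] not in self.challenges:
            return False
        signed = (sha256(self.origin.encode()) + b"\x01"
                  + struct.pack(">I", assertion["counter"]) + sha256(assertion["clientData"]))
        expected = hmac.new(self.pubkeys[handle], signed, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.challenges.discard(cd["challenge"])   # a second use of the same assertion fails
        return True


def _enroll():
    key, bank = SecurityKey(), RelyingParty(BANK)
    handle, pub = key.register(BANK)
    bank.pubkeys[handle] = pub
    return key, bank, handle


def u2f_legit_login() -> str:
    key, bank, handle = _enroll()
    assertion = browser_sign(key, BANK, handle, bank.issue_challenge())
    return "accepted" if bank.verify(handle, assertion) else "rejected by RP"


def u2f_phish_relay() -> str:
    """Attacker on EVIL fetches the bank's challenge and relays it to Bob's browser on EVIL."""
    key, bank, handle = _enroll()
    try:
        assertion = browser_sign(key, EVIL, handle, bank.issue_challenge())
    except PermissionError:
        return "refused by key"         # appId mismatch: nothing is ever signed
    return "accepted" if bank.verify(handle, assertion) else "rejected by RP"


def u2f_tampered_origin() -> str:
    """Even a genuine assertion cannot be re-labelled: origin is under the signature."""
    key, bank, handle = _enroll()
    assertion = browser_sign(key, BANK, handle, bank.issue_challenge())
    assertion["clientData"] = assertion["clientData"].replace(BANK.encode(), EVIL.encode())
    return "accepted" if bank.verify(handle, assertion) else "rejected by RP"


def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on seed and time, never on where it is typed."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), "sha1").digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_phish_relay() -> str:
    """Bob types the code on EVIL; the attacker forwards it; the RP has no origin to check."""
    seed, now = secrets.token_bytes(20), int(time.time())
    code_typed_on_evil = totp(seed, now)
    return "accepted" if hmac.compare_digest(code_typed_on_evil, totp(seed, now)) else "rejected"


if __name__ == "__main__":
    for fn in (u2f_legit_login, u2f_phish_relay, u2f_tampered_origin, totp_phish_relay):
        print(f"{fn.__name__:22s} {fn()}")
```

The relay fails at two independent points: the key refuses to sign for an appId it was not registered under, and even if the attacker could obtain a signature, the relying party recomputes the signed bytes from its own origin and the clientData, so an assertion minted for another origin never verifies. The TOTP path has neither check, which is the comment's point about phone codes.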