
Some of the new ZK PAKE[0] schemes are very cool and would prevent phishing attacks. You only share your password with a party which proves in ZK that it already knows your password. Kinda surprised someone hasn't built a startup around it: "Make your enterprise immune to phishing with our expensive auth appliance".

I really want Chrome to roll it out as some sort of browser mediated authentication scheme.

[0]: https://en.wikipedia.org/wiki/Password-authenticated_key_agr...



Unfortunately phishing is a social problem, not a technical one. Users will happily put their password into any random webpage which tells them they really really need to, regardless of how much you train them only to put it into a specific application.


It is trivial to make a phishing login page that looks exactly like the legitimate login page. Of course under such conditions training will fail. The rules of the game are such that no amount of training is going to stop users from making mistakes here.

Consider instead that passwords are only entered into some special and distinct OS controlled textbox* that webpages are prevented from mimicking (or even a physical device). This is a far easier training target (only enter passwords into boxes that look like X).

* The software behind this textbox ensures that the site knows the password before asking the user for the password.
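The scheme the first comment points at (a PAKE in which the site proves knowledge before it gets anything useful) and the footnote's textbox that "ensures the site knows the password before asking" are both instances of the same idea, so here is one worked illustration for both. This is an added example written for this thread, not code from any of the commenters: a toy SRP-6a exchange (SRP is an augmented PAKE). Strictly, in SRP the password is never shared at all, even with the legitimate server; the server holds only a verifier derived from it, and a look-alike page without that verifier cannot complete the login or learn the password from what the client sends. Everything below is constructed for illustration: the 64-bit group (real deployments use the RFC 5054 groups), the decimal rendering of integers inside `H()` (RFC 5054 pads and concatenates bytes instead), and the usernames and passwords used in the demo.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def first_safe_prime_above(start):
    """Smallest safe prime N = 2q + 1 (q prime) at or above start."""
    n = start | 1
    while not (is_probable_prime((n - 1) // 2) and is_probable_prime(n)):
        n += 2
    return n

def find_generator(n):
    """Smallest generator of the full multiplicative group mod safe prime n."""
    q = (n - 1) // 2
    return next(g for g in range(2, n) if pow(g, 2, n) != 1 and pow(g, q, n) != 1)

# Constructed toy group: a 64-bit safe prime so the demo runs instantly (real SRP uses RFC 5054 groups).
N = first_safe_prime_above(1 << 64)
G = find_generator(N)

def H(*parts):
    """SHA-256 over the concatenated parts (ints rendered as decimal), as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return int.from_bytes(h.digest(), "big")
K_MULT = H(N, G)  # SRP-6a multiplier k = H(N, g)

def private_x(salt, username, password):
    """x = H(salt, H(username:password)): the only place the password is used."""
    return H(salt, H(f"{username}:{password}"))

def register(username, password):
    """Enrolment: the server keeps (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, username, password), N)

def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(G, a, N)  # client ephemeral A = g^a

def server_start(verifier):
    """Server ephemeral B = k*v + g^b, regenerated if B mod N would be 0."""
    while True:
        b = secrets.randbelow(N - 2) + 1
        B = (K_MULT * verifier + pow(G, b, N)) % N
        if B != 0:
            return b, B

def client_session_key(a, A, B, salt, username, password):
    """K = H(S) with S = (B - k*g^x)^(a + u*x); the password never leaves the client."""
    if B % N == 0:
        raise ValueError("invalid server ephemeral")
    u, x = H(A, B), private_x(salt, username, password)
    return H(pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N))

def server_session_key(b, A, B, verifier):
    """K = H(S) with S = (A * v^u)^b; only the verifier is needed."""
    if A % N == 0:
        raise ValueError("invalid client ephemeral")
    u = H(A, B)
    return H(pow((A * pow(verifier, u, N)) % N, b, N))

def run_login(username, password, salt, verifier):
    """One login. Returns (client accepts server, server accepts client)."""
    a, A = client_start()
    b, B = server_start(verifier)
    K_c = client_session_key(a, A, B, salt, username, password)
    K_s = server_session_key(b, A, B, verifier)
    # The client proves first (M1); the server answers with M2 only if M1 checks out,
    # and the client trusts the server only if M2 checks out. A site holding the
    # wrong verifier (a phishing page) can do neither.
    M1 = H(A, B, K_c)
    server_ok = M1 == H(A, B, K_s)
    M2 = H(A, M1, K_s) if server_ok else None
    return M2 == H(A, M1, K_c), server_ok
```

Running `run_login` against the real verifier yields `(True, True)`; against a verifier a phishing site had to guess it yields `(False, False)`, and all the impostor has seen is the client's public value A and a proof bound to a key it cannot derive. This is exactly why a browser-mediated prompt built on such a scheme is a better training target than "only type your password on the right-looking page": the prompt itself refuses to complete unless the other side already holds the verifier.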


> Consider instead that passwords are only entered into some special and distinct OS controlled textbox

No, I understood this already. This is the easy technological solution which doesn't actually solve the real problem: some users (or really all users some of the time) will always be willing to enter their password into some other box which looks nothing like the one that webpages are prevented from mimicking.

Hell, I did it myself today: I entered my work password into an intranet site which was showing a "certificate error", even though in past experience this site had valid certs. Could that have actually been someone who broke into the intranet and set up a honeypot? Absolutely. But I needed the resource that was behind that password box in order to do my job, so I entered my password anyways.


> some users (or really all users some of the time) will always be willing to enter their password into some other box which looks nothing like the one that webpages are prevented from mimicking.

Phishing sites mimic real user sites because that greatly increases the success rate. You can always find someone who will do something; the important question is how often.

I don't think we should just throw up our hands and say user problems are unsolvable with technology. Good UX solves user problems; compare an Apple II to an iPad.

We have two problems: 1. it is easy to mimic password prompts, 2. it is hard for computers to tell who is legitimate and should be sent the password. This solution solves both.


You could be right, I could be right, only way to know for sure is to build it.


