> The website already has guarantees against phishing because those are enforced by the managers.
There is no such guarantee if credential-stealing malware can export your private key material in plaintext!
If the malware can orchestrate the managers, why wouldn't they simply use that power to orchestrate the offline export as they were going to do anyway? The RP ID makes the process a bit noisy, but it doesn't seem to change the fundamental vulnerability for the credential owner.
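Added example (not code from anyone in this thread, and not any passkey manager's implementation): a reduced model of the relying-party side of a WebAuthn assertion, in Go, to make concrete what the "guarantee against phishing" above actually consists of and what it does not cover. The RP ID `bank.example`, the phishing RP ID `bank-login.example`, the `clientDataJSON` sample and the `Assertion`/`StoredCredential` shapes are all constructed for this example; a real implementation also parses CBOR, checks the origin and challenge inside `clientDataJSON`, and handles attestation, none of which is modeled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assertion is a reduced WebAuthn authentication response:
// authenticatorData (rpIdHash || flags || signCount), the raw clientDataJSON,
// and an ASN.1 ECDSA signature over authData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// StoredCredential is what the relying party keeps per registered passkey.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// NewCredential models registration: a fresh P-256 key pair, of which only
// the public half is stored server-side (constructed helper for this example).
func NewCredential() (*ecdsa.PrivateKey, *StoredCredential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &StoredCredential{PublicKey: &priv.PublicKey}, nil
}

// buildAuthData lays out the fixed 37-byte prefix of authenticatorData.
func buildAuthData(rpID string, signCount uint32) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out[:32], rpIDHash[:])
	out[32] = 0x05 // flags: UP (bit 0) and UV (bit 2) set
	binary.BigEndian.PutUint32(out[33:], signCount)
	return out
}

// SignAssertion models the authenticator. rpID is supplied by the browser for
// the calling origin, which is the whole phishing defence: a page served from
// bank-login.example can only ever obtain an assertion bound to its own RP ID.
func SignAssertion(priv *ecdsa.PrivateKey, rpID string, clientDataJSON []byte, signCount uint32) (Assertion, error) {
	authData := buildAuthData(rpID, signCount)
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: clientDataJSON, Signature: sig}, nil
}

// VerifyAssertion is the relying-party check (a subset of WebAuthn §7.2):
// rpIdHash must be ours, user presence must be flagged, the signature must
// verify under the stored public key, and the signature counter must advance.
// The counter is the only thing here that can hint at a key used from a
// second device, which is exactly the case an exported private key creates.
func VerifyAssertion(cred *StoredCredential, rpID string, a Assertion) error {
	if len(a.AuthData) < 37 {
		return fmt.Errorf("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	if a.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("user presence flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, msg[:], a.Signature) {
		return fmt.Errorf("signature invalid")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return fmt.Errorf("signature counter %d did not advance past %d: possible cloned key", count, cred.SignCount)
	}
	cred.SignCount = count
	return nil
}

func main() {
	priv, cred, err := NewCredential()
	if err != nil {
		panic(err)
	}
	const rpID = "bank.example" // constructed RP ID
	clientData := []byte(`{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ","origin":"https://bank.example"}`) // constructed

	genuine, _ := SignAssertion(priv, rpID, clientData, 1)
	fmt.Println("genuine origin:      ", VerifyAssertion(cred, rpID, genuine))

	phished, _ := SignAssertion(priv, "bank-login.example", clientData, 2)
	fmt.Println("phishing origin:     ", VerifyAssertion(cred, rpID, phished))

	// Same key material, but the counter never moved: the RP's only visible signal.
	stale, _ := SignAssertion(priv, rpID, clientData, 1)
	fmt.Println("stale counter:       ", VerifyAssertion(cred, rpID, stale))
}
```

Note that the RP ID check only ever inspects `rpIdHash`, a value the authenticator writes; it says nothing about where the private key currently lives. Once the key material has left the manager, the counter comparison is the one check in this path that can still fail, and only if the legitimate authenticator has been used in the meantime, so treating a counter regression as a security event (alerting, re-registration) is the practical mitigation this model leaves you with.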