Privacy by design with browser-managed E2E encryption with FIDO Protocol and Hardware keys

[ghost]

Hi all!

1. feature-name

Privacy by design with browser-managed E2E encryption with FIDO Protocol and Hardware keys

2. feature-description

2.1 In summary

1. I open an issue here 1170559926 talking about some technical stuff, some abstract views and concepts.
2. Open a new issue here to make these points of view clearer and more objective

2.2 Concepts

The security/privacy risk is still present: compromised front-end code can still intercept user data (even with E2E encrypted apps: listening to DOM changes is enough)

• If the browser is integrated with an offline authentication device, would it be possible to solve this security issue?
• In case of logging in without passwords, we can usually authenticate with a usb device.
• If the browser has E2E on an offline device - maybe it increases security?

A new threat model emerge, where web apps may leak data via QR codes, file system access, and so on. These threats
already exists, but they risk to become more intrusive than before. Anyway, web apps already get flagged as
malicious when they try to harm users so mitigation already available.

• Maybe 'E2E encryption into web browsers+FIDO Protocol and Hardware keys' can be an alternative to solve this kind of problem?

2.3. Notes

1. I would like to know if this idea is good or bad
2. My goal is to help this communities: PrivacyCG, Solid, W3C, WIGC, WebAuthn, KeepPass, Browsers(Brave, Vivaldi, Opera, Mozilla Firefox, Libre Wolf, Google Chrome etc)
3. I didn't find any link, resource for this here in PrivacyCG Community
4. I'm not promoting any company, service, product, solution, idea here - just adding the bibliographic reference links
5. If I'm wrong about something, speak up, criticize, correct

3. References

• Privacy by design with browser-managed E2E encryption and Fenced Frames #31 (comment)