WF-S-2 — Phishing page mimics wallet UI to capture WebAuthn challenge
Component: Wallet Frontend.

Mitigations: WebAuthn origin binding (RP ID = registered domain).

Action: Enforce strict RP ID; avoid wildcard subdomains.

| Property | Value |
|---|---|
| Section | Spoofing |
| Owner | platform |
Mapped Controls
| Control | Title |
|---|---|
| SID-AUTH-01 | FIDO2/WebAuthn Passwordless Authentication |
Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md
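
The origin binding named in the mitigation is only effective if the relying party checks it on every assertion. The following is an added example, not code from the wallet project, of the server-side origin and RP ID checks; the domain `wallet.example`, the allowlist and the function names are assumptions, and the sample assertions are constructed. It shows why an exact origin allowlist matters: an assertion from a sibling subdomain carries a valid `rpIdHash` for the parent RP ID and is rejected only by the origin comparison.

```python
import base64
import hashlib
import hmac
import json

# Assumed deployment values (hypothetical; the threat model does not name a domain).
RP_ID = "wallet.example"
ALLOWED_ORIGINS = frozenset({"https://wallet.example"})  # exact strings, no wildcards

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Origin/RP ID binding checks for an assertion; empty list means they passed.
    Signature and signature-counter verification must still follow."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), challenge):
        failures.append("challenge")
    # The browser, not the page, writes the origin; compare it exactly.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin")
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:  # UP (user present) flag
        failures.append("userPresent")
    return failures

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would produce."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + bytes(4)
    return client_data, auth_data

if __name__ == "__main__":
    chal = bytes(range(32))  # constructed challenge
    for origin, rp in [("https://wallet.example", "wallet.example"),
                       ("https://promo.wallet.example", "wallet.example"),
                       ("https://wallet.example.evil.test", "wallet.example.evil.test")]:
        print(origin, binding_failures(*sample_assertion(origin, rp, chal), chal))
```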