Hey everyone,
Just wanted to share a concern about the current login and transaction flow on [nns.ic0.app].
Right now, when you log in with a passkey (e.g., Face ID or Touch ID), you’re instantly connected — which is great. But after that, you can send ICP or manage neurons with a single click, no additional confirmation required (no Face ID, no fingerprint, nothing).
Isn’t that a bit risky?
If the browser or a tab is compromised, an attacker could potentially trigger transactions without the user noticing — since the session is active and there’s no re-auth step for sensitive actions.
Wouldn’t it make sense to require biometric confirmation or some form of strong auth per transaction, similar to how Apple Pay or banking apps work?
Thanks!
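To make the concern concrete, here is an added example (not part of the original post, and not code from the NNS dapp or Internet Identity) of the server-side policy the post is asking for: the session alone is enough for read-only actions, but a transfer or neuron operation needs a fresh, single-use authentication bound to the exact transaction being confirmed. The passkey assertion is simulated with an HMAC over a per-user key so the example runs offline; a real deployment would verify a WebAuthn assertion instead. The action names, the 60-second challenge lifetime and all transaction values are constructed for the demo.

```python
"""Step-up authentication for sensitive actions (added example).

Models the check a backend can apply: a logged-in session may read data,
but high-risk actions require a fresh, single-use proof that is bound to
the transaction the user saw. The passkey signature is stand-in HMAC so
the example runs offline; real systems verify a WebAuthn assertion.
"""
import hashlib
import hmac
import json
import secrets

CHALLENGE_TTL_SECONDS = 60          # assumed lifetime of a step-up challenge
LOW_RISK = {"view_balance", "list_neurons"}     # constructed action names
HIGH_RISK = {"send_icp", "manage_neuron"}


class StepUpRequired(Exception):
    """Raised when a high-risk action is attempted on session trust alone."""


class Session:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.pending = {}           # challenge -> (tx_digest, expiry time)


def tx_digest(tx: dict) -> str:
    """Canonical digest of the transaction the user is asked to confirm."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_challenge(session: Session, tx: dict, now: float) -> str:
    """Create a single-use challenge bound to this exact transaction."""
    challenge = secrets.token_hex(16)
    session.pending[challenge] = (tx_digest(tx), now + CHALLENGE_TTL_SECONDS)
    return challenge


def sign_challenge(user_key: bytes, challenge: str, digest: str) -> str:
    """Stand-in for the authenticator: signs challenge || transaction digest.
    In production this is the WebAuthn assertion produced after Face ID /
    Touch ID, not an HMAC key held by the client (simplification)."""
    msg = f"{challenge}:{digest}".encode()
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()


def authorize(session: Session, user_key: bytes, action: str, tx: dict,
              now: float, challenge: str = None, signature: str = None) -> bool:
    """Return True only if the action is allowed under the step-up policy."""
    if action in LOW_RISK:
        return True                         # session is sufficient for reads
    if action not in HIGH_RISK:
        raise ValueError(f"unknown action {action!r}")
    if challenge is None or signature is None:
        raise StepUpRequired(action)        # ask the client for a fresh assertion
    entry = session.pending.pop(challenge, None)   # single use: consumed on first try
    if entry is None:
        return False                        # unknown or already-used challenge
    bound_digest, expiry = entry
    if now > expiry or bound_digest != tx_digest(tx):
        return False                        # expired, or transaction changed after confirmation
    expected = sign_challenge(user_key, challenge, bound_digest)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Walk through the cases a reviewer would want to see."""
    now = 1_700_000_000.0
    session = Session("user-1")
    key = b"constructed-demo-key"
    tx = {"action": "send_icp", "to": "recipient-A", "amount_e8s": 100_000_000}
    results = {"read_on_session": authorize(session, key, "view_balance", {}, now)}
    try:
        authorize(session, key, "send_icp", tx, now)
        results["send_without_step_up"] = "allowed"
    except StepUpRequired:
        results["send_without_step_up"] = "step_up_required"
    # A compromised tab swaps the recipient after the user confirmed: digest mismatch.
    ch1 = issue_challenge(session, tx, now)
    sig1 = sign_challenge(key, ch1, tx_digest(tx))
    results["tampered_tx"] = authorize(session, key, "send_icp", dict(tx, to="attacker-B"), now, ch1, sig1)
    # Genuine confirmation succeeds once; replaying the same proof fails.
    ch2 = issue_challenge(session, tx, now)
    sig2 = sign_challenge(key, ch2, tx_digest(tx))
    results["genuine"] = authorize(session, key, "send_icp", tx, now, ch2, sig2)
    results["replay"] = authorize(session, key, "send_icp", tx, now, ch2, sig2)
    # A stale challenge is rejected after its lifetime.
    ch3 = issue_challenge(session, tx, now)
    sig3 = sign_challenge(key, ch3, tx_digest(tx))
    results["expired"] = authorize(session, key, "send_icp", tx, now + CHALLENGE_TTL_SECONDS + 1, ch3, sig3)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that binding the challenge to the transaction digest is what defeats a compromised tab: a fresh biometric prompt alone would still approve whatever the page submits, whereas a prompt whose signed payload includes the recipient and amount can only authorise the transaction the user actually reviewed.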