Comment by okanat
1 month ago
Those actually exist. Yubikeys, Nitrokeys (complete FOSS FW) or bank-approved code generators (For Germany these exist: https://www.reiner-sct.com/tan-generatoren/) are basically that. They provide independent assessment. So regardless of the OS or the browser both parties can make secure transactions.
Ah, so the computer doesn't need to be trusted at all, it's just an untrusted medium, just like when using encryption when sending data. All the trust would be at the vendor and inside external hardware device.
With bank key generators, yes, you are correct. With Yubikey and Nitrokey, their logic is standardized. With Yubikey you trust that their implementation is good, just like Windows or Mac users trust their OS to implement cryptographic algorithms/TLS correctly (or via external company certifications, if any).
With Nitrokey's open source firmware plus quite a bit of CS education (specializing in cryptography) you can check whether their implementation quality is good. However, that is a lot of effort which will probably result in also requiring a third party certification.
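To make the "computer is just an untrusted medium" point concrete, here is an added toy model of the trust split the thread describes (example code, not from any of the commenters or from any of the named products). It assumes a single shared secret as a stand-in for the device credential; real FIDO keys and bank TAN generators use per-device asymmetric keys or a chip-card secret, but the argument is the same: the secret never touches the PC, the device shows the transaction on its own display, and the bank binds each approval to a one-time challenge, so a compromised host can relay but can neither alter nor replay an approval.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed example: one shared secret stands in for the device credential.
DEVICE_SECRET = os.urandom(32)


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so device and bank MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class HardwareToken:
    """External device: the secret never leaves it, and the user confirms the
    transaction as shown on the device's own display, not on the PC screen."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def approve(self, challenge: bytes, tx: dict, user_confirms) -> bytes:
        if not user_confirms(tx):  # user reads amount/recipient on the device itself
            raise PermissionError("user rejected transaction on device display")
        return hmac.new(self._secret, challenge + canonical(tx), hashlib.sha256).digest()


class Bank:
    """Verifier: holds the device credential and issues one-time challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._open_challenges = set()

    def new_challenge(self) -> bytes:
        c = os.urandom(16)
        self._open_challenges.add(c)
        return c

    def verify(self, challenge: bytes, tx: dict, tag: bytes) -> bool:
        # Each challenge is accepted at most once, so a replayed tag fails.
        if challenge not in self._open_challenges:
            return False
        self._open_challenges.discard(challenge)
        expected = hmac.new(self._secret, challenge + canonical(tx), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_transaction(bank: Bank, token: HardwareToken, tx: dict,
                    submitted_tx: Optional[dict] = None) -> bool:
    """The host PC/browser only relays bytes between bank and device.
    `submitted_tx` models a compromised host that swaps the transaction
    after the device has approved `tx`."""
    challenge = bank.new_challenge()
    tag = token.approve(challenge, tx, user_confirms=lambda shown: shown == tx)
    return bank.verify(challenge, submitted_tx if submitted_tx is not None else tx, tag)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (honest accepted, host-tampered accepted, replay accepted)."""
    bank, token = Bank(DEVICE_SECRET), HardwareToken(DEVICE_SECRET)
    tx = {"to": "DE00 TEST IBAN (constructed)", "amount": "50.00", "currency": "EUR"}
    altered = dict(tx, to="DE00 OTHER IBAN (constructed)")

    honest = run_transaction(bank, token, tx)
    tampered = run_transaction(bank, token, tx, submitted_tx=altered)

    # Replay: host re-submits a (challenge, tx, tag) triple the bank already accepted.
    challenge = bank.new_challenge()
    tag = token.approve(challenge, tx, user_confirms=lambda shown: True)
    assert bank.verify(challenge, tx, tag)
    replay = bank.verify(challenge, tx, tag)
    return honest, tampered, replay


if __name__ == "__main__":
    print(demo())
```

The two things that carry the security here are exactly what the thread attributes to the external device: the confirmation happens on a display the host cannot draw on, and the key material is only ever used inside the token. Everything the PC sees (challenge, transaction bytes, tag) is safe to expose, which is why the OS and browser drop out of the trust argument.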