Hacker News

> By the way, can't an attacker simply visually spoof the SAS window on noticing the SAS key press, so the user would see the same image, which might behave slightly differently, but that would require more verification steps?

That doesn't work because the correct behavior for a genuine password prompt is that pressing the SAS causes nothing to happen. Having Windows Security pop up is an indicator that the prompt is fake. To summarize:

Genuine password prompt:

1. password prompt shows up

2. user presses the SAS

3. nothing happens, because the password prompt is from the OS and can block the SAS. Also, all of this is displayed on a "secure desktop", so only the password prompt can be seen (the rest of the screen is dimmed and can't be interacted with), and a fake app can't place a fake password prompt next to a real one.

4. user is sure the password prompt is real and can enter the password

Fake password prompt:

1. password prompt shows up

2. user presses the SAS

3. Windows Security pops up. The app can't prevent this from happening, nor can it dismiss it programmatically. If the user sees this, they know the prompt was fake.
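The argument in the comment above rests on two machine settings: the logon screen actually requiring the SAS, and elevation prompts being drawn on the secure desktop. The following PowerShell audit is an added example for this thread, not code from the commenter or from Microsoft. The registry value names (DisableCAD, PromptOnSecureDesktop, SoftwareSASGeneration) are the documented policy values under the Policies\System key; the OK/WEAK/REVIEW labels are this example's own judgement.

```powershell
# Added example, not from the thread: audit the local policy values that decide
# whether the "press SAS and nothing happens" check holds on this machine.
# Run in an elevated PowerShell session. Value names are the documented Windows
# policy registry values; the OK/WEAK/REVIEW labels are this example's own choice.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $Name) {
        return [int]$props.$Name
    }
    return $null   # not configured: the OS default applies
}

function Get-SettingStatus {
    param([string]$Setting, [hashtable]$Meaning)
    $value = Get-PolicyValue $Setting
    if ($null -eq $value) {
        $status = 'NOT SET: OS default applies'
    } elseif ($Meaning.ContainsKey($value)) {
        $status = $Meaning[$value]
    } else {
        $status = "UNKNOWN value $value"
    }
    [pscustomobject]@{ Setting = $Setting; Value = $value; Status = $status }
}

function Test-SasPolicy {
    # "Interactive logon: Do not require CTRL+ALT+DEL". With 1, the logon screen
    # never asks for the SAS, so users lose the "press SAS, see nothing" check.
    Get-SettingStatus 'DisableCAD' @{
        0 = 'OK: SAS required at logon'
        1 = 'WEAK: SAS not required at logon'
    }
    # "UAC: Switch to the secure desktop when prompting for elevation". With 0 the
    # consent prompt is drawn on the interactive desktop, where another process
    # can paint a look-alike window beside it.
    Get-SettingStatus 'PromptOnSecureDesktop' @{
        1 = 'OK: UAC prompts on the secure desktop'
        0 = 'WEAK: UAC prompts on the interactive desktop'
    }
    # "Disable or enable software Secure Attention Sequence". 1 and 3 let services
    # simulate the SAS, 2 limits it to Ease of Access applications, 0 forbids it.
    Get-SettingStatus 'SoftwareSASGeneration' @{
        0 = 'OK: software cannot simulate the SAS'
        1 = 'REVIEW: services may simulate the SAS'
        2 = 'OK: Ease of Access applications only'
        3 = 'REVIEW: services and Ease of Access apps may simulate the SAS'
    }
}

Test-SasPolicy | Format-Table -AutoSize
```

A machine reporting WEAK on DisableCAD or PromptOnSecureDesktop does not give the user the tell the comment describes: with the SAS not required at logon there is no habit of pressing it, and with elevation prompts on the interactive desktop a fake prompt can be drawn beside a genuine one.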



Thanks for the clarification, I got my prompt logic mixed up; indeed, it's the absence that is telling! (And also you can't intercept the SAS key press; that's the whole point of it being unique to the system, not the user.)



