SAS is always active and can't be blocked by normal applications. Normally (i.e. you're not in a UAC prompt) if you try to use the SAS, it brings up the Windows Security screen[1]. The UAC prompt is part of the operating system, and therefore it can block the SAS. Thus, if you see a password prompt, you do the SAS and the prompt is still there, then you can be sure the prompt is from the operating system. In fact there's a group policy[2] to force users to do this exact sequence to confirm whether they're entering passwords into a genuine OS dialog. Whether the policy actually works is questionable, because users are lazy/forgetful and an attacker can simply show a prompt that doesn't require the user to press the SAS, and the user would likely happily enter their password regardless.
If I'm not missing something, not all users would know to press the Ctrl+Alt+Del key when working with UAC prompts, and having to press it all the time to verify if it is a legitimate password prompt would be infeasible.
My point isn't that this is convenient for the average user, only that it's something that actually works and is secure. On Macs the biometric option might be "secure", but there's nothing preventing a downgrade attack back to password entry.
For the average user security is ensured by not requiring them to enter a password at all, and making it impossible to use a password to get admin access. By default the user is only asked to click yes/no to approve the action. The approval itself is done by the operating system and can't be spoofed. Moreover, the operating system is designed in such a way where even if you somehow were able to phish the user password, it can't be used to get admin access. There's no "sudo" command that you can pipe a password into and get a root shell, for instance.
OK, so the only way for the user to know is if it's required every time.
By the way, can't an attacker simply visually spoof the SAS window on noticing the SAS key press, so the user would see the same image? It might behave slightly differently, but that would require more verification steps.
>By the way, can't an attacker simply visually spoof the SAS window on noticing the SAS key press, so the user would see the same image? It might behave slightly differently, but that would require more verification steps.
That doesn't work because the correct behavior for a genuine password prompt is that pressing the SAS causes nothing to happen. Having Windows Security pop up is an indicator that the prompt is fake. To summarize:
Genuine password prompt:
1. password prompt shows up
2. user presses the SAS
3. nothing happens, because the password prompt is from the OS and can block the SAS. Also all of this is displayed on a "secure desktop", so only the password prompt can be seen (the rest of the screen is dimmed and can't be interacted with), so a fake app can't place a fake password prompt next to a real one.
4. user is sure the password prompt is real and can enter the password
Fake password prompt:
1. password prompt shows up
2. user presses the SAS
3. Windows Security pops up. The app can't prevent this from happening, nor dismiss it programmatically. If the user sees this, they know the prompt was fake.
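The "press the SAS and see whether anything happens" check in the summary above only tells the user something if the machine is actually configured to demand the SAS for credential entry and to isolate elevation prompts on the secure desktop. The following PowerShell audit is an added example (not posted by anyone in this thread) that reads the registry-backed policy values behind those settings. The value names and paths are assumed from the standard policy-to-registry mappings rather than taken from the thread; confirm them against gpedit.msc on your build before relying on the output.

```powershell
# Added example: audit the policy values that make "press Ctrl+Alt+Del
# to verify the prompt" a meaningful check. Registry locations below are
# assumed from the documented policy mappings, not from the thread.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent => policy "Not configured"
    }
}

$checks = @(
    @{
        Policy   = 'Require trusted path for credential entry'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
        Value    = 'EnableSecureCredentialPrompting'
        Expected = 1
        Why      = 'credential prompts demand the SAS before accepting a password'
    },
    @{
        Policy   = 'Switch to the secure desktop when prompting for elevation'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'PromptOnSecureDesktop'
        Expected = 1
        Why      = 'UAC prompt is isolated from other windows so a fake cannot sit beside it'
    },
    @{
        Policy   = 'Do not require CTRL+ALT+DEL (should be disabled)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'DisableCAD'
        Expected = 0
        Why      = 'logon screen demands the SAS before credential entry'
    }
)

# Emit one row per policy: OK if it matches the hardened value, WEAK if it
# is set to something else, and "not configured" if the value is absent.
foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
    $state = if ($null -eq $actual) { 'not configured' }
             elseif ($actual -eq $c.Expected) { 'OK' }
             else { 'WEAK' }
    [pscustomobject]@{
        Policy = $c.Policy
        Value  = $c.Value
        Actual = $actual
        State  = $state
        Why    = $c.Why
    }
}
```

Run it from an elevated or non-elevated prompt (the keys are world-readable); a "WEAK" on the first row means users can be shown a genuine credential dialog that never asks for the SAS, which is exactly the situation where the verification habit gives no signal, and a "not configured" row means the OS default applies rather than a policy-enforced value.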
Thanks for the clarification, I got my prompt logic mixed up; indeed, it's the absence that is telling! (And also you can't intercept the SAS key press; that's the whole point of it being unique to the system, not the user.)