Because the **challenge request** may be transferred over a medium that is disconnected from the **service provider**, an attacker can fetch an authentication request that would grant them access and then present it to the user in a way that tricks the user into believing they are legitimately interacting with the original **service provider** rather than with the attacker.