What @Dave's screenshot is showing is the device's biometric login prompt.
The biometric login (via face or fingerprint etc.) is indeed only possible when QuickPass is active, this is by design!
Below on the left, you'll see the default login prompt (when QuickPass is not active). Here, we have full control over the design.
Whereas the biometric login prompt is device-specific, and we don't have full control over the layout. We can only supply a title, a subtitle and a description text, and the system is responsible for building the layout of the biometric prompt.
On the right, you can see how the fingerprint login looks on my OnePlus 5T:
Hope this helps clear up some confusion.
One thing we COULD do to make the domain stand out more is to switch the domain to the "title" and have something like "Please verify the domain above before logging in" or something similar as the subtitle.
It's also showing the normal prompt in the background, dimmed. I'm seeing it that way too on my Pixel 2 XL. So just making it big and bold, and especially a bright color like red or orange, would still make it stand out.
As long as we're talking about altering the look of the domain, I'm wondering what font those wise sages that have been studying spoofing for a long time would recommend.
The Android platform provides lots of "stuff" with respect to how wide a string would be if represented in various fonts. It's not necessarily easy to get it right, but there is a ton of functionality.
I like the idea of putting the domain in the top of the biometric prompt. And under the domain we should have something simple and obvious like:
Actually that is not the important thing. "Does this URL match the one in the browser you want to log into?" or something clearer, since you may be wanting to log into amazon.com, but the URL is actually amaz0n.com (or, you know, some more clever look-alike that actually looks alike), so in that case the client would display amazon.com while the spoofed site URL would be amaz0n.com, and it is only the user that can detect that. Of course me saying this is a waste of words, since we all know that already, but it needs to be made clear to the user of the client that they need to use their eyeballs to verify that. It really does not matter if you are asked to log into amaz0n.com in the client though; it can't be used to impersonate you to amazon.com, so the font in the client is less important than the one the browser uses, sadly.
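As an added example (not code from the SQRL client or from anyone in this thread), a platform-independent Python sketch of how a client could flag the look-alike characters mentioned above in the domain it takes from the QR code, so the prompt can draw the user's eye to them before they compare it with the browser. The digit table is a constructed subset, not the Unicode confusables list, and the bracket marking stands in for whatever highlighting the UI layer applies.

```python
import unicodedata
from typing import List, Tuple

# Constructed subset of digit/letter look-alike pairs (hypothetical; not the
# full Unicode confusables table). The thread itself names "0" for "o".
DIGIT_LOOKALIKES = {"0": "o", "1": "l", "5": "s", "8": "b"}


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into their Unicode form so that
    non-Latin look-alikes are visible to the check below."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed: inspect as given


def confusable_positions(domain: str) -> List[Tuple[int, str, str]]:
    """Return (index, text, reason) for every spot in the displayed domain a
    user could mistake for a plain Latin letter."""
    shown = decode_idna(domain)
    hits: List[Tuple[int, str, str]] = []
    offset = 0
    for label in shown.split("."):
        # Digits only matter when they sit among letters ("amaz0n", not "123").
        has_letter = any(c.isalpha() for c in label)
        for i, c in enumerate(label):
            idx = offset + i
            if c in DIGIT_LOOKALIKES and has_letter:
                hits.append((idx, c, f"digit resembles '{DIGIT_LOOKALIKES[c]}'"))
            elif ord(c) > 0x7F:
                # Report the script so the reason is readable in a log or UI.
                hits.append((idx, c, unicodedata.name(c, "UNNAMED CODE POINT")))
            elif label[i:i + 2] == "rn":
                hits.append((idx, "rn", "pair resembles 'm'"))
        offset += len(label) + 1  # skip the dot
    return hits


def mark_for_display(domain: str) -> str:
    """Wrap every flagged character in [] so a UI layer can colour it."""
    shown = decode_idna(domain)
    flagged = {idx + k for idx, text, _ in confusable_positions(domain)
               for k in range(len(text))}
    return "".join(f"[{c}]" if i in flagged else c for i, c in enumerate(shown))
```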
Maybe we could make an animation, like a slot machine, where the letters would spin, momentarily replacing "o" with "0" and "l" with "i", and then after a second, it settles on the domain from the QR code, hehe! That way we'd call attention to what we'd like the user to be paying attention to.
Maybe offer an intro panel in the app that explains some things, with animations, maybe video. But anything like that needs to have an "I know what I am doing, stop wasting my time" option; new users hopefully would look through it, and then should be able to call back that intro whenever they want, and also there might be help buttons added to places that explain the key concept they need to understand on that page. That is however a lot of work to put in, and needs to be done by someone who writes/speaks normal person language, not this lousy facsimile I write/speak.
One thing you might want to mention is that the forum also supports old-fashioned login ID and password, so they don't think they need to have SQRL working to get into the forum to ask for help to get SQRL working.
(oops I forgot to click post reply before I hit bed...)
Yeah, I think that is a great idea @kalaspuffar. Not sure how compactly one can get them down (if they are to be delivered with the app), but there could always be a link to the actual YouTube channel/playlist with tutorials too, or specific topic videos, to go along with some text-based help (for the bandwidth impaired, and to keep the app tight). Also maybe two versions of the app (a light one with video on demand only, and the heavy version with videos included perhaps? Or some smart caching mechanism, I dunno, I am not an Android coder so I don't know what the rules, capabilities and limitations and all that are for apps).