Manuel Barbosa
ABSTRACT
FIDO2 is becoming a defacto standard for passwordless authentication. Using FIDO2 and WebAuthn, web applications can enable users to associate cryptographic credentials to their profiles, and then rely on an external authenticator (e.g., a hardware token plugged into the USB port) to perform strong signature-based authentication when accessing their accounts. The security of FIDO2 has been theoretically validated, but these analyses follow the threat model adopted in the FIDO2 design and explicitly exclude some attack vectors as being out of scope. In this paper we show that two of these attacks, which appear to be folklore in the community, are actually straightforward to launch in practice (user PIN extraction, impersonation and rogue key registration). We demonstrate a deployment over vanilla Linux distributions and commercial FIDO2 authenticators. We discuss the potential impact of our results, which we believe will contribute to the improvement of future versions of the protocol.
- FIDO Alliance. 2022. Client to AAuthenticator Protocol (CTAP) – Proposed Standard. https://fidoalliance.org/specs/fido-v2.1-ps-20210615.Google Scholar
- Manuel Barbosa, Alexandra Boldyreva, Shan Chen, and Bogdan Warinschi. 2021. Provable Security Analysis of FIDO2. CRYPTO.Google Scholar
- Garret Bekker and Matthew Utter. 2021. Work-from-Home Policies Driving MFA Adoption, But Still Work to be Done. Technical Report. S&P Global Market Intelligence.Google Scholar
- Nina Bindel, Cas Cremers, and Mang Zhao. 2023. FIDO2, CTAP 2.1, and WebAuthn 2: Provable Security and Post-Quantum Instantiation. IEEE Symposium on Security and Privacy.Google ScholarCross Ref
- Jaime Blasco. 2012. Sykipot variant hijacks DOD and Windows smart cards. https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards.Google Scholar
- P. Hoffman C. Bormann. 2020. RFC 8949 Concise Binary Object Representation (CBOR). https://www.rfc-editor.org/rfc/rfc8949.htmlGoogle Scholar
- World Wide Web Consortium 2019. Web Authentication: An API for accessing Public Key Credentials Level 1 – W3C Recommendation. https://www.w3.org/TR/webauthn.Google Scholar
- Andrea Continella, Michele Carminati, Mario Polino, Andrea Lanzi, Stefano Zanero, and Federico Maggi. 2017. Prometheus: Analyzing WebInject-based information stealers. Journal of Computer Security 25, 2 (2017), 117–137.Google ScholarDigital Library
- Hui Li, Xuesong Pan, Xinluo Wang, Haonan Feng, and Chengjie Shi. 2020. Authenticator Rebinding Attack of the UAF Protocol on Mobile Devices. Wireless Communications and Mobile Computing (2020). https://doi.org/10.1155/2020/8819790 https://doi.org/10.1155/2020/8819790.Google ScholarCross Ref
- MITRE. 2021. T1111 - Multi-Factor Authentication Interception. https://attack.mitre.org/techniques/T1111/.Google Scholar
Index Terms
- Rogue key and impersonation attacks on FIDO2: From theory to practice
Recommendations
Rogue-key attacks on the multi-designated verifiers signature scheme
In 1996, Jakobsson, Sako, and Impagliazzo and, on the other hand, Chaum introduced the notion of designated verifier signatures to solve some of the intrinsic problems of undeniable signatures. The generalization of this concept was formally ...
Cryptanalysis of a provably secure cross-realm client-to-client password-authenticated key agreement protocol of CANS '09
CANS'11: Proceedings of the 10th international conference on Cryptology and Network SecurityIn this paper, we cryptanalyze the recent smart card based client-to-client password-authenticated key agreement (C2C-PAKA-SC) protocol for cross-realm settings proposed at CANS '09. While client-to-client password-authenticated key exchange (C2C-PAKE) ...
Attacks on a Universal Designated Verifier Signature Scheme
IAS '09: Proceedings of the 2009 Fifth International Conference on Information Assurance and Security - Volume 01In literature [3], two new universal designated verifier signature proof schemes (UDVSP) based on hardness assumption of the discrete-logarithm problem were proposed at Asiacrypt '05. The UDVSP scheme were proven secure against impersonation attacks in ...
Comments