A Security and Usability Analysis of Local Attacks Against FIDO2

Tarun Kumar Yadav

Network and Distributed System Security (NDSS) Symposium 2024 · Day 3 · Authentication & E-Commerce

FIDO2, a cornerstone of modern web authentication, primarily focuses on defending against remote threats such as phishing and password compromise. However, its security posture leaves a critical gap with respect to local attacks. This research, presented by Tarun Kumar Yadav at the NDSS Symposium, examines the overlooked vulnerabilities arising from malicious browser extensions, cross-site scripting (XSS), and physical hardware security key (HSK) cloning. The work systematically analyzes these local attack vectors, revealing fundamental flaws in FIDO2's design and implementation that allow adversaries to bypass its otherwise robust security mechanisms.