On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote:
On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen <remyabel@gmail.com> wrote:
I'm not entirely convinced. See this paper: https://eprint.iacr.org/2020/1298.pdf
I only read the abstract of this paper, but it looks like the researchers have found that FIDO is indeed unphishable. Seems their attack relies on websites allowing downgrade to weaker forms of 2FA.
Yup. The thrust of the paper is: in the real world FIDO2 is usually deployed alongside older/weaker forms of 2FA, so an attacker can pretend to the victim that FIDO auth didn't work and convince them to try a weaker method instead, then phish that.
Which is a reasonable point, but not necessarily relevant to us. We *could* require only strong auth and not have weaker fallback methods.
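A toy model of the downgrade the thread describes, added here as an example that is not part of the original mail or of any real FIDO implementation; the origins, the assurance levels and the `allow_weaker_fallback` policy knob are all constructed. It shows why the relayed FIDO2 step fails at the real site and why the attack only works when the server lets a FIDO2 enrollee fall back to a code-based factor:

```python
from dataclasses import dataclass

# Constructed origins for the model: the real relying party and a look-alike phishing site.
RP_ORIGIN = "https://accounts.example.org"
PHISH_ORIGIN = "https://accounts.examp1e.org"

# Relative strength of second factors; only fido2 is bound to the origin the browser saw.
ASSURANCE = {"fido2": 3, "totp": 2, "sms": 1}

@dataclass(frozen=True)
class Policy:
    # Weak deployment: after the client reports that the security key "didn't work",
    # let it satisfy step 2 with any other enrolled factor. Hardened: never.
    allow_weaker_fallback: bool

def offered_methods(enrolled, policy, client_says_fido_failed=False):
    """Second-factor methods the server will accept for this login attempt."""
    by_strength = sorted(enrolled, key=ASSURANCE.__getitem__, reverse=True)
    if "fido2" not in enrolled:
        return by_strength                      # nothing stronger to downgrade from
    if client_says_fido_failed and policy.allow_weaker_fallback:
        return [m for m in by_strength if m != "fido2"]   # the downgrade path
    return ["fido2"]                            # FIDO2 enrollees must use FIDO2

def relayable_through_proxy(method, page_origin):
    """Can a phishing page at page_origin forward this factor to the real RP?
    A FIDO2 assertion carries the origin the browser saw, so it only verifies
    when that origin is the RP itself; TOTP and SMS codes are plain strings."""
    if method == "fido2":
        return page_origin == RP_ORIGIN
    return True

def downgrade_attack_succeeds(enrolled, policy):
    """The thread's scenario: the victim logs in on the phishing page, the relayed
    FIDO2 assertion fails at the RP, the attacker claims the key 'did not work' and
    asks for another method; success means some offered method is relayable."""
    first = offered_methods(enrolled, policy)
    if any(relayable_through_proxy(m, PHISH_ORIGIN) for m in first):
        return True
    fallback = offered_methods(enrolled, policy, client_says_fido_failed=True)
    return any(relayable_through_proxy(m, PHISH_ORIGIN) for m in fallback)

if __name__ == "__main__":
    for policy in (Policy(allow_weaker_fallback=True), Policy(allow_weaker_fallback=False)):
        print(policy, "->", downgrade_attack_succeeds({"fido2", "totp", "sms"}, policy))
```

The model only covers the login step itself; a recovery path that hands out a code-based factor would reopen the same downgrade.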