On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote:
> On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen
> > I'm not entirely convinced. See this paper:
> I only read the abstract of this paper, but looks like the researchers
> have found that FIDO is indeed unphishable. Seems their attack relies
> on websites allowing downgrade to weaker forms of 2FA.
Yup. The thrust of the paper is: in the real world FIDO2 is usually
deployed alongside older/weaker forms of 2FA, so an attacker can
pretend to the victim that FIDO auth didn't work and convince them to
try a weaker method instead, then phish that.
Which is a reasonable point, but not necessarily relevant to us. We
*could* require only strong auth and not have weaker fallback methods.
IRC: adamw | Twitter: adamw_ha
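The "require only strong auth, no weaker fallback" stance from the last message, as an added example in Python (not code from this thread or from any project it mentions): a login policy that offers a user only the strongest tier of factor they have enrolled, and logs a refused weaker request as a downgrade attempt. The tier table and field names are this example's own assumptions.

```python
from datetime import datetime, timezone

# Assumed strength tiers; higher wins. Only tier 3 is phishing-resistant:
# a FIDO2 assertion is bound to the origin, so a look-alike site cannot replay it.
TIERS = {
    "fido2": 3, "passkey": 3,                # origin-bound, unphishable
    "totp": 2, "hotp": 2,                    # one-time codes can be relayed live
    "sms": 1, "email": 1, "backup_code": 1,  # interceptable or static secrets
}


def strongest_tier(enrolled):
    """Highest tier among the user's enrolled methods (0 if none are known)."""
    return max((TIERS[m] for m in enrolled if m in TIERS), default=0)


def allowed_methods(enrolled, fallback_allowed=False):
    """Methods the server will offer at login.

    With fallback_allowed=False (the thread's 'strong auth only' stance) only the
    strongest enrolled tier is offered, so "FIDO didn't work, try SMS instead"
    has nothing the server would accept. fallback_allowed=True is the common
    deployment the paper attacks: every enrolled method remains usable.
    """
    known = [m for m in enrolled if m in TIERS]
    if fallback_allowed:
        return set(known)
    top = strongest_tier(known)
    return {m for m in known if TIERS[m] == top}


def authorize_factor(user, enrolled, requested, fallback_allowed=False):
    """Decide whether `requested` may be used; return (allowed, audit_record).

    A refused request for a tier below the user's strongest enrolled method is
    recorded as a downgrade attempt, the event a SOC would want to alert on.
    """
    offered = allowed_methods(enrolled, fallback_allowed)
    ok = requested in offered
    downgrade = (not ok and requested in TIERS
                 and TIERS[requested] < strongest_tier(enrolled))
    event = "factor_ok" if ok else ("downgrade_attempt" if downgrade else "factor_denied")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "requested": requested, "allowed": ok,
        "event": event, "offered": sorted(offered),
    }
    return ok, record
```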