Passwordless Auth Vulnerability in FIDO2 Standard Enables Attackers to Launch MITM Attacks

FIDO2, the passwordless authentication standard developed by the FIDO Alliance to resist phishing and credential theft, has been found to leave users exposed to unauthorized access in common real-world deployments. Researchers showed that an attacker who intercepts the session established after a successful FIDO2 login can act as the user, including removing the FIDO2 security keys registered on the account.

FIDO2 authenticates with a hardware security key or an authenticator built into the device, and that challenge-response step is not what breaks. The weakness lies in what happens afterwards: the researchers demonstrated two attacks, session hijacking and Man-in-the-Middle (MITM) attacks against the Identity Provider (IdP), both of which rely on the fact that the session and SSO tokens issued after login are not tied to the device or channel that authenticated. Either attack gives the attacker access to user data and other sensitive information.

FIDO2 authentication rests on public key cryptography and the WebAuthn flow. At registration the authenticator generates a key pair and sends only the public key to the relying party; the private key never leaves the authenticator. At each sign-in the relying party issues a fresh challenge, the authenticator signs it together with the origin the browser reports, and the relying party verifies the signature with the stored public key. This exchange is what makes FIDO2 phishing-resistant; the vulnerabilities the researchers identified lie in the session that is established once it has succeeded.

In the test cases the researchers examined, such as the Yubico Playground demo site, the attacker was able to reach the user's private area, remove registered security keys and perform other unauthorized actions. In the Entra ID SSO and PingFederate cases, the same lack of binding between the authentication and the tokens it produced let the attacker bypass the authentication step and carry out malicious activity against the protected applications.

To mitigate the issue, the researchers recommend implementing Token Binding, so that the tokens issued after FIDO2 authentication are tied to the client that authenticated, and restricting where OIDC or SAML tokens can be used. Application owners are advised to require Token Binding on FIDO2 authentication and to work out which of their applications and identity flows the threat applies to, so that a stolen token alone cannot be used to reach user data.
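The following Go program is an added illustration of the two points above, not code from the researchers or from any of the products named. It implements a reduced WebAuthn assertion flow (P-256 challenge signing on the authenticator side, challenge/origin/RP ID/signature checks on the relying-party side; COSE key parsing, attestation, counters and extensions are omitted) and then contrasts the post-login token in two forms: a plain bearer token, which verifies no matter which connection presents it, and a token bound to a channel identifier in the spirit of Token Binding, which fails when replayed from another channel. The origin `https://login.example.com`, the RP ID, the IdP secret and the channel identifiers are constructed for the example; real Token Binding derives the channel identifier from a client key proven over TLS rather than from an opaque byte string.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator models the FIDO2 security key or platform authenticator.
// The private key is generated here and never leaves the authenticator.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Assertion is what the browser returns to the relying party (RP), reduced
// to the fields checked below.
type Assertion struct {
	ClientDataJSON []byte // {"type":"webauthn.get","challenge":...,"origin":...}
	AuthData       []byte // SHA-256(rpID) || flags (counter and extensions omitted)
	Signature      []byte // ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material the RP ever receives (at registration).
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// RandomChallenge is the RP's fresh per-login challenge.
func RandomChallenge(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Sign is the authenticator's side. The browser supplies the origin it is
// really on, so a phishing origin ends up inside the signed client data.
func (a *Authenticator) Sign(challenge []byte, origin, rpID string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// VerifyAssertion is the RP's side: challenge freshness, expected origin,
// RP ID hash, user-present flag and the signature under the registered key.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, origin, rpID string, a Assertion) bool {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return false
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, challenge) || cd.Origin != origin {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 33 || !bytes.Equal(a.AuthData[:32], rpHash[:]) || a.AuthData[32]&0x01 == 0 {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, msg[:], a.Signature)
}

// tag is an HMAC over length-separated fields under the IdP's secret.
func tag(secret []byte, parts ...[]byte) string {
	mac := hmac.New(sha256.New, secret)
	for _, p := range parts {
		mac.Write(p)
		mac.Write([]byte{0})
	}
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueBearerToken models the session cookie / SAML / OIDC token an IdP hands
// out once the assertion verifies: whoever holds the string is the user.
func IssueBearerToken(secret []byte, sessionID string) string {
	return sessionID + "." + tag(secret, []byte(sessionID))
}

// VerifyBearerToken accepts the token from any connection that presents it.
func VerifyBearerToken(secret []byte, token string) bool {
	sid, _, ok := strings.Cut(token, ".") // session IDs are assumed dot-free
	return ok && hmac.Equal([]byte(token), []byte(IssueBearerToken(secret, sid)))
}

// IssueBoundToken folds the authenticating channel's identifier into the tag.
func IssueBoundToken(secret []byte, sessionID string, channelID []byte) string {
	return sessionID + "." + tag(secret, []byte(sessionID), channelID)
}

// VerifyBoundToken recomputes the tag with the identifier of the channel that
// is presenting the token, so a token lifted from the victim's channel fails.
func VerifyBoundToken(secret []byte, token string, presentingChannel []byte) bool {
	sid, _, ok := strings.Cut(token, ".")
	return ok && hmac.Equal([]byte(token), []byte(IssueBoundToken(secret, sid, presentingChannel)))
}

func main() {
	const origin, rpID = "https://login.example.com", "login.example.com" // assumed names
	auth, _ := NewAuthenticator()
	ch := RandomChallenge(32)
	a, _ := auth.Sign(ch, origin, rpID)
	fmt.Println("assertion from real origin verifies:", VerifyAssertion(auth.PublicKey(), ch, origin, rpID, a))
	p, _ := auth.Sign(ch, "https://login.example.com.evil.test", rpID)
	fmt.Println("assertion from phishing origin verifies:", VerifyAssertion(auth.PublicKey(), ch, origin, rpID, p))
	secret := []byte("idp-token-secret")                           // assumed IdP key
	victim, attacker := []byte("tb-victim"), []byte("tb-attacker") // constructed channel IDs
	bearer := IssueBearerToken(secret, "sess-42")
	fmt.Println("bearer token replayed by attacker accepted:", VerifyBearerToken(secret, bearer))
	bound := IssueBoundToken(secret, "sess-42", victim)
	fmt.Println("bound token on victim channel accepted:", VerifyBoundToken(secret, bound, victim))
	fmt.Println("bound token replayed on attacker channel accepted:", VerifyBoundToken(secret, bound, attacker))
}
```

The assertion check rejects a signature produced on a look-alike origin, which is the phishing resistance FIDO2 is known for; the bearer token issued right after that check passes from any connection, which is the gap the article describes. Binding the token to the presenting channel closes it without touching the WebAuthn exchange itself.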

Overall, the finding is a reminder that a phishing-resistant credential only protects a session if the session itself is protected. Organizations should evaluate not just how users authenticate but how the resulting tokens are issued, bound and accepted, and keep that review current as their identity stack changes.
