
Unprotected Session Tokens May Compromise FIDO2 Security


A recent analysis by Silverfort has shed light on a potential vulnerability in organizations that have implemented passwordless authentication using the FIDO2 standard. According to the analysis, these organizations may be unknowingly leaving themselves open to man-in-the-middle (MITM) attacks due to inadequate session security practices post-authentication.

FIDO2, known for making passwordless authentication a reality and being resilient against phishing attacks, may not always protect against MITM attacks as effectively as believed. Dor Segal, a security researcher at Silverfort, expressed concerns over the false sense of security that organizations may have regarding protection against MITM attacks when using FIDO2. While the authentication process itself is secure, the subsequent session is often left vulnerable.

FIDO2, an open authentication standard by the FIDO Alliance, offers various options for passwordless authentication such as biometrics, USB tokens, and passkeys. Despite being considered a robust protocol for preventing phishing and credential theft, FIDO2 implementations may fall short in protecting session tokens post-authentication.

The issue lies in the lack of protection for session tokens created after successful authentication, allowing MITM attackers to steal tokens and impersonate legitimate users. While Transport Layer Security (TLS) has made MITM attacks more challenging, attackers can still use techniques such as DNS spoofing and ARP poisoning to intercept and manipulate network traffic.

Mike Kiser from SailPoint acknowledges the concerns raised by Silverfort but emphasizes that FIDO2 continues to fulfill its primary function of preventing credential theft and replay attacks. He advises organizations to maintain existing identity security measures, safeguard certificate stores, and follow security best practices to bolster their defenses.

Jason Soroko, from Sectigo, underscores the importance of re-evaluating token binding in FIDO2 implementations to strengthen session security. Token binding, a security mechanism that binds authentication tokens to TLS connections, can enhance the overall security posture of FIDO2-based SSO systems.

In response to these findings, Segal recommends that organizations using FIDO2 enable token binding to secure SSO authentication sessions effectively. By raising awareness of the need to secure both authentication and the subsequent session, organizations can mitigate the risk of MITM attacks and safeguard sensitive data.
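The contrast the article draws, a bearer session token that anyone holding it can replay versus a token bound to the TLS connection it was issued on, can be shown on the server side in a few lines. The following is an added example, not code from Silverfort, the FIDO Alliance or the article; `SERVER_KEY`, the function names and the two `*_channel` values are constructed for illustration. The channel-binding bytes stand in for a per-connection value a real server would take from the TLS layer (for instance the `tls-unique` value that Python's `ssl.SSLSocket.get_channel_binding()` exposes, or the certificate thumbprint used by RFC 8705 certificate-bound tokens); here they are random bytes so the example runs offline.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side MAC key (constructed for the example; a real
# deployment keeps this in an HSM or secret store and rotates it).
SERVER_KEY = secrets.token_bytes(32)


def _mac(*parts: bytes) -> str:
    """HMAC-SHA256 over the given parts, length-prefixed so they cannot be re-split."""
    h = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.hexdigest()


def issue_unbound_token(user_id: str) -> str:
    """Conventional bearer token: its MAC covers only the user id and a nonce,
    so whoever presents it, on any connection, is treated as the user."""
    nonce = secrets.token_hex(16)
    return f"{user_id}:{nonce}:{_mac(user_id.encode(), nonce.encode())}"


def validate_unbound_token(token: str) -> Optional[str]:
    """Return the user id if the bearer token is genuine, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, nonce, mac = parts
    expected = _mac(user_id.encode(), nonce.encode())
    return user_id if hmac.compare_digest(mac, expected) else None


def issue_bound_token(user_id: str, channel_binding: bytes) -> str:
    """Bound token: the MAC additionally covers the channel-binding value of the
    TLS connection the token was issued on. The token itself looks the same."""
    nonce = secrets.token_hex(16)
    return f"{user_id}:{nonce}:{_mac(user_id.encode(), nonce.encode(), channel_binding)}"


def validate_bound_token(token: str, channel_binding: bytes) -> Optional[str]:
    """Return the user id only if the token was issued for the presenting
    connection's channel binding; a token replayed over another connection
    fails the MAC check even though it is otherwise genuine."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, nonce, mac = parts
    expected = _mac(user_id.encode(), nonce.encode(), channel_binding)
    return user_id if hmac.compare_digest(mac, expected) else None


def simulate_replay() -> dict:
    """Issue both token kinds on the victim's connection, then present each
    on the original connection and on a second, different connection."""
    # Constructed stand-ins for two distinct TLS connections' binding values.
    victim_channel = secrets.token_bytes(32)
    other_channel = secrets.token_bytes(32)

    unbound = issue_unbound_token("alice")
    bound = issue_bound_token("alice", victim_channel)

    return {
        # Bearer token: accepted wherever it is presented.
        "unbound_on_original_channel": validate_unbound_token(unbound),
        "unbound_on_other_channel": validate_unbound_token(unbound),
        # Bound token: accepted only on the connection it was issued for.
        "bound_on_original_channel": validate_bound_token(bound, victim_channel),
        "bound_on_other_channel": validate_bound_token(bound, other_channel),
    }


if __name__ == "__main__":
    for name, result in simulate_replay().items():
        print(f"{name:30s} -> {'accepted as ' + result if result else 'rejected'}")
```

Note that the bound token is not encrypted or otherwise hidden; the protection comes from the server refusing it on any connection whose binding value differs, which is exactly the gap the article describes for the post-authentication session. The same idea underlies certificate-bound access tokens (RFC 8705) and DPoP (RFC 9449), which bind the token to a client key rather than to a single TLS session.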

Overall, while FIDO2 offers a reliable means of passwordless authentication, organizations must remain vigilant and implement additional security measures to address potential vulnerabilities and ensure comprehensive protection against evolving threats. By staying informed and proactive, organizations can maximize the benefits of passwordless authentication while minimizing the risk of security breaches.
