Analysis of the strength of a man in the browser against the FIDO2 authentication mechanism.

Yet another school project.

This paper examines what harm a malicious browser extension can do to a FIDO2 authentication. Many investigations on the security of FIDO2 have been published but none of them scrutinizes browser extensions explicitly. However, browser extensions are fairly common and extremely powerful. Therefore, this study analyzes the threat of a malicious browser extension in theory and fortifies the findings with a practical proof of concept implementation. It identifies a rogue browser extension as a serious threat to the level of assurance of FIDO2 as the man-in-the-browser is able to register a forged public key and subsequently authenticate without user interaction at any time. Hence, the suitability of FIDO2, without an additional out of band verification, as authentication method in a high security context is questioned.

Read more

• Install Firefox, node 12, webpack 5 and web-ext 4.
• Clone the repo.
• Run npm run build to package the source.
• Then execute web-ext run to lauch Firefox with the extension.
• Navigate into the extensions console (!= the regular dev tools console).
• Register with your FIDO2 device on webauthn.io (attestation type none), then login.
• Check the extension console to see what happend.