A new Verizon report indicates that almost 30% of all breaches recorded over the past 10 years were caused by stolen credentials. This trend underlines how critical the role of passwords and other authentication means has become in modern digital threats.
Therefore, there is currently increased interest in modern authentication methods such as FIDO2. The standard uses unique cryptographic credentials tied to hardware devices such as smartphones or PCs. Instead of traditional passwords, it relies on biometrics and multi-factor authentication delivered through Single Sign-On (SSO) technology.
However, Silverfort states that even such protective measures can be bypassed. Silverfort's technique, based on a man-in-the-middle (MITM) attack, makes it possible to intercept and copy user sessions in various applications that use SSO solutions.
FIDO2 is designed to protect against phishing and MITM attacks by replacing vulnerable passwords with more reliable hardware keys and biometrics. However, the solution depends on external SSO systems that create authentication sessions acting as a bridge between the user and the application. The problem is that the protection provided by protocols such as Transport Layer Security (TLS) does not extend to the tokens and sessions themselves, which can be saved and remain usable for hours.
According to Silverfort, a successfully authenticated session can transmit sensitive data, while the session token can be copied and reused many times without restriction. It is noted that once authentication has been passed, the user receives almost unlimited access to resources, which increases the risk of abuse.
The researchers emphasize that although their methods identify some weaknesses in the process, standards like FIDO2 still significantly surpass knowledge-based passwords as a form of protection for personal data.
The FIDO Alliance emphasized that the bypasses described in the study are technically valid but do not reflect vulnerabilities in the FIDO authentication standards themselves. The problem is the industry's failure to develop a single approach to protecting authentication tokens from theft or abuse.
Nevertheless, token binding could solve this problem, but wide adoption of the technology is still limited, and the only major browser that supports it is Microsoft Edge.
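As an added illustration of why token binding matters (example code written for this page, not from Silverfort, Verizon or the FIDO Alliance): a toy relying party that accepts a plain bearer session token from whoever presents it, beside one that binds the session to a client-held key and demands a fresh proof of possession on every request. The HMAC key stands in for the non-exportable device key pair that real token binding uses, and all names are assumptions.

```python
import hashlib
import hmac
import secrets


class RelyingParty:
    """Toy application behind SSO: stores sessions and authorizes requests."""

    def __init__(self):
        self.sessions = {}  # token -> {"user": str, "bound_key": bytes | None}

    def issue_session(self, user, client_key=None):
        # After SSO succeeds the app mints a session token; with client_key
        # set, the session is bound to that key instead of being pure bearer.
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "bound_key": client_key}
        return token

    def challenge(self):
        # Fresh nonce per request so a captured proof cannot be replayed.
        return secrets.token_bytes(16)

    def authorize(self, token, nonce=None, proof=None):
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess["bound_key"] is None:
            return sess["user"]  # bearer token: possession of the token is enough
        expected = hmac.new(sess["bound_key"], nonce, hashlib.sha256).digest()
        if proof is None or not hmac.compare_digest(expected, proof):
            return None  # token copied without the bound key: rejected
        return sess["user"]


class Device:
    """Client holding a key that never leaves the device (simplified as HMAC)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def prove(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def demo():
    rp, victim, other = RelyingParty(), Device(), Device()
    bearer = rp.issue_session("alice")  # constructed sample user
    bearer_replay = rp.authorize(bearer)  # any holder is "alice"
    bound = rp.issue_session("alice", client_key=victim.key)
    n1, n2 = rp.challenge(), rp.challenge()
    bound_legit = rp.authorize(bound, n1, victim.prove(n1))
    bound_copied = rp.authorize(bound, n2, other.prove(n2))  # copied token, wrong key
    return {"bearer_replay": bearer_replay, "bound_legit": bound_legit,
            "bound_copied": bound_copied}
```

Running `demo()` returns `alice` for the bearer replay and the legitimate bound request, and `None` for the copied bound token, which is the property the page says token binding provides.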