FIDO2 and Passkeys
Over the past couple of months, there has been a notable increase in advanced phishing attacks, leveraging QR codes to bypass email protections and a technique known as “Adversary-in-the-Middle”.
Adversary-in-the-Middle is very difficult for the user to recognise and circumvents standard cybersecurity protections, including Multi-Factor Authentication (MFA).
-
The attack is commonly initiated via phishing, specifically an email with an external link (or an embedded QR code that redirects to an external link).
-
The link opens a phishing website that acts as a ”reverse proxy”, which forwards a legitimate login website to the user. For example, the Microsoft login webpage.
-
The phishing website (reverse proxy) is hosted on a domain controlled by the adversary, allowing them to closely mimic the URL, as well as present a valid certificate to the user.
-
The adversary transparently sits between the legitimate login website and the user, allowing them to access all unencrypted data flowing through the proxy. This includes the username and password, as well as the associated session cookie (enabling persistent access).
-
At the point in which the user approves the Multi-Factor Authentication (MFA) request, the attacker has successfully compromised the account, with the ability to persist access via the stolen session cookie.
Unfortunately, all traditional forms of Multi-Factor Authentication (MFA), including Phone Calls, SMS, Authenticator Apps, and Number Matching are susceptible.
Some controls can reduce the risk of compromise, for example, enforcing compliant devices, etc. However, these controls also reduce flexibility, potentially impacting productivity.
If you are an enterprise business leveraging Microsoft device management and/or cybersecurity capabilities, I would highly recommend reviewing the excellent article from Jeffery Appel, that outlines available Microsoft protections in 2023.
Even with these protections enabled, the goal of every business (small or large) should be to adopt new standards, such as FIDO2 and passkeys.
FIDO2
FIDO2 (Fast Identity Online 2) is, confusingly, the third iteration of the FIDO standard, building upon FIDO U2F and FIDO UAF. It is best known as “the passwordless standard”, emphasizing security, convenience, privacy, and scalability.
In the context of phishing and specifically Adversary-in-the-Middle, FIDO2 employs new techniques that are (at least today) considered to be breach resistant.
FIDO2 leverages standard public key cryptography keys and challenges to verify the legitimacy of the request, providing stronger authentication. Specifically, FIDO2 includes three steps:
-
During the registration process, the user client device creates a new key pair. It retains the private key and registers the public key with the target service.
-
Authentication is completed by the client device proving possession of the private key by signing a challenge.
-
The client’s private key can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished via a convenient and secure action such as biometrics, etc.
FIDO2 has also been designed to protect user privacy. The protocol does not provide information that can be used to collaborate and/or track users across. In addition, any biometric information, if used, remains on the user’s device.
Passkeys
Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure authentication.
In short, passkeys are a replacement for passwords. A password is something that can be remembered and typed, and a passkey is a secret stored on a user’s device, unlocked with biometrics.
Advantages of using a passkey include:
-
Intuitive: Creating and using a passkey is as simple as consenting to save and use them. No password is required.
-
Always Unique: By design, a passkey is unique per service (can not be reused).
-
Breach Resistant: A passkey is only stored on a user’s devices. Relying Party (RP) servers store public keys. Even servers that assist in the syncing of passkeys can never access or use the private keys.
-
Phishing Resistant: Passkeys can only ever be used to authenticate with the appropriate service, avoiding the need for human verification.
Conclusion
As previously stated, I highly recommend all businesses establish a roadmap to adopt FIDO2 and passkeys. If you are a Microsoft Entra ID customer, the team recently announced support for device-bound passkeys stored on computers and mobile devices coming in January 2024.
As an individual, Bitwarden are expected to release their passwordless compatibility this month (October 2023). This will allow users to store and use passkeys alongside traditional passwords in Bitwarden Password Manager.
In the interim, if you are Bitwarden user, I recommend enabling and using FIDO2 WebAuthn, which will at least protect your vault from Adversary-in-the-Middle attacks.