Critical vulnerabilities in FIDO2 protocols affect Google Titan Key and YubiKey passwordless authentication

Cybersecurity specialists published a report detailing what they describe as a “design flaw” in the Fast Identity Online (FIDO) passwordless authentication system. The report, titled “Provable Security Analysis of FIDO2,” was published by the International Association for Cryptologic Research.

The FIDO Alliance was launched in 2013 as an initiative promoted by technology providers such as Microsoft, Google, Facebook, and Apple, with the mission of developing and promoting authentication standards as an alternative to passwords to improve the online user experience. This technology is used by multiple services and devices, such as Google Titan Key and YubiKey.

Passwordless authentication is based on two protocols: WebAuthn and CTAP2. While WebAuthn uses an authentication device (smartphones, tokens, etc.) to establish a private key, CTAP2 takes care of linking a trusted client to the authenticator. According to the researchers, the user must provide a PIN to establish this binding; in this way, the authenticator will only accept commands authorized by the linked client.

The researchers have questioned the security of CTAP2, arguing that two specific factors could make this protocol vulnerable to some attack vectors.

Design flaws

First, the experts mention that CTAP2 uses an unauthenticated Diffie-Hellman key exchange, which would allow two risk scenarios:

  • A man-in-the-middle (MitM) attack that would give hackers access to security keys, compromising user communications
  • Threat actors could impersonate a client to the authenticator
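
The first flaw, as an added example that is not code from the report or from the FIDO2 specifications: a toy finite-field Diffie-Hellman exchange (not CTAP2's actual message format) in which substituted public values go unnoticed unless they are authenticated. The group parameters, the pre-shared `auth_key` and all function names are assumptions made for the illustration; the HMAC check stands in for any authentication mechanism and is not the scheme the researchers propose.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (2**127 - 1 is prime); real deployments use
# standardized elliptic-curve or large finite-field groups.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(auth_key, pub):
    # Authenticates a public value under a key both honest ends already trust
    # (assumption: such a key exists, e.g. from an earlier pairing step).
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def run_exchange(intercepted, authenticated):
    auth_key = b"constructed-pre-shared-key"   # known to client and authenticator only
    c_priv, c_pub = keypair()                  # client
    a_priv, a_pub = keypair()                  # authenticator
    c_msg = (c_pub, tag(auth_key, c_pub))      # client -> authenticator
    a_msg = (a_pub, tag(auth_key, a_pub))      # authenticator -> client
    m_priv, m_pub = keypair()                  # party sitting on the channel
    if intercepted:
        # Public values are swapped in transit; the tags cannot be recomputed
        # without auth_key, so they no longer match the values they travel with.
        c_msg, a_msg = (m_pub, c_msg[1]), (m_pub, a_msg[1])
    if authenticated:
        ok = (hmac.compare_digest(tag(auth_key, a_msg[0]), a_msg[1]) and
              hmac.compare_digest(tag(auth_key, c_msg[0]), c_msg[1]))
        if not ok:
            return {"accepted": False, "ends_agree": False, "channel_has_key": False}
    client_key = session_key(c_priv, a_msg[0])   # client uses what it received
    authn_key = session_key(a_priv, c_msg[0])    # authenticator likewise
    return {
        "accepted": True,
        "ends_agree": client_key == authn_key,
        "channel_has_key": client_key == session_key(m_priv, c_pub),
    }
```

With `authenticated=False` and `intercepted=True`, both ends accept the exchange even though they no longer share a key with each other, which is the condition behind both risk scenarios listed above.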

The second potential flaw is that the smartphone or PC using FIDO2 to log in generates a single “pinToken” at startup. This pinToken is used in all subsequent communications, which would put the user’s integrity at risk if these sessions are compromised.

As a possible solution, the researchers recommended replacing the CTAP2 part of the FIDO2 protocol with a scheme that can dispose of this data without leaving any loose ends in the process. Experts from the University of Porto, the Georgia Institute of Technology, the Technical University of Darmstadt, and the University of Bristol participated in the report.