Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols
Abstract
FIDO’s U2F is a web-authentication mechanism designed to mitigate real-time phishing, an attack that undermines multi-factor authentication by allowing an attacker to relay second-factor one-time tokens from the victim user to the legitimate website in real time. A U2F dongle is simple to use, and is designed to restrain users from using it incorrectly. We show that social engineering attacks allow an adversary to downgrade FIDO’s U2F to alternative authentication mechanisms. Websites allow such alternatives to handle dongle malfunction or loss. All FIDO-supporting websites in Alexa’s top 100 allow choosing alternatives to FIDO, and are thus potentially vulnerable to real-time phishing attacks. We crafted a phishing website that mimics Google login’s page and implements a FIDO-downgrade attack. We then ran a carefully designed user study to test the effect on users. We found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.
BibTeX
@INPROCEEDINGS{ulqinaku2021real-time,
isbn = {978-1-939133-24-3},
copyright = {In Copyright - Non-Commercial Use Permitted},
year = {2021-08},
booktitle = {Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)},
type = {Conference Paper},
author = {Ulqinaku, Enis and Assal, Hala and AbdelRahman, Abdou and Chiasson, Sonia and Capkun, Srdjan},
size = {19 p.},
abstract = {FIDO's U2F is a web-authentication mechanism designed to mitigate real-time phishing, an attack that undermines multi-factor authentication by allowing an attacker to relay second-factor one-time tokens from the victim user to the legitimate website in real time. A U2F dongle is simple to use, and is designed to restrain users from using it incorrectly. We show that social engineering attacks allow an adversary to downgrade FIDO's U2F to alternative authentication mechanisms. Websites allow such alternatives to handle dongle malfunction or loss. All FIDO-supporting websites in Alexa's top 100 allow choosing alternatives to FIDO, and are thus potentially vulnerable to real-time phishing attacks. We crafted a phishing website that mimics Google login's page and implements a FIDO-downgrade attack. We then ran a carefully designed user study to test the effect on users. We found that, when using FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.},
language = {en},
address = {Berkeley, CA},
publisher = {USENIX Association},
DOI = {10.3929/ethz-b-000521513},
title = {Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols},
PAGES = {3811 - 3828},
Note = {30th USENIX Security Symposium (USENIX Security 2021); Conference Location: Online; Conference Date: August 11–13, 2021}
}
Research Collection: 20.500.11850/546769