Cryptology ePrint Archive: Report 2020/1298

Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols

Enis Ulqinaku and Hala Assal and AbdelRahman Abdou and Sonia Chiasson and Srdjan Čapkun

Abstract: FIDO's Universal-2-Factor (U2F) is a web-authentication mechanism designed to provide resilience to real-time phishing—a class of attacks that undermines multi-factor authentication by allowing an attacker to relay second-factor one-time tokens from the victim user to the legitimate website in real time. A U2F dongle is simple to use, and is designed to ensure users have complete mental models of proper usage. We show that social engineering attacks allow an adversary to downgrade FIDO's U2F to alternative authentication mechanisms. Websites allow such alternatives to handle dongle malfunction or loss. All FIDO-supporting websites in Alexa's top 100 allow choosing alternatives to FIDO, and are thus vulnerable to real-time phishing attacks. We crafted a phishing website that mimics Google's login page and implements a FIDO-downgrade attack. We then ran a carefully designed user study to test the effect on users. We found that, while registering FIDO as their second authentication factor, 55% of participants fell for real-time phishing, and another 35% would potentially be susceptible to the attack in practice.

Category / Keywords: applications / Phishing, Attacks and Defences, FIDO, Authentication, Social Engineering, User Studies, Human-centric Research

Date: received 16 Oct 2020, last revised 10 Nov 2020

Contact author: abdou at scs carleton ca, enis ulqinaku@inf ethz ch

Version: 20201110:162838

Short URL: ia.cr/2020/1298