Explore a comprehensive security assessment of FIDO2's Client-to-Authenticator Protocol (CTAP) in this 37-minute DEF CON 33 conference talk. Delve into the critical vulnerabilities discovered in CTAP and its Authenticator API, which handles credentials and authenticator settings in passwordless and 2FA authentication systems. Examine both standard FIDO2 setups where credentials are stored by relying parties and the most secure configurations with authenticator-stored credentials protected from data breaches. Learn how FIDO2 security mechanisms still depend on phishable elements like PINs and suffer from unclear security boundaries that trust unauthenticated clients. Discover eleven newly identified CTRAPS attacks categorized into Client Impersonation and API Confusion classes that exploit CTAP vulnerabilities to wipe credentials, perform unauthorized factory resets, and track users. Witness practical demonstrations using an open-source toolkit that implements these attacks across Android apps, Electron applications, and Proxmark3 scripts, supporting both USB HID and NFC transports. See real-world exploitation examples targeting popular authenticators like YubiKeys and major relying parties including Microsoft and Apple, providing crucial insights for security professionals working with FIDO2 implementations.