The FIDO2 protocol aims to strengthen or replace password authentication using public-key cryptography. FIDO2 has primarily focused on defending against attacks from afar by remote attackers that compromise a password or attempt to phish the user. In this paper, we explore threats from local attacks on FIDO2 that have received less attention -- a browser extension compromise and attackers gaining physical access to an HSK. Our systematic analysis of current implementations of FIDO2 reveals four underlying flaws, and we demonstrate the feasibility of seven attacks that exploit those flaws. The flaws include (1) Lack of confidentiality/integrity of FIDO2 messages accessible to browser extensions, (2) Broken clone detection algorithm, (3) Potential for user misunderstanding from social engineering and notification/error messages, and (4) Cookie life cycle. We build malicious browser extensions and demonstrate the attacks on ten popular web servers that use FIDO2. We also show that many browser extensions have sufficient permissions to conduct the attacks if they were compromised. A static and dynamic analysis of current browser extensions finds no evidence of the attacks in the wild. We conducted two user studies confirming that participants do not detect the attacks with current error messages, email notifications, and UX responses to the attacks. We provide an improved clone detection algorithm and recommendations for relying part

翻译：FIDO2协议旨在利用公钥密码学加强或替代密码认证。当前FIDO2主要侧重于防御远程攻击者通过窃取密码或钓鱼攻击实施的远距离威胁。本文探讨了FIDO2所受的本地攻击威胁——这类威胁尚未得到充分关注，包括浏览器扩展入侵和攻击者物理接触HSK设备。通过对现有FIDO2实现的系统性分析，我们揭示了四项底层缺陷，并展示了利用这些缺陷实施七种攻击的可行性。这些缺陷包括：(1) 浏览器扩展可访问的FIDO2消息缺乏机密性/完整性保障；(2) 克隆检测算法存在缺陷；(3) 社交工程及通知/错误消息可能引发用户误解；(4) Cookie生命周期问题。我们构建了恶意浏览器扩展，并在十个使用FIDO2的流行Web服务器上演示了攻击过程。研究还表明，许多浏览器扩展若被入侵，它们拥有的权限足以实施这些攻击。通过对现有浏览器扩展的静态和动态分析，未发现野外攻击迹象。我们开展了两项用户研究，证实参与者无法通过当前错误消息、邮件通知及攻击响应的用户体验检测出攻击。最后，我们提出了改进的克隆检测算法，并为依赖方提供了改进建议。