While FIDO2 is “phishing-resistant” to credential stealing, it was also designed with the intent to further protect against session hijacking and man-in-the-middle (MiTM) attacks. Silverfort suggests that most applications do not protect the session tokens created after FIDO authentication is successful and that many identity providers are still vulnerable to MiTM and session hijacking attack types. Sysadmins are encouraged to review this post for a discussion on concerns with FIDO2 authentication. For more, please visit Silverfort.
H2Oex: In Person 1 day event/exercise. Thurs Dec 5th. Washington DC. Join us!