Breaking FIDO: Are Exploits in There?

Presented at Black Hat USA 2016, Aug. 4, 2016, 2:30 p.m. (25 minutes)

The state of authentication is in such disarray today that a black hat is no longer needed to wreak havoc. One avenue to authentication improvement is offered by the FIDO Alliance's open specifications built around public key cryptography. Does FIDO present a better mousetrap? Are there security soft spots for potential exploitation, such as man-in-the-middle attacks, exploits aimed at supporting architecture, or compromises targeting physical hardware? We will pinpoint where vulnerabilities are hidden in FIDO deployments, how difficult they are to exploit, and how enterprises and organizations can protect themselves.

Presenters:

• Jerrod Chong - Yubico
  Jerrod Chong is head of solutions at Yubico, where he helps organizations everywhere use YubiKeys. With over 15 years in the security industry, Jerrod is passionate about making strong authentication secure, simple, and scalable. If he's not convincing you that hardware-backed keys are cool, he is looking for good coffee.

Links:

• https://www.blackhat.com/us-16/briefings.html#breaking-fido-are-exploits-in-there
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Breaking FIDO - Are Exploits in There.mp4
• https://www.youtube.com/watch?v=J53Ya7E5HGQ
• https://www.blackhat.com/docs/us-16/materials/us-16-Chong-Breaking-FIDO-Are-Exploits-In-There.pdf

Similar Presentations:

• HushCon Seattle 2022 / Phishing, FIDO, and the Future of AuthN
• Objective by the Sea version 4.0 (2021) / FIDO on MacOS: How it works, Attack Vectors and Other Learnings
• BSidesLV 2019 / Why FIDO Security Keys & WebAuthn are Awesome