Enhancing the Security of WebAuthn Implementations: Addressing the Threat of Phishing Attacks from Subdomains
Type
Master's Thesis
Abstract
The Fast IDentity Online (FIDO2) standard and its WebAuthn specification provide a robust framework for passwordless authentication, emphasising resistance to phishing attacks. Despite this, subdomain takeover vulnerabilities in real-world applications pose a potential risk to WebAuthn's claim of phishing resistance: a credential is scoped to a Relying Party identifier (RP ID), and an RP ID set to a parent domain can be exercised from any of its subdomains. This thesis investigates the feasibility and prevalence of phishing attacks originating from subdomains against WebAuthn implementations. Our Proof of Concept (PoC) demonstrates that WebAuthn implementations can be configured to be vulnerable to phishing attacks originating from subdomains, and the demonstration highlights the critical conditions that make such an attack successful. An analysis of 135 real-world RP IDs revealed over 100,000 subdomains. Among these, numerous dangling DNS records were identified, indicating potential takeover vulnerabilities, although no evidence of current exploitation was found during the analysis. Additionally, an evaluation of server-side WebAuthn libraries revealed strong adherence to secure origin validation, which ensures that authentication requests originate only from trusted origins. These findings demonstrate that WebAuthn significantly enhances protection against traditional phishing attacks. However, mitigating more advanced threats, such as those originating from subdomains, requires secure configurations and careful developer practices. Despite the potential risks, WebAuthn remains a strong step forward in the evolution of authentication methods, offering robust security improvements over traditional password-based systems.
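The condition the abstract describes can be shown on the server side. Below is an added, self-contained example (not the thesis's PoC and not code from any WebAuthn library) of the two verification steps that decide the outcome: the rpIdHash check and the origin check on clientDataJSON. The RP ID `example.com`, the legitimate origin `https://login.example.com`, the taken-over subdomain `old-blog.example.com`, the fixed challenge and the authenticatorData bytes are all constructed for the example. Signature verification is omitted because it passes in both configurations: the victim's real authenticator signed the assertion; the attacker's page on the taken-over subdomain merely relayed the challenge and collected the result.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Hypothetical relying party configuration (constructed for this example).
RP_ID = "example.com"                              # credentials scoped to the registrable domain
EXPECTED_ORIGINS = {"https://login.example.com"}   # the only page that legitimately runs WebAuthn


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser emits it for navigator.credentials.get()."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4).
    The browser lets a page on any subdomain of rp_id request this rp_id, so the hash
    is identical whether the page is the login page or a taken-over subdomain."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def origin_within_rp_id(origin: str, rp_id: str) -> bool:
    """Loose policy: accept any https origin whose host is the RP ID or a subdomain of it.
    This only repeats the scope the authenticator already enforces, so it stops nothing."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str, allowed_origins: set, strict_origin: bool) -> tuple:
    """The subset of WebAuthn assertion-verification steps that decide this attack."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd["challenge"]) != expected_challenge:
        return False, "challenge mismatch"
    origin = cd.get("origin", "")
    if strict_origin:
        # Hardened configuration: exact allowlist of the origins that host the login page.
        if origin not in allowed_origins:
            return False, f"origin {origin} not in allowlist"
    elif not origin_within_rp_id(origin, rp_id):
        # Vulnerable configuration: any subdomain of the RP ID is trusted.
        return False, f"origin {origin} outside RP ID scope"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run both policies against a legitimate login and a relayed assertion from a taken-over subdomain."""
    challenge = b"\x01" * 32           # constructed; a real RP issues a fresh random challenge
    auth = make_authenticator_data(RP_ID)
    results = {}
    for label, origin in [("legitimate", "https://login.example.com"),
                          ("taken-over subdomain", "https://old-blog.example.com")]:
        cd = make_client_data(origin, challenge)
        results[label] = {
            "loose": verify_assertion(cd, auth, challenge, RP_ID, EXPECTED_ORIGINS, False)[0],
            "strict": verify_assertion(cd, auth, challenge, RP_ID, EXPECTED_ORIGINS, True)[0],
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} loose={outcome['loose']}  strict={outcome['strict']}")
```

The rpIdHash and the challenge are identical in both runs; only the origin differs. With the loose policy the relayed assertion from `old-blog.example.com` verifies, which is the configuration the abstract calls vulnerable. With an exact origin allowlist it is rejected, which is the behaviour the evaluated server-side libraries were found to enforce. Choosing an RP ID equal to the login host rather than the parent domain removes the exposure at the authenticator level as well, at the cost of credentials not being shared across subdomains.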
Subject / keywords
FIDO2, WebAuthn, Passwordless Authentication, Phishing Resistance, Subdomain Takeover, Vulnerability Analysis, Authentication Security.
