An Analysis of Attack Vectors Against FIDO2 Authentication
Computer Science > Cryptography and Security
[Submitted on 22 Apr 2026]
Alexander Berladskyy, Andreas Aßmuth
Phishing attacks remain one of the most prevalent threats to online security, with the Anti-Phishing Working Group reporting over 890,000 attacks in Q3 2025 alone. Traditional password-based authentication is particularly vulnerable to such attacks, prompting the development of more secure alternatives. This paper examines passkeys, also known as FIDO2, which claim to provide phishing-resistant authentication through asymmetric cryptography. In this approach, a private key is stored on a user's device, the authenticator, while the server stores the corresponding public key. During authentication, the server generates a challenge that the user signs with the private key; the server then verifies the signature and establishes a session. We present passkey workflows and review state-of-the-art attack vectors from related work alongside newly identified approaches. Two attacks are implemented and evaluated: the Infected Authenticator attack, which generates attacker-known keys on a corrupted authenticator, and the Authenticator Deception attack, which spoofs a target website by modifying the browser's certificate authority store, installing a valid certificate, and intercepting user traffic. An attacker relays a legitimate challenge from the real server to a user, who signs it, allowing the attacker to authenticate as the victim. Our results demonstrate that successful attacks on passkeys require substantial effort and resources. The claim that passkeys are phishing-resistant largely holds true, significantly raising the bar compared to traditional password-based authentication.
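The abstract describes the core exchange (server challenge, signature with the device-held private key, server-side verification) and the relay attack the paper evaluates. The following is an added example, not code from the paper or its authors: a minimal WebAuthn-style relying party and authenticator in Go that shows which server-side checks make a relayed challenge fail when the victim's browser is on a look-alike domain. The names (`Authenticator`, `RelyingParty`, `Login`), the rpId `bank.example` and the origins `https://bank.example` and `https://bank-login.example` are constructed for the example. The signed message layout (`authenticatorData || SHA-256(clientDataJSON)`, `rpIdHash` as the first 32 bytes of authenticatorData, `origin` filled in by the browser) follows the WebAuthn specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by the authenticator
}

// Assertion: authenticatorData (rpIdHash || flags || signCount), client data, signature over both.
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// signedMessage is the digest both sides compute: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Authenticator holds one credential's private key, bound to one rpId (constructed names).
type Authenticator struct {
	Priv *ecdsa.PrivateKey
	RPID string
}

// Sign produces the assertion; the origin the user actually visited ends up under the signature.
func (a *Authenticator) Sign(cd clientData) (Assertion, error) {
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.RPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.Priv, signedMessage(authData, cdJSON))
	return Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// RelyingParty is the server: its rpId, its expected origin and the user's registered public key.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
}

// Verify applies the relying-party checks; origin and rpIdHash are the ones a site on another domain cannot satisfy.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %q", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("invalid signature")
	}
	return nil
}

// Login runs one exchange: key generation, server challenge, assertion signed while the browser shows browserOrigin, verification.
func Login(browserOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	auth := &Authenticator{Priv: priv, RPID: "bank.example"}
	rp := &RelyingParty{RPID: "bank.example", Origin: "https://bank.example", Pub: &priv.PublicKey}
	raw := make([]byte, 32)
	rand.Read(raw) // fresh server challenge; crypto/rand.Read cannot fail since Go 1.24
	ch := base64.RawURLEncoding.EncodeToString(raw)
	as, err := auth.Sign(clientData{Challenge: ch, Origin: browserOrigin})
	if err != nil {
		return err
	}
	return rp.Verify(ch, as)
}

func main() {
	fmt.Println("legitimate:", Login("https://bank.example"))
	fmt.Println("look-alike origin:", Login("https://bank-login.example")) // genuine challenge, wrong origin
}
```

The second `Login` call models the easy version of a relay: the attacker forwards the real server's challenge, but the victim's browser records the look-alike origin in `clientDataJSON`, so the relying party rejects the assertion on the origin check (a real browser would refuse earlier still, because the credential's rpId must match the origin's domain). Rewriting the origin field after signing does not help either, since it is covered by the signature. This is the bar the paper's Authenticator Deception attack has to clear, which is why it needs the browser itself to believe it is on the genuine origin.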
Comments: 7 pages
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2604.20826 [cs.CR]
(or arXiv:2604.20826v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2604.20826
Journal reference: Proc. of the First International Conference on Cross-Domain Security in Distributed, Intelligent and Critical Systems (CROSS-SEC 2026), Lisbon, Portugal, pp. 77–83, April 2026
Submission history
From: Andreas Aßmuth [view email]
[v1] Wed, 22 Apr 2026 17:52:56 UTC (21 KB)