1C/ “Verifier Impersonation Resistance”

From IIW

"Verifier Impersonation Resistance" (anti phish) & OIDF EAP


Thursday 1C

Convener: Jim Fenton and John Bradley

Notes-taker(s): Tom Brown


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Phishing can occur when a user clicks a link to a phony site, whether from an email or from web search results


How do you present a credential to an RP/verifier without it being replayed?


If the authentication token/assertion carries no audience restriction and is not bound to the channel, you are at risk


If you sign something, someone can replay it


The problem of a bad guy posing as an RP cannot be solved with challenge-response alone: the bad guy gets a challenge from the real RP, sends it to the user agent, and proxies the response back to the real RP


1. password S → RP

2. challenge response f(S,C) → RP

3. verifier impersonation resistance f(S,C,RP) → RP


The attack against #2 is real, e.g. the Fancy Bear man-in-the-middle attack on the DNC (Google Authenticator)
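The difference between #2 and #3 under the relay described above, as an added illustration (not from the session or from any referenced product): the shared secret, origins and challenge are constructed values, and HMAC stands in for whatever keyed function f the credential actually uses.

```python
import hmac
import hashlib

# Constructed sample values: a secret S provisioned at registration, the real
# RP's origin, and the origin the phishing site is actually served from.
SECRET = b"constructed-shared-secret-S"
REAL_RP = "https://bank.example"
PHISH_RP = "https://bank-example.login-helper.test"


def issue_challenge() -> bytes:
    """The real RP's fresh challenge C (constant here so the run is deterministic)."""
    return b"constructed-challenge-C"


def respond_challenge_only(secret: bytes, challenge: bytes) -> bytes:
    """Scheme #2: f(S, C). The response depends only on the secret and the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def respond_verifier_bound(secret: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Scheme #3: f(S, C, RP). The client mixes in the origin it believes it is talking to."""
    msg = challenge + b"|" + origin_seen.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def rp_verifies(secret: bytes, challenge: bytes, response: bytes, bound: bool) -> bool:
    """The real RP recomputes the expected value from its OWN identity, never the client's view."""
    if bound:
        expected = respond_verifier_bound(secret, challenge, REAL_RP)
    else:
        expected = respond_challenge_only(secret, challenge)
    return hmac.compare_digest(expected, response)


def relay_attack(bound: bool) -> bool:
    """Model the relay from the notes: the phisher fetches C from the real RP, hands it
    to the user agent (which is on PHISH_RP), and forwards the response to the real RP.
    Returns True if the real RP accepts the proxied response."""
    challenge = issue_challenge()  # attacker obtained C from the real RP
    if bound:
        # Client binds to the origin it actually sees, which is the phishing origin.
        response = respond_verifier_bound(SECRET, challenge, PHISH_RP)
    else:
        response = respond_challenge_only(SECRET, challenge)
    return rp_verifies(SECRET, challenge, response, bound)
```

With `bound=False` the real RP accepts the proxied response; with `bound=True` the mismatch between the origin the client saw and the origin the RP expects makes verification fail, which is the whole point of #3. This still assumes the client's view of the origin is trustworthy; if a certificate for the real origin can be obtained illegitimately, that assumption breaks, which is why the notes also bring in TLS channel comparison.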


BBVA – 10 million euros stolen. Attackers hacked DNS and got a certificate issued


If you can hijack a cert (a sophisticated attack), simple FIDO is vulnerable. Need to be able to detect that TLS channel 1 does not equal TLS channel 2 (see diagram)


LOA 4 – strong man-in-the-middle resistance


Browsers don't support mutual TLS well. Poor user experience.

(Diagram: Thu1C.jpg)