- FIDO is available on all browsers.
- FIDO is the only widely adopted phishing proof authentication protocol we have today
“How make sure 100% that server can authenticate the real user and not a phishing attacker?”
- Verify challenge — if fails, MITM detected
- Verify origin — if fails, phishing attack is detected
- Verify counter — if fails, replay attack is detected
- Verify signature — if fails, MITM or/and phishing attack is detected
- (OPTIONAL) Verify attestation against Metadata Statements that you have loaded from Metadata Service, to ensure that authenticator manufacturer is FIPS/CC or FIDO certified.
Does this answer your question?
I understand that this article might be too technical, so here are the slides on U2F. https://slides.com/herrjemand/fido-u2f-kiwipycon-2016
The schemas applicable to all of the FIDO protocols.
Here is the article version: https://research.aurainfosec.io/u2f-phishing-proof-2FA-for-general-human-beings/
If you would like to hear my terrible voice here is the video: https://www.youtube.com/watch?v=Mxk3ueCkZG8