1. FIDO is available on all browsers.
  2. FIDO is the only widely adopted phishing proof authentication protocol we have today

“How make sure 100% that server can authenticate the real user and not a phishing attacker?”

You:

  1. Verify challenge — if fails, MITM detected
  2. Verify origin — if fails, phishing attack is detected
  3. Verify counter — if fails, replay attack is detected
  4. Verify signature — if fails, MITM or/and phishing attack is detected
  5. (OPTIONAL) Verify attestation against Metadata Statements that you have loaded from Metadata Service, to ensure that authenticator manufacturer is FIPS/CC or FIDO certified.
  6. PROFIT!!!

Does this answer your question?

I understand that this article might be too technical, so here are the slides on U2F. https://slides.com/herrjemand/fido-u2f-kiwipycon-2016

The schemas applicable to all of the FIDO protocols.

Here is the article version: https://research.aurainfosec.io/u2f-phishing-proof-2FA-for-general-human-beings/

If you would like to hear my terrible voice here is the video: https://www.youtube.com/watch?v=Mxk3ueCkZG8

Written by

FIDO, Identity, Standards

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store