Security evaluation of FIDO2 server implementations


Supervision: Vladislav Mladenov

Start date: immediately

More details:


More and more services nowadays support two-factor authentication using specialized hardware authenticator devices called security keys. When such an authentication option is deployed on a web application, the client-side code uses the interfaces defined by the W3C Web Authentication (WebAuthn) standard. A web server that can validate an assertion created by the WebAuthn JavaScript API is called a FIDO2 server. The main goal of this thesis is the security evaluation of existing FIDO2 server implementations. This includes libraries that are meant to be integrated into existing web applications as well as web applications that come with built-in FIDO2 functionality. Online services with FIDO2 support (Google, GitHub, etc.) are also in the scope of the thesis.

The thesis consists of three parts:

  • Setup: You have to identify the FIDO2 server implementations that are going to be tested. Good starting points are [1,2,3]. In the case of libraries and web applications for self-hosting, your task is to set up test servers. With online services, you will create test accounts. To activate FIDO2 authentication, virtual authenticators [4] can be used. Furthermore, physical security keys can be provided by the supervisors.
  • Attack Catalog: For the security analysis, your task is to collect a comprehensive list of existing threats, Best Current Practice documents, and reported attacks. Using this list, you are going to create an attack catalog targeting server implementations.
  • Security Analysis: Finally, your task is to perform a comprehensive security analysis of the FIDO2 server implementations covering the previously defined attack catalog. Detailed documentation and evaluation of the results then form the core of your thesis results.


  • Skills in administration, especially (but not limited to) Linux
  • Knowledge about common web server environments (PHP, Ruby, Java, etc.)
  • Familiarity with JavaScript
  • Experience with browser debugging tools and pentesting utilities (BurpSuite, OWASP ZAP, etc.)