Supervision: Dennis Felsch, Vladislav Mladenov
Start date: immediately
More details:
The thesis consists of three parts:
- Setup: You have to identify the FIDO2 server implementations that are going to be tested. Good starting points are [1,2,3]. In the case of libraries and web applications for self-hosting, your task is to set up test servers. With online services, you will create test accounts. For the activation of the FIDO2 authentication, virtual authenticators [4] can be used. Furthermore, physical security keys can be provided by the supervisors.
- Attack Catalog: For the security analysis your task is to collect a comprehensive list of existing threats, Best Current Practice documents, and reported attacks. Using this list, you are going to create an attack catalog targeting server implementations.
- Security Analysis: Finally, your task is to perform a comprehensive security analysis of the FIDO2 server implementations covering the previously defined attack catalog. Detailed documentation and evaluation of the results then form the core of your thesis.
References:
- [1] https://webauthn.io/
- [2] https://github.com/herrjemand/awesome-webauthn
- [3] https://twofactorauth.org/, search for tfa:hardware
- [4] https://chrome.google.com/webstore/detail/virtual-authenticators-ta/gafbpmlmeiikmhkhiapjlfjgdioafmja
Requirements:
- Skills in system administration, especially (but not limited to) Linux
- Knowledge of common web server environments (PHP, Ruby, Java, etc.)
- Experience with browser debugging tools and pentesting utilities (Burp Suite, OWASP ZAP, etc.)