Marco and I talked with Stephen Sims from Off By One Security about CTRAPS: CTAP Impersonation and API Confusion on FIDO2.
Thank you Stephen and Randall for inviting us, and keep up the awesome content on your YouTube channel!
This week we presented at IEEE Euro S&P'25 CTRAPS: CTAP Impersonation and API Confusion on FIDO2, a paper about the security and privacy of FIDO2, a widespread standard used for single-factor and multi-factor authentication. We focus on the Client to Authenticator Protocol (CTAP), an application-layer protocol spoken between a FIDO2 authenticator (e.g., a YubiKey) and a client (e.g., a smartphone or a laptop). We uncover seven CTAP design issues in the FIDO2 standard, including the lack of client-to-authenticator authentication, and eleven related new attacks that we call CTRAPS.