Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers
Anuj Gautam, Tarun Yadav, Garrett Smith, Kent Seamons, Scott Ruoti
TL;DR
Password managers protect users, but once a password has been autofilled into a page, malicious scripts (XSS) and browser extensions can read it straight out of the DOM. Building on Stock and Johns, the authors harden autofill with a nonce-based replacement channel inside the browser: the manager fills a nonce rather than the secret, and the browser swaps in the real password only when the form is actually submitted, so page scripts and extensions never see it. They implement this in Firefox with Bitwarden, show that it defeats XSS and malicious-extension attacks, and measure compatibility with 97% of the Alexa Top 1000 sites. They then generalize the design into a second Firefox defense against recently discovered local attacks on FIDO2/WebAuthn; it works with all websites and needs only a 2-3 line change on servers that implement FIDO2.
Abstract
Password managers provide significant security benefits to users. However, malicious client-side scripts and browser extensions can steal passwords after the manager has autofilled them into the web page. In this paper, we extend prior work by Stock and Johns, showing how password autofill can be hardened to prevent these local attacks. We implement our design in the Firefox browser and conduct experiments demonstrating that our defense successfully protects passwords from XSS attacks and malicious extensions. We also show that our implementation is compatible with 97% of the Alexa top 1000 websites. Next, we generalize our design, creating a second defense that prevents recently discovered local attacks against the FIDO2 protocols. We implement this second defense in Firefox, demonstrating that it protects the FIDO2 protocol against XSS attacks and malicious extensions. This defense is compatible with all websites, though it does require a small change (2-3 lines) to web servers implementing FIDO2.
