CCS2024

Breaching Security Keys without Root: FIDO2 Deception Attacks via Overlays exploiting Limited Display Authenticators

Ahmed Tanvir Mahdad, Mohammed Jubur, Nitesh Saxena

Cited 3 times

Abstract

Two-factor authentication (2FA) systems aim to secure user accounts, provided that either the password or the second factor device remains uncompromised. However, in this research, we challenge this perception and analyze the security of FIDO2 hardware security keys, which are increasingly used in 2FA and passwordless systems. Specifically, we develop an attack framework, analyze the underlying protocols of FIDO2, and examine the associated OS-level security. Through practical demonstrations, we illustrate how adversaries can exploit this framework and OS-level security measures to execute our designed attack, known as FIDOLA (<u>FI</u>DO2 <u>D</u>eception Attack via <u>O</u>verlays exploiting <u>L</u>imited Display <u>A</u>uthenticators).