Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers

Gautam, Yadav, Smith et al.
Password managers provide significant security benefits to users. However, malicious client-side scripts and browser extensions can steal passwords after the manager has autofilled them into the web page. In this paper, we extend prior work by Stock and Johns, showing how password autofill can be hardened to prevent these local attacks. We implement our design in the Firefox browser and conduct experiments demonstrating that our defense successfully protects passwords from XSS attacks and malicious extensions. We also show that our implementation is compatible with 97% of the Alexa top 1000 websites. Next, we generalize our design, creating a second defense that prevents recently discovered local attacks against the FIDO2 protocols. We implement this second defense into Firefox, demonstrating that it protects the FIDO2 protocol against XSS attacks and malicious extensions. This defense is compatible with all websites, though it does require a small change (2-3 lines) to web servers implementing FIDO2.
Basic Information

  • Paper ID: 2509.02289
  • Title: Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers
  • Authors: Anuj Gautam (University of Tennessee), Tarun Yadav (Brigham Young University), Garrett Smith (Brigham Young University), Kent Seamons (Brigham Young University), Scott Ruoti (University of Tennessee)
  • Classification: cs.CR (Cryptography and Security)
  • Publication Venue: CCS '25 (ACM SIGSAC Conference on Computer and Communications Security)
  • Paper Link: https://arxiv.org/abs/2509.02289

Abstract

Password managers provide significant security advantages to users, but malicious client-side scripts and browser extensions can steal passwords after password managers autofill them into web pages. This paper extends prior work by Stock and Johns, demonstrating how to harden password autofill to prevent these local attacks. The authors implement their design in the Firefox browser and conduct experiments proving that the defense successfully protects passwords against XSS attacks and malicious extensions. The research also demonstrates that the implementation maintains compatibility with 97% of the top 1000 Alexa websites. Furthermore, the authors generalize their design to create a second defense mechanism preventing recently discovered local attacks against the FIDO2 protocol.

Research Background and Motivation

Core Problem

Password managers have a significant security weakness: a password is exposed to theft during the window between being autofilled into the web page and being transmitted to the website. The threats in that window include:

  1. Web Trackers: May inadvertently collect password information
  2. Injection Attacks (e.g., XSS): Malicious scripts can directly read passwords from the DOM
  3. Malicious Browser Extensions: Extensions with appropriate permissions can access web page content and network requests
  4. Compromised JavaScript Libraries: Malicious code injection resulting from supply chain attacks

Problem Significance

  • These attacks are relatively prevalent; research shows that at least 2-3% of popular websites contain web trackers that leak passwords
  • XSS attacks continue to be listed by OWASP as among the top 10 web application security risks
  • The malicious browser extension problem is growing increasingly severe; the Chrome Web Store hosts thousands of extensions whose permissions are sufficient to mount such attacks

Limitations of Existing Approaches

Stock and Johns proposed a nonce-based password protection protocol a decade ago, but this protocol is incompatible with modern browser designs. Even Firefox, where the protocol worked at the time, quickly removed the relevant functionality, preventing protocol adoption and hindering subsequent research development.

Core Contributions

  1. Implementation of a Practical Nonce-Based Password Replacement API: Modified modern browsers to support a working implementation of the Stock and Johns protocol
  2. Extended Threat Model: Identified and addressed malicious browser extension threats not considered in the original protocol
  3. FIDO2 Secure Channel: Generalized the design to the FIDO2 protocol, protecting against recently discovered local attacks
  4. Practical Deployment Verification: Implemented and evaluated in Firefox, demonstrating 97% compatibility with mainstream websites

Methodology Details

Task Definition

Design a secure browser channel enabling password managers to safely transmit passwords to websites without allowing DOM scripts or browser extensions to access the actual password content.

Password Protection Architecture Design

Core API Design

Extended the existing WebRequest API by adding a new onRequestCredentials phase:

onRequestCredentials → onBeforeRequest → onBeforeSendHeaders → onSendHeaders → ...

Workflow

  1. Nonce Injection: Password manager fills the web page with a random password nonce rather than the actual password
  2. Callback Registration: Simultaneously registers an onRequestCredentials callback handler
  3. Security Verification: Upon page submission, performs the following security checks:
    • Verifies the web page is not displayed in an iframe
    • Validates that the submission travels over a secure HTTPS connection
    • Confirms the submission's destination origin matches the origin of the password manager entry
    • Verifies the nonce does not appear in GET parameters
    • Checks that the nonce sits in a valid form field
  4. Secure Replacement: If verification passes, the browser replaces the nonce with the actual password in the FormSubmission object

Design for Protecting Against Malicious Extensions

To address malicious extension threats, two key modifications were made:

  1. Move onRequestCredentials to occur after all phases where extensions can access requestBody
  2. Display the pre-replacement requestBody to extensions at this phase, concealing the actual password

FIDO2 Secure Channel Design

Threat Model

The FIDO2 protocol faces two classes of local attacks:

  1. DOM Value Modification: Rewriting webAuthn API calls through malicious JavaScript
  2. Request-Response Interception: Intercepting HTTP requests and responses through extensions

Protection Mechanisms

  1. Request Handling: Server places the actual FIDO2 payload in the webauthn_request header, with the page response containing a dummy value
  2. Header Interception: Browser removes sensitive headers before extensions can access them
  3. API Replacement: Replaces dummy values with actual values within the webAuthn API
  4. Response Protection: API return values are replaced with dummy values, with actual values stored securely
  5. Final Transmission: When sending requests to the designated endpoint, dummy values are replaced with the actual FIDO2 response

Experimental Setup

Test Environment

  • Browser: Mozilla Firefox 107.0 (password protection) and 104.0a1 (FIDO2 protection)
  • Password Manager: Modified Bitwarden
  • Test Websites: 573 websites with login pages from the top 1000 Alexa websites

Evaluation Metrics

  1. Compatibility: Percentage of websites functioning normally
  2. Security: Effectiveness of protection against DOM and extension attacks
  3. Performance Overhead: Increase in request processing time

Comparison Methods

  • Unmodified Firefox browser as baseline
  • Proxy server recording all outbound network requests for comparison

Experimental Results

Main Results

Password Protection Compatibility

  • 97% Compatibility: 554/573 websites fully compatible
  • 2% Partial Compatibility: 11/573 websites fail due to client-side password hash computation in DOM
  • 1% Incompatibility: 8/573 websites modify password format before submission

Security Verification

  • Successfully protected against all tested DOM attacks (XSS, malicious JavaScript injection)
  • Effectively blocked malicious extensions from stealing passwords via webRequest API
  • Identified and protected against reflection attack threats

Performance Overhead

  • Average request time when replacement needed: 4.5222 seconds
  • Replacement operation duration: 0.443 seconds (10.6% of total time)
  • No measurable performance impact when replacement not needed

FIDO2 Protection Results

  • 100% Website Compatibility (requiring 2-3 lines of server-side code modification)
  • Successfully protected against all tested DOM and extension attacks
  • Achieved complete session accountability

Password Manager Security Research

Existing research primarily focuses on overall password manager security, including:

  • Security analysis of password generation, storage, and filling
  • Vulnerability identification in autofill processes
  • Security issues with password managers on mobile devices

Browser Security Mechanisms

Related browser security research includes:

  • Same-origin policy and content security policy
  • Browser extension permission models
  • WebAuthn and FIDO2 protocol security

Positioning of This Work

This paper provides the first working implementation of the Stock and Johns protocol, filling a decade-long research gap in this area, and extends protection to the FIDO2 protocol.

Conclusions and Discussion

Main Conclusions

  1. Practicality Demonstrated: Successfully implemented a secure password transmission channel in modern browsers
  2. Broad Compatibility: Compatible with the vast majority of mainstream websites, with high feasibility for practical deployment
  3. Enhanced Security: Effectively protects against multiple local attack threats
  4. Extensibility: Design generalizable to other browser-server interaction security protections

Limitations

  1. 3% Website Incompatibility: Primarily due to client-side password processing
  2. Performance Overhead: Replacement operations incur certain time costs
  3. Browser Modification Requirements: Requires adoption of API modifications by browser vendors
  4. FIDO2 Server Modifications: Although minimal, still requires server-side cooperation

Future Directions

  1. Improved Compatibility: Automatically identify and handle relevant JavaScript through program analysis
  2. Extension to Manual Input: Protect user-manually-entered passwords
  3. Attack Detection: Leverage nonce mechanisms to detect and report attacks
  4. Protection of Other APIs: Extend design to other browser APIs such as clipboard and file system

In-Depth Evaluation

Strengths

  1. High Practical Value: Addresses a real security problem affecting tens of millions of password manager users
  2. Complete Engineering Implementation: Provides a complete Firefox implementation and detailed porting guidelines
  3. Comprehensive Evaluation: Includes security, compatibility, and performance assessments
  4. Theoretical Generalization: Successfully generalizes the concept to the FIDO2 protocol
  5. Industry Feedback: Received positive feedback from browser vendors and password manager teams

Weaknesses

  1. Deployment Challenges: Requires cooperation from browser vendors, with uncertain promotion prospects
  2. Compatibility Issues: 3% of websites still have compatibility problems
  3. Threat Model Limitations: Does not protect against operating system-level attacks or TLS man-in-the-middle attacks
  4. User Confusion Risk: Users may be confused by the displayed random password nonce

Impact

  1. Academic Contribution: Reactivates a research direction stalled a decade ago
  2. Practical Value: Provides immediate security improvements for tens of millions of users
  3. Standardization Potential: Likely to drive widespread adoption through W3C standardization
  4. Research Inspiration: Provides a design paradigm for security protection of other browser APIs

Applicable Scenarios

  1. Enterprise Environments: High-security requirement enterprise deployments
  2. High-Value Accounts: Authentication for important services such as banks and government agencies
  3. Security-Conscious Users: User groups with higher privacy and security requirements
  4. Research Prototypes: Provides a foundational platform for further browser security research

References

This paper cites 47 related references, primarily including:

  • The original nonce replacement protocol paper by Stock and Johns
  • Related research on password manager security analysis
  • Empirical research on browser extension security threats
  • FIDO2 protocol security analysis literature
  • Current research on web trackers and XSS attacks

Overall Assessment: This is a systems security paper with significant practical value that successfully transforms theoretical design into a working prototype system and validates its effectiveness through comprehensive experiments. The paper not only addresses important real-world security problems but also opens new directions for future research. Despite challenges in deployment and compatibility, its technical contributions and practical value make it an important advance in browser security.