title = {{Grunds{\"a}tzliche Funktionsweise biometrischer Verfahren}},
author = {{BSI}},
year = {2025},
journal = {Bundesamt f{\"u}r Sicherheit in der Informationstechnik},
urldate = {2025-07-23},
abstract = {Einleitung: Ziel einer biometrischen Erkennung ist stets, die Identit{\"a}t einer Person zu ermitteln (Identifikation) oder die behauptete Identit{\"a}t zu best{\"a}tigen oder zu widerlegen (Verifikation).},
title = {Defeating {{FIDO2}}/{{CTAP2}}/{{WebAuthn}} Using Browser in the Middle and Reflected Cross Site Scripting},
author = {Catalano, Christian and Chezzi, Andrea and Barletta, Vita Santa and Tommasi, Franco},
year = {2025},
journal = {Journal of Computer Virology and Hacking Techniques},
volume = {21},
number = {1},
publisher = {{Springer Science and Business Media LLC}},
issn = {2263-8733},
doi = {10.1007/s11416-025-00556-2},
urldate = {2025-07-14},
abstract = {In our modern digital landscape, web browsers play a crucial role as gateways to large amounts of information and services. However, recent developments have demonstrated that the very features that make browsing convenient and seamless can be exploited by malicious actors through a potent threat vector known as the ``Browser-in-the-Middle'' (BitM) attack. Most of the Multi-Factor Authentication (MFA) security measures are shown to be ineffective to prevent BitM attacks. However, the FIDO2 Project that includes CTAP2 protocol that works together with the Web Authentication API (WebAuthn API) has been proven to be a virtually unattackable MFA method by current state-of-the-art BitM implementations. At least until now. This work expands the range of applicable scenarios where BitM attack can be used by taking its technical architecture a step further: we show how the effectiveness of BitM---used along a Reflected XSS vulnerability exploitation---can be improved resulting in the novel BitM + attack that proves to be capable of defeating any available MFA method including FIDO2/WebAuthn solutions that rely on hardware dongles and represent the only method of authentication that went undefeated by virtually any phishing attack approach to date.},
file = {C:\Users\Dominik\Zotero\storage\PGFNMK29\Catalano et al. - 2025 - Defeating FIDO2CTAP2WebAuthn using browser in the middle and reflected cross site scripting.pdf}
}
@misc{deinhard2025,
title = {{Welche modernen Authentifizierungsm{\"o}glichkeiten gibt es?}},
author = {Deinhard, Florian},
year = {2025},
journal = {IT-Schulungen.com},
urldate = {2025-07-12},
abstract = {Moderne Authentifizierungsmethoden spielen eine zentrale Rolle in der Absicherung von IT-Infrastrukturen und Benutzerzugriffen. Durch die Entwicklung fortschrittlicher Techniken wie Multi-Faktor-Authentifizierung (MFA), biometrische Verfahren und},
title = {{CTAP: Protokoll f{\"u}r mehr Sicherheit \& Komfort im Web}},
shorttitle = {{CTAP}},
author = {{IONOS}},
year = {2021},
journal = {IONOS Digital Guide},
urldate = {2025-07-15},
abstract = {Mit FIDO2, WebAuthn und CTAP k{\"o}nnten Passw{\"o}rter bald der Vergangenheit angeh{\"o}ren. Neue Standards setzen stattdessen auf Hardware-Tokens und biometrische Daten.},
file = {C:\Users\Dominik\Zotero\storage\97CIRM6Z\Kebschull - 2023 - Computer Hacking Eine Einführung zur Verbesserung der Computersicherheit in komplexen IT-Infrastruk.pdf}
abstract = {Die Anmeldung in IT-Systemen erfolgt in 3 Phasen: Dateneingabe, Kontrolle und Freigabe. Alles {\"u}ber Authentisierung vs Authentifizierung {$\rightarrow$}},
title = {Multi-{{Factor Authentication}}: {{A Survey}}},
shorttitle = {Multi-{{Factor Authentication}}},
author = {Ometov, Aleksandr and Bezzateev, Sergey and M{\"a}kitalo, Niko and Andreev, Sergey and Mikkonen, Tommi and Koucheryavy, Yevgeni},
year = {2018},
month = jan,
journal = {Cryptography},
volume = {2},
number = {1},
pages = {1},
issn = {2410-387X},
doi = {10.3390/cryptography2010001},
urldate = {2025-05-29},
abstract = {Today, digitalization decisively penetrates all the sides of the modern society. One of the key enablers to maintain this process secure is authentication. It covers many different areas of a hyper-connected world, including online payments, communications, access right management, etc. This work sheds light on the evolution of authentication systems towards Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). Particularly, MFA is expected to be utilized for human-to-everything interactions by enabling fast, user-friendly, and reliable authentication when accessing a service. This paper surveys the already available and emerging sensors (factor providers) that allow for authenticating a user with the system directly or by involving the cloud. The corresponding challenges from the user as well as the service provider perspective are also reviewed. The MFA system based on reversed Lagrange polynomial within Shamir's Secret Sharing (SSS) scheme is further proposed to enable more flexible authentication. This solution covers the cases of authenticating the user even if some of the factors are mismatched or absent. Our framework allows for qualifying the missing factors by authenticating the user without disclosing sensitive biometric data to the verification entity. Finally, a vision of the future trends in MFA is discussed.},
file = {C:\Users\Dominik\Zotero\storage\JHXGLIBP\Pufahl et al. - 2024 - Cybersecurity für Manager Cybergefahren wirksam begegnen – das Kompetenzmodell für die Praxis.pdf}
title = {{Passwortlose Authentifizierung {\"u}ber FIDO2}},
author = {Schwabe, Caroline},
year = {2021},
journal = {Robin Data GmbH},
urldate = {2025-07-14},
abstract = {Passwortlose Authentifizierung {\"u}ber FIDO2, Webauthn \& CTAP. Warum das Passwort veraltet ist und welche Sicherheits-Standards g{\"a}ngig sind!},
title = {{Moderne Authentifizierung: {\"U}bersicht und Anwendungsf{\"a}lle}},
shorttitle = {{Moderne Authentifizierung}},
author = {Vigo, Jesus},
year = {2024},
urldate = {2025-07-13},
abstract = {Erfahren Sie, was moderne Authentifizierung ist und wie man sie implementiert. Erfahren Sie, wie Sie mit MFA, SSO, OAuth, OpenID Connect und mehr die Sicherheit Ihrer Organisation erh{\"o}hen k{\"o}nnen.},