{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:15:19Z","timestamp":1763968519652,"version":"3.40.3"},"publisher-location":"Cham","reference-count":39,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031254666"},{"type":"electronic","value":"9783031254673"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-25467-3_5","type":"book-chapter","created":{"date-parts":[[2023,1,30]],"date-time":"2023-01-30T06:05:12Z","timestamp":1675058712000},"page":"70-87","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Protecting FIDO Extensions Against Man-in-the-Middle Attacks"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0138-366X","authenticated-orcid":false,"given":"Andre","family":"B\u00fcttner","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7360-8314","authenticated-orcid":false,"given":"Nils","family":"Gruschka","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,1,31]]},"reference":[{"key":"5_CR1","doi-asserted-by":"publisher","first-page":"3012","DOI":"10.1109\/TDSC.2020.3030213","volume":"18","author":"S Akter","year":"2020","unstructured":"Akter, S., Chellappan, S., Chakraborty, T., Khan, T.A., Rahman, A., Al Islam, A.A.: Man-in-the-middle attack on contactless payment over NFC communications: design implementation, experiments and detection. IEEE Trans. Depend. Secur. Comput. 18, 3012\u20133023 (2020)","journal-title":"IEEE Trans. Depend. Secur. Comput."},{"key":"5_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"441","DOI":"10.1007\/978-3-662-54970-4_26","volume-title":"Financial Cryptography and Data Security","author":"S Arshad","year":"2017","unstructured":"Arshad, S., Kharraz, A., Robertson, W.: Include me out: in-browser detection of malicious third-party content inclusions. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 441\u2013459. Springer, Heidelberg (2017). https:\/\/doi.org\/10.1007\/978-3-662-54970-4_26"},{"key":"5_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1007\/978-3-030-84252-9_5","volume-title":"Advances in Cryptology \u2013 CRYPTO 2021","author":"M Barbosa","year":"2021","unstructured":"Barbosa, M., Boldyreva, A., Chen, S., Warinschi, B.: Provable security analysis of FIDO2. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 125\u2013156. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-84252-9_5"},{"key":"5_CR4","doi-asserted-by":"crossref","unstructured":"Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the android user interface. In: 2015 IEEE Symposium on Security and Privacy, pp. 931\u2013948. IEEE (2015)","DOI":"10.1109\/SP.2015.62"},{"key":"5_CR5","doi-asserted-by":"crossref","unstructured":"Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends\u00ae Priv. Secur. 1(1\u20132), 1\u2013135 (2016)","DOI":"10.1561\/3300000004"},{"key":"5_CR6","doi-asserted-by":"publisher","unstructured":"Bormann, C., Hoffman, P.E.: Concise Binary Object Representation (CBOR). RFC 8949, December 2020. https:\/\/doi.org\/10.17487\/RFC8949, https:\/\/rfc-editor.org\/rfc\/rfc8949.txt","DOI":"10.17487\/RFC8949"},{"key":"5_CR7","unstructured":"Bui, T., Rao, S.P., Antikainen, M., Bojan, V.M., Aura, T.: Man-in-the-machine: exploiting ill-secured communication inside the computer. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1511\u20131525 (2018)"},{"key":"5_CR8","unstructured":"B\u00fcttner, A., Gruschka, N.: Enhancing FIDO Transaction Confirmation with Structured Data Formats. In: Norsk IKT-konferanse for forskning og utdanning. No. 3 (2021)"},{"key":"5_CR9","series-title":"IFIP Advances in Information and Communication Technology","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1007\/978-3-030-78120-0_22","volume-title":"ICT Systems Security and Privacy Protection","author":"A B\u00fcttner","year":"2021","unstructured":"B\u00fcttner, A., Nguyen, H.V., Gruschka, N., Lo Iacono, L.: Less is often more: header whitelisting as semantic gap mitigation in HTTP-based software systems. In: J\u00f8sang, A., Futcher, L., Hagen, J. (eds.) SEC 2021. IAICT, vol. 625, pp. 332\u2013347. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-78120-0_22"},{"issue":"1","key":"5_CR10","doi-asserted-by":"publisher","first-page":"29","DOI":"10.4018\/jaci.2012010103","volume":"4","author":"T Dougan","year":"2012","unstructured":"Dougan, T., Curran, K.: Man in the browser attacks. Int. J. Amb. Comput. Intell. (IJACI) 4(1), 29\u201339 (2012)","journal-title":"Int. J. Amb. Comput. Intell. (IJACI)"},{"key":"5_CR11","doi-asserted-by":"crossref","unstructured":"Feng, H., Li, H., Pan, X., Zhao, Z.: A formal analysis of the FIDO UAF protocol. In: Proceedings of 28th Network And Distributed System Security Symposium (NDSS) (2021)","DOI":"10.14722\/ndss.2021.24363"},{"key":"5_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/978-3-662-54970-4_3","volume-title":"Financial Cryptography and Data Security","author":"E Fernandes","year":"2017","unstructured":"Fernandes, E., et al.: Android UI deception revisited: attacks and defenses. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 41\u201359. Springer, Heidelberg (2017). https:\/\/doi.org\/10.1007\/978-3-662-54970-4_3"},{"key":"5_CR13","unstructured":"FIDO Alliance: FIDO Transaction Confirmation White Paper. Technical report, August 2020. https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2020\/08\/FIDO-Alliance-Transaction-Confirmation-White-Paper-08-18-DM.pdf"},{"key":"5_CR14","unstructured":"FIDO Alliance: Fido alliance metadata service (2021). https:\/\/fidoalliance.org\/metadata\/"},{"key":"5_CR15","unstructured":"FIDO Alliance: Fido alliance specifications overview (2021). https:\/\/fidoalliance.org\/specifications\/"},{"key":"5_CR16","unstructured":"FIDO Alliance: History of fido alliance (2021). https:\/\/fidoalliance.org\/overview\/history\/"},{"key":"5_CR17","doi-asserted-by":"crossref","unstructured":"Frymann, N., Gardham, D., Kiefer, F., Lundberg, E., Manulis, M., Nilsson, D.: Asynchronous remote key generation: an analysis of Yubico\u2019s proposal for W3C WebAuthn. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 939\u2013954 (2020)","DOI":"10.1145\/3372297.3417292"},{"key":"5_CR18","unstructured":"Gil, O.: Web cache deception attack. Black Hat USA 2017 (2017)"},{"key":"5_CR19","unstructured":"Google: Fido2 API for android (2020). https:\/\/developers.google.com\/identity\/fido\/android\/native-apps"},{"key":"5_CR20","unstructured":"Group, W.W.A.W.: Web authentication (webauthn) (2020). https:\/\/www.iana.org\/assignments\/webauthn\/webauthn.xhtml"},{"key":"5_CR21","unstructured":"Jakkal, V.: The passwordless future is here for your microsoft account (2021). https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/15\/the-passwordless-future-is-here-for-your-microsoft-account\/"},{"key":"5_CR22","unstructured":"Kumar, A., Jones, J., Hodges, J., Jones, M., Lundberg, E.: Web authentication: an API for accessing public key credentials - level 2. In: W3C recommendation, W3C, April 2021. https:\/\/www.w3.org\/TR\/2021\/REC-webauthn-2-20210408\/"},{"key":"5_CR23","first-page":"59","volume-title":"Open Identity Summit 2021","author":"J Kunke","year":"2021","unstructured":"Kunke, J., Wiefling, S., Ullmann, M., Lo Iacono, L.: Evaluation of account recovery strategies with fido2-based passwordless authentication. In: Ro\u00dfnagel, H., Schunck, C.H., M\u00f6dersheim, S. (eds.) Open Identity Summit 2021, pp. 59\u201370. Gesellschaft f\u00fcr Informatik e.V, Bonn (2021)"},{"key":"5_CR24","series-title":"Communications in Computer and Information Science","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/978-3-030-65965-3_10","volume-title":"ECML PKDD 2020 Workshops","author":"A Lahmadi","year":"2020","unstructured":"Lahmadi, A., Duque, A., Heraief, N., Francq, J.: MitM attack detection in BLE networks using reconstruction and classification machine learning techniques. In: Koprinska, I., et al. (eds.) ECML PKDD 2020. CCIS, vol. 1323, pp. 149\u2013164. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-65965-3_10"},{"issue":"2","key":"5_CR25","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1016\/S0167-4048(98)80005-8","volume":"3","author":"P Landrock","year":"1998","unstructured":"Landrock, P., Pedersen, T.: WYSIWYS?-What you see is what you sign? Inf. Secur. Techn. Rep. 3(2), 55\u201361 (1998)","journal-title":"Inf. Secur. Techn. Rep."},{"key":"5_CR26","unstructured":"Linhart, C., Klein, A., Heled, R., Steve, O.: HTTP Request Smuggling (2005). https:\/\/www.cgisecurity.com\/lib\/HTTP-Request-Smuggling.pdf"},{"key":"5_CR27","unstructured":"McGruer, S., Solomakhin, R.: Secure Payment Confirmation. In: W3C working draft, W3C, August 2021. https:\/\/www.w3.org\/TR\/2021\/WD-secure-payment-confirmation-20210831\/"},{"key":"5_CR28","unstructured":"Owens, K., Anise, O., Krauss, A., Ur, B.: user perceptions of the usability and security of smartphones as FIDO2 roaming authenticators. In: Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021), pp. 57\u201376 (2021)"},{"key":"5_CR29","unstructured":"Pfeffer, K., et al.: On the usability of authenticity checks for hardware security tokens. In: 30th USENIX Security Symposium (USENIX Security 2021) (2021)"},{"key":"5_CR30","unstructured":"Porter, J.: Safari to support password-less logins via face id and touch id later this year (2020). https:\/\/www.theverge.com\/2020\/6\/24\/21301509\/apple-safari-14-browser-face-touch-id-logins-webauthn-fido2"},{"key":"5_CR31","unstructured":"Raspberry Pi Ltd: Raspberry Pi Documentation - Raspberry Pi Pico (2022). https:\/\/www.raspberrypi.com\/documentation\/microcontrollers\/raspberry-pi-pico.html"},{"key":"5_CR32","doi-asserted-by":"publisher","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https:\/\/doi.org\/10.17487\/RFC8446, https:\/\/rfc-editor.org\/rfc\/rfc8446.txt","DOI":"10.17487\/RFC8446"},{"key":"5_CR33","doi-asserted-by":"publisher","unstructured":"Schaad, J.: CBOR Object Signing and Encryption (COSE). RFC 8152, July 2017. https:\/\/doi.org\/10.17487\/RFC8152, https:\/\/rfc-editor.org\/rfc\/rfc8152.txt","DOI":"10.17487\/RFC8152"},{"key":"5_CR34","unstructured":"Selander, G., Mattsson, J.P., Palombini, F.: Ephemeral Diffie-Hellman Over COSE (EDHOC). Internet-Draft draft-ietf-lake-edhoc-12, Internet Engineering Task Force, October 2021. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ietf-lake-edhoc-12. (work in Progress)"},{"issue":"1","key":"5_CR35","doi-asserted-by":"publisher","first-page":"55","DOI":"10.1007\/s00779-017-1081-6","volume":"22","author":"DZ Sun","year":"2018","unstructured":"Sun, D.Z., Mu, Y., Susilo, W.: Man-in-the-middle attacks on secure simple pairing in Bluetooth standard V5. 0 and its countermeasure. Pers. Ubiquit. Comput. 22(1), 55\u201367 (2018)","journal-title":"Pers. Ubiquit. Comput."},{"key":"5_CR36","unstructured":"Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving ssh-style host authentication with multi-path probing. In: USENIX Annual Technical Conference, vol. 8, pp. 321\u2013334 (2008)"},{"key":"5_CR37","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1016\/j.future.2021.06.034","volume":"125","author":"P Xu","year":"2021","unstructured":"Xu, P., Sun, R., Wang, W., Chen, T., Zheng, Y., Jin, H.: SDD: a trusted display of FIDO2 transaction confirmation without trusted execution environment. Future Gener. Comput. Syst. 125, 32\u201340 (2021)","journal-title":"Future Gener. Comput. Syst."},{"key":"5_CR38","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Wang, X., Zhao, Z., Li, H.: Secure display for FIDO transaction confirmation. In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, pp. 155\u2013157 (2018)","DOI":"10.1145\/3176258.3176946"},{"key":"5_CR39","doi-asserted-by":"crossref","unstructured":"Zhang, Z., Diao, W., Hu, C., Guo, S., Zuo, C., Li, L.: An empirical study of potentially malicious third-party libraries in Android apps. In: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 144\u2013154 (2020)","DOI":"10.1145\/3395351.3399346"}],"container-title":["Lecture Notes in Computer Science","Emerging Technologies for Authorization and Authentication"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-25467-3_5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,30]],"date-time":"2023-01-30T06:06:08Z","timestamp":1675058768000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-25467-3_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031254666","9783031254673"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-25467-3_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"31 January 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ETAA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Emerging Technologies for Authorization and Authentication","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Copenhagen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denmark","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 September 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 September 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"etaa2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/hosting.services.iit.cnr.it\/etaa2022\/index.html","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Easychair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"10","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"80% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}