How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy. (arXiv:2205.08071v1 [cs.CR])

This paper presents a timing attack on the FIDO2 (Fast IDentity Online)
authentication protocol that allows attackers to link user accounts stored in
vulnerable authenticators, a serious privacy concern. FIDO2 is a new standard
specified by the FIDO industry alliance for secure token online authentication.
It complements the W3C WebAuthn specification by providing means to use a USB
token or other authenticator as a second factor during the authentication
process. From a cryptographic perspective, the protocol is a simple
challenge-response …

attacks authenticator fido keys privacy