@TechBrandon @SeanWrightSec That should be much harder - the FIDO challenge is (or should be) tied to the session. You'd need the mark to go to login, FIDO & then do something which allows you to hijack their session. MITM might work if you can also poison DNS (need the same name), get a valid cert
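
What "tied to the session" and "need the same name" look like on the relying-party side, as an added sketch that is not part of the original post: the server accepts an assertion only for the challenge it issued to that session, and only when the browser-reported origin and the RP ID hash match its own. `RP_ID`, `ORIGIN`, the session dicts and `sample_response` are constructed assumptions, and signature verification is left out.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "login.example.test"           # constructed relying-party ID (assumption)
ORIGIN = "https://login.example.test"  # constructed expected origin (assumption)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_challenge(session: dict) -> str:
    """Bind a fresh random challenge to this one server-side session."""
    session["webauthn_challenge"] = b64url(secrets.token_bytes(32))
    return session["webauthn_challenge"]

def check_assertion(session: dict, client_data_json: bytes, auth_data: bytes) -> str:
    """Return 'ok' or the rejection reason (signature check omitted here)."""
    expected = session.pop("webauthn_challenge", None)  # single use, even on failure
    if expected is None:
        return "no challenge pending for this session"
    cd = json.loads(client_data_json)
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return "wrong type"
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), expected.encode()):
        return "challenge not issued to this session"
    if cd.get("origin") != ORIGIN:  # the browser writes the origin it actually loaded
        return "origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    return "ok"

def sample_response(challenge: str, origin: str, rp_id: str):
    """Constructed stand-in for what a browser and authenticator would return."""
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)  # hash, flags, counter
    return cd.encode(), auth_data

def demo() -> list:
    session_a, session_b, results = {}, {}, []
    c = issue_challenge(session_a)
    results.append(check_assertion(session_a, *sample_response(c, ORIGIN, RP_ID)))
    results.append(check_assertion(session_a, *sample_response(c, ORIGIN, RP_ID)))  # reuse
    c = issue_challenge(session_a)
    issue_challenge(session_b)
    results.append(check_assertion(session_b, *sample_response(c, ORIGIN, RP_ID)))  # other session
    c = issue_challenge(session_a)
    other = "login.example.invalid"  # constructed different host name
    results.append(check_assertion(session_a, *sample_response(c, "https://" + other, other)))
    return results

if __name__ == "__main__":
    print(demo())
```
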