Usually, for all types of authentication, we trust the registration process and assume that no attack is happening, as in the case of FIDO2 registration. However, since the registration process is built within the browser and can be compromised by a Chrome extension, this is an unrealistic assumption. Google’s research shows that 1 out of 10 extensions that they publish is malicious and passes their filters. So, it’s pretty straightforward for them to compromise the registration process and gain the capability to access the user account for a longer duration from any machine.
The attacker is able to do this because the registration process is built within the browser.
I think if we move the FIDO2 registration process into the OS, we lessen the attack vector and browser-related attacks cannot compromise the registration process, which makes the assumption of trust during registration realistic. Is there any security or usability issue if we move the registration process to the OS? The website initiates a call to a standalone application which communicates with the web server and the FIDO2 authenticator directly in the background and returns the session key after a successful registration.
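To make the trust boundary in the question concrete, here is an added example (not part of the original post) of the checks a relying party performs on a WebAuthn registration response: the ceremony type, challenge and origin in `clientDataJSON`, and the `rpIdHash` and flags in `authenticatorData`. The sample response is constructed inline, the attestation statement and COSE public key are omitted (a real verifier also validates the attestation signature), and `example.com` is an assumed relying party. Every field the server checks here is assembled by the browser, which is exactly why these checks cannot tell a clean browser from a compromised one.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# Assumed relying party for the example (not from the original post).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_sample_registration(challenge: bytes, origin: str, rp_id: str,
                              user_present: bool = True, user_verified: bool = True) -> dict:
    """Construct what a browser hands back from navigator.credentials.create().

    Simplified for illustration: no attestation statement, and the COSE key is an
    empty CBOR map placeholder. The browser itself fills in clientDataJSON, which
    is the point of the question above.
    """
    client_data = {"type": "webauthn.create",
                   "challenge": b64url_encode(challenge),
                   "origin": origin}
    flags = 0x40  # AT: attested credential data present
    flags |= 0x01 if user_present else 0   # UP
    flags |= 0x04 if user_verified else 0  # UV
    cred_id = os.urandom(16)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
                 + bytes([flags])                          # flags, 1 byte
                 + struct.pack(">I", 0)                    # signCount, 4 bytes
                 + bytes(16)                               # AAGUID placeholder
                 + struct.pack(">H", len(cred_id))         # credentialIdLength
                 + cred_id
                 + b"\xa0")                                # COSE key placeholder
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def verify_registration(response: dict, expected_challenge: bytes, expected_origin: str,
                        rp_id: str, require_uv: bool = True) -> tuple:
    """Relying-party checks on a registration response. Returns (ok, detail)."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.create":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"

    auth_data = b64url_decode(response["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user not present"
    if require_uv and not flags & 0x04:
        return False, "user not verified"
    if not flags & 0x40:
        return False, "no attested credential data"
    # Skip AAGUID (16 bytes) to reach the credential id length at offset 53.
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        return False, "truncated credential id"
    return True, b64url_encode(cred_id)


if __name__ == "__main__":
    challenge = os.urandom(32)
    resp = build_sample_registration(challenge, EXPECTED_ORIGIN, RP_ID)
    print(verify_registration(resp, challenge, EXPECTED_ORIGIN, RP_ID))
```

The origin and challenge checks stop a response being replayed across sites or sessions, but they take the browser's word for what the origin was; moving the ceremony out of the browser, as the question proposes, changes who produces that field rather than how the server validates it.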