🤖 AI Summary
Web browsers' password managers and FIDO2 authentication are vulnerable to local attacks, including malicious client-side scripts (XSS) and browser extensions, that can steal autofilled passwords or FIDO2 authentication data. Method: This paper designs and implements lightweight, broadly compatible defenses for both. It introduces a dual-path defense mechanism: (1) a password autofill protection scheme, extending prior work by Stock and Johns, that leverages DOM isolation and runtime safeguards so that scripts and extensions cannot read passwords after the manager has autofilled them; implemented in Firefox, it is compatible with 97% of the Alexa Top 1000 sites; and (2) the first FIDO2-specific local attack mitigation, also implemented in Firefox, which enforces client-side channel isolation to prevent credential theft via XSS and malicious extensions; it is compatible with all websites but requires a small change (2-3 lines of code) to web servers implementing FIDO2. Contribution/Results: Both techniques balance practicality and security, requiring minimal deployment effort and no user intervention. They significantly strengthen client-side protections for Web authentication without compromising usability or interoperability.
📝 Abstract
Password managers provide significant security benefits to users. However, malicious client-side scripts and browser extensions can steal passwords after the manager has autofilled them into the web page. In this paper, we extend prior work by Stock and Johns, showing how password autofill can be hardened to prevent these local attacks. We implement our design in the Firefox browser and conduct experiments demonstrating that our defense successfully protects passwords from XSS attacks and malicious extensions. We also show that our implementation is compatible with 97% of the Alexa top 1000 websites. Next, we generalize our design, creating a second defense that prevents recently discovered local attacks against the FIDO2 protocols. We implement this second defense in Firefox, demonstrating that it protects the FIDO2 protocol against XSS attacks and malicious extensions. This defense is compatible with all websites, though it does require a small change (2-3 lines) to web servers implementing FIDO2.