Are hardware security keys (e.g. ones supporting FIDO2) “able to protect authentication” even in case of compromised devices?

Correct me if I am wrong, please.

I understand that 2FA (MFA) increases account security in case an attacker obtains a password, which might be possible in various ways, e.g. phishing, database breach, brute-force, etc.

However, if the 2FA device is compromised (full system control), which can also be the very same device, then 2FA is broken. It’s not as likely as opposed to only using a password, but conceptually this is true.

Do hardware security keys protect against compromised devices? I read that the private key cannot be extracted from those devices. I think about protecting my ssh logins with a FIDO2 key. Taking ssh as an example, I would imagine that on a compromised device the ssh handshake and key exchange can be intercepted and the FIDO2 key can be used for malicious things.

Additionally: FIDO2 protects against phishing by storing the website it is set up to authenticate with. Do FIDO2 and OpenSSH also additionally implement host key verification, or doesn’t it matter because FIDO2 with OpenSSH is already asymmetric encryption and thus not vulnerable to MitM attacks?

How do I prevent hackers that use developer apps to manipulate devices?

I received a screenshot from someone that was intentionally setting me up to be hacked. The picture had some kind of hidden code that left my device vulnerable. Shortly after, my device was completely taken over by hackers using code and developer apps. I tapped on the build number on my phone 8 times to access developer options. When I did, I got a pop-up saying I am already a developer. This has now been going on a long time and I have been able to narrow things down. I need assistance with cleaning out the device. If I restore the device, it restores from an existing backup and makes it worse. Thank you.

Can FIDO be implemented for a Use Case which Allows the Use of Shared Devices?

I am a part of an organization that is developing a website that requires user authentication, and we are strongly considering FIDO compliance.

However, our use case requires users to be able to log in from shared computers (i.e. father and son may share the same computer). And we cannot expect our users to carry around a FIDO authentication token (U2F key) as well.

In such a scenario, is it safe to use on-device biometric sensors (i.e. cameras, fingerprint scanner) on a shared device to authenticate multiple users?

Will dm-verity protect against firmware malware on storage devices like HDD or SSD?

Malware on the firmware level can potentially mess with data on the storage device. There is no point in doing that for encrypted data except maybe corruption. But what about a smartphone or other device with dm-verity where the system partition is not encrypted? Could this kind of malware break dm-verity?

Getting the hostname of devices in the local LAN

I’m trying to get the hostnames of devices on my LAN.

This network is not a Windows network.

Up until now I was able to sniff DHCP requests and extract the hostname from there, but it looks like Android devices starting from Android 10 stopped filling out that particular field.

(I’ve also tried sending a NetBIOS query.)

Is there another way to coerce devices to tell me their hostnames?

What Trusted Execution Environment (TEE) solutions exist for mobile devices?

A trusted execution environment (TEE) provides a way for one to deploy tamper-proof programs on a device. The most prominent example of TEEs seems to be Intel SGX for PCs.

What I wonder is whether there exists an equivalent solution for mobile devices. For example, I want to deploy an arbitrary application on a smartphone that even a malicious OS can’t tamper with. Is there such a solution at the moment?

Firewall for my devices (iPad, iPhone, Surface) on a shared home WiFi network?

I am renting a room and using a shared home WiFi network. The owner has set up a Netgear WiFi range extender for me. I have another roommate on the same network along with the owners. I use NordVPN. For a few months I have been getting weird emails… someone opens accounts (like Snapchat, SoundCloud, Pinterest etc.) in my name constantly. I close one account and two more get opened. I accessed those accounts and they had photos and stuff, so someone had been using them. I noticed that the date of birth in one account was a date of significance to me (not my DOB) and the year in the username was a significant year related to that date. So it is confirmed that I’m hacked. On top of that, yesterday I accessed my new website hosting service and made some changes to start a website; today this person opened an account for hiring employees. I believe someone can access (hack into) my devices through home WiFi. Is there a way to monitor who is accessing and stop it in real time, like a firewall? I use an iPad and a Surface Pro. Any advice to secure my devices?