I gave a talk about phishing at a few different conferences last year, and people occasionally ask me for the whitepaper and/or recording. They’re not very discoverable at the moment, so I figure I’ll link them here, and then I’ll have a better answer than “search my browser history”.
The most important takeaways from the talk are that we are all vulnerable to phishing, and that phishing training usually doesn’t help, but that with a small amount of inconvenience you can prevent yourself from being phished.
If you’re interested in learning more, there’s a YouTube recording of the talk, or a whitepaper, or slides.
There’s also been some interesting research done since my talk by Markus Vervier and Michele Orrù. This research focuses on how to bypass U2F browser protections and make your own FIDO requests to a security key from an untrusted domain. This isn’t due to a flaw in the FIDO protocol itself, but rather is an unexpected side effect of the new WebUSB API, and shows the constant tension between features and security.
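The reason a security key resists phishing at all is origin binding: the browser writes the page’s origin and the server’s challenge into the client data that the key signs over, and the relying party rejects any response whose origin is not its own. The example below is added here to show that check; it is not code from the post, the talk, or the research it links to, and the origin `https://login.example`, the lookalike origin, and the challenge values are constructed for the demo. It also computes the client-data hash the key actually signs, so you can see why a response produced on a phishing page cannot be replayed against the real site. Note what this check can and cannot do: the WebUSB research mentioned above lets an untrusted page assemble the request to the key itself, so the client data the key sees is no longer what the browser would have produced, and a server-side check like this one cannot tell the difference. Keeping those two paths apart is the browser’s job, not the relying party’s.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical relying-party origin, chosen for this example.
RP_ORIGIN = "https://login.example"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_challenge() -> bytes:
    """Server side: a fresh random challenge, stored in the session for one ceremony."""
    return secrets.token_bytes(32)


def build_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """What the browser assembles before asking the key to sign.

    Constructed here for the demo; in a real flow the browser fills in the
    origin, which is exactly why a phishing page cannot claim the real one.
    """
    return json.dumps({
        "type": typ,
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str) -> tuple[bool, str]:
    """Relying-party check of the client data. Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "bad challenge encoding"
    # Constant-time compare; a mismatch means a replay or the wrong session.
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # The origin check is the anti-phishing property: only our origin is accepted.
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    return True, "ok"


def client_data_hash(client_data_json: bytes) -> bytes:
    """The key signs authenticatorData || SHA-256(clientDataJSON), so a different
    origin produces a different signed message and the signature will not verify."""
    return hashlib.sha256(client_data_json).digest()


def demo() -> dict:
    """Run the check against a genuine response and one from a lookalike origin."""
    challenge = make_challenge()
    genuine = build_client_data(RP_ORIGIN, challenge)
    phish = build_client_data("https://login-example.evil", challenge)  # constructed lookalike
    return {
        "genuine": verify_client_data(genuine, challenge, RP_ORIGIN),
        "phish": verify_client_data(phish, challenge, RP_ORIGIN),
        "hashes_differ": client_data_hash(genuine) != client_data_hash(phish),
    }


if __name__ == "__main__":
    print(demo())
```

The challenge comparison matters as much as the origin check: a response with the right origin but a stale challenge is a replay, and `hmac.compare_digest` keeps that comparison constant-time.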