DOI: 10.1145/3576915.3623063
research-article
Open access

Evaluating the Security Posture of Real-World FIDO2 Deployments

Published: 21 November 2023

    Abstract

    FIDO2 is a suite of protocols that combines the usability of local authentication (e.g., biometrics) with the security of public-key cryptography to deliver passwordless authentication. It eliminates shared authentication secrets (i.e., passwords, which could be leaked or phished) and provides strong security guarantees assuming the benign behavior of the client-side protocol components.
    However, when this assumption does not hold true, such as in the presence of malware, client authentications pose a risk that FIDO2 deployments must account for. FIDO2 provides recommendations for deployments to mitigate such situations. Yet, to date, there has been limited empirical investigation into whether deployments adopt these mitigations and what risks compromised clients present to real-world FIDO2 deployments, such as unauthorized account access or registration.
    In this work, we aim to fill this gap by: 1) systematizing the threats to FIDO2 deployments when assumptions about the client-side protocol components do not hold, 2) empirically evaluating the security posture of real-world FIDO2 deployments across the Tranco Top 1K websites, considering both the server-side and client-side perspectives, and 3) synthesizing the mitigations that the ecosystem can adopt to further strengthen the practical security provided by FIDO2. Through our investigation, we identify that compromised clients pose a practical threat to FIDO2 deployments due to weak configurations, and that known mitigations exhibit critical shortcomings and/or minimal adoption. Based on our findings, we propose directions for the ecosystem to build additional defenses into their FIDO2 deployments. Ultimately, our work aims to drive improvements to FIDO2's practical security.


    Cited By

    • (2024) Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-10. DOI: 10.1145/3664476.3664496. Online publication date: 30-Jul-2024
    • (2024) How many FIDO protocols are needed? Analysing the technology, security and compliance. ACM Computing Surveys 56(8), pp. 1-51. DOI: 10.1145/3654661. Online publication date: 26-Apr-2024

    Published In

    CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
    November 2023
    3722 pages
    ISBN:9798400700507
    DOI:10.1145/3576915
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. fido2
    2. malware
    3. security measurements
    4. webauthn

    Conference

    CCS '23

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)778
    • Downloads (Last 6 weeks)117
    Reflects downloads up to 12 Aug 2024
