DOI: 10.1145/3465481.3469209

A web tool for analyzing FIDO2/WebAuthn Requests and Responses

Published: 17 August 2021

Abstract

Passwords are a problem in today's digital world. FIDO2, through WebAuthn, brought password-less authentication to web applications and services that is more usable and more secure than classic password-based systems. In this work, we give a brief overview of FIDO2 and present WebDevAuthn, a novel web tool for analysing FIDO2/WebAuthn requests and responses. The tool can help developers understand how FIDO2 works, speed up development by debugging with its WebAuthn traffic analyser, and test the security of an application through penetration testing by editing the WebAuthn requests or responses.

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Authentication
  2. FIDO
  3. Password-less
  4. WebAuthn

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Operational Programme Competitiveness, Entrepreneurship and Innovation 2014-2020 (EPAnEK)
  • H2020-MSCA-RISE-2018-INCOGNITO

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-10. DOI: 10.1145/3664476.3664496. Online publication date: 30 Jul 2024
  • (2024) How many FIDO protocols are needed? Analysing the technology, security and compliance. ACM Computing Surveys, vol. 56, no. 8, pp. 1-51. DOI: 10.1145/3654661. Online publication date: 26 Apr 2024
  • (2023) Challenges with Passwordless FIDO2 in an Enterprise Setting: A Usability Study. 2023 IEEE Secure Development Conference (SecDev), pp. 37-48. DOI: 10.1109/SecDev56634.2023.00017. Online publication date: 18 Oct 2023
  • (2023) Towards building a Self-Sovereign Identity Framework for Healthcare. 2023 45th Annual International Conference of the IEEE Engineering in Medicine & Biology Society (EMBC), pp. 1-4. DOI: 10.1109/EMBC40787.2023.10340626. Online publication date: 24 Jul 2023
  • (2022) An Overview of the Present and Future of User Authentication. 2022 4th IEEE Middle East and North Africa COMMunications Conference (MENACOMM), pp. 10-17. DOI: 10.1109/MENACOMM57252.2022.9998304. Online publication date: 6 Dec 2022
  • (2022) Is FIDO2 Passwordless Authentication a Hype or for Real?: A Position Paper. 2022 15th International Conference on Information Security and Cryptography (ISCTURKEY), pp. 68-73. DOI: 10.1109/ISCTURKEY56345.2022.9931832. Online publication date: 19 Oct 2022
