How many FIDO protocols are needed? Analysing the technology, security and compliance

Published: 26 April 2024

Abstract

To overcome the security vulnerabilities caused by weak passwords, and thus bridge the gap between user-friendly interfaces and advanced security features, the Fast IDentity Online (FIDO) Alliance defined a number of authentication protocols. The existing literature leverages all versions of the FIDO protocols, without indicating the reasons behind the choice of each individual FIDO protocol (i.e., U2F, UAF, FIDO2). Inevitably, the question “which protocol is more suitable per case” becomes significant. To answer it, this article performs a thorough comparative analysis of the different protocol specifications and of their technological and market support, to identify whether any protocol has become obsolete. To reach a conclusion, the proposed approach (i) explores the existing literature, (ii) analyses the specifications released by the FIDO Alliance, elaborating on their security characteristics, (iii) inspects the technical adoption by the industry and (iv) investigates the compliance of FIDO with standards, regulations and other identity verification protocols. Our results indicate that FIDO2 is the most widely adopted solution; however, U2F remains supported by numerous web services as a two-factor authentication (2FA) option, while UAF continues to be utilised in mobile clients seeking to offer the Transaction Confirmation feature.

Supplementary Material

3654661.supp (3654661.supp.pdf)
Supplementary material


    Published In

    ACM Computing Surveys  Volume 56, Issue 8
    August 2024
    963 pages
    EISSN:1557-7341
    DOI:10.1145/3613627

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 26 April 2024
    Online AM: 27 March 2024
    Accepted: 07 March 2024
    Revised: 28 December 2023
    Received: 13 October 2022
    Published in CSUR Volume 56, Issue 8


    Author Tags

    1. FIDO
    2. UAF
    3. U2F
    4. WebAuthn
    5. CTAP
    6. passwordless authentication

    Qualifiers

    • Survey

    Funding Sources

    • H2020-SU-DS02-ERATOSTHENES
    • HORIZON-CL4-2021-DATA-01-TRUSTEE
    • HORIZON-CL4-2021-DATA-01-05-aerOS

    Article Metrics

    • 0 Total Citations
    • 527 Total Downloads
    • Downloads (Last 12 months): 527
    • Downloads (Last 6 weeks): 71
    Reflects downloads up to 01 Sep 2024