Paragon reveals cryptographic weaknesses in WebAuthn

Categories Access Control  |  Biometrics News

Paragon Initiative Enterprises recently announced the discovery of security flaws in the latest drafts of the Web Authentication API standard known as “WebAuthn”, published by the World Wide Web Consortium (W3C) and the FIDO Alliance.

The WebAuthn standard is designed to make “unphishable”, privacy-preserving authentication available on the Web and to reduce reliance on passwords.

The W3C specification defines the FIDO-based API that supposedly enables Web pages to access WebAuthn-compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single “relying party.”

Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. The specification also describes a functional model of a WebAuthn-compliant authenticator, including its signature and attestation functionality.

Paragon notes that its analysis of the standard reveals that the latest WebAuthn protocol recommends or requires the implementation of old and weak cryptographic algorithms that have been known to be vulnerable to attacks for years. Cryptography experts at the firm have disparagingly noted that almost any competent cryptographer should have been able to identify and remedy the vulnerabilities earlier, during the standard’s design phase.

Paragon is appealing to the W3C and FIDO Alliance to fix the error-prone cryptographic designs in WebAuthn before the standard is finalized. Its recommendations include requiring, or at least allowing, point compression; using deterministic nonces; and hiring cryptographers to review the designs and implementations.
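To make the “deterministic nonces” recommendation concrete, the following is an added example (not Paragon’s code, and not part of the WebAuthn specification) implementing the RFC 6979 nonce derivation for ECDSA over P-256 with SHA-256: the nonce is derived from the private key and the message via HMAC, so a faulty random number generator can never cause the repeated-nonce failure that leaks an ECDSA private key. Function and variable names are this example’s own; the curve order and the test vector come from P-256 and RFC 6979 appendix A.2.5.

```python
import hashlib
import hmac

# Order of the P-256 (secp256r1) group; an ECDSA nonce k must lie in [1, N-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: big-endian integer, keeping only the leftmost qlen bits."""
    value = int.from_bytes(b, "big")
    blen = len(b) * 8
    return value >> (blen - qlen) if blen > qlen else value


def rfc6979_nonce(priv: int, msg: bytes, q: int = P256_N, hashfn=hashlib.sha256) -> int:
    """Derive the deterministic ECDSA nonce k for (priv, msg) per RFC 6979 section 3.2."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfn(msg).digest()
    hlen = len(h1)
    # int2octets(x) and bits2octets(h1): fixed-width big-endian encodings.
    x_bytes = priv.to_bytes(rlen, "big")
    h_bytes = (_bits2int(h1, qlen) % q).to_bytes(rlen, "big")
    # HMAC_DRBG instantiation keyed by private key and message hash.
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + x_bytes + h_bytes, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + x_bytes + h_bytes, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range (astronomically rare for P-256): reseed and retry.
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


if __name__ == "__main__":
    # Private key from RFC 6979 A.2.5; same inputs always yield the same k.
    x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    print(hex(rfc6979_nonce(x, b"sample")))
```

The derived value for message "sample" should equal the k listed in RFC 6979 appendix A.2.5, which is the check a reviewer would run before trusting any deterministic-nonce implementation.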

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services.
