Researchers claim design flaws with FIDO2 passwordless authentication standard
A team of researchers have published a paper in the Cryptology ePrint Archive of the International Association for Cryptologic Research which they say identifies security design flaws with a core component of the FIDO2 passwordless authentication standard.
The paper, titled, ‘Provable Security Analysis of FIDO2,’ examines the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2) from the FIDO Alliance, which includes biometrics.
FIDO2 is a passwordless digital ID authentication standard based on public key cryptography that aims for a more secure and easy-to-use online authentication with possession credentials like biometrics. It has seen rapid adoption by popular web browsers, the Android operating system, and various biometric authentication systems like Windows Hello and Keyless.
The researchers write in the paper that there is a lack of analysis on the cryptographic provable security approach to the FIDO2 protocols or the CTAP2, and there are limited results on WebAuthn research. By performing a modular cryptographic analysis of the authentication properties guaranteed by FIDO2 using the provable security approach, the research team sought to uncover vulnerabilities and recommendations to bolster the security of FIDO2.
While WebAuthn’s provable security could be proven, the same could not be said of CTAP2. The team found that CTAP2’s “pinToken” generation at login could be a security vulnerability as it was repeated for subsequent communication, which could compromise security as a whole. It also used an unauthenticated Diffie-Hellman cryptographic key exchange that leaves it vulnerable to man-in-the-middle attacks.
To patch these flaws in CTAP2, the research team proposes strong PIN-based access control for authenticators (sPACA) to replace unauthenticated Diffie-Hellman key exchanges in the binding phase with a password-authenticated key exchange (PAKE) protocol. This would generate a strong key which can be used as the binding state to build the access channel. The team also says sPACA is more efficient, which should be another benefit.
Vendor lock-in risk
FIDO’s passwordless authentication standard does not yet include a method for the bulk transfer of cryptographic passkeys, which as Fast Company reports, would make it necessary to migrate passwordless credentials one by one, or simply stay within the ecosystem they were created in, likely Apple’s or Google’s.
FIDO Alliance Executive Director Andrew Shikiar suggests that bulk key transfer will likely be part of a future version of the standard.
Researchers will attempt to devise a way to perform bulk transfers without making the operation a target for hackers, and weakening the standard’s security, which could then be included within the FIDO2 specifications.