EAP-FIDO: A Novel EAP Method for Using FIDO2 Credentials for Network Authentication

Martiño Rivera-Dourado, Christos Xenakis, Alejandro Pazos, Jose Vázquez-Naya
2024-12-04
Abstract: The adoption of FIDO2 authentication by major tech companies in web applications has grown significantly in recent years. However, we argue FIDO2 has broader potential applications. In this paper, we introduce EAP-FIDO, a novel Extensible Authentication Protocol (EAP) method for use in IEEE 802.1X-protected networks. This allows organisations with WPA2/3-Enterprise wireless networks or MACsec-enabled wired networks to leverage FIDO2's passwordless authentication in compliance with existing standards. Additionally, we provide a comprehensive security and performance analysis to support the feasibility of this approach.
Cryptography and Security
What problem does this paper attempt to address?
### What problems does this paper attempt to solve?

This paper addresses the security and user-experience problems of password-based authentication in enterprise networks. It proposes EAP-FIDO, a new Extensible Authentication Protocol (EAP) method that authenticates users with FIDO2 credentials on IEEE 802.1X-protected networks. With it, organisations running WPA2/3-Enterprise wireless networks or MACsec-enabled wired networks can use FIDO2 passwordless authentication while staying within the existing standards.

#### Main problems

1. **Security problems of password authentication**
   - Passwords are exposed to phishing, keylogging and similar attacks.
   - Widely deployed EAP methods (EAP-MD5, LEAP, EAP-MSCHAPv2 and others) rely on passwords and inherit these weaknesses.
2. **User-experience problems**
   - Users must remember several complex passwords.
   - Using one authentication method for web applications and another for the network confuses users and adds friction.

#### Solutions

- **EAP-FIDO**: integrates FIDO2 passwordless authentication into the EAP framework, so users authenticate to the network with FIDO2 credentials held in roaming authenticators (security keys) or platform authenticators, with the phishing resistance those credentials already provide on the web.
- **Compatibility and transparency**: EAP-FIDO fits into existing IEEE 802.1X networks without changes to the network infrastructure. In 802.1X the access point or switch only relays EAP frames between supplicant and authentication server, so only the supplicant and the authentication server need to support the new method.
- **Performance and security analysis**: the paper provides a security and performance analysis to support the feasibility of the approach.

#### Specific applications

- **Enterprise network authentication**: for example, in the eduroam federated Wi-Fi service, registered users could authenticate to the network with their FIDO2 credentials.
- **Unified authentication experience**: an organisation can use the same FIDO2 credentials for web single sign-on (SSO) and for network authentication, giving users one consistent login.

Taken together, EAP-FIDO both strengthens enterprise network authentication and simplifies the user's login flow.
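To make concrete what carrying a FIDO2 credential inside EAP involves, the following Go program is an added example; it is not code from the paper and does not reproduce the paper's message format. The authentication server plays the FIDO2 relying party: it sends its RP ID and a random challenge in an EAP-Request, the supplicant's authenticator answers in an EAP-Response with a WebAuthn-style assertion (authenticator data = SHA-256(RP ID) || flags || signature counter, signed together with the client-data hash using ECDSA P-256), and the server checks RP ID binding, user presence, counter monotonicity, challenge freshness and the signature before it would send EAP-Success. The assertion layout and signature construction follow WebAuthn/CTAP2; the `EAPResponse` fields, the `eap-fido:` client-data encoding that stands in for clientDataJSON, and the RP ID `wifi.example.edu` are assumptions made for this example. Derivation of the session keys an EAP method must export to the Wi-Fi layer is omitted, since the page does not describe how EAP-FIDO does it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUP = 0x01 // WebAuthn "user present" bit of the authenticator-data flags byte
type Authenticator struct { // a FIDO2 security key holding one credential scoped to one RP ID
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

type Server struct { // the EAP authentication server, acting as the FIDO2 relying party
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     []byte // challenge of the current EAP conversation; nil once consumed
}

// EAPResponse is an assumed payload for illustration, not the paper's encoding.
type EAPResponse struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4), as in WebAuthn
	ClientDataHash []byte
	Signature      []byte // ECDSA P-256 (DER) over SHA-256(AuthData || ClientDataHash)
}

// Enroll creates a P-256 credential and registers its public key with the server (out of band).
func Enroll(rpID string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, &Server{rpID: rpID, pub: &priv.PublicKey}, nil
}

// Challenge opens an EAP conversation: the EAP-Request carries the RP ID and a fresh 32-byte challenge.
func (s *Server) Challenge() (rpID string, challenge []byte) {
	s.pending = make([]byte, 32)
	rand.Read(s.pending) // crypto/rand never returns an error on supported platforms
	return s.rpID, s.pending
}

func clientData(rpID string, challenge []byte) []byte { // stands in for WebAuthn clientDataJSON (assumption)
	return append([]byte("eap-fido:"+rpID+":"), challenge...)
}

// Assert answers the EAP-Request; like a real key it refuses RP IDs it has no credential for.
func (a *Authenticator) Assert(rpID string, challenge []byte) (EAPResponse, error) {
	if rpID != a.rpID {
		return EAPResponse{}, errors.New("no credential for this RP ID")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], flagUP, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdh := sha256.Sum256(clientData(a.rpID, challenge))
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return EAPResponse{}, err
	}
	return EAPResponse{AuthData: authData, ClientDataHash: cdh[:], Signature: sig}, nil
}

// Verify is the server's accept/reject decision on the EAP-Response; nil means EAP-Success.
func (s *Server) Verify(resp EAPResponse) error {
	if s.pending == nil || len(resp.AuthData) < 37 || resp.AuthData[32]&flagUP == 0 {
		return errors.New("no outstanding challenge, malformed authenticator data, or no user presence")
	}
	rpHash := sha256.Sum256([]byte(s.rpID))
	counter := binary.BigEndian.Uint32(resp.AuthData[33:37])
	want := sha256.Sum256(clientData(s.rpID, s.pending))
	digest := sha256.Sum256(append(append([]byte{}, resp.AuthData...), resp.ClientDataHash...))
	switch {
	case !bytes.Equal(resp.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: assertion was made for another RP")
	case counter <= s.lastCounter:
		return errors.New("signature counter did not increase (replay or cloned key)")
	case !bytes.Equal(resp.ClientDataHash, want[:]):
		return errors.New("assertion is not over this conversation's challenge")
	case !ecdsa.VerifyASN1(s.pub, digest[:], resp.Signature):
		return errors.New("bad signature")
	}
	s.lastCounter, s.pending = counter, nil // one challenge, one assertion
	return nil
}

func main() { // stand-alone round trip, then a replay of the same response
	auth, srv, _ := Enroll("wifi.example.edu")
	resp, _ := auth.Assert(srv.Challenge())
	fmt.Println("fresh:", srv.Verify(resp), "| replay:", srv.Verify(resp))
}
```

Two properties carry over from the web unchanged: the authenticator only signs for the RP ID it was enrolled with, so a rogue access point announcing a different RP ID obtains nothing, and the server only accepts an assertion over the challenge of the current conversation with a strictly increasing counter, so captured EAP frames cannot be replayed. The model deliberately has no server authentication, so a rogue access point that announces the real RP ID could relay challenges between the genuine server and the user; a deployable method must authenticate the server to the supplicant, as TLS-based EAP methods do, before the assertion is made.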