Anna Angelogianni,Ilias Politis,Christos Xenakis

DOI: https://doi.org/10.1145/1122445.1122456

2021-06-29

Abstract:Unequivocally, a single man in possession of a strong password is not enough to solve the issue of security. Studies indicate that passwords have been subjected to various attacks, regardless of the applied protection mechanisms due to the human factor. The keystone for the adoption of more efficient authentication methods by the different markets is the trade-off between security and usability. To bridge the gap between user-friendly interfaces and advanced security features, the Fast Identity Online (FIDO) alliance defined several authentication protocols. Although FIDO's biometric-based authentication is not a novel concept, still daunts end users and developers, which may be a contributor factor obstructing FIDO's complete dominance of the digital authentication market. This paper traces the evolution of FIDO protocols, by identifying the technical characteristics and security requirements of the FIDO protocols throughout the different versions while providing a comprehensive study on the different markets (e.g., digital banking, social networks, e-government, etc.), applicability, ease of use, extensibility and future security considerations. From the analysis, we conclude that there is currently no dominant version of a FIDO protocol and more importantly, earlier FIDO protocols are still applicable to emerging vertical services.

Cryptography and Security

Haonan Feng,Jingjing Guan,Hui Li,Xuesong Pan,Ziming Zhao

DOI: https://doi.org/10.1109/tdsc.2022.3217259

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The FIDO protocol suite aims at allowing users to log in to remote services with a local and trusted authenticator. With FIDO, relying services do not need to store user-chosen secrets or their hashes, which eliminates a major attack surface for e-business. Given its increasing popularity, it is imperative to formally analyze whether the security promises of FIDO hold. In this paper, we present a comprehensive and formal verification of the FIDO UAF protocol by formalizing its security assumptions and goals and modeling the protocol under different scenarios in ProVerif. Our analysis identifies the minimal security assumptions required for each of the security goals of FIDO UAF to hold. We confirm previously manually discovered vulnerabilities in an automated way and disclose several new attacks. Guided by the formal verification results, we also discovered two practical attacks on two popular Android FIDO apps, which we responsibly disclosed to the vendors. In addition, we offer several concrete recommendations to fix the identified problems and weaknesses in the protocol.

Emma Dauterman,Henry Corrigan-Gibbs,David Mazières,Dan Boneh,Dominic Rizzo

DOI: https://doi.org/10.48550/arXiv.1810.04660

2019-08-12

Abstract:We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin token-fingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today's U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.

Cryptography and Security

Michal Kepkowski,Maciej Machulak,Ian Wood,Dali Kaafar

DOI: https://doi.org/10.48550/arXiv.2308.08096

2023-08-16

Cryptography and Security

Abstract:Fast Identity Online 2 (FIDO2), a modern authentication protocol, is gaining popularity as a default strong authentication mechanism. It has been recognized as a leading candidate to overcome limitations (e.g., phishing resistance) of existing authentication solutions. However, the task of deprecating weak methods such as password-based authentication is not trivial and requires a comprehensive approach. While security, privacy, and end-user usability of FIDO2 have been addressed in both academic and industry literature, the difficulties associated with its integration with production environments, such as solution completeness or edge-case support, have received little attention. In particular, complex environments such as enterprise identity management pose unique challenges for any authentication system. In this paper, we identify challenging enterprise identity lifecycle use cases (e.g., remote workforce and legacy systems) by conducting a usability study, in which over 100 cybersecurity professionals shared their perception of challenges to FIDO2 integration from their hands-on field experience. Our analysis of the user study results revealed serious gaps such as account recovery (selected by over 60% of our respondents), and identify priority development areas for the FIDO2 community.

Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Tarun Kumar Yadav,Kent Seamons

2023-08-06

Abstract:The FIDO2 protocol aims to strengthen or replace password authentication using public-key cryptography. FIDO2 has primarily focused on defending against attacks from afar by remote attackers that compromise a password or attempt to phish the user. In this paper, we explore threats from local attacks on FIDO2 that have received less attention -- a browser extension compromise and attackers gaining physical access to an HSK. Our systematic analysis of current implementations of FIDO2 reveals four underlying flaws, and we demonstrate the feasibility of seven attacks that exploit those flaws. The flaws include (1) Lack of confidentiality/integrity of FIDO2 messages accessible to browser extensions, (2) Broken clone detection algorithm, (3) Potential for user misunderstanding from social engineering and notification/error messages, and (4) Cookie life cycle. We build malicious browser extensions and demonstrate the attacks on ten popular web servers that use FIDO2. We also show that many browser extensions have sufficient permissions to conduct the attacks if they were compromised. A static and dynamic analysis of current browser extensions finds no evidence of the attacks in the wild. We conducted two user studies confirming that participants do not detect the attacks with current error messages, email notifications, and UX responses to the attacks. We provide an improved clone detection algorithm and recommendations for relying part

Cryptography and Security

Nader Abdel Karim,Hasan Kanaker,Waleed K. Abdulraheem,Majdi Ali Ghaith,Essam Alhroob,Abdulla Mousa Falah Alali

DOI: https://doi.org/10.5267/j.ijdns.2023.10.003

2024-01-01

International Journal of Data and Network Science

Abstract:A robust authentication method is needed to protect online user accounts and data from cyber-attacks. Using only passwords is insufficient because they can be easily stolen or cracked. Multi-factor authentication (MFA) increases security by requiring two or more verification factors from the user before granting access to a resource such as an online account or an application. MFA is essential to a strong identity and access management (IAM) policy. This study evaluates and contrasts several MFA methods for online systems, including Microsoft Authenticator, FIDO2 security keys, SMS, voice calls, and biometrics. We assess these methods based on four criteria: security, usability, cost, and compatibility. We discover that only some MFA methods excel across the board. The best MFA method will depend on the organization's and users' specific needs and preferences. Each MFA method has benefits and drawbacks on its own. Based on our analysis, we do, however, make some general observations and recommendations, such as preferring FIDO2 security keys and certificate-based authentication for high-security scenarios, choosing Microsoft Authenticator and biometrics for high-usability scenarios, and avoiding SMS and voice calls for low-security and low-usability scenarios.

Hanguang Luo,Tao Zou,Chunming Wu,Dan Li,Shunbin Li,Chu

DOI: https://doi.org/10.32604/cmc.2022.027118

2022-01-01

Abstract:In the emerging Industrial Internet of Things (IIoT), authentication problems have become an urgent issue for massive resource-constrained devices because traditional costly security mechanisms are not suitable for them. The security protocol designed for resource-constrained systems should not only be secure but also efficient in terms of usage of energy, storage, and processing. Although recently many lightweight schemes have been proposed, to the best of our knowledge, they are unable to address the problem of privacy preservation with the resistance of Denial of Service (DoS) attacks in a practical way. In this paper, we propose a lightweight authentication protocol based on the Physically Unclonable Function (PUF) to overcome the limitations of existing schemes. The protocol provides an ingenious authentication and synchronization mechanism to solve the contradictions amount forward secrecy, DoS attacks, and resource-constrained. The performance analysis and comparison show that the proposed scheme can better improve the authentication security and efficiency for resource-constrained systems in IIoT.

Fan Dang,Xikai Sun,Kebin Liu,Xuan Ding,Xu Wang,Yunhao Liu

DOI: https://doi.org/10.1109/monetec60984.2024.10768120

2024-01-01

Abstract:The Fast Identity Online (FIDO) authentication protocol, the latest iteration of the FIDO2 standard, aims to provide a more secure and user-friendly online authentication method. In the era of digital transformation, anonymity has become a critical aspect of digital security. This paper proposes a novel anonymous authentication extension for FIDO based on blind signatures, enabling users to obtain signatures on public keys without revealing their content to the relying party. The proposed scheme is evaluated in detail, demonstrating its feasibility and effectiveness. By addressing a significant gap in current authentication methods and enhancing user privacy, this research contributes to the advancement of secure and anonymous online authentication techniques.

Martiño Rivera-Dourado,Christos Xenakis,Alejandro Pazos,Jose Vázquez-Naya

2024-12-04

Abstract:The adoption of FIDO2 authentication by major tech companies in web applications has grown significantly in recent years. However, we argue FIDO2 has broader potential applications. In this paper, we introduce EAP-FIDO, a novel Extensible Authentication Protocol (EAP) method for use in IEEE 802.1X-protected networks. This allows organisations with WPA2/3-Enterprise wireless networks or MACSec-enabled wired networks to leverage FIDO2's passwordless authentication in compliance with existing standards. Additionally, we provide a comprehensive security and performance analysis to support the feasibility of this approach.

Cryptography and Security

Anisha Ghosh,Aditya Mitra,Sibi Chakkaravarthy Sethuraman,Aswani Kumar Cherukuri

2024-08-09

Abstract:With challenges and limitations associated with security in the fintech industry, the rise to the need for data protection increases. However, the current existing passwordless and password-based peer to peer transactions in online banking systems are vulnerable to advanced forms of digital attacks. The influx of modern data protection methods keeps better records of the transactions, but it still does not address the issue of authentication and account takeovers during transactions. To the address the mentioned issue, this paper proposes a novel and robust peer to peer transaction system which employs best cloud security practices, proper use of cryptography and trusted computing to mitigate common vulnerabilities. We will be implementing FIDO2 compatible Smart Card to securely authenticate the user using physical smart cards and store the records in the cloud which enables access control by allowing access only when an access is requested. The standard incorporates multiple layers of security on cloud computing models to ensure secrecy of the said data. Services of the standard adhere to regulations provides by the government and assures privacy to the information of the payee or the end-user. The whole system has been implemented in the Internet of Things scenario.

Cryptography and Security,Emerging Technologies

Martiño Rivera-Dourado,Marcos Gestal,Alejandro Pazos,Jose Vázquez-Naya

2024-02-20

Abstract:FIDO2 authentication is starting to be applied in numerous web authentication services, aiming to replace passwords and their known vulnerabilities. However, this new authentication method has not been integrated yet with network authentication systems. In this paper, we introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. Our proposal describes a novel protocol for captive-portal network authentication using FIDO2 authenticators, as security keys and passkeys. For validating our proposal, we have developed a prototype of FIDO2CAP authentication in a mock scenario. Using this prototype, we performed an usability experiment with 15 real users. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.

Cryptography and Security,Software Engineering,Networking and Internet Architecture

Ang Kok Wee,Eyasu Getahun Chekole,Jianying Zhou

2024-07-30

Abstract:Nowadays, cyberattacks are growing exponentially, causing havoc to Internet users. In particular, authentication attacks constitute the major attack vector where intruders impersonate legitimate users to maliciously access systems or resources. Traditional single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques, hence they are no longer sufficient to the current authentication requirements. To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently, which helps to raise the security bar against imposters. Although MFA is generally considered more robust and secure than SFA, it may not always guarantee enhanced security and efficiency. This is because, critical security vulnerabilities and performance problems may still arise due to design or implementation flaws of the protocols. Such vulnerabilities are often left unnoticed until they are exploited by attackers. Therefore, the main objective of this work is identifying such vulnerabilities in existing MFA protocols by systematically analysing their designs and constructions. To this end, we first form a set of security evaluation criteria, encompassing both existing and newly introduced ones, which we believe are very critical for the security of MFA protocols. Then, we thoroughly review several MFA protocols across different domains. Subsequently, we revisit and thoroughly analyze the design and construction of the protocols to identify potential vulnerabilities. Consequently, we manage to identify critical vulnerabilities in ten of the MFA protocols investigated. We thoroughly discuss the identified vulnerabilities in each protocol and devise relevant mitigation strategies. We also consolidate the performance information of those protocols to show the runtime and storage cost when employing varying number of authentication factors.

Cryptography and Security

Marco Casagrande,Daniele Antonioli

2024-12-03

Abstract:FIDO2 is the standard technology for single-factor and second-factor authentication. It is specified in an open standard, including the WebAuthn and CTAP application layer protocols. We focus on CTAP, which allows FIDO2 clients and hardware authenticators to communicate. No prior work has explored the CTAP Authenticator API, a critical protocol-level attack surface. We address this gap by presenting the first security and privacy evaluation of the CTAP Authenticator API. We uncover two classes of protocol-level attacks on CTAP that we call CTRAPS. The client impersonation (CI) attacks exploit the lack of client authentication to tamper with FIDO2 authenticators. They include zero-click attacks capable of deleting FIDO2 credentials, including passkeys, without user interaction. The API confusion (AC) attacks abuse the lack of protocol API enforcements and confound FIDO2 authenticators, clients, and unaware users into calling unwanted CTAP APIs while thinking they are calling legitimate ones. The presented eleven attacks are conducted either in proximity or remotely and are effective regardless of the underlying CTAP transport. We detail the eight vulnerabilities in the CTAP specification, enabling the CTRAPS attacks. Six are novel and include unauthenticated CTAP clients and trackable FIDO2 credentials. We release CTRAPS, an original toolkit, to analyze CTAP and conduct the CTRAPS attacks. We confirm the attacks practicality on a large scale by exploiting six popular authenticators, including a FIPS-certified one from Yubico, Feitian, SoloKeys, and Google, and ten widely used relying parties, such as Microsoft, Apple, GitHub, and Facebook. We present eight practical and backward-compliant countermeasures to fix the attacks and their root causes. We responsibly disclosed our findings to the FIDO alliance and the affected vendors.

Cryptography and Security

Verena Zimmermann,Paul Gerber,Alina Stöver

DOI: https://doi.org/10.48550/arXiv.2209.13958

IF: 6.4588

2022-09-28

Human-Computer Interaction

Abstract:Choosing authentication schemes for a specific purpose is challenging for service providers, developers, and researchers. Previous ratings of technical and objective aspects showed that available schemes all have strengths and limitations. Yet, the security of authentication also relies on user perceptions which affect acceptance and user behaviour and can deviate from technical aspects. To shine light on the issue and support researchers, developers, and service-providers confronted with authentication choice, we conducted an in-depth analysis of user perceptions of the password, fingerprint, and a smartphone-based scheme in an online study with 201 participants. As authentication is a secondary task that needs to be evaluated in the context of authentication purpose, we also compared perceptions across four contexts of use with varying sensitivity levels: email accounts, online banking, social networks, and smart homes. The results revealed how perceptions of usability, security, privacy, trust, effort, and qualitative features of the schemes are related to user preferences. The results increase awareness for the influence of subjective perceptions and have practical implications for decision-makers. They can inform a) the choice between several adequate schemes, b) the authentication design to reduce concerns or security-related misconceptions, and c) the development of context-dependent authentication.

Kat Krol,Eleni Philippou,Emiliano De Cristofaro,M. Angela Sasse

DOI: https://doi.org/10.48550/arXiv.1501.04434

2015-01-19

Cryptography and Security

Abstract:To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions -- especially those adding a token -- to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are (i) the reduction in the number of authentication steps, and (ii) removing features that do not add any security but negatively affect the user experience.

Tunde Oduguwa,Abdullahi Arabo

2023-12-05

Abstract:Since the demise of the password was predicted in 2004, different attempts in industry and academia have been made to create an alternative for the use of passwords in authentication, without compromising on security and user experience. This review examines password-less authentication schemes that have been proposed since after the death knell was placed on passwords in 2004. We start with a brief discussion of the requirements of authentication systems and then identify various password-less authentication proposals to date. We then evaluate the truly password-less and practical schemes using a framework that examines authentication credentials based on their impact on user experience, overall security, and ease of deployment. The findings of this review observe a difficulty in balancing security with a user experience compared to that of passwords in new password-less schemes, providing the opportunity for new applied research to leverage existing knowledge and combine technologies and techniques in innovative ways that can address this imbalance.

Cryptography and Security

Khan Reaz,Gerhard Wunder

2024-03-18

Abstract:The existing high-friction device onboarding process hinders the promise and potentiality of Internet of Things (IoT). Even after several attempts by various device manufacturers and working groups, no widely adopted standard solution came to fruition. The latest attempt by Fast Identity Online (FIDO) Alliance promises a zero touch solution for mass market IoT customers, but the burden is transferred to the intermediary supply chain (i.e. they have to maintain infrastructure for managing keys and digital signatures called `Ownership Voucher' for all devices). The specification relies on a `Rendezvous Server' mimicking the notion of Domain Name System (DNS) server'. This essentially means resurrecting all existing possible attack scenarios associated with DNS, which include Denial of Service (DoS) attack, and Correlation attack. `Ownership Voucher' poses the risk that some intermediary supply chain agents may act maliciously and reject the transfer of ownership or sign with a wrong key. Furthermore, the deliberate use of the weak elliptic curve SECP256r1/SECP384r1 (also known as NIST P-256/384) in the specification raises questions. We introduce ASOP: a sovereign and secure device onboarding protocol for IoT devices without blindly trusting the device manufacturer, supply chain, and cloud service provider. The ASOP protocol allows onboarding an IoT device to a cloud server with the help of an authenticator owned by the user. This paper outlines the preliminary development of the protocol and its high-level description. Our `zero-trust' and `human-in-the-loop' approach guarantees that the device owner does not remain at the mercy of third-party infrastructures, and it utilises recently standardized post-quantum cryptographic suite (CRYSTALS) to secure connection and messages.

Cryptography and Security,Networking and Internet Architecture

Daniel Fett,Pedram Hosseyni,Ralf Kuesters

DOI: https://doi.org/10.48550/arXiv.1901.11520

2019-02-01

Abstract:Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on the Web Infrastructure Model (WIM) proposed by Fett, Kuesters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles and combinations of security features. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. This analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

Cryptography and Security