University of Maryland Libraries, Digital Repository at the University of Maryland

    Exploration of the Security and Usability of the FIDO2 Authentication Protocol

    Team_PASS_Senior_Thesis.pdf (1.049Mb)
    No. of downloads: 258

    Date
    2022
    Author
    Breit, Zachary
    Dean, Hunter
    Generrette, Tai-Juan
    Howard, Samuel
    Kodali, Balaji
    Kong, Jim
    Tash, Jonah
    Wang, Phillip
    Wu, John
    Advisor
    Baras, John
    DRUM DOI
    https://doi.org/10.13016/wkfq-edas
    Abstract
    Fast IDentity Online (FIDO) is a passwordless authentication protocol for the web that leverages public key cryptography and trusted devices to avoid shared secrets on servers. The current version of FIDO, FIDO2, has become widespread and is directly integrated into popular systems such as Windows Hello and Android OS. This thesis details two contributions to the advancement of FIDO2. The first is a modification to the protocol which uses Trusted Execution Environments to resolve security vulnerabilities in the Client To Authenticator Protocol Version 2 (CTAP2), which is a component of FIDO2. It is formally demonstrated that this modification provides a stronger security assumption than CTAP2. The second contribution is an outline of procedures and resources for future researchers to carry out a study of the usability of FIDO2 authenticators via a within-subjects experiment. In the study, subjects register an account on a custom web app using both passwords and FIDO2 credentials. The web app collects metrics about user behavior such as timing information for authentication sessions. Over the course of a week, subjects log in to the same web app every day using both authentication methods. Subjects complete entrance and exit surveys based on the System Usability Scale (SUS) according to their experiences. The surveys and user metrics would then be analyzed to determine whether users perceive FIDO2 as more usable than passwords.
    Notes
    Gemstone Team PASS
    URI
    http://hdl.handle.net/1903/29106
    Collections
    • Gemstone Team Research

    DRUM is brought to you by the University of Maryland Libraries
    University of Maryland, College Park, MD 20742-7011 (301)314-1328.
    Please send us your comments.
    Web Accessibility
     

     
