Exploration of the Security and Usability of the FIDO2 Authentication Protocol
Date
2022
Authors
Breit, Zachary
Dean, Hunter
Generrette, Tai-Juan
Howard, Samuel
Kodali, Balaji
Kong, Jim
Tash, Jonah
Wang, Phillip
Wu, John
Advisor
Baras, John
Abstract
Fast IDentity Online (FIDO) is a passwordless authentication protocol for the web that leverages
public key cryptography and trusted devices to avoid shared secrets on servers. The current version
of FIDO, FIDO2, has become widespread and is directly integrated into popular systems such
as Windows Hello and Android OS. This thesis details two contributions to the advancement of
FIDO2. The first is a modification to the protocol which uses Trusted Execution Environments
to resolve security vulnerabilities in the Client To Authenticator Protocol Version 2 (CTAP2),
which is a component of FIDO2. It is formally demonstrated that the modified protocol provides a
stronger security guarantee than CTAP2 does. The second contribution is an outline of procedures
and resources for future researchers to carry out a study of the usability of FIDO2 authenticators
via a within-subjects experiment. In the study, subjects register an account on a custom web app
using both passwords and FIDO2 credentials. The web app collects metrics about user behavior
such as timing information for authentication sessions. Over the course of a week, subjects log in
to the same web app every day using both authentication methods. Subjects complete entrance
and exit surveys based on the System Usability Scale (SUS), reporting their experience with each method. The
surveys and user metrics would then be analyzed to determine whether users perceive FIDO2 as
more usable than passwords.
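The analysis step of the study outline above (SUS surveys plus per-session timing, compared within subjects across the password and FIDO2 conditions) is easy to get wrong in the details, so here is an added worked example. It is not code from the thesis or from Team PASS's web app. The SUS scoring rule (odd items contribute r - 1, even items 5 - r, sum times 2.5) is the standard published one; the session records, survey answers, function names and the choice of a paired t statistic as the comparison are all constructed assumptions for illustration, since the abstract does not say which statistical test the study would use.

```python
"""Added example (not from the thesis): score SUS responses and compare
per-subject login timings for two authentication methods in a
within-subjects design. All data below is constructed sample data."""
from collections import defaultdict
from math import sqrt
from statistics import mean, stdev

# Constructed sample sessions: (subject, day, method, seconds from page
# load to "authenticated"), as the study's web app would record them.
SESSIONS = [
    ("s1", 1, "password", 14.2), ("s1", 1, "fido2", 6.1),
    ("s1", 2, "password", 12.8), ("s1", 2, "fido2", 5.4),
    ("s2", 1, "password", 20.5), ("s2", 1, "fido2", 7.9),
    ("s2", 2, "password", 18.1), ("s2", 2, "fido2", 8.3),
    ("s3", 1, "password",  9.7), ("s3", 1, "fido2", 9.9),
    ("s3", 2, "password", 10.1), ("s3", 2, "fido2", 8.8),
]

# Constructed exit-survey answers: 10 SUS items per subject per method,
# each 1 (strongly disagree) .. 5 (strongly agree).
SUS_RESPONSES = {
    "password": {"s1": [3, 3, 3, 2, 4, 2, 3, 3, 3, 2],
                 "s2": [2, 4, 2, 4, 3, 3, 2, 4, 2, 3],
                 "s3": [4, 2, 4, 2, 4, 2, 4, 2, 4, 2]},
    "fido2":    {"s1": [5, 1, 4, 2, 5, 1, 5, 2, 4, 1],
                 "s2": [4, 2, 4, 1, 4, 2, 5, 1, 4, 2],
                 "s3": [4, 2, 4, 2, 4, 2, 4, 2, 4, 2]},
}


def sus_score(responses):
    """Standard SUS scoring: odd (positively worded) items contribute r - 1,
    even (negatively worded) items contribute 5 - r; the sum is scaled by
    2.5 to a 0..100 score. Rejects malformed responses instead of guessing."""
    if len(responses) != 10:
        raise ValueError("SUS has exactly 10 items")
    total = 0
    for i, r in enumerate(responses, start=1):
        if not 1 <= r <= 5:
            raise ValueError(f"item {i}: {r} is outside the 1..5 scale")
        total += (r - 1) if i % 2 == 1 else (5 - r)
    return total * 2.5


def per_subject_means(sessions):
    """Collapse daily sessions to one mean login time per subject per method,
    so that each subject is a single paired observation."""
    acc = defaultdict(lambda: defaultdict(list))
    for subject, _day, method, seconds in sessions:
        acc[method][subject].append(seconds)
    return {m: {s: mean(v) for s, v in subs.items()} for m, subs in acc.items()}


def paired_differences(a, b):
    """a[subject] - b[subject] for subjects present under both conditions;
    subjects who dropped out of one condition are excluded from the pairing."""
    common = sorted(set(a) & set(b))
    if not common:
        raise ValueError("no subject has data under both conditions")
    return [a[s] - b[s] for s in common]


def paired_t_statistic(diffs):
    """t = mean(d) / (sd(d) / sqrt(n)) for paired differences d."""
    n = len(diffs)
    if n < 2:
        raise ValueError("need at least two paired subjects")
    sd = stdev(diffs)
    if sd == 0:
        raise ValueError("zero variance between pairs; t is undefined")
    return mean(diffs) / (sd / sqrt(n))


def compare_methods(sessions, sus_responses, a="password", b="fido2"):
    """Within-subjects comparison of method a against method b.
    Positive time saving means b is faster; positive SUS gain means b was
    rated more usable."""
    times = per_subject_means(sessions)
    time_diffs = paired_differences(times[a], times[b])
    sus_a = {s: sus_score(r) for s, r in sus_responses[a].items()}
    sus_b = {s: sus_score(r) for s, r in sus_responses[b].items()}
    sus_diffs = paired_differences(sus_b, sus_a)
    return {
        "n": len(time_diffs),
        "mean_login_time": {a: mean(times[a].values()), b: mean(times[b].values())},
        "mean_time_saving_s": mean(time_diffs),
        "time_t": paired_t_statistic(time_diffs),
        "mean_sus": {a: mean(sus_a.values()), b: mean(sus_b.values())},
        "mean_sus_gain": mean(sus_diffs),
        "sus_t": paired_t_statistic(sus_diffs),
    }


if __name__ == "__main__":
    for key, value in compare_methods(SESSIONS, SUS_RESPONSES).items():
        print(f"{key}: {value}")
```

With n = 3 constructed subjects the t statistics are illustrative only; the point of the pairing is that each subject serves as their own control, which is what makes the within-subjects design in the outline above more sensitive than comparing two separate groups.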
Notes
Gemstone Team PASS