Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions

  • Conference paper
  • Emerging Technologies for Authorization and Authentication (ETAA 2021)

Abstract

The FIDO2 standards for strong authentication on the Internet define an extension interface that allows them to adapt flexibly to future use cases. Establishing new FIDO2 extensions, however, is currently limited to web browser developers and members of the FIDO Alliance. We show how researchers and developers can design and implement their own extensions, using FIDO2 as a well-established and secure foundation to demonstrate innovative authentication concepts or to support custom deployments. Our open-source implementation targets the full FIDO2 stack, including the Chromium web browser and hardware tokens, to enable tailor-made authentication built on the existing FIDO2 ecosystem. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. Their current design, however, hinders the implementation of custom extensions, and they support only a limited number of extensions out of the box. We discuss weaknesses of current implementations and identify the lack of extension pass-through as a major limitation in current FIDO2 clients.

Notes

  1. Chromium version canary 93.0.4570.0 → Google Chrome 93, Microsoft Edge 93.

  2. Gecko version nightly 91.0a1 → Mozilla Firefox 91.

  3. WebKit version 611.2.7.1 → Apple Safari 14.1.1.

  4. Solo version 4.1.2.

  5. OpenSK version 1.0.0.

  6. Online repository with our source code and additional documentation on how to implement your own FIDO2 extensions: https://seemoo.de/s/fido2ext.

  7. Chromium Credential Management API (Blink): third_party/blink/renderer/modules/credentialmanager/.

  8. Chromium WebAuthn Mojo (Blink): third_party/blink/public/mojom/webauthn/.

  9. Chromium Web Authentication (content): content/browser/webauth/.

  10. Chromium CTAP (device): device/fido/.

Acknowledgements

This work has been funded by the LOEWE initiative (Hesse, Germany) within the emergenCITY center. We thank the anonymous reviewers for reviewing this paper and for their helpful comments.

Author information

Corresponding author

Correspondence to Florentin Putz.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Putz, F., Schön, S., Hollick, M. (2021). Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2021. Lecture Notes in Computer Science(), vol 13136. Springer, Cham. https://doi.org/10.1007/978-3-030-93747-8_2

  • DOI: https://doi.org/10.1007/978-3-030-93747-8_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93746-1

  • Online ISBN: 978-3-030-93747-8
