Abstract
FIDO2 is currently the main initiative for passwordless authentication in web servers. It mandates the use of secure hardware authenticators to protect the authentication protocol’s secrets from compromise. However, to ensure that only secure authenticators are being used, web servers need a method to attest their properties. The FIDO2 specifications allow for authenticators and web servers to choose between different attestation modes to prove the characteristics of an authenticator, however the properties of most these modes have not been analysed in the context of FIDO2. In this work, we analyse the security and privacy properties of FIDO2 when different attestation modes included in the standard are used, and show that they lack good balance between security, privacy and revocation of corrupted devices. For example, the basic attestation mode prevents remote servers from tracing user’s actions across different services while requiring reduced trust assumptions. However in case one device is compromised, all the devices from the same batch (e.g., of the same brand or model) need to be recalled, which can be quite complex (and arguably impractical) in consumer scenarios. As a consequence we suggest a new attestation mode based on the recently proposed TokenWeaver, which provides more convenient mechanisms for revoking a single token while maintaining user privacy.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The name is chosen since during many of the attestation modes, the attestation key is generated on the authenticator during this step.
- 2.
- 3.
We have rephrased the respective condition in [4] which said “any registration partner of S" to avoid ambiguities. The meaning, however, has been maintained.
References
Alliance, F.: Passkeys FAQ (2023). https://fidoalliance.org/passkeys/#faq
Alliance, F.: What is FIDO?. https://fidoalliance.org/what-is-fido/ (2023)
Barbosa, M., Boldyreva, A., Chen, S., Warinschi, B.: Provable security analysis of FIDO2. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 125–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_5
Bindel, N., Cremers, C., Zhao, M.: FIDO2, CTAP 2.1, and WebAuthn 2: provable security and post-quantum instantiation. In: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, pp. 1471–1490. IEEE (2023). https://doi.org/10.1109/SP46215.2023.10179454
Bindel, N., Gama, N., Guasch, S., Ronen, E.: To attest or not to attest, this is the question – Provable attestation in FIDO2 (full version). IACR Cryptol. ePrint Arch., 2023/1398 (2023). https://eprint.iacr.org/2023/1398
Camenisch, J., Drijvers, M., Lehmann, A.: Universally composable direct anonymous attestation. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 234–264. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_10
Cohn-Gordon, K., Cremers, C., Garratt, L.: On post-compromise security. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 164–178. IEEE (2016)
Cremers, C., Jacomme, C., Ronen, E.: TokenWeaver: privacy preserving and post-compromise secure attestation. IACR Cryptol. ePrint Arch., 1691 (2022). https://eprint.iacr.org/2022/1691
Group, T.I.W.: A CMC profile for AIK certificate enrollment, version 1.0, revision 7 (2011). https://trustedcomputinggroup.org/wp-content/uploads/IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf
Hanzlik, L., Loss, J., Wagner, B.: Token meets wallet: formalizing privacy and revocation for FIDO2. In: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023, pp. 1491–1508. IEEE (2023). https://doi.org/10.1109/DSP46215.2023.10179373
NIST: Selected algorithms 2022. https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022 (2023)
Popov, A., Nystroem, M., Balfanz, D., Hodges, J.: The token binding protocol version 1.0 (2018). https://www.rfc-editor.org/rfc/rfc8471#section-1
Shakevsky, A., Ronen, E., Wool, A.: Trust Dies in Darkness: shedding light on Samsung’s TrustZone Keymaster design. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 251–268. USENIX Association, Boston, MA (2022). https://www.usenix.org/conference/usenixsecurity22/presentation/shakevsky
W3C: Web authentication: an API for accessing public key credentials level 2 (2021). https://www.w3.org/TR/webauthn-2/
W3C: Web authentication: an API for accessing public key credentials level 3 (2023). https://w3c.github.io/webauthn/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Bindel, N., Gama, N., Guasch, S., Ronen, E. (2023). To Attest or Not to Attest, This is the Question – Provable Attestation in FIDO2. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14443. Springer, Singapore. https://doi.org/10.1007/978-981-99-8736-8_10
Download citation
DOI: https://doi.org/10.1007/978-981-99-8736-8_10
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8735-1
Online ISBN: 978-981-99-8736-8
eBook Packages: Computer ScienceComputer Science (R0)