ABSTRACT
Passwords remain a problem in today's digital world. FIDO2, through WebAuthn, brings password-less authentication to web applications and services that is both more usable and more secure than classic password-based systems. In this work we give a brief overview of FIDO2 and present WebDevAuthn, a novel web tool that analyses FIDO2/WebAuthn requests and responses. The tool helps developers understand how FIDO2 works, speeds up development and debugging through its WebAuthn traffic analyser, and supports penetration testing of an application by letting the tester edit WebAuthn requests or responses before they reach the other side.