Fabian Schwarz
ABSTRACT
Two-factor authentication (2FA) mitigates the security risks of passwords as sole authentication factor. FIDO2---the de facto standard for interoperable web authentication---leverages strong, hardware-backed second factors. However, practical challenges hinder wider FIDO2 user adoption for 2FA tokens, such as the extra costs (20-30 per token) or the risk of inaccessible accounts upon token loss/theft.
To tackle the above challenges, we propose FeIDo, a virtual FIDO2 token that combines the security and interoperability of FIDO2 2FA authentication with the prevalence of existing eIDs (e.g., electronic passports). Our core idea is to derive FIDO2 credentials based on personally-identifying and verifiable attributes---name, date of birth, and place of birth---that we obtain from the user's eID. As these attributes do not change even for refreshed eID documents, the credentials "survive" token loss. Even though FeIDo operates on privacy-critical data, all personal data and resulting FIDO2 credentials stay unlinkable, are never leaked to third parties, and are securely managed in attestable hardware containers (e.g., SGX enclaves). In contrast to existing FIDO2 tokens, FeIDo can also derive and share verifiable meta attributes (anonymous credentials) with web services. These enable verified but pseudonymous user checks, e.g., for age verification (e.g., "is adult").
- 2019. Regulation (EU) 2019/1157 of the European Parliament and of the Council. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R1157Google Scholar
- 2020. Standardized Digital Identity on National Identity Cards. https://www.calctopia.com/2020/02/14/standardized-digital-identity-on-national-identity-cards/Google Scholar
- 2021. National ID cards: 2016-2021 facts and trends. https://www.thalesgroup. com/en/markets/digital-identity-and-security/government/identity/2016-national-id-card-trendsGoogle Scholar
- 2021. Popular Baby Names (US). https://www.ssa.gov/oact/babynames/limits. htmlGoogle Scholar
- 2021. The electronic passport in 2021 and beyond. https://www.thalesgroup.com/ en/markets/digital-identity-and-security/government/passport/electronic-passport-trendsGoogle Scholar
- 2022. Hardware-backed Keystore. https://source.android.com/security/keystoreGoogle Scholar
- Michel Abdalla, Pierre-Alain Fouque, and David Pointcheval. 2005. Password-Based Authenticated Key Exchange in the Three-Party Setting. In Public Key Cryptography,, Serge Vaudenay (Ed.). Springer Berlin Heidelberg, 65--84.Google Scholar
- FIDO Alliance. 2020. Using FIDO with eIDAS Services. https://fidoalliance.org/wp-content/uploads/2020/04/FIDO-deploying-FIDO2-eIDAS-QTSPs-eID-schemes-white-paper.pdfGoogle Scholar
- FIDO Alliance. 2021. FIDO Security Reference. https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-rd-20210525.htmlGoogle Scholar
- FIDO Alliance. 2022. Choosing FIDO Authenticators for Enterprise Use Cases. https://media.fidoalliance.org/wp-content/uploads/2022/03/FIDO-White-Paper-Choosing-FIDO-Authenticators-for-Enterprise-Use-Cases-RD10-2022.03.01.pdf Retrieved July 28, 2022 fromGoogle Scholar
- Ferdinand Brasser, Ghada Dessouky, Patrick Jauernig, Matthias Klimmek, Ahmad-Reza Sadeghi, and Emmanuel Stapf. 2021. CURE: A Security Architecture with CUstomizable and Resilient Enclaves. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 1073--1090. https://www.usenix.org/conference/usenixsecurity21/presentation/bahmaniGoogle Scholar
- Mihir Bellare. 2015. New proofs for NMAC and HMAC: Security without collision resistance. Journal of Cryptology, Vol. 28, 4 (2015), 844--878.Google ScholarDigital Library
- Jens Bender, Marc Fischlin, and Dennis Kügler. 2009. Security Analysis of the PACE Key-Agreement Protocol. In Information Security. Springer Berlin Heidelberg, 33--48.Google ScholarDigital Library
- Inc. Biometrics Research Group. 2020. Apple launches web authentication using FIDO standard with Touch ID or Face ID biometrics in Safari. https://www.biometricupdate.com/202006/apple-launches-web-authentication-using-fido-standard-with-touch-id-or-face-id-biometrics-in-safariGoogle Scholar
- Dhiman Chakraborty and Sven Bugiel. 2019. SimFIDO: FIDO2 User Authentication with simTPM. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2569--2571.Google ScholarDigital Library
- Dhiman Chakraborty, Lucjan Hanzlik, and Sven Bugiel. 2019. simTPM: User-centric TPM for Mobile Devices. In 28th USENIX Security Symposium (USENIX Security 19). 533--550.Google Scholar
- Intel Corporation. [n.,d.]. Intel SGX for Linux. https://github.com/intel/linux-sgxGoogle Scholar
- Intel Corporation. 2022. Intel SGX Data Center Attestation Primitives. https://download.01.org/intel-sgx/sgx-dcap/1.14/linux/docs/DCAP_ECDSA_Orientation.pdfGoogle Scholar
- Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptology ePrint Archive, Vol. 2016 (2016).Google Scholar
- Özgür Dagdelen and Marc Fischlin. 2011. Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents. In Information Security. Springer Berlin Heidelberg, Berlin, Heidelberg, 54--68.Google Scholar
- Organización Internacional de Normalización. 2020. ISO IEC 7816-4: Identification cards--Integrated circuit cards. Organization, security and commands for interchange. ISO.Google Scholar
- Matteo Dell'Amico, Pietro Michiardi, and Yves Roudier. 2010. Password strength: An empirical analysis. In 2010 Proceedings IEEE INFOCOM. IEEE, 1--9.Google ScholarCross Ref
- Ghada Dessouky, Tommaso Frassetto, and Ahmad-Reza Sadeghi. 2020. HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association. https://www.usenix.org/conference/usenixsecurity20/presentation/dessoukyGoogle Scholar
- Roger Dingledine, Nick Mathewson, and Paul Syverson. 2004. Tor: The Second-Generation Onion Router. In 13th USENIX Security Symposium (USENIX Security 04). USENIX Association, San Diego, CA. https://www.usenix.org/conference/13th-usenix-security-symposium/tor-second-generation-onion-routerGoogle Scholar
- Malin Eiband, Mohamed Khamis, Emanuel Von Zezschwitz, Heinrich Hussmann, and Florian Alt. 2017. Understanding shoulder surfing in the wild: Stories from users and observers. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. 4254--4265.Google ScholarDigital Library
- Frank Morgner and Dominik Oepen. [n.,d.]. OpenPACE. https://frankmorgner.github.io/openpace/Google Scholar
- Sanam Ghorbani Lyastani, Michael Schilling, Michaela Neumayr, Michael Backes, and Sven Bugiel. 2020. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In IEEE Symposium on Security and Privacy (SP).Google Scholar
- Sérgio Gonçalves, Alessandro Tomasi, Andrea Bisegna, Giulio Pellizzari, and Silvio Ranise. 2020. Verifiable Contracting: A Use Case for Onboarding and Contract Offering in Financial Services with eIDAS and Verifiable Credentials. 133--144. https://doi.org/10.1007/978-3-030-66504-3_8Google ScholarDigital Library
- Lucjan Hanzlik, Julian Loss, and Benedikt Wagner. 2022. Token meets Wallet: Formalizing Privacy and Revocation for FIDO2. https://ia.cr/2022/084Google Scholar
- Interpol. 2022. I-Checkit - FAQs brochure - Private Sector Partners. https://www.interpol.int/content/download/12470/file/I-Checkit_FAQs_brochure_private%20sector_EN_LR_02.pdf?inLanguage=eng-GB Retrieved July 25, 2022 fromGoogle Scholar
- Janis Danisevskis. 2018. Android Protected Confirmation: Taking transaction security to the next level. https://android-developers.googleblog.com/2018/10/android-protected-confirmation.htmlGoogle Scholar
- Governikus GmbH & Co. KG. 2022. AusweisApp2: Passende Smartphones & Tablets für die Online-Ausweisfunktion. https://www.ausweisapp.bund.de/mobile-geraete Retrieved July 27, 2022 fromGoogle Scholar
- Thomas Knauth, Michael Steiner, Somnath Chakrabarti, Li Lei, Cedric Xing, and Mona Vij. 2018. Integrating Remote Attestation with Transport Layer Security. CoRR, Vol. abs/1801.05863 (2018). arxiv: 1801.05863 http://arxiv.org/abs/1801.05863Google Scholar
- Hugo Krawczyk. 2010. Cryptographic extraction and key derivation: The HKDF scheme. In Annual Cryptology Conference. Springer, 631--648.Google ScholarCross Ref
- Johannes Kunke, Stephan Wiefling, Markus Ullmann, and Luigi Lo Iacono. 2021. Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication. In Open Identity Summit. Gesellschaft für Informatik e.V., Bonn.Google Scholar
- Duo Labs. 2020. WebAuthn.io (Github). https://github.com/duo-labs/webauthn.ioGoogle Scholar
- Duo Labs. 2021. WebAuthn.io: A demo of the WebAuthn specification. https://webauthn.io/Google Scholar
- Zeyu Lei, Yuhong Nan, Yanick Fratantonio, and Antonio Bianchi. 2021. On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices. In 28th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society. https://www.ndss-symposium.org/ndss-paper/on-the-insecurity-of-sms-one-time-password-messages-against-local-attackers-in-modern-mobile-devices/Google Scholar
- Blue Bite LLC. 2021. Android NFC Compatibility. https://www.bluebite.com/nfc/android-nfc-compatibility Retrieved July 27, 2022 fromGoogle Scholar
- SJB Research Ltd. 2019. Confirmed: iOS 13 to include support for NFC passport reading - NFCW. https://www.nfcw.com/2019/06/07/362943/confirmed-ios-13-to-include-support-for-nfc-passport-reading/ Retrieved July 27, 2022 fromGoogle Scholar
- Emil Lundberg, Michael Jones, J.C. Jones, Akshay Kumar, and Jeff Hodges. 2021. Web Authentication: An API for accessing Public Key Credentials - Level 2. Technical Report. W3C. https://www.w3.org/TR/2021/REC-webauthn-2--20210408/Google Scholar
- Martijn Oostdijk. [n.,d.]. JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents. https://jmrtd.org/Google Scholar
- Frank Morgner, Paul Bastian, and Marc Fischlin. 2016. Securing Transactions with the eIDAS Protocols. In Information Security Theory and Practice,, Sara Foresti and Javier Lopez (Eds.). Springer International Publishing, Cham, 3--18.Google Scholar
- Jämes Ménétrey, Christian Göttel, Marcelo Pasin, Pascal Felber, and Valerio Schiavoni. 2022. An Exploratory Study of Attestation Mechanisms for Trusted Execution Environments. In Workshop on System Software for Trusted Execution.Google Scholar
- Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé, and Gail-Joon Ahn. 2020. Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. In 29th USENIX Security Symposium (USENIX Security 20). 361--377.Google Scholar
- Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein, and Christof Fetzer. 2018. Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks. In USENIX Annual Technical Conference (USENIX ATC 18). USENIX Association, 227--240. https://www.usenix.org/conference/atc18/presentation/oleksenkoGoogle Scholar
- International Civil Avaiation Organization. 2021a. Machine Readable Travel Documents Part 11: Security Mechanisms for MRTDs eighth ed.). Technical Report. https://www.icao.int/publications/documents/9303_p11_cons_en.pdfGoogle Scholar
- International Civil Avaiation Organization. 2021b. Machine Readable Travel Documents Part 3: Specifications Common to all MRTDs eighth ed.). Technical Report. https://www.icao.int/publications/Documents/9303_p3_cons_en.pdfGoogle Scholar
- Hamza Saleem and Muhammad Naveed. 2020. SoK: Anatomy of Data Breaches. Proc. Priv. Enhancing Technol., Vol. 2020, 4 (2020), 153--174.Google ScholarCross Ref
- Fabian Schwarz and Christian Rossow. 2020. SENG, the SGX-Enforcing Network Gateway: Authorizing Communication from Shielded Clients. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 753--770. https://www.usenix.org/conference/usenixsecurity20/presentation/schwarzGoogle Scholar
- Latanya Sweeney. 2000. Simple demographics often identify people uniquely. Health (San Francisco), Vol. 671, 2000 (2000), 1--34.Google Scholar
- Yubico. 2021. Losing Your YubiKey - Yubico. https://support.yubico.com/hc/en-us/articles/360013647620-Losing-Your-YubiKeyGoogle Scholar
- Yubico. 2022a. Spare YubiKeys. https://www.yubico.com/spare/Google Scholar
- Yubico. 2022b. WebAuthn - Account Recovery. https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Account_Recovery.htmlGoogle Scholar
Index Terms
- FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs
Recommendations
Making a nymbler nymble using VERBS
PETS'10: Proceedings of the 10th international conference on Privacy enhancing technologiesWe propose a new system modeled after Nymble. Like Nymble, our scheme provides a privacy-preserving analog of IP address blocking for anonymizing networks. However, unlike Nymble, the user in our scheme need not trust third parties to maintain their ...
Concepts and languages for privacy-preserving attribute-based authentication
Existing cryptographic realizations of privacy-friendly authentication mechanisms such as anonymous credentials, minimal disclosure tokens, self-blindable credentials, and group signatures vary largely in the features they offer and in how these ...
Issuer-Hiding Attribute-Based Credentials
Cryptology and Network SecurityAbstractAttribute-based credential systems enable users to authenticate in a privacy-preserving manner. However, in such schemes verifying a user’s credential requires knowledge of the issuer’s public key, which by itself might already reveal private ...
Comments