FIDO2 and WebAuthn have momentum but won’t help if they are not used

March 18, 2023: The preprint referenced below has been updated to add a patent disclosure.

FIDO2 and WebAuthn have momentum. They are supported on all browsers. Apple, Google and Microsoft are busy developing or releasing initial versions of passkey syncing. NIST now requires resistance to phishing attacks at Authentication Assurance Level 3 of the Initial Public Draft of Revision 4 of the Digital Identity Guidelines. CISA has endorsed FIDO as the gold standard. And all the tech blogs are announcing the demise of passwords that FIDO will bring.

But a year ago the FIDO Alliance announced in a white paper that FIDO authentication “has not attained large-scale adoption in the consumer space.” Has that changed? Is it changing? Is it ever going to change?

The FIDO Alliance white paper coupled the announcement of the lack-of-adoption problem with a diagnosis of the problem and the announcement of an upcoming solution. The problem was due to the challenges that consumers face with platform authenticators: “having to re-enroll each new device”, and having “no easy ways to recover from a lost or stolen device”. Apple, Google and Microsoft were going to provide the solution by syncing credentials across devices. The term “passkeys” was coined to refer to synced credentials.

Apple, Google and Microsoft are keeping their promise and diligently working on the solution. Kudos to them. But FIDO authentication has daunting problems that are not addressed by passkeys.

One of them is the reliance on the device unlocking mechanism, e.g. Windows Hello in the case of a Windows laptop, to provide a second authentication factor supplementing the proof of possession of the private key. A user who does not set up device unlocking cannot use FIDO. How many users set it up? I couldn’t find any statistics about this, but I thought of people who would know. Geek Squad Agents work full time helping people set up and repair their devices, so they intimately know how consumers use laptops and smart phones. I interviewed one of them: “How many Windows users set up Windows Hello?” He said: “30%; just a guess.”. I thought he had misunderstood the question, so I asked again: “You mean as many as 30% do NOT set it up?” He replied: “No, MOST do not set it up. I’d guess about 30% set it up.”.

Another big problem for FIDO is its positioning as passwordless authentication. There are three kinds of authentication factors: knowledge, possession, and inherence. Advertising an authentication technology as being passwordless is advertising it as lacking one kind of factor. That’s a bad thing, not a good thing. I guess the slogan originated when people started using many web sites, and were told not to reuse passwords, and were having trouble remembering many different passwords. But that’s a problem that disappeared more than ten years ago when, first password managers, and then browsers, started keeping track of passwords.

Today users love passwords, and they resist having to use anything else. A password is the only authenticator factor that the user has full control over. It is the quintessential self-sovereign authentication factor.

I’ve just put online a preprint of a paper entitled “Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space.” The previous post was an extended abstract of the paper. The full paper gives the details, with figures, of two authentication protocols. The first one uses existing FIDO credentials and provides an incremental improvement on the FIDO user experience. The second protocol removes the major obstacles to the adoption of FIDO2 and WebAuthn, using enhanced credentials and an extension of WebAuthn. It does not require a Windows user to set up Windows Hello, and uses as a second factor a full fledged password, not a PIN or a biometric, cryptographically protected against reuse, data breaches, and phishing attacks by being combined with the cryptographic factor into a joint authentication procedure.

Leave a Reply

Your email address will not be published.