FIDO2 and WebAuthn have momentum but won’t help if they are not used

March 18, 2023: The preprint referenced below has been updated to add a patent disclosure.

FIDO2 and WebAuthn have momentum. They are supported on all browsers. Apple, Google and Microsoft are busy developing or releasing initial versions of passkey syncing. NIST now requires resistance to phishing attacks at Authentication Assurance Level 3 of the Initial Public Draft of Revision 4 of the Digital Identity Guidelines. CISA has endorsed FIDO as the gold standard. And all the tech blogs are announcing the demise of passwords that FIDO will bring.

But a year ago the FIDO Alliance announced in a white paper that FIDO authentication “has not attained large-scale adoption in the consumer space.” Has that changed? Is it changing? Is it ever going to change?

The FIDO Alliance white paper coupled the announcement of the lack-of-adoption problem with a diagnosis of the problem and the announcement of an upcoming solution. The problem was due to the challenges that consumers face with platform authenticators: “having to re-enroll each new device”, and having “no easy ways to recover from a lost or stolen device”. Apple, Google and Microsoft were going to provide the solution by syncing credentials across devices. The term “passkeys” was coined to refer to synced credentials.

Apple, Google and Microsoft are keeping their promise and diligently working on the solution. Kudos to them. But FIDO authentication has daunting problems that are not addressed by passkeys.

One of them is the reliance on the device unlocking mechanism, e.g. Windows Hello in the case of a Windows laptop, to provide a second authentication factor supplementing the proof of possession of the private key. A user who does not set up device unlocking cannot use FIDO. How many users set it up? I couldn’t find any statistics about this, but I thought of people who would know. Geek Squad Agents work full time helping people set up and repair their devices, so they intimately know how consumers use laptops and smart phones. I interviewed one of them: “How many Windows users set up Windows Hello?” He said: “30%; just a guess.”. I thought he had misunderstood the question, so I asked again: “You mean as many as 30% do NOT set it up?” He replied: “No, MOST do not set it up. I’d guess about 30% set it up.”.

Another big problem for FIDO is its positioning as passwordless authentication. There are three kinds of authentication factors: knowledge, possession, and inherence. Advertising an authentication technology as being passwordless is advertising it as lacking one kind of factor. That’s a bad thing, not a good thing. I guess the slogan originated when people started using many web sites, and were told not to reuse passwords, and were having trouble remembering many different passwords. But that’s a problem that disappeared more than ten years ago when, first password managers, and then browsers, started keeping track of passwords.

Today users love passwords, and they resist having to use anything else. A password is the only authenticator factor that the user has full control over. It is the quintessential self-sovereign authentication factor.

I’ve just put online a preprint of a paper entitled “Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space.” The previous post was an extended abstract of the paper. The full paper gives the details, with figures, of two authentication protocols. The first one uses existing FIDO credentials and provides an incremental improvement on the FIDO user experience. The second protocol removes the major obstacles to the adoption of FIDO2 and WebAuthn, using enhanced credentials and an extension of WebAuthn. It does not require a Windows user to set up Windows Hello, and uses as a second factor a full fledged password, not a PIN or a biometric, cryptographically protected against reuse, data breaches, and phishing attacks by being combined with the cryptographic factor into a joint authentication procedure.

Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space

March 18, 2023: The preprint has been updated to add a patent disclosure.

This post is an extended abstract of a paper to be presented at HCI International 2023. A preprint of the full paper is available here.

Two-factor authentication (2FA) to a web application (hereinafter, the “relying party, or RP”), where the first factor is a password and the second factor is a security code sent to the user by the RP, has been touted as a solution to the vulnerabilities of passwords. But traditional 2FA is now known to be vulnerable to phishing attacks, as the security code can be relayed by a man-in-the-middle attacker in the same way as the password. On the other hand, cryptographic authentication with a key pair credential is phishing resistant because the private key is not transmitted to the attacker. Widespread adoption of cryptographic authentication could greatly improve the security of web applications, and cybersecurity more generally.

But as is the case for any new technology, adoption of cryptographic authentication will require a favorable user experience (UX), and current experiences face well-known challenges. In this paper we propose alternative user experiences that overcome these challenges in two different ways.

Continue reading “Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space”

A User Experience for Strong Authentication in the Consumer Space

This is the last post of a four-part series on cryptographic authentication. Links to earlier posts can be found at the end of this post.

A few months ago I was talking with a business woman about technology topics. As I was trying to explain the concept of cryptographic authentication with a key pair, she asked: what if the attacker steals the computer?

She then told me that a boyfriend had once stolen her computer and used it to launch a devastating attack against her life, which it took her months to recover from, by impersonating her on the internet. We did not discuss the details of the attack, but it is easy to imagine how it may have been carried out. He may have screen-unlocked her computer using her PIN, which she may have given to him before they became estranged, or he may have obtained the PIN through shoulder surfing. Her browser may have saved all her passwords and supplied them as he logged in to her financial and social media accounts with the stolen computer. He may also have been able to extract the passwords from the browser and transfer them to his own computer, using the same PIN to authenticate to the browser.

As I remembered this story I realized that I had missed this attack as I listed attacks relevant to the consumer space in part 2 of the series. I did list theft of the computer by a determined attacker who plans ahead and mounts a prior attack to get the PIN. But this attack is different because the attacker has to make little or no effort to get the PIN if he lives in the same house or apartment as the victim or visits often. It is also a different kind of attack, because the the goal of the attacker is to inflict pain rather than to obtain information or material gain. Together with cyberstalking and other forms of digital abuse against women, the attack belongs in a category that deserves special efforts to protect against. Yet FIDO2 and WebAuthn provide no defense against it, since no password is used, and only a PIN is required to unlock a credential.

A password-centric user experience

Remembering the story also made me rethink the user experience that I was going the propose in this blog post for the strong authentication method that I specified in the previous post (part 3).

Continue reading “A User Experience for Strong Authentication in the Consumer Space”

PSD2 Is In Trouble: Will It Survive?

This blog post has been coauthored with Karen Lewison

The 2nd Payment Services Directive (PSD2) of the European Union went into effect on September 14, but one of its most prominent provisions, the Strong Customer Authentication (SCA) requirement, was postponed until December 31, 2020 by an opinion dated 16 October 2019 of the European Banking Authority (EBA). The EBA cited pushback from the National Competent Authorities (NCAs) of the EU member countries as the reason for the postponement, and the fact that version 2 of the 3-D Secure protocol (3-D Secure 2) is not ready as a reason for the pushback.

PSD2 is supposed to be technology neutral, but the EBA has unequivocally endorsed 3-D Secure as the way to implement the SCA requirement for online credit card transactions, as stated in another opinion, dated 21 June 2019:

Continue reading “PSD2 Is In Trouble: Will It Survive?”

Will Cardholder Authentication Ever Come to the US?

This blog post has been coauthored with Karen Lewison

You may have heard that the EU is struggling to implement the Strong Customer Authentication (SCA) requirements of Payment Services Directive 2 (PSD2). The directive was issued four years ago, Regulatory Technical Standards (RTS) followed two years later, and the SCA requirements went into effect on September 14. But on October 16 the European Banking Authority (EBA) had to postpone enforcement until December 31, 2020, due to pushback from the National Competent Authorities (NCAs) of the EU member countries. In an opinion announcing the postponement, the EBA cited as a reason for the pushback the fact that 3-D Secure 2 (3DS2) is not ready.

The problems that the EBA is having with the SCA requirements have more to do with the bureaucratic formulation of the requirements in PSD2, than with the technical difficulty of providing strong security. We will discuss this in another post, but first we want to ask here whether cardholder authentication will ever come to the US.

Continue reading “Will Cardholder Authentication Ever Come to the US?”