Fast Identity Online Research Articles

Fast Identity Online 2 :Authentication Technique

Fast Identity Online 2 (FIDO2) emerges as a transformative solution to the vulnerabilities inherent in traditional password-based authentication methods. Leveraging public key cryptography and authenticators, it establishes a passwordless authentication paradigm, extending its relevance beyond web applications to diverse realms such as online payments and government services. This paper explores FIDO2's emphasis on a seamless user experience while bolstering security measures through innovative credential management techniques. The acceptance of FIDO2 on major browsers ensures its usability on mobile devices, with most modern devices equipped to support FIDO2 authentication, thus expanding its reach and applicability. Additionally, its adoption by major tech companies and standards bodies underscores its credibility and potential for widespread adoption. However, challenges remain, including overcoming legacy systems, addressing compatibility issues, and ensuring user education. Despite these challenges, FIDO2 represents a significant advancement in online authentication, offering strong security, usability, and privacy features, positioning it as a key enabler of the passwordless authentication paradigm. Keywords: Public key cryptosystem, challenge, relying party, web browser and web authentication.

How many FIDO protocols are needed? Analysing the technology, security and compliance

To overcome the security vulnerabilities caused by weak passwords, thus bridge the gap between user friendly interfaces and advanced security features, the Fast IDentity Online (FIDO) alliance defined a number of authentication protocols. The existing literature leverages all versions of the FIDO protocols, without indicating the reasons behind the choice of each individual FIDO protocol (i.e., U2F, UAF, FIDO2). Inevitably, the question “which protocol is more suitable per case” becomes significant. To provide an answer to the previous question, this article performs a thorough comparative analysis on the different protocol specifications and their technological and market support, to identify whether any protocol has become obsolete. To reach to a conclusion, the proposed approach (i) explores the existing literature, (ii) analyses the specifications released by the FIDO Alliance, elaborating on the security characteristics, (iii) inspects the technical adoption by the industry and (iv) investigates the compliance of the FIDO with standards, regulations and other identity verification protocols. Our results indicate that FIDO2 is the most widely adopted solution; however, U2F remains supported by numerous web services as a two-factor authentication (2FA) choice, while UAF continues to be utilised in mobile clients seeking to offer the Transaction Confirmation feature.

Decentralized Identity Authentication Mechanism: Integrating FIDO and Blockchain for Enhanced Security

FIDO (Fast Identity Online) is a set of network identity standards established by the FIDO Alliance. It employs a framework based on public key cryptography to facilitate multi-factor authentication (MFA) and biometric login, ensuring the robust protection of personal data associated with cloud accounts and ensuring the security of server-to-terminal device protocols during the login process. The FIDO Alliance has established three standards: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF), and the Client to Authenticator Protocols (CTAP). The newer CTAP, also known as FIDO2, integrates passwordless login and two-factor authentication. Importantly, FIDO2’s support for major browsers enables users to authenticate their identities via FIDO2 across a broader range of platforms and devices, ushering in the era of passwordless authentication. In the FIDO2 framework, if a user’s device is stolen or compromised, then the private key may be compromised, and the public key stored on the FIDO2 server may be tampered with by attackers attempting to impersonate the user for identity authentication, posing a high risk to information security. Recognizing this, this study aims to propose a solution based on the FIDO2 framework, combined with blockchain technology and access control, called the FIDO2 blockchain architecture, to address existing security vulnerabilities in FIDO2. By leveraging the decentralized nature of the blockchain, the study addresses potential single points of failure in FIDO2 server centralized identity management systems, thereby enhancing system security and availability. Furthermore, the immutability of the blockchain ensures the integrity of public keys once securely stored on the chain, effectively reducing the risk of attackers impersonating user identities. Additionally, the study implements an access control mechanism to manage user permissions effectively, ensuring that only authorized users can access corresponding permissions and preventing unauthorized modifications and abuse. In addition to proposing practical solutions and steps, the study explains and addresses security concerns and conducts performance evaluations. Overall, this study brings higher levels of security and trustworthiness to FIDO2, providing a robust identity authentication solution.

Zero knowledge registration of PKI authentication for symbiotic security in FIDO IoT

In this paper, we critically discourse on the current Fast IDentity Online specification, its underlying security layer and the resulting misconceptions or even weaknesses. We juxtapose the presented view against some of the fundamental and long-standing public key infrastructure problems such as the initial enrolment of identities and their keys (e.g., X.509v3 certificates). We then observe a novel approach of zero-knowledge initial enrolment of resource-constrained Internet of Things devices and investigate how its idea of symbiotic security, i.e., a consistent and consolidated cooperative design which involves all architectural building blocks such as software, hardware, networks, and processes, can contribute to the new Fast IDentity Online Internet of Things specification in the making. Finally, we suggest by way of an outlook or future work how this already modular security-by-design mindset can be further enhanced through a dynamic management system to keep cryptographic keys in volatile memory only. The idea is also based on a symbiotic connection between hardware and software to create a number of added benefits from the security perspective.

How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy

This paper presents a timing attack on the FIDO2 (Fast IDentity Online) authentication protocol that allows attackers to link user accounts stored in vulnerable authenticators, a serious privacy concern. FIDO2 is a new standard specified by the FIDO industry alliance for secure token online authentication. It complements the W3C WebAuthn specification by providing means to use a USB token or other authenticator (which holds the secret authenticating material and implements FIDO protocols) as a second factor during the authentication process. From a cryptographic perspective, the protocol is a simple challenge-response where the elliptic curve digital signature algorithm is used to sign challenges. To protect the privacy of the user the token uses unique key pairs per service. To accommodate for small memory, tokens use various techniques that make use of a special parameter called a key handle sent by the service to the token with which the token can securely produce an authentication key (through generation or decryption). We identify and analyse a vulnerability in the way the processing of key handles is implemented that allows attackers to remotely link user accounts on multiple services. We show that for vulnerable authenticators there is a difference between the time it takes to process a key handle for a different service but correct authenticator, and for a different authenticator but correct service. This difference can be used to perform a timing attack allowing an adversary to link user’s accounts across services. We present several real world examples of adversaries that are in a position to execute our attack and can benefit from linking accounts. We found that two of the eight hardware authenticators we tested were vulnerable despite FIDO level 1 certification, indicating a not insignificant problem. This vulnerability cannot be easily mitigated on authenticators because, for security reasons, they usually do not allow firmware updates. In addition, we show that due to the way existing browsers implement the WebAuthn standard, the attack can be executed remotely. However, we discuss countermeasures that can be implemented by browser providers to mitigate the remote form of the attack.

Loki: A Physical Security Key Compatible IoT Based Lock for Protecting Physical Assets

The twenty first century has witnessed an enormous rise in data produced per person and it has also witnessed newer and advanced forms of digital attacks and instinctively, witnessed a rise in the need for data protection. However, the essential assets are still physical and needs to be protected. Usually vaults, lockers, safes and so on and used for the safe keeping of the physical assets. However, studies have shown they are vulnerable to various attacks. This paper proposes a novel and robust physical lock for safekeeping of physical assets called Loki. A Physical Security key is used to authenticate the lock and it uses a cloud-server architecture. It employs best cloud security practices, proper use of cryptography and trusted computing to mitigate all common risks. The cloud architecture runs a Virtual Machine (VM) to securely authenticate using Fast IDentity Online (FIDO2) specifications. The physical authenticator data is stored in the cloud for security and only accessed when an unlock is requested. The cloud allows web-based physical key management for adding more keys or removing keys. The whole system has been implemented in a Internet of Things (IoT) scenario.

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

With the expansion of smartphone and financial technologies (FinTech), mobile money emerged to improve financial inclusion in many developing nations. The majority of the mobile money schemes used in these nations implement two-factor authentication (2FA) as the only means of verifying mobile money users. These 2FA schemes are vulnerable to numerous security attacks because they only use a personal identification number (PIN) and subscriber identity module (SIM). This study aims to develop a secure and efficient multi-factor authentication algorithm for mobile money applications. It uses a novel approach combining PIN, a one-time password (OTP), and a biometric fingerprint to enforce extra security during mobile money authentication. It also uses a biometric fingerprint and quick response (QR) code to confirm mobile money withdrawal. The security of the PIN and OTP is enforced by using secure hashing algorithm-256 (SHA-256), a biometric fingerprint by Fast IDentity Online (FIDO) that uses a standard public key cryptography technique (RSA), and Fernet encryption to secure a QR code and the records in the databases. The evolutionary prototyping model was adopted when developing the native mobile money application prototypes to prove that the algorithm is feasible and provides a higher degree of security. The developed applications were tested, and a detailed security analysis was conducted. The results show that the proposed algorithm is secure, efficient, and highly effective against the various threat models. It also offers secure and efficient authentication and ensures data confidentiality, integrity, non-repudiation, user anonymity, and privacy. The performance analysis indicates that it achieves better overall performance compared with the existing mobile money systems.

Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild

Windows Hello is a Fast IDentity Online- (FIDO-) based new login system for Windows 10, which provides a single sign-on (SSO) service to diverse online applications. Hardware protection is essential for Window Hello’s security. This paper aims to examine the security of Windows Hello on a device where hardware protection is unavailable. We present the first detailed analysis of Windows Hello’s security. The results show that, on a hardware-unsupported device, the authentication data for Windows Hello is not properly protected. We propose a migration attack to compromise Windows Hello’s security. In the proposed attack, an attacker extracts authentication data from a device to impersonate a victim in his or her Microsoft online account. We consider the possibility of such an attack to be serious and harmful to our society and demand immediate attention for remediation.

Fast Identity Online-Based Facial Authentication System Development in Mobile

Recently, research on methods to improve upon the security vulnerability of password based authentication is being actively conducted. Research on how to use real-time biometric recognition is also actively underway. The system development of Public Key Infrastructure (PKI) key pairs and uses a method that safely stores the produced keys in secure zones, and encryption key data is composed so that access can only be made in Fast Identity Online (FIDO) Authenticator zones. Face certification data extracted from the face recognition engine is created, data can be accessed and saved through encryption. With the Fast Identity Online (FIDO) Authenticator, a method was developed that compares and face certification data. The system in this thesis developed a Fast Identity Online (FIDO) based face certification system that uses biometric authentication to supplement the weaknesses of password based systems which were used for user certification in the past because they cost little and are convenient. System development in this thesis was conducted by applying a Fast Identity Online (FIDO) based certification system to an Active Shape Model (ASM) style face recognition algorithm. After taking a photo of the face with the user’s cellular phone and saving it, certification is carried out through comparisons made of the photo and real-time input images. Once certification is made using Fast Identity Online (FIDO) protocols, tests of face detection speed and matching speed are conducted to measure accuracy and speed. A total of 30 tests were conducted and test results showed that detection speed was an average of 30.35 f/s and matching speed was 14.16 ms. In this paper, biometric authentication security and convenience are provided by using security functions provided by user devices and supplementing them with a server operation method.

Authenticator Rebinding Attack of the UAF Protocol on Mobile Devices

We present a novel attack named “Authenticator Rebinding Attack,” which aims at the Fast IDentity Online (FIDO) Universal Authentication Framework (UAF) protocol implemented on mobile devices. The presented Authenticator Rebinding Attack rebinds the victim’s identity to the attacker’s authenticator rather than the victim’s authenticator being verified by the service in the UAF protocol, allowing the attacker to bypass the UAF protocol local authentication mechanism by imitating the victim to perform sensitive operations such as transfer and payment. The lack of effective authentication between entities in the implementations of the UAF protocol used in the actual system causes the vulnerability to the Authenticator Rebinding Attack. In this paper, we implement this attack on the Android platform and evaluate its implementability, where results show that the proposed attack is implementable in the actual system and Android applications using the UAF protocol are prone to such attack. We also discuss the possible countermeasures against the threats posed by Authenticator Rebinding Attack for different stakeholders implementing UAF on the Android platform.

Secured smart mobile app for smart home environment

Smart home appliances like smart door, smart AC, smart lights etc., are the facilities which can be utilized because of advancements in Internet of Things. However, security of these smart home appliances is very much important to avoid security threats. Existing smart home appliances are facing problems with security issues such as such as hacking, mishandling of devices etc., due to one stage authentication process. The proposed Secured Smart Mobile App for Smart Home Environment (SSMASHE) provides a two stage authentication process which can secure smart home appliances. It consists of three modules, first one is smart things, next one smart mobile app and the third module is big data platform. In this paper a smart home environment embedding with smart mobile app has been simulated to evaluate the security mechanism through authentication process. In this process the delay has been calculated for the purpose of fast communication and security assigned to big data environment. The proposed method delay time is less when compared to Fast Identity Online (FIDO) method. The proposed method is comfortable to real time heterogeneous smart home IoT devices because this process follows the asynchronous authentication procedure.

Secure User Authentication using Captcha as Passwords based on Graphical Methods

An alternative to traditional text-based password is being proposed. This aims to enhance the safety and security of the current system by adding a layer of additional security, the proposed system uses FIDO (Fast Identity Online) which unlike password catalogue, stores personally recognizing information data locally on the handler's device to defend it. FIDO's personal identification and local storing of biometric is an intended way to ease user apprehensions about personal data. Image-captchas have lately developed into a very prevalent and extensively organized crossways throughout the online networks to guard from the offensive things. Still, the developing competence in the system field has steadily weakened the safety of Image-captcha and has exposed them to attacks. Built on our valuation, we roughly recognize the defects in these methods of prominent structures, laterally with the perfect performance and plan. Ideologies for more secure captchas are formed from our findings which lean-to light on the considerate of measure and impact, for captcha solving.

FIDO Protocol Based on Physical Unclonable Functions and Its Application into Electronic Contract

In this paper, the emerging Physical Unclonable Function (PUF) and Fast Identity Online (FIDO), are studied for the secure identification (ID) authentication of electronic contract. To solve the unstable response of PUF, error correction algorithms are applied. This paper proposes a high security authentication protocol, which is a FIDO protocol based on PUF. A comparison of the proposed protocol with three classical protocols is presented. The results shows that the proposed protocol has the advantages of anti-cloning and error-correcting compared with existing authentication protocols. Finally, the application of the FIDO protocol based on PUF into the electronic contract is also demonstrated.

Context-Aware Multimodal FIDO Authenticator for Sustainable IT Services

Existing sustainable IT services have several problems related to user authentication such as the inefficiency of managing the system security, low security, and low usability. In this paper, we propose a Fast IDentity Online (FIDO) authenticator that performs continuous authentication with implicit authentication based on user context and multimodal authentication. The proposed FIDO authenticator, a context-aware multimodal FIDO authentication (CAMFA) method, combines information such as the user context, state of the mobile device, and user biometrics, then applies implicit and explicit authentication methods to meet the level of authentication required by the service provider. This reduces the user’s explicit authentication burden and continually authenticates users at risk during the session. Moreover, it is able to respond to attacks such as the theft of the authentication method or session hijacking. To study the effectiveness of CAMFA, we ran a user study by collecting data from 22 participants over 42 days of activity on a practical Android platform. The result of the user study demonstrates that the number of explicit authentication requests could be reduced by half. Based on the results of this study, an advanced user authentication that provides multimodal and continuous authentication could be applied to sustainable IT services.

Security analysis of an attractive online authentication standard: FIDO UAF protocol

FIDO (Fast IDentity Online) Alliance proposed a set of standard in 2014 for change the nature of online authentication. By now, it has drawn attention from many companies, including Google, VISA, Intel etc. In this paper, we analyze the FIDO UAF (Universal Authentication Framework) Protocol, one of the two sets of specifications in the standard. We first present protocols' cryptographic abstractions for the registration and authentication protocols of the FIDO UAF. According to the abstractions, we discuss on selected security goals presented in the standard to study UAF security properties. We also propose three attacks, which the first two are based on an assumption that an attacker can corrupt the software installed on the user device, and the third is based on two users sharing a FIDO roaming authenticator. The results of the attacks are to impersonate the legitimate user to pass the online authentication.

A Simple Fingerprint Fuzzy Vault for FIDO

Fast IDentity Online(FIDO) supports biometric authentications in an online environment without transmitting biometric templates over the network. For a given FIDO client, the securely stores biometric templates, houses additional biometric templates, and unlocks private keys via biometrics. The Fuzzy Vault has been extensively researched and some vulnerabilities have been discovered, such as brute force, correlation, and key inversions attacks. In this paper, we propose a simple fingerprint Fuzzy Vault for FIDO clients. By using the FIDO feature, a simple minutiae alignment, and point-to-point matching, our Fuzzy Vault provides a secure algorithm to combat a variety of attacks, such as brute force, correlation, and key inversions. Using a case study, we verified our Fuzzy Vault by using a publicly available fingerprint database. The results of our experiments show that the Genuine Acceptance Rate and the False Acceptance Rate range from 48.89% to 80% and from 0.02% to 0%, respectively. In addition, our Fuzzy Vault, compared to existing similar technologies, needed fewer attempts.

A Robust Mutual Authentication between User Devices and Relaying Server(FIDO Server) using Certificate Authority in FIDO Environments

Recently, Biometrics is being magnified than ID or password about user authentication. However, unlike a PIN, password, and personal information there is no way to modify the exposure if it is exposed and used illegally. As FIDO(Fast IDentity Online) than existing server storing method, It stores a user's biometric information to the user device. And the user device authentication using the user's biometric information, the user equipment has been used a method to notify only the authentication result to the server FIDO. However, FIDO has no mutual authentication between the user device and the FIDO server. We use a Certificate Authority in order to mutually authenticate the user and the FIDO server. Thereby, we propose a more reliable method and compared this paper with existed methods about security analysis.

FIDO Alliance to boost online authentication

Agnitio, Infineon Technologies, Lenovo, Nok Nok Labs, PayPal, and Validity have formed the FIDO Alliance (Fast IDentity Online) to address online authentication with an industry supported standards-based open protocol. FIDO Alliance founding member organisations are developing the specification and FIDO-compliant products.