1

A Usability Study of FIDO2 Roaming Software Tokens as a Password Replacement

Rasmussen, Brian 06 August 2021
The use of passwords for user authentication has significant shortcomings. As society becomes more dependent on the internet and web services, we need to find a replacement authentication method that users are willing to use. WebAuthn is one potential technology for password replacement. Recent studies have shown that users enjoy the usability of WebAuthn and hardware tokens as a password replacement but don't want to carry them around. Meanwhile, little to no research involves the use of software tokens. I carried out a user study of WebAuthn and roaming software tokens when used as a password replacement. We were able to learn if the shortcomings of WebAuthn and hardware tokens were remedied by the use of smart phones as software tokens. Software tokens have similar usability to hardware tokens and are more usable than passwords. Users continued fearing loss of access to their account when using software tokens. Users were less worried about carrying an extra device but replaced that fear with the fear of a dead battery or a broken phone.
2

A Usability Study of FIDO2 Hardware Tokens on Mobile Devices

Lambert, Stephen 14 December 2022
Passwords as the primary form of authentication on the web have many issues, such as password re-use across sites and difficulty in remembering secure passwords. The FIDO Alliance has created a passwordless system that has support from companies like Google, Apple, and Microsoft: FIDO2. Studies have shown so far that users find FIDO2 usable on personal computers, but no work has been published on its usability on mobile devices. I conducted a lab study in which participants used FIDO2 passwordless authentication with hardware tokens on a mobile phone. Participants found FIDO2 usable on mobile devices, but had similar fears as participants in prior studies, primarily revolving around account loss. I also found that showing participants an instructional video after they had used FIDO2 on a mobile device increased perceived usefulness and likelihood of adoption, though usability scores remained about the same.
3

Säker nyckelhantering i webbläsaren / Secure Key Management in the Browser

Engman, Daniel, Hagman, William January 2023
Today, passwords are commonly used as an authentication method in modern applications. However, more and more companies and applications are moving away from this method and instead using encrypted keys and certificates to increase security. Additionally, phones and computers have been developed that have hardware security modules to store and protect such information. The project was based on getting to know different cryptographic standards in a modern browser, with a focus on WebAuthn. Next, a Proof-of-Concept application was developed and designed in AWS that used WebAuthn for authentication. Additional features that allow reuse of the private key generated by WebAuthn were implemented and tested. These extensions include pseudo-random function (PRF) and large blob. The result was a functioning web application in AWS that uses the WebAuthn standard where a user can register and authenticate themselves using biometric methods instead of passwords. The implementation of private key reuse extensions proved to be a challenge. Technical difficulties with browsers, protocols, and authenticators, as well as the fact that the WebAuthn standard is relatively new, affected the implementation of the extensions. It may be worth noting that over time, more browsers and authentication devices will likely support these features, which may allow private key reuse. In conclusion, the project showed that it is possible to create a web application in AWS that uses the WebAuthn standard and enables authentication with biometric methods. Despite the technical challenges with pseudo-random function (PRF) and large blob, it is a promising direction for future implementations as the standard matures and support for the extension functions improves.
4

Systém Excalibur - implementace SSO / Excalibur System - SSO Implementation

Chripko, Juraj January 2021
The goal of the Excalibur system is to move authentication from the passwords used today toward a passwordless future. The aim of this thesis is the integration of the Excalibur system with the web passwordless protocols SAML and FIDO2. The SAML standard was integrated into the Excalibur system and successfully tested with several well-known applications. Excalibur is responsible for the authentication itself and for user management, and SAML is used to pass this information to third-party applications. FIDO2, on the other hand, is a complete authentication standard that can be integrated into the Excalibur system in several ways. The most promising way appears to be replacing the authentication mechanism of the Excalibur system with FIDO2, but weak support for the standard and missing features do not allow this yet.
5

Usability-Driven Security Enhancements in Person-to-Person Communication

Yadav, Tarun Kumar 01 February 2024
In the contemporary digital landscape, ensuring secure communication amid widespread data exchange is imperative. This dissertation focuses on enhancing the security and privacy of end-to-end encryption (E2EE) applications while maintaining or improving usability. The dissertation first investigates and proposes improvements in two areas of existing E2EE applications: countering man-in-the-middle and impersonation attacks through automated key verification and studying user perceptions of cryptographic deniability. Insights from privacy-conscious users reveal concerns about the lack of E2EE support, app siloing, and data accessibility by client apps. To address these issues, we propose an innovative user-controlled encryption system, enabling encryption before data reaches the client app. Finally, the dissertation evaluates local threats in the FIDO2 protocol and devises defenses against these risks. Additionally, it explores streamlining FIDO2 authentication management across multiple websites for user convenience and security.
