International Association for Cryptologic Research

International Association
for Cryptologic Research


Provable Security Analysis of FIDO2

Manuel Barbosa , University of Porto (FCUP) and INESC TEC
Alexandra Boldyreva , Georgia Institute of Technology
Shan Chen , Technische Universität Darmstadt
Bogdan Warinschi , University of Bristol and Dfinity
DOI: 10.1007/978-3-030-84252-9_5 (login may be required)
Search ePrint
Search Google
Conference: CRYPTO 2021
Abstract: We carry out the first provable security analysis of the new FIDO2 protocols, the promising FIDO Alliance’s proposal for a standard for passwordless user authentication. Our analysis covers the core components of FIDO2: the W3C’s Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2). Our analysis is modular. For WebAuthn and CTAP2, in turn, we propose appropriate security models that aim to capture their intended security goals and use the models to analyze their security. First, our proof confirms the authentication security of WebAuthn. Then, we show CTAP2 can only be proved secure in a weak sense; meanwhile, we identify a series of its design flaws and provide suggestions for improvement. To withstand stronger yet realistic adversaries, we propose a generic protocol called sPACA and prove its strong security; with proper instantiations, sPACA is also more efficient than CTAP2. Finally, we analyze the overall security guarantees provided by FIDO2 and WebAuthn+sPACA based on the security of their components. We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, we advocate the adoption of our sPACA protocol as a substitute for CTAP2 for both stronger security and better performance.
Video from CRYPTO 2021
  title={Provable Security Analysis of FIDO2},
  author={Manuel Barbosa and Alexandra Boldyreva and Shan Chen and Bogdan Warinschi},