International Association for Cryptologic Research



To attest or not to attest, this is the question – Provable attestation in FIDO2

Nina Bindel , SandboxAQ
Nicolas Gama , SandboxAQ
Sandra Guasch , SandboxAQ
Eyal Ronen , Tel Aviv University
Presentation: Slides
Conference: ASIACRYPT 2023
Abstract: FIDO2 is currently the main initiative for passwordless authentication in web servers. It mandates the use of secure hardware authenticators to protect the authentication protocol's secrets from compromise. However, to ensure that only secure authenticators are being used, web servers need a method to attest their properties. The FIDO2 specifications allow authenticators and web servers to choose between different attestation modes to prove the characteristics of an authenticator; however, the properties of most of these modes have not been analysed in the context of FIDO2. In this work, we analyse the security and privacy properties of FIDO2 when the different attestation modes included in the standard are used, and show that they lack a good balance between security, privacy and revocation of corrupted devices. For example, the basic attestation mode prevents remote servers from tracing a user's actions across different services while requiring reduced trust assumptions. However, if one device is compromised, all the devices from the same batch (e.g., of the same brand or model) need to be recalled, which can be quite complex (and arguably impractical) in consumer scenarios. As a consequence, we suggest a new attestation mode based on the recently proposed TokenWeaver, which provides more convenient mechanisms for revoking a single token while maintaining user privacy.
  title={To attest or not to attest, this is the question – Provable attestation in FIDO2},
  author={Nina Bindel and Nicolas Gama and Sandra Guasch and Eyal Ronen},