Abstract
The FIDO2 standards for strong authentication on the Internet define an extension interface that allows them to adapt flexibly to future use cases. Establishing new FIDO2 extensions, however, is currently limited to web browser developers and members of the FIDO Alliance. We show how researchers and developers can design and implement their own extensions, using FIDO2 as a well-established and secure foundation for demonstrating innovative authentication concepts or supporting custom deployments. Our open-source implementation covers the full FIDO2 stack, from the Chromium web browser down to hardware tokens, to enable tailor-made authentication built on the existing FIDO2 ecosystem. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. The current design of these clients and authenticators, however, hinders the implementation of custom extensions, and they support only a limited number of extensions out of the box. We discuss weaknesses of current implementations and identify the lack of extension pass-through (a client forwarding extension inputs it does not itself recognize to the authenticator) as a major limitation of current FIDO2 clients.
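The practical consequence of missing extension pass-through is that an extension a relying party requests can be dropped silently on the way to the authenticator. Whether an extension actually reached the authenticator is visible in the returned authenticator data: when the ED flag (0x80) is set, a CBOR map of authenticator extension outputs follows the attested credential data. The following Node.js example is added here and is not code from the paper or its repository. It parses authenticator data with a minimal CBOR decoder, strictly rejects flag/length mismatches, and reports, for a list of CTAP extension identifiers, which ones the authenticator processed. The sample authenticator data is constructed (filler hash, AAGUID and key coordinates); note that some WebAuthn-level identifiers differ from their CTAP counterparts (e.g. hmacCreateSecret vs. hmac-secret), so the check below works with CTAP identifiers, and extensions handled entirely by the client would instead appear in `getClientExtensionResults()`, which this example does not cover.

```javascript
// Added example (not from the paper): parse WebAuthn/CTAP2 authenticator data
// and report which requested extensions the authenticator actually processed.
// The sample authenticator data at the bottom is constructed for this example.

const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40, FLAG_ED = 0x80;

// Minimal CBOR decoder covering what authenticator data needs: unsigned and
// negative integers, byte and text strings, arrays, maps, and true/false/null.
function decodeCbor(buf, offset = 0) {
  if (offset >= buf.length) throw new Error('CBOR: unexpected end of input');
  const ib = buf[offset];
  const major = ib >> 5, info = ib & 0x1f;
  let pos = offset + 1, arg;
  if (info < 24) arg = info;
  else if (info === 24) { arg = buf.readUInt8(pos); pos += 1; }
  else if (info === 25) { arg = buf.readUInt16BE(pos); pos += 2; }
  else if (info === 26) { arg = buf.readUInt32BE(pos); pos += 4; }
  else throw new Error(`CBOR: unsupported additional info ${info} at ${offset}`);
  switch (major) {
    case 0: return [arg, pos];
    case 1: return [-1 - arg, pos];
    case 2: case 3: {
      if (pos + arg > buf.length) throw new Error('CBOR: string runs past end of input');
      const s = buf.subarray(pos, pos + arg);
      return [major === 2 ? s : s.toString('utf8'), pos + arg];
    }
    case 4: {
      const arr = [];
      for (let i = 0; i < arg; i++) { const [v, p] = decodeCbor(buf, pos); arr.push(v); pos = p; }
      return [arr, pos];
    }
    case 5: {
      const map = new Map(); // a Map, because COSE keys use integer map keys
      for (let i = 0; i < arg; i++) {
        const [k, p1] = decodeCbor(buf, pos);
        const [v, p2] = decodeCbor(buf, p1);
        map.set(k, v); pos = p2;
      }
      return [map, pos];
    }
    case 7:
      if (info === 20) return [false, pos];
      if (info === 21) return [true, pos];
      if (info === 22) return [null, pos];
      throw new Error(`CBOR: unsupported simple value ${info}`);
    default:
      throw new Error(`CBOR: unsupported major type ${major}`);
  }
}

// Authenticator data layout (WebAuthn L2, section 6.1): rpIdHash(32) | flags(1) |
// signCount(4) | attested credential data if AT | extensions (CBOR map) if ED.
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error('authData: shorter than the 37-byte fixed header');
  const flags = buf[32];
  const out = {
    rpIdHash: buf.subarray(0, 32),
    flags: { up: !!(flags & FLAG_UP), uv: !!(flags & FLAG_UV),
             at: !!(flags & FLAG_AT), ed: !!(flags & FLAG_ED) },
    signCount: buf.readUInt32BE(33),
    aaguid: null, credentialId: null, credentialPublicKey: null, extensions: null,
  };
  let pos = 37;
  if (out.flags.at) {
    if (buf.length < pos + 18) throw new Error('authData: truncated attested credential data');
    out.aaguid = buf.subarray(pos, pos + 16); pos += 16;
    const idLen = buf.readUInt16BE(pos); pos += 2;
    if (buf.length < pos + idLen) throw new Error('authData: credential id runs past end');
    out.credentialId = buf.subarray(pos, pos + idLen); pos += idLen;
    [out.credentialPublicKey, pos] = decodeCbor(buf, pos);
  }
  if (out.flags.ed) {
    [out.extensions, pos] = decodeCbor(buf, pos);
    if (!(out.extensions instanceof Map)) throw new Error('authData: extensions is not a CBOR map');
  }
  // Strict: leftover bytes mean a flag/length mismatch; never ignore them silently.
  if (pos !== buf.length) throw new Error(`authData: ${buf.length - pos} trailing byte(s)`);
  return out;
}

// For the CTAP extension identifiers the RP asked for, report which ones the
// authenticator processed (present in the ED map) and which were dropped on
// the way, typically by a client without extension pass-through.
function reportExtensionPassThrough(authData, requestedIds) {
  const parsed = parseAuthenticatorData(authData);
  const report = {};
  for (const id of requestedIds) {
    report[id] = parsed.extensions !== null && parsed.extensions.has(id) ? 'processed' : 'dropped';
  }
  return report;
}

// Constructed sample: makeCredential authenticator data for a P-256 credential
// where the authenticator processed credProtect and hmac-secret.
const SAMPLE_AUTH_DATA = Buffer.concat([
  Buffer.alloc(32, 0x11),                                  // rpIdHash (filler)
  Buffer.from([FLAG_UP | FLAG_AT | FLAG_ED]),              // flags = 0xC1
  Buffer.from([0, 0, 0, 7]),                               // signCount = 7
  Buffer.alloc(16, 0x22),                                  // AAGUID (filler)
  Buffer.from([0x00, 0x04, 0xde, 0xad, 0xbe, 0xef]),       // credIdLen = 4, credId
  // COSE_Key: {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}
  Buffer.from('a5010203262001215820', 'hex'), Buffer.alloc(32, 0x33),
  Buffer.from('225820', 'hex'), Buffer.alloc(32, 0x44),
  // extensions: {"credProtect": 2, "hmac-secret": true}
  Buffer.from([0xa2, 0x6b]), Buffer.from('credProtect'),
  Buffer.from([0x02, 0x6b]), Buffer.from('hmac-secret'), Buffer.from([0xf5]),
]);

const SAMPLE_REPORT = reportExtensionPassThrough(SAMPLE_AUTH_DATA,
  ['credProtect', 'hmac-secret', 'myCustomExt']); // myCustomExt is a hypothetical id
console.log(SAMPLE_REPORT);
```

Running it prints `{ credProtect: 'processed', 'hmac-secret': 'processed', myCustomExt: 'dropped' }`: the hypothetical custom extension never made it into the authenticator's output, which is exactly the symptom of a client that does not pass unknown extensions through. The parser deliberately fails on an ED flag without a following map and on trailing bytes, so a malformed or truncated response cannot be mistaken for "extension not processed".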
Notes
1. Chromium version canary 93.0.4570.0 → Google Chrome 93, Microsoft Edge 93.
2. Gecko version nightly 91.0a1 → Mozilla Firefox 91.
3. WebKit version 611.2.7.1 → Apple Safari 14.1.1.
4. Solo version 4.1.2.
5. OpenSK version 1.0.0.
6. Online repository with our source code and additional documentation on how to implement your own FIDO2 extensions: https://seemoo.de/s/fido2ext.
7. Chromium Credential Management API (Blink): third_party/blink/renderer/modules/credentialmanager/.
8. Chromium WebAuthn Mojo (Blink): third_party/blink/public/mojom/webauthn/.
9. Chromium Web Authentication (content): content/browser/webauth/.
10. Chromium CTAP (device): device/fido/.
Acknowledgements
This work has been funded by the LOEWE initiative (Hesse, Germany) within the emergenCITY center. We thank the anonymous reviewers for reviewing this paper and for their helpful comments.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Putz, F., Schön, S., Hollick, M. (2021). Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2021. Lecture Notes in Computer Science, vol 13136. Springer, Cham. https://doi.org/10.1007/978-3-030-93747-8_2
DOI: https://doi.org/10.1007/978-3-030-93747-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93746-1
Online ISBN: 978-3-030-93747-8