Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space


Many websites are vulnerable to phishing attacks due to traditional authentication methods. To address this, the utilization of cryptographic authentication, such as key pairs, is recommended to enhance security and prevent MITM attacks.





Uploaded on Mar 13, 2024


Presentation Transcript


  1. Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space
     Presented at HCI International 2023 on July 24, 2023
     Francisco Corella, fcorella@pomcor.com

  2. Today, most web sites are still vulnerable to phishing attacks
     1. Most users still authenticate with username and password, which can be phished
     2. MFA using an authentication code is vulnerable to a man-in-the-middle (MITM) phishing attack, because the attacker can relay the username, the password and the authentication code to the legitimate site and capture the session cookie that the legitimate site sends to the victim's browser

  3. Surprise?
     It may come as a surprise to users who are asked to use MFA, but it is not a surprise for IAM professionals
     In 2017, the Evilginx attack tool showed how easy it is to mount a MITM phishing attack, and people started paying attention
     Today, there is consensus that traditional MFA is not secure enough and something else should be used instead

  4. There is also consensus on what to use instead: cryptographic authentication using a key pair
     A very simple protocol:
     1. At registration:
        a. The JavaScript frontend of the web site creates a key pair and registers the public key with the backend
     2. To authenticate:
        a. The backend sends a challenge
        b. The frontend signs the challenge with the private key and sends the signature
        c. The backend verifies the signature using the public key

  5. Does this prevent a MITM attack?
     Why doesn't this MITM attack work?
     1. The victim sends a login request to the attacker's site, mistaking it for the web site
     2. The attacker relays the login request to the web site
     3. The web site responds with a challenge
     4. The attacker relays the challenge to the victim
     5. The victim signs the challenge and sends the signature
     6. The attacker relays the signature to the web site
     At step 5, the victim's browser is running JavaScript code coming from the attacker, which does not have access to the private key, due to the same origin policy of the web, enforced by the browser

  6. But cryptographic authentication cannot be used by itself
     A cryptographic factor is a possession factor, and as such has an inherent vulnerability to theft of the cryptographic secret, in this case the private key
     A second factor is needed, such as a password or a biometric
     There are two methods for adding a second factor

  7. Method No. 1 for adding a second factor: Use the second factor to unlock the first factor
     Used by the FIDO Alliance
     The key pair is called a FIDO credential and is stored in a FIDO authenticator
     Using a FIDO credential requires unlocking the authenticator with the same PIN or biometric used to unlock the device
     Good news: Today, every OS provides a platform authenticator accessible to all browsers
     So FIDO is a generally available technology on the internet

  8. But general availability does not mean general adoption
     In March 2022 the FIDO Alliance published a white paper announcing that FIDO "has not attained large scale adoption in the consumer space"

  9. The reason for lack of adoption is that FIDO credentials face multiple UX challenges
     The FIDO Alliance white paper correctly diagnosed one of the challenges:
     Challenge 1: the credential is bound to the authenticator, and lost if the device containing the authenticator becomes unavailable
     and it proposed a solution: Synchronize credentials via the OS across devices with OSes from the same OS vendor
     Apple, Microsoft and Google were ready to implement the solution, and they have indeed implemented it: synchronized FIDO credentials are known as passkeys

  10. But passkey synchronization faces its own UX challenges
      Not available across devices with OSes from different vendors
      Requires the user to log in to the OS vendor with the insecure MFA that FIDO is trying to avoid
      My paper proposes an alternative solution to Challenge 1 that avoids these passkey challenges without requiring any modification to current FIDO technology: Use an email address as username and generate credentials on-the-fly upon email address verification

  11. This solution to Challenge 1 results in a simple user experience
      1. The user logs in by entering the email address
      2. If there is no cryptographic credential in the browser, a message with an email verification link is sent
      3. A credential is automatically created when the user opens the link in the browser

  12. But the FIDO Alliance white paper failed to diagnose a second UX challenge:
      Challenge 2: reliance on the device-unlocking mechanism (e.g. Windows Hello)
      To use FIDO, Windows users have to set up Windows Hello, which only 30% of them do
      And few web sites will implement an authentication mechanism that most Windows users cannot use

  13. Challenge 2 cannot be solved with unmodified FIDO technology
      It requires a different method for adding a second factor
      And that would require an extension of the Web Authentication API, or giving up on FIDO and storing the cryptographic credential in localStorage

  14. Method No. 2 for adding a second factor
      Use a password as second factor
      Extend the credential by adding a secret salt
      To authenticate, the frontend sends:
      - The signature on the backend challenge, computed with the private key
      - The hash of the password with the secret salt
      - The public key
      The backend:
      - Hashes the public key with the salted hash and verifies the result against a registered value
      - Verifies the signature with the public key, then discards the public key

  15. Security properties
      - Authentication resists a MITM phishing attack thanks to the same origin policy
      - The password is protected against reuse at a malicious site because every site has a different secret salt
      - The password is protected against backend breaches because the secret salt is not stored in the backend
      - The private key is protected against a postquantum attacker who breaches the backend because the public key is not stored in the backend

  16. Replicating a cryptographic credential without synchronization
      Technique 2 requires the same extended key pair to be used in all browsers and devices
      This is achieved without credential synchronization by:
      - Using an email address as username
      - Deriving a seed for generation of pseudo-random bits from the email address and a master secret
      - Using the seed to generate the cryptographic credential upon email verification

  17. A familiar UX
      The user authenticates as usual with username and password, using an email address as username
      When using a new browser, a message with an email verification link is sent, and a cryptographic credential is created when the user opens the link in the browser
