Two-factor authentication (2FA) mitigates the security risks of passwords as the sole authentication factor. FIDO2---the de facto standard for interoperable web authentication---leverages strong, hardware-backed second factors. However, practical challenges hinder wider user adoption of FIDO2 2FA tokens, such as the extra costs ($20-$30 per token) or the risk of inaccessible accounts upon token loss or theft.
To tackle the above challenges, we propose FeIDo, a virtual FIDO2 token that combines the security and interoperability of FIDO2 2FA authentication with the prevalence of existing eIDs (e.g., electronic passports). Our core idea is to derive FIDO2 credentials from personally identifying and verifiable attributes---name, date of birth, and place of birth---that we obtain from the user's eID. As these attributes do not change even for refreshed eID documents, the credentials "survive" token loss. Even though FeIDo operates on privacy-critical data, all personal data and resulting FIDO2 credentials stay unlinkable, are never leaked to third parties, and are securely managed in attestable hardware containers (e.g., SGX enclaves). In contrast to existing FIDO2 tokens, FeIDo can also derive and share verifiable meta attributes (anonymous credentials) with web services. These enable verified but pseudonymous user checks, e.g., age verification ("is adult").
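The following is an added toy illustration of the two properties the abstract describes, credentials that survive a document refresh and stay unlinkable across web services; it is not FeIDo's code and does not reproduce the paper's construction. It assumes HKDF-SHA256 as the derivation function, a secret held only inside the attestable container (the placeholder ENCLAVE_SECRET, so that knowing someone's public attributes is not enough to recompute their credentials), a simple attribute normalisation, and per-service derivation keyed by the relying party's ID. The document number is deliberately not an input, which is what lets a renewed passport yield the same credential.

```python
"""Added example: stable, per-service credential seeds derived from eID attributes.
Not FeIDo's implementation. ENCLAVE_SECRET, the HKDF labels and the
normalisation rules are assumptions made for this illustration.
"""
import hashlib
import hmac
import unicodedata
from datetime import date

# Placeholder only. In a real deployment this value is generated and sealed
# inside the attestable container and never leaves it.
ENCLAVE_SECRET = bytes.fromhex("00" * 32)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF extract-and-expand with SHA-256 (stdlib only)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _canon(text: str) -> str:
    # Unicode-normalise, case-fold and collapse whitespace so that cosmetic
    # differences between two issuances of a document do not change the key.
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def normalize_attrs(name: str, birth_date: date, birth_place: str) -> bytes:
    """Canonical, unambiguous encoding of the three stable eID attributes."""
    parts = [_canon(name).encode(), birth_date.isoformat().encode(), _canon(birth_place).encode()]
    # Length-prefix each field so ("ab","c") and ("a","bc") cannot collide.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_user_secret(attrs: bytes) -> bytes:
    """Per-person root secret: attributes mixed with the container-held secret."""
    return hkdf_sha256(attrs, ENCLAVE_SECRET, b"toy-feido/user-secret")


def derive_credential_seed(user_secret: bytes, rp_id: str) -> bytes:
    """Per-relying-party seed; different rp_id values are unlinkable."""
    return hkdf_sha256(user_secret, b"", b"toy-feido/credential/" + rp_id.encode())


def credential_id(seed: bytes) -> bytes:
    """Public credential identifier handed to the service (not the seed itself)."""
    return hkdf_sha256(seed, b"", b"toy-feido/credential-id", 16)


def is_adult(birth_date: date, today: date, threshold: int = 18) -> bool:
    """Pseudonymous meta attribute: yes/no without disclosing the birth date."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    return age >= threshold


def seed_for(name: str, birth_date: date, birth_place: str, rp_id: str) -> bytes:
    """Convenience: full pipeline from eID attributes to a per-service seed."""
    return derive_credential_seed(derive_user_secret(normalize_attrs(name, birth_date, birth_place)), rp_id)


if __name__ == "__main__":
    # Constructed sample: the same person on an old and a renewed passport.
    old_doc = {"number": "C01X00T47", "name": "Jane Doe", "dob": date(1990, 5, 1), "pob": "Berlin"}
    new_doc = {"number": "C9ZZ1234K", "name": "JANE  DOE", "dob": date(1990, 5, 1), "pob": "berlin"}
    s_old = seed_for(old_doc["name"], old_doc["dob"], old_doc["pob"], "example.org")
    s_new = seed_for(new_doc["name"], new_doc["dob"], new_doc["pob"], "example.org")
    print("survives document refresh:", s_old == s_new)
    print("unlinkable across services:", s_old != seed_for("Jane Doe", date(1990, 5, 1), "Berlin", "other.example"))
    print("is adult:", is_adult(date(1990, 5, 1), date(2023, 1, 23)))
```

The relying party only ever sees the credential ID and the public key that would be generated from the seed; the attributes, the root secret and the seed stay inside the container. Because the container secret is mixed in, an attacker who learns a victim's name, birth date and place of birth cannot recompute the credential offline.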
Preferred Citation
Fabian Schwarz, Khue Do, Gunnar Heide, Lucjan Hanzlik and Christian Rossow. FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs. In: ACM Conference on Computer and Communications Security (CCS). 2023.
Primary Research Area
Secure Connected and Mobile Systems
Name of Conference
ACM Conference on Computer and Communications Security (CCS)
Legacy Posted Date
2023-01-23
Page Range
2581–2594
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3894,
  title     = "FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs",
  author    = "Schwarz, Fabian and Do, Khue and Heide, Gunnar and Hanzlik, Lucjan and Rossow, Christian",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year      = "2023",
}