CISPA
Browse

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Download (1.28 MB)
Version 2 2023-12-11, 20:12
Version 1 2023-11-29, 18:13
conference contribution
posted on 2023-12-11, 20:12 authored by Sanam Ghorbani Lyastani, Michael Schilling, Michaela Neumayr, Michael BackesMichael Backes, Sven BugielSven Bugiel
The newest contender for succeeding passwords as the incumbent web authentication scheme is the FIDO2 standard. Jointly developed and backed by the FIDO Alliance and the W3C, FIDO2 has found support in virtually every browser, finds increasing support by service providers, and has adoptions beyond browser-software on its way. While it supports MFA and 2FA, its single-factor, passwordless authentication with security tokens has received the bulk of attention and was hailed by its supporters and the media as the solution that will replace text-passwords on the web. Despite its obvious security and deployability benefits—a setting that no prior solution had in this strong combination—the paradigm shift from a familiar knowledge factor to purely a possession factor raises questions about the acceptance of passwordless authentication by end-users. This paper presents the first large-scale lab study of FIDO2 single-factor authentication to collect insights about end-users' perception, acceptance, and concerns about passwordless authentication. Through hands-on tasks our participants gather first-hand experience with passwordless authentication using a security key, which they afterwards reflect on in a survey. Our results show that users are willing to accept a direct replacement of text-based passwords with a security key for single-factor authentication. That is an encouraging result in the quest to replace passwords. But, our results also identify new concerns that can potentially hinder the widespread adoption of FIDO2 passwordless authentication. In order to mitigate these factors, we derive concrete recommendations to try to help in the ongoing proliferation of passwordless authentication on the web.

History

Preferred Citation

Sanam Lyastani, Michael Schilling, Michaela Neumayr, Michael Backes and Sven Bugiel. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In: IEEE Symposium on Security and Privacy (S&P). 2020.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2020-07-13

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3146, title = "Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication", author = "Lyastani, Sanam Ghorbani and Schilling, Michael and Neumayr, Michaela and Backes, Michael and Bugiel, Sven", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2020", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC