The FIDO2 open authentication standard, developed jointly by the FIDO Alliance and the W3C, gives end-users the means to authenticate on the web with public-key cryptography, in addition to or even instead of text-based passwords. Its WebAuthn protocol has been adopted by all major browser vendors and recently also by major service providers (e.g., Google, GitHub, Dropbox, Microsoft, and others). Thus, FIDO2 is a very strong contender for finally tackling the problem of insecure user authentication on the web. However, a number of open questions remain to be answered for FIDO2 to succeed as expected. In this poster, we focus specifically on the critical question of how well web-service developers can securely roll out WebAuthn in their own services and which issues have to be tackled to help developers in this task. The past has unfortunately shown that software developers struggle with correctly implementing or using security-critical APIs and mechanisms, such as TLS/SSL, password storage, or cryptographic APIs. We report here on ongoing work that investigates potential problem areas and concrete pitfalls for adopters of WebAuthn and tries to lay out a plan for how our community can help developers. We believe that raising awareness of foreseeable developer problems and calling for action to support developers early on is critical on the path to establishing FIDO2 as a de-facto authentication solution.
History
Preferred Citation
Aftab Alam, Katharina Krombholz and Sven Bugiel. Let History not Repeat Itself (this Time) - Tackling WebAuthn Developer Issues Early On. In: ACM Conference on Computer and Communications Security (CCS). 2019.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
ACM Conference on Computer and Communications Security (CCS)
CISPA Affiliation
No
Legacy Posted Date
2021-03-24
Open Access Type
Unknown
Presentation Type
Presentation (no conference)
BibTeX
@inproceedings{cispa_all_3386,
title = "Let History not Repeat Itself (this Time) - Tackling WebAuthn Developer Issues Early On",
author = "Alam, Aftab and Krombholz, Katharina and Bugiel, Sven",
booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
year = "2019",
}