A group of researchers partly supported by the US National Science Foundation claims to have identified a design flaw in the passwordless FIDO authentication system.
Their work, FIDO2 Provable Security Analysiswas published last week in the Cryptology ePrint archive of the International Association for Cryptologic Research.
The FIDO Alliance was launched in 2013 by a group of technology providers and services, including PayPal; it now counts Microsoft, Google, Apple and Facebook among its members.
In February 2016, the World Wide Web Consortium (W3C) began standardizing FIDO 2.0.
Passwordless logins are based on two key protocols: W3C WebAuthn and Client-to-Authenticator Protocol (CTAP2).
The WebAuthn portion of a FIDO-supported login uses a trusted authentication device (smartphone or security token) to establish a private key for a communication session; while CTAP2 binds a trusted client to the authenticator.
“Basically, [CTAP2’s] The security goal is to “bind” a trusted client to the configured authenticator by requiring the user to provide the correct PIN, so that the authenticator only accepts authorized commands sent by a client” bound,'” the newspaper said.
However, CTAP2’s approach is not “provably secure” (a formal term meaning that the protocol or product can be mathematically demonstrated to be secure).
In their analysis, the researchers cite two aspects of CTAP2 that open up possible attack vectors.
Most importantly, it uses an unauthenticated Diffie-Hellman key exchange.
This opens the door to two types of attacks, the paper says: a simple MITM attack, giving the attacker access to security keys and therefore user communications; or the attacker can impersonate a client to the authenticator.
The other flaw is that the smartphone or PC using FIDO2 for the connection generates a single “pinToken” at startup.
This pinToken is then used for all subsequent communication, meaning that security is lost if any of these sessions are compromised.
The document suggests replacing the CTAP2 part of the FIDO exchange with another schema to get rid of these problems.
FIDO2’s provable security analysis is the work of Manuel Barbosa, University of Porto (FCUP) and INESC TEC in Portugal; Alexandra Boldyreva from the Georgia Institute of Technology in the United States; Shan Chen from Darmstadt Technische Universitat in Germany; and Bogdan Warinschi from the University of Bristol.