DOCSLIB.ORG

Mitigating Users' Misconceptions About FIDO2 Biometric Webauthn

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Mitigating Users' Misconceptions About FIDO2 Biometric Webauthn “It’s Stored, Hopefully, on an Encrypted Server”: Mitigating Users’ Misconceptions About FIDO2 Biometric WebAuthn Leona Lassak, Annika Hildebrandt†, Maximilian Golla?, Blase Ur† Ruhr University Bochum, † University of Chicago, ? Max Planck Institute for Security and Privacy Abstract While prior attempts at passwordless authentication on the web have required specialized hardware, FIDO2’s WebAuthn protocol lets users sign into websites with their smartphone. Users authenticate locally via the phone’s unlock mechanism. Their phone then uses public-key cryptography to authenti- cate to the website. Using biometrics (e.g., fingerprint, face) for this local authentication can be convenient, yet may en- gender misconceptions that discourage adoption. Through three complementary studies, we characterized and sought to mitigate misconceptions about biometric WebAuthn. We (a) WebAuthn notification used (b) WebAuthn instructions on also compared it to non-biometric WebAuthn and traditional by eBay (June 2021, edited). a Google Pixel 3a (Android 11). passwords. First, 42 crowdworkers used biometric WebAuthn Figure 1: Examples of a site-specific notification used by to sign into a website and then completed surveys. Critically, eBay and OS-specific instructions for authenticating. 67% of participants incorrectly thought their biometrics were sent to the website, creating security concerns. In remote focus groups, 27 crowdworkers then co-designed short no- A user can also adopt a password manager to facilitate unique tifications to mitigate biometric WebAuthn misconceptions. passwords [45]. Sadly, adoption rates for these mechanisms Through a 345-participant online study, we found that some remain low [37, 45] and industry has thus continued to search notifications improved perceptions of biometric WebAuthn for an alternative to passwords for signing into websites [26]. and partially addressed misconceptions, yet key misconcep- One of the most promising approaches for passwordless tions about where the biometric is stored partially persisted. web authentication is the FIDO2 Project [5] and its web au- Nonetheless, participants were willing to adopt biometric thentication (WebAuthn) protocol. The core idea is to use WebAuthn over non-biometric WebAuthn or passwords. Our public-key cryptography in place of a password. To regis- work identifies directions for increasing the adoption of bio- ter with a website, the user’s authenticator (hardware token metric WebAuthn by highlighting its security and usability. or other device) creates a public-private keypair unique to that website. Subsequent authentication attempts proceed via 1 Introduction a challenge-response protocol, overcoming many disadvan- tages of passwords and also stopping phishing attacks [32]. Despite their drawbacks, passwords remain widely used. A Hardware tokens (e.g., YubiKeys) are commonly used as typical user can have hundreds of password-protected on- authenticators [5]. Recent user studies have demonstrated line accounts [44, 59]. To be secure, the user must create that using WebAuthn with a hardware security key achieves (and remember) a unique password for each service. If they substantial benefits relative to passwords in both security and reuse passwords across services, they are vulnerable to cre- usability [18,32]. The cost and inconvenience of security keys, dential stuffing attacks, in which attackers exploit credentials however, are impediments to widespread adoption [18, 32]. breached from one service to attack accounts on other ser- Fortunately, smartphones can also be used as FIDO2 au- vices where the user has a similar password [23, 43]. In thenticators. Smartphones’ ubiquity and familiarity to users response, online services have introduced two-factor authen- makes this support a crucial advance beyond prior attempts at tication (2FA)[11, 51] and risk-based authentication [22, 62]. passwordless online authentication. The private key is stored in a trusted enclave on the smartphone. The user authorizes encounter extrapolates about its properties. Thus, in Study 1, each use of the private key via their usual mechanism for 42 crowdworkers used biometric WebAuthn on an Android unlocking their phone. This unlock mechanism ultimately is phone to register and later authenticate at a website we con- a PIN, pattern, or password. However, schemes like Apple’s trolled. To understand participants’ preconceived notions, we Touch ID [9] and its Android equivalent enable users to un- intentionally gave little information about how WebAuthn lock their phone with a biometric, such as a fingerprint or face. worked. Through surveys, we investigated how participants As a result, these biometrics can also be used to sign into a thought biometric WebAuthn worked and explored potential website [5], an interaction we term biometric WebAuthn. misconceptions suggested by either the literature or Web- This ability to authenticate to websites using only a fin- Authn’s design. Critically, 67% of participants incorrectly gerprint or other biometric holds great promise. Because of thought their biometrics were sent to our website or elsewhere WebAuthn’s basis in public-key cryptography, it is far more outside their phone, leading to other misconceptions. secure than a password. Similar to how support for biometrics To help mitigate misconceptions we observed, especially made phone unlocking much more convenient [7,14,63], bio- those that might discourage adoption, we then focused on metric WebAuthn promises better usability than passwords. the design of short notifications that websites can display. Furthermore, support for WebAuthn is quickly being added by For example, Figure 1a shows eBay’s current notification. major websites, including eBay, Microsoft, and Yahoo [40]. Designing any notification that conveys complex technical Unfortunately, when biometric phone unlocking was intro- concepts in a short and simple format is a challenge in many duced, misconceptions were initially widespread [7,14,63], areas of security [21]. To this end, Study 2 engaged 27 par- and we hypothesized the same would hold true for biometric ticipants in seven online focus groups. After a moderator WebAuthn. The superficial appearance that a user is signing taught participants how biometric WebAuthn worked and the into an online service with only their fingerprint or face sug- group discussed their perceptions of WebAuthn, participants gests the potential for even more problematic misconceptions engaged in iterative co-design of new notifications. We dis- about biometric WebAuthn’s security and usability. These tilled participants’ ideas into six potential notifications. To misconceptions could discourage the adoption of biometric align notifications with what users would actually want to WebAuthn. Thus, our research focused on users’ initial en- learn, our co-design focus groups took an unrealistically large counters with biometric WebAuthn and their resultant expecta- amount of time to help non-technical users better understand tions. We anticipate that many users will encounter biometric how biometric WebAuthn works. They then collaboratively WebAuthn for the first time via a small notification on a web- proposed new notifications. This co-design approach, which site encouraging them to adopt the technology. Such short aims to benefit from end-users’ creativity and opinions [39], notifications cannot possibly capture FIDO2’s technical com- was motivated by prior research in which notifications for plexities. However, after looking at such a notification for 2FA, TLS, cryptographic APIs, and phishing prevention ben- a few seconds, many users will form expectations about the efited from similar focus groups [4, 25, 49, 60]. scheme’s security and usability, ultimately deciding whether Finally, Study 3 compared these notifications inspired by to adopt biometric WebAuthn based on very little information. our co-design focus groups. Each of 345 crowdworkers was While future work should examine how to better educate users assigned to use biometric WebAuthn (with one of those noti- about how FIDO2 actually works, we focused on understand- fications), non-biometric WebAuthn, or a site-specific pass- ing and improving these initial impressions and perceptions. word. Similar to Study 1, participants created an account We thus conducted three complementary user studies to on our website and answered survey questions. One notifi- understand and mitigate misconceptions about biometric Web- cation was a baseline representing how early-adopter com- Authn, as well as to compare it to non-biometric WebAuthn panies currently advertise WebAuthn. Relative to this base- (e.g., using a PIN) and site-specific passwords.1 For all stud- line, some notifications created through co-design improved ies, we did not expect participants to have any prior knowl- perceptions of biometric WebAuthn’s security and partially edge of biometric WebAuthn or how it worked. Rather, our addressed some key misconceptions. Furthermore, most par- intention was to understand their initial expectations relating ticipants were willing to adopt biometric WebAuthn over non- to security, privacy, usability, and trust. Study 1 and 3 were biometric WebAuthn and passwords for trustworthy websites. conducted on participants’ personal Android phones, which Nonetheless, many participants still held key misconceptions, was the most common, fully supported FIDO2 configuration especially about where their biometric is stored, highlighting at the time of the study [20]. While we focused on
Load more

Recommended publications
  • FIDO Technical Glossary
    Client to Authenticator Protocol (CTAP) Implementation Draft, February 27, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id- 20180227.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/ Issue Tracking: GitHub Editors: Christiaan Brand (Google) Alexei Czeskis (Google) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs) Adam Powers (FIDO Alliance) Johan Verrept (VASCO Data Security) Former Editors: Matthieu Antoine (Gemalto) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID) Contributors: Jeff Hodges (PayPal) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application layer protocol. Table of Contents 1 Introduction 1.1 Relationship to Other Specifications 2 Conformance 3 Protocol Structure 4 Protocol Overview 5 Authenticator API 5.1 authenticatorMakeCredential (0x01) 5.2 authenticatorGetAssertion (0x02) 5.3 authenticatorGetNextAssertion (0x08) 5.3.1 Client Logic 5.4 authenticatorGetInfo (0x04)
    [Show full text]
  • Report On​ Next Generation Authentication Technologies
    International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (12/2018) Security, Infrastructure and Trust Working Group Discussion Paper: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers Report of the Authentication Workstream Security, Infrastructure and Trust Working Group: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups
    [Show full text]
  • Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API
    Hochschule Wismar University of Applied Sciences Technology, Business and Design Faculty of Engineering, Department EE & CS Course of Studies: IT-Security and Forensics Master’s Thesis for the Attainment of the Academic Degree Master of Engineering (M. Eng.) Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API Submitted by: September 30, 2019 From: Tim Brust born xx/xx/xxxx in Hamburg, Germany Matriculation number: 246565 First supervisor: Prof. Dr.-Ing. habil. Andreas Ahrens Second supervisor: Prof. Dr. rer. nat. Nils Gruschka Purpose of This Thesis The purpose of this master’s thesis is an introduction to multi-factor authentication, as well as to the conventional methods of authentication (knowledge, possession, biometrics). This introduction includes technical functionality, web usability, and potential security threats and vulnerabilities. Further, this thesis will investigate whether the Web Authentication API is suit- able as an alternative or possible supplement to existing multi-factor authentication methods. The question has to be answered to what extent the Web Authentication API can increase security and user comfort. An evaluation of the security of the Web Authentication API in comparison with other multi-factor authentication solutions plays a crucial role in this thesis. Abstract Internet users are at constant risk, given that data breaches happen nearly daily. When a breached password is re-used, it renders their whole digital identity in dan- ger. To counter these threats, the user can deploy additional security measures, e.g., multi-factor authentication. This master’s thesis introduces and compares the multi- factor authentication solutions, one-time passwords, smart cards, security keys, and the Universal Second Factor protocol with a focus on their security.
    [Show full text]
  • Authentication Module Based on the Protocol of Zero- Knowledge Proof*
    365 Authentication Module Based on the Protocol of Zero- Knowledge Proof* Alexander M. Kadan1[0000-0003-3701-8100], Egor R. Kirichonok2[0000-0002-5904-6391] 1 Yanka Kupala State University of Grodno, Grodno, Belarus, [email protected] 2 Yanka Kupala State University of Grodno, Grodno, Belarus, [email protected] Abstract. This article discusses passwordless authentication methods. These methods are now becoming commonplace and eliminate the problems associated with the difficulty of remembering secrets. Passwordless authentication has clear security and privacy advantages over traditional authentication methods. The us- ability of passwordless authentication depends on the type of authenticator used. The paper proposes an implementation of an authentication module based on the Zero Knowledge Proof (ZKP) protocol. The issues of its application for pass- wordless user authentication to web application resources are discussed within the framework of the Web Authentication (WebAuthn) passwordless web au- thentication standard developed by the FIDO Alliance. The module is based on the use of the FIDO2 authenticator. It also allows the use of various authentica- tors, including hardware keys connected to the device via USB, Bluetooth Low Energy or NFC, software keys, the implementation of which can be very differ- ent. Currently, the cost of implementing passwordless authentication can be sig- nificant. This is a major obstacle to the widespread adoption of this advanced technology. Keywords: Zero-Knowledge Proof, ZKP, Cryptographic Protocols, Authentica- tion, Web Authentication, WebAuthn, FIDO Alliance. 1 Introduction In cryptography, Zero-Knowledge Proof (ZKP) is considered as an interactive protocol that allows one of the parties (the Verifier) to verify the validity of a statement (usually mathematical) without receiving any other information from the second party (the Prover), neither the content of the statement nor the source from which the Prover learned about its truth.
    [Show full text]
  • Client to Authenticator Protocol (CTAP) Proposed Standard, January 30, 2019
    Client to Authenticator Protocol (CTAP) Proposed Standard, January 30, 2019 This version: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-id-20180227/ Issue Tracking: GitHub Editors: Christiaan Brand (Google ) Alexei Czeskis (Google ) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs ) Adam Powers (FIDO Alliance ) Johan Verrept (OneSpan ) Former Editors: Matthieu Antoine (Gemalto ) Arnar Birgisson (Google ) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID ) Contributors: Jeff Hodges (PayPal) Copyright © 2019 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application ↑ layer protocol. → Status of This Document This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current FIDO Alliance publications and the latest revision of this technical report can be found in the FIDO Alliance specifications index at https://www.fidoalliance.org/specifications/. This document was published by the FIDO Alliance as a Proposed Standard. If you wish to make comments regarding this document, please Contact Us . All comments are welcome. Implementation of certain elements of this Specification may require licenses under third party intellectual property rights, including without limitation, patent rights.
    [Show full text]
  • FIDO Client to Authenticator Protocol (CTAP)
    Client to Authenticator Protocol (CTAP) Implementation Draft, February 27, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id- 20180227.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/ Issue Tracking: GitHub Editors: Christiaan Brand (Google) Alexei Czeskis (Google) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs) Adam Powers (FIDO Alliance) Johan Verrept (VASCO Data Security) Former Editors: Matthieu Antoine (Gemalto) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID) Contributors: Jeff Hodges (PayPal) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application layer protocol. Table of Contents 1 Introduction 1.1 Relationship to Other Specifications 2 Conformance 3 Protocol Structure 4 Protocol Overview 5 Authenticator API 5.1 authenticatorMakeCredential (0x01) 5.2 authenticatorGetAssertion (0x02) 5.3 authenticatorGetNextAssertion (0x08) 5.3.1 Client Logic 5.4 authenticatorGetInfo (0x04)
    [Show full text]
  • Report on Implementation of Secure Authentication Technologies
    International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION STANDARDIZATION SECTOR 11/2019 OF ITU Security, Infrastructure and Trust Working Group Implementation of Secure Authentication Technologies for Digital Financial Services Report of the Security Workstream FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups and are led by the World Bank Group. ITU 2019 This work is licensed to the public through a Creative Commons Attribution-Non-Commercial- Share Alike 4.0 International license (CC BY-NC-SA 4.0). For more information visit https://creativecommons.org/licenses/by-nc-sa/4.0/ i Implementation of Secure Authentication Technologies for Digital Financial Services Security Workstream ii About this Report This report was written by Andrew Hughes, Abbie Barbir.
    [Show full text]
  • “You Still Use the Password After All” – Exploring FIDO2 Security Keys in a Small Company Florian M
    “You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Ruhr University Bochum; Lennart Lorenz, tracekey solutions GmbH; Theodor Schnitzler, Philipp Markert, and Markus Dürmuth, Ruhr University Bochum https://www.usenix.org/conference/soups2020/presentation/farke This paper is included in the Proceedings of the Sixteenth Symposium on Usable Privacy and Security. August 10–11, 2020 978-1-939133-16-8 Open access to the Proceedings of the Sixteenth Symposium on Usable Privacy and Security is sponsored by USENIX. “You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company Florian M. Farke Lennart Lorenz Theodor Schnitzler Ruhr University Bochum tracekey solutions GmbH Ruhr University Bochum Philipp Markert Markus Dürmuth Ruhr University Bochum Ruhr University Bochum Abstract Phishing attacks become more and more sophisticated, lead- The goal of the FIDO2 project is to provide secure and usable ing to often transparent and nearly indistinguishable imita- alternatives to password-based authentication on the Web. It tions of valid authentication requests [3, 27]. relies on public-key credentials, which a user can provide via Many alternatives have been proposed, but their usage is security tokens, biometrics, knowledge-based factors, or com- minimal [5]. Biometric schemes such as fingerprint or face binations. In this work, we report the results of a qualitative recognition are regularly used to unlock phones, but they study accompanying the deployment of FIDO2-enabled secu- are not used for remote authentication. Authentication with rity tokens for primary authentication in a web application of hardware tokens, typically in the form of two-factor authenti- a small software company operating in the life sciences indus- cation (2FA) combined with a knowledge-based scheme like try.
    [Show full text]
  • Server Requirements and Transport Binding Profile Review Draft, July 02, 2018
    Server Requirements and Transport Binding Profile Review Draft, July 02, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-id-20180227/ Issue Tracking: Github Editors: Adam Powers (FIDO Alliance) Yuriy Ackermann (FIDO Alliance) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract FIDO2 provides secure authentication through the use of authenticators that implement the Client-to- Authenticator Protocol (CTAP) and platforms or browsers that implement the W3C WebAuthn specifications. These authenticators are expected to communicate to servers that will validate registration and authentication requests. Many of the requirements for FIDO2 servers, such as assertion formats, attestation formats, optional extensions, and so forth, are contained in the W3C WebAuthn specification. This Server Requirements and Guidance specification attempts to pull together all the requirements for servers in a single document that will be an aid to implementing a FIDO2 server, while leaving behind the details of authenticators and web browsers that do not pertain to servers. Table of Contents 1 Introduction 2 Registration and Attestations 2.1 Validating Attestation 2.2 Attestation Types 2.3 Attestation Formats 2.3.1 Packed Attestation 2.3.2 TPM Attestation 2.3.3 Android SafetyNet Attestation Example 2.3.4 Android SafetyNet Attestation Example 2.3.5 U2F Attestation 3 Authentication and Assertions 4 Communication Channel Requirements 5 Extensions
    [Show full text]
  • Brno University of Technology Excalibur System
    BRNO UNIVERSITY OF TECHNOLOGY VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ FACULTY OF INFORMATION TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ DEPARTMENT OF INTELLIGENT SYSTEMS ÚSTAV INTELIGENTNÍCH SYSTÉMŮ EXCALIBUR SYSTEM - SSO IMPLEMENTATION SYSTÉM EXCALIBUR - IMPLEMENTACE SSO MASTER’S THESIS DIPLOMOVÁ PRÁCE AUTHOR Bc. JURAJ CHRIPKO AUTOR PRÁCE SUPERVISOR Mgr. KAMIL MALINKA, Ph.D. VEDOUCÍ PRÁCE BRNO 2021 Brno University of Technology Faculty of Information Technology Department of Intelligent Systems (DITS) Academic year 2020/2021 Master's Thesis Specification Student: Chripko Juraj, Bc. Programme: Information Technology Field of study: Information Technology Security Title: Excalibur System - SSO Implementation Category: Security Assignment: 1. Get familiar with Single Sign On (SSO) technologies, focus on Security Assertion Markup Language (SAML) and Fast Identity Online 2 (FIDO2). 2. Get familiar with Excalibur (commercial distributed infrastructure access control system) and other existing access control solutions and used concepts. 3. Design a solution for integrating SAML or FIDO2 into Excalibur system to enable SSO. 4. Implement proposed design for integrating SAML or FIDO2 protocols into Excalibur system. 5. Test correct functionality of implemented solution such as correct behavior from a user point of view, soundness of access control mechanism, and access revocation. Recommended literature: FIDO Alliance (available online https://fidoalliance.org/fido2/) Security Assertion Markup Language (SAML) V2.0 Technical Overview (available online http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) "Excalibur - No More Passwords!" (available online https://getexcalibur.com/docs/Excalibur_pitch_2_4_2018.pdf) Requirements for the semestral defence: Items 1 to 3. Detailed formal requirements can be found at https://www.fit.vut.cz/study/theses/ Supervisor: Malinka Kamil, Mgr., Ph.D.
    [Show full text]
  • A Relying Party Implementation As a Webauthn Authenticator Debugging Tool
    Facultade de Informática TRABALLO FIN DE GRAO GRAO EN ENXEÑARÍA INFORMÁTICA MENCIÓN EN TECNOLOXÍAS DA INFORMACIÓN DebAuthn: a Relying Party Implementation as a WebAuthn Authenticator Debugging Tool Estudante: Martiño Rivera Dourado Dirección: José M. Vázquez Naya Dirección: Marcos Gestal Pose A Coruña, setembro de 2020. A meu pai e a miña nai Acknowledgements Firstly, I would like to show gratitude to my tutors José and Marcos for their time in mentoring and guiding this project. I also want to acknowledge the RNASA-IMEDIR group and the CITIC Research for supporting the project with their resources. More personally, I would like to show my gratitude to my close friends for their help and care during my studies and primarily during these last months. Many thanks also to my classmates who were always willing to give me a hand. Finally, I could not finish these acknowledgements without expressing my gratitude to my parents and my sister for the great support through all these years. Abstract Passwords as an authentication method have become vulnerable to numerous attacks. During the last few years, the FIDO Alliance and the W3C have been working on a new authentication method based on public key cryptography and hardware authenticators, which avoids attacks like phishing or password stealing. This degree thesis focuses on the development ofaweb application as a flexible testing and debugging environment for developers and researchers of the protocol, still under development. Moreover, the developed tool is used for testing the most relevant hardware authenticators, showcasing their main characteristics. Resumo Os contrasinais como método de autentificación volvéronse vulnerables a numerosos ata- ques.
    [Show full text]
  • Implementation of Secure Authentication Technologies for Digital Financial Services Security, Infrastructure and Trust Working G
    SECURITY, INFRASTRUCTURE AND TRUST WORKING GROUP Implementation of secure authentication technologies for digital financial services REPORT OF SECURITY WORKSTREAM a • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions b • Technical report on SS7 vulnerabilities and mitigation measures for digital fi nancial services transactions Security, Infrastructure and Trust Working Group Implementation of Secure Authentication Technologies for Digital Financial Services DISCLAIMER The Financial Inclusion Global Initiative (FIGI) is a three-year program implemented in partnership by the World Bank Group (WBG), the Committee on Payments and Market Infrastructures (CPMI), and the International Telecommunication Union (ITU) funded by the Bill & Melinda Gates Foundation (BMGF) to support and accelerate the implementa- tion of country-led reform actions to meet national financial inclusion targets, and ulti- mately the global 'Universal Financial Access 2020' goal. FIGI funds national implemen- tations in three countries-China, Egypt and Mexico; supports working groups to tackle three sets of outstanding challenges for reaching universal financial access: (1) the Elec- tronic Payment Acceptance Working Group (led by the WBG), (2) The Digital ID for Financial Services Working Group (led by the WBG), and (3) The Security, Infrastructure and Trust Working Group (led by the ITU); and hosts three annual symposia to gather national authorities, the private sector, and the engaged public on relevant topics
    [Show full text]