
Felix Koltermann

CISPA researchers develop open-source prototype for 2-factor authentication

2-factor authentication has become the standard for logging into many web services. While many users use a combination of password and cell phone codes, the FIDO2 standard is considered to be the most secure variant, but requires an additional hardware component. CISPA researcher Fabian Schwarz and his colleagues from the teams of CISPA Faculty Dr Christian Rossow and CISPA Faculty Dr Lucjan Hanzlik have now developed FeIDo, a new method that does not require special user hardware. They have presented the associated paper "FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs" at the renowned ACM Conference on Computer and Communications Security (CCS).
It is a simple fact: without a login, many parts of the World Wide Web, and in particular a large number of services, whether messengers, information services or online banking, are not accessible to users. With every new account, however, users hand over data and have to remember yet another password. At the same time, passwords are widely known to be a rather insecure way of logging in, which is why a large number of new methods are being deployed and tested. This is where Fabian Schwarz's work came in. "We wanted to make the login process in web services as simple as possible for users and at the same time as secure as possible," he explains. The goal of Schwarz and his colleagues was to make existing standards available and securely usable to a broad user base. Their focus was on the FIDO2 standard for 2-factor authentication, which was developed by the international FIDO Alliance. FIDO is the abbreviation for "Fast Identity Online".
The special feature of the FIDO2 standard is that it relies on an additional hardware component, the authenticator, for authentication. This can be a security token in the form of a USB stick, optionally protected by a fingerprint scanner, or a smartphone that supports the standard. FIDO2 combines the W3C Web Authentication standard (WebAuthn), which the browser speaks to the web service, with the FIDO Alliance's Client to Authenticator Protocol (CTAP), which the browser speaks to the token. Authentication relies on a key pair that the token generates for each web service at registration. The private key never leaves the token; only the public key is stored on the web service's server. To log in, the token signs a fresh, random challenge from the web service with the private key, together with the identifier of the service it is answering, and the service verifies that signature with the stored public key. Because the private key cannot be extracted and the signature is bound to the requesting service, a captured response is neither reusable nor valid for a different site.
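The following Go program is an added example, not code from the FeIDo paper or from CISPA, that models the challenge-response exchange described above with both sides in one process: the token (here `Authenticator`) generates a P-256 key pair and only ever hands out the public half and signatures; the web service (`RelyingParty`) stores the public key, issues single-use challenges and verifies the signed response. It is a deliberate simplification of WebAuthn: the relying-party identifier `example.com`, the origins, and all type and function names are assumptions, the CBOR encoding, attestation, user verification and the signature counter are left out, and the signed data is just SHA-256(rpID) plus a flags byte followed by the hash of a minimal client-data JSON. What it shows is why the design in the paragraph above works: a replayed response fails because the challenge has been consumed, and a response obtained on a look-alike site fails because the origin the browser saw is part of what the token signed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator plays the token: the private key is created here and never leaves.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying-party identifier the credential is bound to (assumed: example.com)
}

// RelyingParty plays the web service: it holds only the token's public key
// and the challenges it has issued but not yet consumed.
type RelyingParty struct {
	rpID       string
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

// clientData is a simplified stand-in for WebAuthn's collectedClientData.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"` // page origin as seen by the browser
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is the only key material the token ever hands out (at registration).
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// NewRelyingParty stores the public key received at registration.
func NewRelyingParty(rpID string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{rpID: rpID, pub: pub, challenges: map[string]bool{}}
}

// NewChallenge issues 32 fresh random bytes and remembers them for single use.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // a failing crypto/rand is not recoverable here
	}
	rp.challenges[string(ch)] = true
	return ch
}

// signedMessage is what both sides hash: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign answers a challenge. It returns authenticatorData (SHA-256(rpID) || flags;
// the signature counter is omitted here), clientDataJSON and a DER ECDSA signature.
func (a *Authenticator) Sign(challenge []byte, origin string) (authData, cd, sig []byte, err error) {
	cd, err = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(rpHash[:], 0x01) // flag bit 0: user present
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return authData, cd, sig, err
}

// Verify checks origin, challenge freshness, rpID binding, then the signature.
func (rp *RelyingParty) Verify(authData, clientDataJSON, sig []byte, expectedOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	if !rp.challenges[string(cd.Challenge)] {
		return errors.New("unknown or already used challenge (replay)")
	}
	delete(rp.challenges, string(cd.Challenge)) // consumed even if later checks fail
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(authData) < 33 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("authenticator data not bound to this relying party")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	rp := NewRelyingParty("example.com", auth.PublicKey()) // only the public key crosses the wire
	ad, cd, sig, _ := auth.Sign(rp.NewChallenge(), "https://example.com")
	fmt.Println("login:   ", rp.Verify(ad, cd, sig, "https://example.com"))
	fmt.Println("replay:  ", rp.Verify(ad, cd, sig, "https://example.com"))
	ad2, cd2, sig2, _ := auth.Sign(rp.NewChallenge(), "https://evil.example")
	fmt.Println("phishing:", rp.Verify(ad2, cd2, sig2, "https://example.com"))
}
```

The order of checks in `Verify` matters in practice: the challenge is deleted before the signature is checked so that an attacker cannot keep retrying against the same challenge, and the origin comparison uses what the browser wrote into the client data, which the user cannot be tricked into altering. A real relying party additionally verifies the signature counter and, for passwordless use, the user-verification flag; both are left out here to keep the exchange readable.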
Disadvantages of previous methods
The FIDO2 standard allows passwords to be supplemented by the use of hardware-based security tokens. In the long term, the FIDO2 tokens, such as the YubiKey from the company Yubico, aim to enable completely passwordless authentication. Although Schwarz says this is a welcome development, he believes there are also a number of drawbacks. For example, there is the cost factor, because users have to acquire new hardware components, for example in the form of hardware security tokens or smartphones with the latest security standards. In addition, the high security standard has a negative impact on user-friendliness. If the security token, such as the USB stick, with the stored login data is lost, it is no longer possible to log in, which blocks access to the user's own online accounts. Procedures for restoring access exist, but they usually have security gaps, Schwarz said, or involve additional user setup, such as the upfront registration of a backup token. The challenge for Schwarz in developing a new method was to get around these drawbacks.
From FIDO2 to FeIDo
Schwarz and his colleagues' starting point is a simple but all the more compelling idea: using things that almost everyone has at their disposal, such as an ID card and a cell phone. "We looked at how to use electronic ID cards or passports for this use case without sensitive user data contained in the passports going to the website operators," Schwarz explains. They wanted to take advantage of the fact that modern cell phones can also read eIDs via NFC technology, i.e. contactless data transmission using radio waves. All that is needed is an NFC-enabled smartphone, which includes almost all commercially available Apple and Android cell phones, but no extra hardware. "All that is then needed is a small intermediate app that carries out the reading process and transmits data to our specially secured service," Schwarz continues. This is exactly what the researchers implemented as a prototype and then successfully subjected it to various theoretical security tests. 
Anonymous log-in as an expanded field of application
Schwarz and colleagues see even more advantages in the FeIDo process, however, which result from working with data from the eIDs. The decisive factor here is that in the FeIDo process, this data is read out but not passed on. This distinguishes FeIDo from other processes that also use personal data from eIDs for authentication. This also makes new fields of application for FeIDo conceivable, such as checking age restrictions when logging into specially protected web services. "We can use our app to enable anonymous login, but at the same time our service provides proof that the user is of age," Schwarz explains. In order to use this variant, however, changes would have to be made to the applications of the web services. "However, this would not cause any problems," Schwarz continues. For web services without add-ons such as age verification, the log-in procedure of the CISPA researchers' prototype could be used immediately.
Good feedback at CCS conference
Schwarz and his colleagues presented the paper for the first time at the ACM Conference on Computer and Communications Security (CCS), which was held in Los Angeles from November 14 to 19, 2022. There was a great deal of interest in the topic there: "There were so many questions that there wasn't enough time to answer them all," Schwarz recounts. In response, Schwarz and colleagues also published an extended paper. Schwarz himself has since turned to other research topics. However, the results of his research, specifically the prototype application, are open source and thus freely available. "The whole thing was designed by us to be as openly usable as possible as a community project, like a Tor browser," he explains. The goal is for the community to provide such a service free of charge. Schwarz would be delighted to see colleagues or companies take on the project and develop the prototype further.

Other CISPA papers dealing with the FIDO2 standard include "How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy" by CISPA faculty Lucjan Hanzlik, and "Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication" by CISPA-PhD Sanam Ghorbani Lyastani.