Kentrell Owens, University of Washington; Blase Ur, University of Chicago; Olabode Anise, Duo Security
Several online authentication schemes in development would enable smartphones to be used as roaming (or portable) authenticators to register and log into websites in place of passwords. The schemes are supported by a new standard for passwordless web authentication, FIDO2, that uses public-key cryptography and a challenge-response protocol to provide security and usability benefits for users. Prior work on the use of security keys as roaming authenticators has identified several challenges to widespread adoption of FIDO2 passwordless authentication, one of which is the fact that people have to purchase and carry around security keys for some variants of the approach. Conversely, most people in the US already have a smartphone, so using smartphones as roaming authenticators might overcome this usability barrier. We present an overview of authentication schemes that could support smartphones as roaming authenticators. We also identify several key metrics to consider when evaluating the usability and security of smartphones as roaming authenticators.
@inproceedings{owens-20-fido2-smartphones,
author = {Owens, Kentrell and Ur, Blase and Anise, Olabode},
title = {{A Framework for Evaluating the Usability and Security of Smartphones as FIDO2 Roaming Authenticators}},
booktitle = {Who Are You?! Adventures in Authentication Workshop},
year = {2020},
series = {WAY~'20},
pages = {1--5},
address = {Virtual Conference},
month = aug,
publisher = {}
} % No publisher