James S. Conners and Daniel Zappala, Brigham Young University
The FIDO2 Alliance is proposing standards for cryptographic authentication that are intended to replace passwords. We show that their standards could lead to difficult registration, cumbersome account recovery, and potential privacy leaks and tracking. We propose an alternative architecture based on certificates instead of bare keys that provides automatic registration and login and simplified account recovery. We use a framework to compare our approach to related work, illustrating usability, security, and privacy trade-offs.
@inproceedings{conners-19-lets-authenticate,
  author    = {Conners, James S. and Zappala, Daniel},
  title     = {{Let's Authenticate: Automated Cryptographic Authentication for the Web with Simple Account Recovery}},
  booktitle = {Who Are You?! Adventures in Authentication Workshop},
  year      = {2019},
  series    = {WAY~'19},
  pages     = {1--6},
  address   = {Santa Clara, California, USA},
  month     = aug,
  publisher = {}  % No publisher
}