DOI: 10.1145/3548606.3560584
Research article
FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs

Published: 07 November 2022

Abstract

Two-factor authentication (2FA) mitigates the security risks of passwords as the sole authentication factor. FIDO2—the de facto standard for interoperable web authentication—leverages strong, hardware-backed second factors. However, practical challenges hinder wider FIDO2 user adoption for 2FA tokens, such as the extra costs ($20-30 per token) or the risk of inaccessible accounts upon token loss/theft.

To tackle the above challenges, we propose FeIDo, a virtual FIDO2 token that combines the security and interoperability of FIDO2 2FA authentication with the prevalence of existing eIDs (e.g., electronic passports). Our core idea is to derive FIDO2 credentials based on personally identifying and verifiable attributes—name, date of birth, and place of birth—that we obtain from the user's eID. As these attributes do not change even for refreshed eID documents, the credentials "survive" token loss. Even though FeIDo operates on privacy-critical data, all personal data and resulting FIDO2 credentials stay unlinkable, are never leaked to third parties, and are securely managed in attestable hardware containers (e.g., SGX enclaves). In contrast to existing FIDO2 tokens, FeIDo can also derive and share verifiable meta attributes (anonymous credentials) with web services. These enable verified but pseudonymous user checks, e.g., for age verification (e.g., "is adult").
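The following sketch is an added illustration, not code from the paper, of the two properties the abstract claims for attribute-derived credentials: a credential derived from name, date of birth and place of birth is unchanged after the eID document is renewed, while credentials for different relying parties stay unlinkable. It assumes HKDF-SHA256 as the derivation function, MRZ-style upper-case canonicalisation of the attributes, and an enclave-held secret salt; the function names (`hkdf_sha256`, `canonical_attributes`, `derive_credential_seed`) and the sample person are constructed for this example.

```python
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class EidAttributes:
    """Data read from an eID chip. The document number changes with every
    re-issued document; name, date of birth and place of birth do not."""
    name: str
    date_of_birth: str    # ISO 8601
    place_of_birth: str
    document_number: str

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def canonical_attributes(a: EidAttributes) -> bytes:
    """Encode only the stable attributes. NFC + upper case mirrors MRZ-style
    spelling (an assumption); length prefixes keep the encoding injective."""
    out = b""
    for field in (a.name, a.date_of_birth, a.place_of_birth):
        enc = unicodedata.normalize("NFC", field.strip()).upper().encode("utf-8")
        out += len(enc).to_bytes(2, "big") + enc
    return out

def derive_credential_seed(a: EidAttributes, rp_id: str, enclave_secret: bytes) -> bytes:
    """Per-relying-party seed for a FIDO2 key pair. enclave_secret models a salt that
    never leaves the attestable container (assumption), so the public attributes alone
    do not suffice to recompute it; mixing rp_id into `info` keeps seeds unlinkable."""
    info = b"FeIDo-example-v0|" + rp_id.encode("ascii")
    return hkdf_sha256(enclave_secret, canonical_attributes(a), info)

SECRET = b"constructed enclave-held salt"  # constructed; stands in for the enclave secret
OLD_PASSPORT = EidAttributes("Erika Mustermann", "1964-08-12", "Berlin", "P0000001")  # constructed
NEW_PASSPORT = EidAttributes("ERIKA MUSTERMANN", "1964-08-12", "Berlin", "P0000002")  # after renewal

def credential_survives_renewal(rp_id: str = "example.com") -> bool:
    return derive_credential_seed(OLD_PASSPORT, rp_id, SECRET) == derive_credential_seed(NEW_PASSPORT, rp_id, SECRET)

def credentials_unlinkable_across_rps() -> bool:
    return (derive_credential_seed(NEW_PASSPORT, "example.com", SECRET)
            != derive_credential_seed(NEW_PASSPORT, "bank.example", SECRET))
```

A real authenticator would feed the seed into deterministic key generation inside the enclave; the seed itself never leaves it.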


Cited By

  • How many FIDO protocols are needed? Analysing the technology, security and compliance. ACM Computing Surveys 56(8), 1–51, 26 Apr 2024. DOI: 10.1145/3654661
  • A framework for analyzing authentication risks in account networks. Computers and Security 135(C), 10 Jan 2024. DOI: 10.1016/j.cose.2023.103515
  • "Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2740–2754, 15 Nov 2023. DOI: 10.1145/3576915.3623072
  • FIDO2 the Rescue? Platform vs. Roaming Authentication on Smartphones. Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, 1–16, 19 Apr 2023. DOI: 10.1145/3544548.3580993


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022, 3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. anonymous credentials
  2. authentication
  3. eid
  4. fido2
  5. sgx
  6. token loss


Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 289
  • Downloads (last 6 weeks): 17

Reflects downloads up to 21 Nov 2024.

