True2F: Backdoor-Resistant Authentication Tokens

Dauterman, Emma; Corrigan-Gibbs, Henry; Mazières, David; Boneh, Dan; Rizzo, Dominic

doi:10.1109/sp.2019.00048

Cited by 17 publications

(9 citation statements)

References 148 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some participants expressed mistrust into the hardware token, mostly due to a lack of transparency, and recent security incidents [79] could reinforce such mistrust. Thus, work that increases the trustworthiness of the device [80] is important. Further, our participants raised concerns that we did not cover in our video (e.g., recovery and revocation) or that we did not predict (e.g., corner cases).…”

Section: A Closer To a Password Killer?mentioning

confidence: 99%

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Lyastani

Schilling

Neumayr

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

The newest contender for succeeding passwords as the incumbent web authentication scheme is the FIDO2 standard. Jointly developed and backed by the FIDO Alliance and the W3C, FIDO2 has found support in virtually every browser, finds increasing support by service providers, and has adoptions beyond browser-software on its way. While it supports MFA and 2FA, its single-factor, passwordless authentication with security tokens has received the bulk of attention and was hailed by its supporters and the media as the solution that will replace text-passwords on the web. Despite its obvious security and deployability benefits-a setting that no prior solution had in this strong combination-the paradigm shift from a familiar knowledge factor to purely a possession factor raises questions about the acceptance of passwordless authentication by end-users.This paper presents the first large-scale lab study of FIDO2 single-factor authentication to collect insights about end-users' perception, acceptance, and concerns about passwordless authentication. Through hands-on tasks our participants gather first-hand experience with passwordless authentication using a security key, which they afterwards reflect on in a survey. Our results show that users are willing to accept a direct replacement of text-based passwords with a security key for single-factor authentication. That is an encouraging result in the quest to replace passwords. But, our results also identify new concerns that can potentially hinder the widespread adoption of FIDO2 passwordless authentication. In order to mitigate these factors, we derive concrete recommendations to try to help in the ongoing proliferation of passwordless authentication on the web.

show abstract

Section: A Closer To a Password Killer?mentioning

confidence: 99%

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Lyastani

Schilling

Neumayr

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…In addition to text-based schemes, the hardware-based AS can also be applied to address the vulnerabilities of other conventional AS, such as Web based and Biometrics based, by comprising a secret token as the initial authentication eligibility. In other words, it is possible to prevent most of the aforementioned attacks by employing functions of hardware tokens, except those noticed below [175], [176].…”

Section: E Attacks On Hardware-based Asmentioning

confidence: 99%

“…It is important to emphasize that the hardware-based AS still provide sufficient protection (superior to the other AS). Even if an attacker steals the user's credentials through some forms of spyware, (s)he is not able to crack the security of the device without possessing the token [175], [176].…”

Section: E Attacks On Hardware-based Asmentioning

confidence: 99%

“…To protect against the above attacks, researchers have introduced the Universal Second Factor (U2F) tokens (e.g., FIDO U2F and FIDO2) which are remarkably efficient types of second-factor hardware-based AS [176]. Since these tokens bind their authentication credentials cryptographically to a unique origin, they obstruct phishing attacks unlike other AS, such as time-based OTP, which leave the AS vulnerable to cyberattacks.…”

Section: E Attacks On Hardware-based Asmentioning

confidence: 99%

See 1 more Smart Citation

Modern Authentication Schemes in Smartphones and IoT Devices: An Empirical Survey

Ahvanooey

Zhu

et al. 2022

IEEE Internet Things J.

View full text Add to dashboard Cite

User authentication remains a challenging issue, despite the existence of a large number of proposed solutions, such as traditional text-based, graphical-based, biometrics-based, Web-based, and hardware-based schemes. For example, some of these schemes are not suitable for deployment in an Internet of Things (IoT) setting, partly due to the hardware and/or software constraints of IoT devices. The increasing popularity and pervasiveness of IoT equipment in a broad range of settings reinforces the importance of ensuring the security and privacy of IoT devices. Therefore, in this article, we conduct a comprehensive literature review and an empirical study to gain an in-depth understanding of the different authentication schemes as well as their vulnerabilities and deficits against various types of cyberattacks when applied in IoT-based systems. Based on the identified limitations, we recommend several mitigation strategies and discuss the practical implications of our findings.

show abstract

“…Two-factor authentication devices. Hardware security devices such as RSA SecurID [53], smart cards [10], and U2F tokens [5, 24,62] serve as a second factor for authentication. Such devices can prove physical possession and protect against phishing attacks.…”

Section: Security Devicesmentioning

confidence: 99%

Notary

Athalye¹,

Belay²,

Kaashoek³

et al. 2019

Proceedings of the 27th ACM Symposium on Operating Systems Principles

View full text Add to dashboard Cite

Notary is a new hardware and software architecture for running isolated approval agents in the form factor of a USB stick with a small display and buttons. Approval agents allow factoring out critical security decisions, such as getting the user's approval to sign a Bitcoin transaction or to delete a backup, to a secure environment. The key challenge addressed by Notary is to securely switch between agents on the same device. Prior systems either avoid the problem by building single-function devices like a USB U2F key, or they provide weak isolation that is susceptible to kernel bugs, side channels, or Rowhammer-like attacks. Notary achieves strong isolation using reset-based switching, along with the use of physically separate systems-on-a-chip for agent code and for the kernel, and a machine-checked proof of both the hardware's register-transfer-level design and software, showing that reset-based switching leaks no state. Notary also provides a trustworthy I/O path between the agent code and the user, which prevents an adversary from tampering with the user's screen or buttons. We built a hardware/software prototype of Notary, using a combination of ARM and RISC-V processors. The prototype demonstrates that it is feasible to verify Notary's reset-based switching, and that Notary can support diverse agents, including cryptocurrencies and a transaction approval agent for traditional client-server applications such as websites. Measurements of reset-based switching show that it is fast enough for interactive use. We analyze security bugs in existing cryptocurrency hardware wallets, which aim to provide a similar form factor and feature set as Notary, and show that Notary's design avoids many bugs that affect them. CCS Concepts • Security and privacy → Systems security; Software and application security; Security in hardware; Logic and verification.

show abstract

True2F: Backdoor-Resistant Authentication Tokens

Cited by 17 publications

References 148 publications

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication

Modern Authentication Schemes in Smartphones and IoT Devices: An Empirical Survey

Notary

Contact Info

Product

Resources

About