SoK: Web Authentication in the Age of End-to-End Encryption
- URL: http://arxiv.org/abs/2406.18226v1
- Date: Wed, 26 Jun 2024 10:23:58 GMT
- Title: SoK: Web Authentication in the Age of End-to-End Encryption
- Authors: Jenny Blessing, Daniel Hugenroth, Ross J. Anderson, Alastair R. Beresford
- Abstract summary: E2EE messaging and backup services have brought new challenges for usable authentication. Passwordless authentication ("passkeys") has become a promising candidate to replace passwords altogether. E2EE authentication quickly becomes relevant not only for a niche group of dedicated E2EE enthusiasts but for the general public.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The advent of end-to-end encrypted (E2EE) messaging and backup services has brought new challenges for usable authentication. Compared to regular web services, the nature of E2EE implies that the provider cannot recover data for users who have forgotten passwords or lost devices. Therefore, new forms of robustness and recoverability are required, leading to a plethora of solutions ranging from randomly-generated recovery codes to threshold-based social verification. These implications also spread to new forms of authentication and legacy web services: passwordless authentication ("passkeys") has become a promising candidate to replace passwords altogether, but passkeys are inherently device-bound. However, users expect that they can log in from multiple devices and recover their credentials in case of device loss, prompting providers to sync credentials to cloud storage using E2EE, which results in the very same authentication challenges as regular E2EE services. Hence, E2EE authentication quickly becomes relevant not only for a niche group of dedicated E2EE enthusiasts but for the general public using the passwordless authentication techniques promoted by their device vendors. In this paper we systematize existing research literature and industry practice relating to security, privacy, usability, and recoverability of E2EE authentication. We investigate authentication and recovery schemes in all widely-used E2EE web services and survey passwordless authentication deployment in the top-200 most popular websites. Finally, we present concrete research directions based on observed gaps between industry deployment and academic literature.
Related papers
- 2FA: Navigating the Challenges and Solutions for Inclusive Access (arXiv, 2025-02-17)
  Two-Factor Authentication (2FA) has emerged as a critical solution to protect online activities.
  This paper examines the intricacies of deploying 2FA in a way that is secure and accessible to all users.
  An analysis was conducted to examine the implementation and availability of various 2FA methods across popular online platforms.
- Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication (arXiv, 2025-01-13)
  With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers.
  This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication.
  We show how credential syncing has also created a debate among experts about its security guarantees.
- EAP-FIDO: A Novel EAP Method for Using FIDO2 Credentials for Network Authentication (arXiv, 2024-12-04)
  EAP-FIDO allows organisations with WPA2/3-Enterprise wireless networks or MACsec-enabled wired networks to leverage FIDO2's passwordless authentication.
  We provide a comprehensive security and performance analysis to support the feasibility of this approach.
- Nudging Users to Change Breached Passwords Using the Protection Motivation Theory (arXiv, 2024-05-24)
  We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords.
  Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
- A Novel Protocol Using Captive Portals for FIDO2 Network Authentication (arXiv, 2024-02-20)
  We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol.
  We develop a prototype of FIDO2CAP authentication in a mock scenario.
  This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
- A Review of Password-less User Authentication Schemes (arXiv, 2023-12-05)
  This review examines password-less authentication schemes that have been proposed since the death knell was sounded for passwords in 2004.
  We evaluate the truly password-less and practical schemes based on their impact on user experience, overall security, and ease of deployment.
- InfoGuard: A Design and Usability Study of User-Controlled Application-Independent Encryption for Privacy-Conscious Users (arXiv, 2023-11-01)
  Billions of secure messaging users have adopted end-to-end encryption (E2EE).
  Most communication applications do not provide E2EE, and application silos prevent interoperability.
  We propose InfoGuard, a system enabling E2EE for user-to-user communication in any application.
- ROSTAM: A Passwordless Web Single Sign-on Solution Mitigating Server Breaches and Integrating Credential Manager and Federated Identity Systems (arXiv, 2023-10-08)
  We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems.
  In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO.
  The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server.
- RiDDLE: Reversible and Diversified De-identification with Latent Encryptor (arXiv, 2023-03-09)
  This work presents RiDDLE, short for Reversible and Diversified De-identification with Latent Encryptor.
  Built upon a pre-learned StyleGAN2 generator, RiDDLE manages to encrypt and decrypt the facial identity within the latent space.
- Smart Home, security concerns of IoT (arXiv, 2020-07-06)
  The IoT (Internet of Things) has become widely popular in domestic environments.
  People are turning their homes into smart homes; however, the privacy concerns of owning many Internet-connected devices with always-on environmental sensors remain insufficiently addressed.
  Default and weak passwords, cheap materials and hardware, and unencrypted communication are identified as the principal threats and vulnerabilities of IoT devices.