QES-Backed Virtual FIDO2 Authenticators: Architectural Options for Secure, Synchronizable WebAuthn Credentials
- URL: http://arxiv.org/abs/2601.06554v1
- Date: Sat, 10 Jan 2026 12:47:44 GMT
- Title: QES-Backed Virtual FIDO2 Authenticators: Architectural Options for Secure, Synchronizable WebAuthn Credentials
- Authors: Kemal Bicakci, Fatih Mehmet Varli, Muhammet Emir Korkmaz, Yusuf Uzunay
- Abstract summary: FIDO2 and the WebAuthn standard offer phishing-resistant, public-key based authentication, but their keys are traditionally device-bound. Recent passkey deployments address this limitation by enabling multi-device credentials synchronized via platform-specific cloud ecosystems. This paper explores architectural options for bridging these technologies by securing a virtual FIDO2 authenticator with a QES-grade PKCS#11 key.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: FIDO2 and the WebAuthn standard offer phishing-resistant, public-key based authentication but traditionally rely on device-bound cryptographic keys that are not naturally portable across user devices. Recent passkey deployments address this limitation by enabling multi-device credentials synchronized via platform-specific cloud ecosystems. However, these approaches require users and organizations to trust the corresponding cloud or phone providers with the protection and availability of their authentication material. In parallel, qualified electronic signature (QES) tokens and smart-card-based PKCS#11 modules provide high-assurance, hardware-rooted identity, yet they are not directly compatible with WebAuthn flows. This paper explores architectural options for bridging these technologies by securing a virtual FIDO2 authenticator with a QES-grade PKCS#11 key and enabling encrypted cloud synchronization of FIDO2 private keys. We first present and implement a baseline architecture in which the cloud stores only ciphertext and the decryption capability remains anchored exclusively in the user's hardware token. We then propose a hardened variant that introduces an Oblivious Pseudorandom Function (OPRF)-based mechanism bound to a local user-verification factor, thereby mitigating cross-protocol misuse and ensuring that synchronization keys cannot be repurposed outside the intended FIDO2 semantics; this enhanced design is analyzed but not implemented. Both architectures preserve a pure WebAuthn/FIDO2 interface to relying parties while offering different trust and deployment trade-offs. We provide the system model, threat analysis, implementation of the baseline architecture, and experimental evaluation, followed by a discussion of the hardened variant's security implications for high-assurance authentication deployments.
Related papers
- Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure [0.5735035463793009]
  We present a certificate-free authentication framework for private distributed systems based on post-quantum Identity-Based Encryption (IBE). Our design replaces certificate- and signature-based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation. We apply this framework to cloud-native application deployments and latency-sensitive 5G Core networks.
  arXiv Detail & Related papers (2026-02-04T05:55:41Z)
- Binding Agent ID: Unleashing the Power of AI Agents with accountability and credibility [46.323590135279126]
  BAID (Binding Agent ID) is a comprehensive identity infrastructure establishing verifiable user-code binding. We implement and evaluate a complete prototype system, demonstrating the practical feasibility of blockchain-based identity management and a zkVM-based authentication protocol.
  arXiv Detail & Related papers (2025-12-19T13:01:54Z)
- Zero Trust Security Model Implementation in Microservices Architectures Using Identity Federation [0.0]
  The article itself is a case on the need for the Zero Trust Security Model in a microservices ecosystem. It is proposed that the solution framework will be based on industry-standard authentication and authorization and end-to-end trust identity technologies. The research results overlay that federated identity combined with the Zero Trust basics not only guarantees the rules relating to authentication and authorization but also fully complies with the latest DevSecOps standards of microservice deployment.
  arXiv Detail & Related papers (2025-11-07T02:03:05Z)
- The Qey: Implementation and performance study of post quantum cryptography in FIDO2 [0.18416014644193066]
  FIDO2 is an industry standard for secure passwordless authentication. Current FIDO2 standards use ECDSA with SHA-256 (ES256), RSA with SHA-256 (RS256) and similar classical cryptographic signature algorithms. This paper explores the usability of the Module Lattice based Digital Signature Algorithm (ML-DSA), based on CRYSTALS-Dilithium, as a post-quantum cryptographic signature standard for FIDO2.
  arXiv Detail & Related papers (2025-10-24T11:30:15Z)
- Building a robust OAuth token based API Security: A High level Overview [0.0]
  This paper presents the fundamentals necessary for building such a token-based API security system. The intent is to equip developers with the foundational knowledge necessary to build secure, scalable token-based API security systems.
  arXiv Detail & Related papers (2025-07-22T06:14:14Z)
- Zero-Trust Foundation Models: A New Paradigm for Secure and Collaborative Artificial Intelligence for Internet of Things [61.43014629640404]
  Zero-Trust Foundation Models (ZTFMs) embed zero-trust security principles into the lifecycle of foundation models (FMs) for Internet of Things (IoT) systems. ZTFMs can enable secure, privacy-preserving AI across distributed, heterogeneous, and potentially adversarial IoT environments.
  arXiv Detail & Related papers (2025-05-26T06:44:31Z)
- EAP-FIDO: A Novel EAP Method for Using FIDO2 Credentials for Network Authentication [43.91777308855348]
  EAP-FIDO allows organisations with WPA2/3-Enterprise wireless networks or MACsec-enabled wired networks to leverage FIDO2's passwordless authentication. We provide a comprehensive security and performance analysis to support the feasibility of this approach.
  arXiv Detail & Related papers (2024-12-04T12:35:30Z)
- Advocate -- Trustworthy Evidence in Cloud Systems [39.58317527488534]
  The rapid evolution of cloud-native applications, characterized by dynamic, interconnected services, presents significant challenges for maintaining trustworthy and auditable systems. Traditional methods of verification and certification are often inadequate due to the fast-paced and dynamic development practices common in cloud computing. This paper introduces Advocate, a novel agent-based system designed to generate verifiable evidence of cloud-native application operations.
  arXiv Detail & Related papers (2024-10-17T12:09:26Z)
- Quantum digital signature based on single-qubit without a trusted third-party [45.41082277680607]
  We propose a novel quantum digital signature protocol without a trusted third party. We prove that the protocol has information-theoretic unforgeability.
  arXiv Detail & Related papers (2024-10-17T09:49:29Z)
- A Novel Protocol Using Captive Portals for FIDO2 Network Authentication [45.84205238554709]
  We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. We develop a prototype of FIDO2CAP authentication in a mock scenario. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
  arXiv Detail & Related papers (2024-02-20T09:55:20Z)
- A Universal System for OpenID Connect Sign-ins with Verifiable Credentials and Cross-Device Flow [4.006745047019997]
  Self-Sovereign Identity (SSI) is a new and promising identity management paradigm. We propose a comparatively simple system that enables SSI-based sign-ins for services that support the widespread OpenID Connect or OAuth 2.0 protocols.
  arXiv Detail & Related papers (2024-01-16T16:44:30Z)
- On Cryptographic Mechanisms for the Selective Disclosure of Verifiable Credentials [39.4080639822574]
  Verifiable credentials are a digital analogue of physical credentials. They can be presented to verifiers to reveal attributes or even predicates about the attributes included in the credential. One way to preserve privacy during presentation consists in selectively disclosing the attributes in a credential.
  arXiv Detail & Related papers (2024-01-16T08:22:28Z)
- Blockchain-based Zero Trust on the Edge [5.323279718522213]
  This paper proposes a novel approach based on Zero Trust Architecture (ZTA) extended with blockchain to further enhance security. The blockchain component serves as an immutable database for storing users' requests and is used to verify trustworthiness by analyzing and identifying potentially malicious user activities. We discuss the framework, processes of the approach, and the experiments carried out on a testbed to validate its feasibility and applicability in the smart city context.
  arXiv Detail & Related papers (2023-11-28T12:43:21Z)
- Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks [44.99833362998488]
  The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
  arXiv Detail & Related papers (2023-10-12T09:33:50Z)
This list is automatically generated from the titles and abstracts of the papers in this site.