New protocol backs up WebAuthn credentials and could make the web safer for all
Multi-factor authentication (MFA) has become ubiquitous across the web and is most commonly deployed by sending one-time codes to users' mobile phones in addition to requiring a password. However, such codes are susceptible to interception by attackers; further, there is no secure backup mechanism, with providers often relying on insecure security questions or reset links to allow users to regain access to their accounts.
WebAuthn is a relatively new standard for stronger web authentication and has already been adopted by major IT companies such as Google, Microsoft and Facebook, and by governmental websites including GOV.UK. Thanks to its use of public-key cryptography, WebAuthn solves many of the existing problems with web authentication, including phishing. However, WebAuthn relies on hardware tokens, called authenticators or security keys, to manage cryptographic keys, and recent studies have shown that the potential loss of an authenticator is one of the biggest fears affecting the adoption of WebAuthn.
In a paper published and presented at the renowned ACM CCS 2020 cybersecurity conference, the Surrey Centre for Cyber Security details a newly proposed solution for backing up WebAuthn credentials, developed by engineers from Yubico, and analyses its cryptographic core, called Asynchronous Remote Key Generation (ARKG).
In the study, Surrey and Yubico show that, with ARKG, an attacker cannot impersonate users or forge their WebAuthn backup credentials. The team also shows that an attacker cannot determine whether two credentials belong to the same user, preserving user privacy. Yubico's recent blog post provides further details on the proposal.
Dr Mark Manulis, co-author of the paper and Deputy Director of the Surrey Centre for Cyber Security, said: "Authentication tokens such as YubiKeys are so small that they can easily be lost or stolen. ARKG is a major step towards a secure, automated and user-friendly backup solution for WebAuthn credentials that would greatly improve resilience against human negligence, and protect user accounts on the web."
Dain Nilsson, Director of Engineering at Yubico, said: "Security is only as strong as its weakest link. That means solving not only the problem of secure authentication with the help of hardware authenticators like YubiKeys but also how to regain access in the case a user’s main login mechanism is lost. We believe that providing secure and easy-to-use recovery methods, which don't compromise the security or privacy aspects of the core protocol, will be key to the continued adoption of WebAuthn."
"Backup credentials are an important problem for the WebAuthn ecosystem to solve, and the key generation approach behind ARKG enables architectures that fit well with the decentralised and interoperable design of WebAuthn," said W3C Web Authentication co-chairs Tony Nadalin and John Fontana in a statement. "The ARKG analysis performed by Dr Manulis and his team proves that this technique preserves WebAuthn's security and privacy principles. The Web Authentication Working Group looks forward to exploring how ARKG can be leveraged to improve the WebAuthn end-user experience."