Paper 2025/459
Privacy and Security of FIDO2 Revisited
Abstract
We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web. We discuss previous works and conclude that each of them has at least one of the following limitations: (i) impractical trusted-setup assumptions, (ii) security models that are inadequate in light of the state of the art in practical attacks, (iii) not analyzing FIDO2 as a whole, especially with respect to its privacy guarantees. Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly, focusing on its component protocols, WebAuthn and CTAP2, and clarifying their exact security guarantees. In particular, our results establish, for the first time, privacy guarantees for FIDO2 as a whole. Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks.
Metadata
- Available format(s): PDF
- Category: Cryptographic protocols
- Publication info: Published elsewhere. Major revision. PoPETs 2025
- Keywords: FIDO2, CTAP2, WebAuthn, Privacy, Authentication
- Contact author(s):
  - mbb @ fc up pt
  - sasha @ gatech edu
  - dragoncs16 @ gmail com
  - kcheng89 @ gatech edu
  - luis esquivel costa @ gmail com
- History:
  - 2025-03-15: revised
  - 2025-03-11: received
- Short URL: https://ia.cr/2025/459
- License: CC0
BibTeX
@misc{cryptoeprint:2025/459,
  author = {Manuel Barbosa and Alexandra Boldyreva and Shan Chen and Kaishuo Cheng and Luís Esquível},
  title = {Privacy and Security of {FIDO2} Revisited},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/459},
  year = {2025},
  url = {https://eprint.iacr.org/2025/459}
}