Casey et al., 2020

An Interoperable Architecture for Usable Password-Less Authentication

book-section

Authors

Casey, M., Manulis, M., Newton, C.J.P., Savage, R., Treharne, H.

Publication

https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1146978305, p. 16-32

Year

2020

Abstract

Passwords are the de facto standard for authentication despite their significant weaknesses. While businesses are currently focused on implementing multi-factor authentication to provide greater security, user adoption is still low. An alternative, WebAuthn, uses cryptographic key pairs to provide password-less authentication. WebAuthn has been standardised and is resilient to phishing attacks. However, its adoption is also very low; the barriers to adoption include usability and resilience of keys. We propose a novel architecture for password-less authentication designed to improve usability and deployability. Our architecture is based on the WebAuthn standards and supports registration and login to web-services. We support a WebAuthn authenticator that generates and uses the key pairs on the client device by providing resilience for these key pairs by using a backup key store in the cloud. We also propose a WebAuthn authenticator using a key store in the cloud so that password-less authentication can be used interoperably between devices. We also assess the properties of these architectures against identified threats and how they can form the basis for improving usability and lowering the technical barriers to adoption of password-less authentication.

Citation

Casey, M., Manulis, M., Newton, C.J.P., Savage, R., Treharne, H., 2020. An Interoperable Architecture for Usable Password-Less Authentication, in: Saracino, A., Mori, P. (Eds.), Emerging Technologies for Authorization and Authentication, Lecture Notes in Computer Science. Springer International Publishing, Cham, pp. 16–32. https://doi.org/10.1007/978-3-030-64455-0_2




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.