A group of researchers partly backed by America’s National Science Foundation claim they’ve identified a design flaw in the passwordless FIDO authentication system.

Their work, Provable Security Analysis of FIDO2, was published last week in the International Association for Cryptologic Research’s Cryptology ePrint Archive.
The FIDO alliance was launched in 2013 by a group of tech vendors and services including PayPal; it now counts Microsoft, Google, Apple and Facebook among its members.
In February 2016, the World Wide Web Consortium (W3C) began work standardising FIDO 2.0.
The passwordless logins are based on two key protocols: the W3C’s WebAuthn, and the Client-to-Authenticator Protocol (CTAP2).
WebAuthn covers the hop between the web service (the relying party) and the browser: at registration the authenticator device (a smartphone or security token) creates a key pair for that site and the service stores the public key, and at each login the authenticator signs a fresh challenge with the private key. CTAP2 covers the other hop, between the client (browser or operating system) and the authenticator, and is the part that binds a trusted client to the authenticator.
“Roughly speaking, [CTAP2's] security goal is to ‘bind’ a trusted client to the set-up authenticator by requiring the user to provide the correct PIN, such that the authenticator accepts only authorized commands sent from a ‘bound’ client”, the paper said.
However, the researchers could only prove CTAP2's PIN protocol secure against a passive eavesdropper; against an active attacker it is not “provably secure” (a formal term meaning that the protocol can be mathematically demonstrated to meet a stated security goal).
In their analysis, the researchers cite two aspects of CTAP2 that open possible attack vectors.
The most important is that it uses an unauthenticated Diffie-Hellman key exchange.
“The FIDO designers made some educated choices to simplify the protocol design and implementation”, the authors told iTnews in an email.
“FIDO uses unauthenticated Diffie-Hellman and our guess is that this is justified by the assumption that FIDO will be used in scenarios where active attacks are highly unlikely (eg NFC connections).”
Because that exchange is unauthenticated, it opens the door to two kinds of attack, the paper says: a man-in-the-middle attack, which hands the attacker the keys protecting the client-to-authenticator channel and therefore everything that flows over it; or impersonation of a client to the authenticator.
“These go together: MitM attack would allow an adversary to obtain the authentication key that permits impersonating a client (browser) to the token”, the authors told iTnews.
“The consequence of this would be that the attacker (for example, some kind of malware in the user’s machine) could, in principle, then use the token without the user’s knowledge to create an authenticated session, on behalf of the user.”
The other weakness is that the authenticator generates a single “pinToken” each time it powers up and hands that same token to every client that proves knowledge of the PIN.
That pinToken then authorises all subsequent commands until the next power cycle, which means security is lost for every session if any one of them is compromised.
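To make the two weaknesses concrete, here is a small model of the CTAP2 PIN protocol with a man-in-the-middle in the position the authors describe (between browser and token, for instance in the USB stack). This is an added example, not code from the paper or from the FIDO Alliance, and it simplifies on purpose: a 255-bit MODP Diffie-Hellman group stands in for CTAP2's ECDH over P-256, a SHA-256 keystream stands in for AES-256-CBC, and only the key-agreement, getPinToken and makeCredential steps are modelled. The class and function names are this example's own. The shape of the exchange, the unauthenticated key agreement, the single pinToken minted at power-up and pinAuth = HMAC-SHA-256(pinToken, data)[:16] follow the CTAP 2.0 specification.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime for readability; CTAP2 really uses ECDH on NIST P-256
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    # CTAP2: SHA-256 of the ECDH shared point's x-coordinate. Nothing here proves
    # who produced peer_pub, which is the whole problem.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def xcrypt(key, data):
    # Stand-in for AES-256-CBC with zero IV: XOR with a SHA-256(key || counter) keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pin_auth(pin_token, client_data_hash):
    return hmac.new(pin_token, client_data_hash, hashlib.sha256).digest()[:16]


class Authenticator:
    def __init__(self, pin):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()[:16]  # LEFT(SHA-256(PIN), 16)
        self.power_up()

    def power_up(self):
        # One pinToken per power cycle, shared by every client that proves the PIN.
        self.pin_token = secrets.token_bytes(32)
        self.priv, self.pub = dh_keypair()

    def key_agreement(self):
        return self.pub

    def get_pin_token(self, client_pub, enc_pin_hash):
        k = shared_key(self.priv, client_pub)
        if not hmac.compare_digest(xcrypt(k, enc_pin_hash), self.pin_hash):
            raise PermissionError("wrong PIN")
        return xcrypt(k, self.pin_token)

    def make_credential(self, client_data_hash, auth):
        return hmac.compare_digest(pin_auth(self.pin_token, client_data_hash), auth)


class Client:
    """The browser/OS side; `link` is whatever answers on the transport."""
    def __init__(self, pin):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()[:16]
        self.priv, self.pub = dh_keypair()

    def bind(self, link):
        k = shared_key(self.priv, link.key_agreement())
        self.pin_token = xcrypt(k, link.get_pin_token(self.pub, xcrypt(k, self.pin_hash)))

    def make_credential(self, link, client_data_hash):
        return link.make_credential(client_data_hash, pin_auth(self.pin_token, client_data_hash))


class MitM:
    """Attacker on the transport. Neither side authenticates the other's DH share,
    so it runs one DH with each side and re-encrypts, learning PIN hash and pinToken."""
    def __init__(self, authenticator):
        self.auth = authenticator
        self.priv, self.pub = dh_keypair()
        self.captured_token = None

    def key_agreement(self):
        self.k_auth = shared_key(self.priv, self.auth.key_agreement())
        return self.pub                                   # the client gets the attacker's share

    def get_pin_token(self, client_pub, enc_pin_hash):
        k_client = shared_key(self.priv, client_pub)
        pin_hash = xcrypt(k_client, enc_pin_hash)          # learned: the PIN hash
        enc_token = self.auth.get_pin_token(self.pub, xcrypt(self.k_auth, pin_hash))
        self.captured_token = xcrypt(self.k_auth, enc_token)  # learned: the pinToken
        return xcrypt(k_client, self.captured_token)       # user sees a normal login

    def make_credential(self, client_data_hash, auth):
        return self.auth.make_credential(client_data_hash, auth)

    def forge(self, client_data_hash):
        """Impersonate a bound client: issue a command the user never asked for."""
        return self.auth.make_credential(client_data_hash, pin_auth(self.captured_token, client_data_hash))


def demo():
    token = Authenticator(pin="1234")
    mitm = MitM(token)
    browser = Client(pin="1234")
    browser.bind(mitm)                        # user enters the PIN as usual
    honest_ok = browser.make_credential(mitm, b"\x01" * 32)
    forged_ok = mitm.forge(b"\x02" * 32)      # attacker's own command is accepted
    token.power_up()                          # only a power cycle retires the pinToken
    after_reboot = mitm.forge(b"\x03" * 32)
    return honest_ok, forged_ok, after_reboot
```

`demo()` returns `(True, True, False)`: the user's own login works, the attacker's forged command is accepted too, and it keeps working for as long as the token stays powered, because every client that proves the PIN receives the same pinToken. A passive eavesdropper who only sees the two public DH shares gets nothing, which matches the paper's finding that the protocol holds up against passive attackers only.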
“FIDO seems to assume that the user’s machine is malware free, which makes sense because if the user's machine is under the attacker’s control, it is hard to give any security guarantees”, the authors told iTnews.
“Our paper clarifies what a less powerful malware would be able to achieve, for example if it was able to sit between the browser and the token (for example in the USB driver).
“Of course, besides USB connections, FIDO could also interact with tokens via Bluetooth. MitM attacks against Bluetooth are feasible even if the user's machine is malware-free, though in practice such attacks might be less of a risk compared to malware.”
The paper proposes replacing the PIN protocol in CTAP2 with a new one, sPACA, built on a password-authenticated key exchange so that the PIN itself authenticates the key agreement and a party that does not know it cannot complete the exchange.
Provable Security Analysis of FIDO2 is the work of Manuel Barbosa, University of Porto (FCUP) and INESC TEC in Portugal; Alexandra Boldyreva of the Georgia Institute of Technology in the USA; Shan Chen of Technische Universität Darmstadt in Germany; and Bogdan Warinschi of the University of Bristol.