(2019) Poster: Let History not Repeat Itself (this Time) - Tackling WebAuthn Developer Issues Early On.
Abstract
The FIDO2 open authentication standard, developed jointly by the FIDO Alliance and the W3C, provides end-users with the means to use public-key cryptography in addition to or even instead of text-based passwords for authentication on the web. Its WebAuthn protocol has been adopted by all major browser vendors and recently also by major service providers (e.g., Google, GitHub, Dropbox, Microsoft, and others). Thus, FIDO2 is a very strong contender for finally tackling the problem of insecure user authentication on the web. However, there remain a number of open questions to be answered for FIDO2 to succeed as expected. In this poster, we focus specifically on the critical question of how well web-service developers can securely roll out WebAuthn in their own services and which issues have to be tackled to help developers in this task. The past has unfortunately shown that software developers struggle with correctly implementing or using security-critical APIs, such as TLS/SSL, password storage, or cryptographic APIs. We report here on ongoing work that investigates potential problem areas and concrete pitfalls for adopters of WebAuthn and tries to lay out a plan of how our community can help developers. We believe that raising awareness of foreseeable developer problems and calling for action to support developers early on is critical on the path to establishing FIDO2 as a de facto authentication solution.
| Field | Value |
|---|---|
| Item Type | Conference or Workshop Item (A Paper) (Poster) |
| Divisions | Katharina Krombholz (Human-Oriented Security, HOS); Sven Bugiel (Trusted Systems Group, TSG) |
| Conference | CCS ACM Conference on Computer and Communications Security |
| Depositing User | Sven Bugiel |
| Date Deposited | 24 Mar 2021 07:36 |
| Last Modified | 12 Oct 2022 20:06 |
| Primary Research Area | NRA5: Empirical & Behavioral Security |
| URI | https://publications.cispa.saarland/id/eprint/3386 |