Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?
Document Type
Conference Proceeding
Source of Publication
Proceedings - 2020 12th Annual Undergraduate Research Conference on Applied Computing, URC 2020
Publication Date
4-1-2020
Abstract
© 2020 IEEE. Fast Identity Online (FIDO) Alliance and W3C have defined a set of specifications (called FIDO2) that allows a user to replace the password-based authentication system. However, none of the high-profile websites have implemented FIDO2 yet as password-less single factor (SF) authentication (password-less SF). In this paper, we analyze the set of factors that make websites reluctant to adopt password-less FIDO SF authentication. We start by comparing the threat models of password-less FIDO SF authentication with password-based SF authentication. Our analysis shows that although password-based authentication is less secure than FIDO SF authentication, other factors related to the usability of FIDO security keys and FIDO-based authentication system, the non-consideration of enterprise requirements and the lack of specifications regarding account recovery/deletion and suspension are the main obstacles to the adoption of password-less FIDO SF authentication.
ISBN
9781728197890
Publisher
Institute of Electrical and Electronics Engineers Inc.
Disciplines
Computer Sciences
Keywords
FIDO2, Password based authentication, threat model, UAF, WebAuthn
Recommended Citation
Alqubaisi, Fatima; Wazan, Ahmad Samer; Ahmad, Liza; and Chadwick, David W., "Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?" (2020). All Works. 3088.
https://zuscholars.zu.ac.ae/works/3088
Indexed in Scopus
yes
Open Access
no