Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?
Source of Publication
Proceedings - 2020 12th Annual Undergraduate Research Conference on Applied Computing, URC 2020
© 2020 IEEE. The Fast Identity Online (FIDO) Alliance and W3C have defined a set of specifications (called FIDO2) that allows a user to replace the password-based authentication system. However, none of the high-profile websites have implemented FIDO2 yet as password-less single-factor (SF) authentication (password-less SF). In this paper, we analyze the set of factors that make websites reluctant to adopt password-less FIDO SF authentication. We start by comparing the threat models of password-less FIDO SF authentication with password-based SF authentication. Our analysis shows that although password-based authentication is less secure than FIDO SF authentication, other factors related to the usability of FIDO security keys and the FIDO-based authentication system, the non-consideration of enterprise requirements, and the lack of specifications regarding account recovery/deletion and suspension are the main obstacles to the adoption of password-less FIDO SF authentication.
Institute of Electrical and Electronics Engineers Inc.
FIDO2, Password based authentication, threat model, UAF, WebAuthn
Alqubaisi, Fatima; Wazan, Ahmad Samer; Ahmad, Liza; and Chadwick, David W., "Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?" (2020). All Works. 3088.
Indexed in Scopus