Evaluating FIDO2 implementations and conformity

Thesis type: Bachelor Thesis
Supervisor: Erwin Kupris
Starting date: As soon as possible
Skills: LaTeX, Git, any programming language
Language: English (preferred), German
Industry cooperation: not possible
Publish date: 2023-04-05

Problem and context

Identity and Access Management (IAM) aims to allow only the right entities to access the right resources at the right time and for the right reasons. IAM therefore covers everything surrounding digital identities and their use, including, but not limited to, concepts such as Identification, Authentication, Authorization, Federation, and Provisioning.

Authentication is one of the key concepts of IT security. Even though it is widely known to be insecure, password-based authentication is still the predominant method to verify a user’s identity. Alternative methods, such as Multi-Factor Authentication (MFA), often suffer from low adoption rates due to limited usability. This is why the FIDO Alliance, among others, aims to replace traditional authentication schemes with ones that are both secure and usable. The FIDO2 framework represents a promising next step in the quest to replace passwords with unphishable credentials based on asymmetric cryptography [1].

Nowadays, a multitude of websites offer FIDO2 credentials by implementing the WebAuthn API [2]. However, it is hard to find out which exact configuration a website implements and whether or not it conforms with the current specifications. A WebAuthn server can configure a multitude of parameters, such as public key algorithms, authenticator selection criteria, extensions, and attestation options [3].

Goals

The goal of this thesis is to develop a self-service webpage which can scan, analyze, and display the exact configuration of a given WebAuthn server. Such a service could then be used to evaluate the prevalence and conformity of FIDO2 implementations among top websites.
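As an illustration of the kind of analysis such a scanner would perform on the server parameters named above, here is an added example (not part of the proposal) that inspects the PublicKeyCredentialCreationOptions a relying party sends and reports configuration findings. The server response is constructed for the example; the byte-length and enumeration checks follow the WebAuthn specification.

```javascript
// Registered COSE algorithm identifiers a relying party may list in pubKeyCredParams.
const COSE_ALGS = {
  [-7]: "ES256", [-35]: "ES384", [-36]: "ES512", [-8]: "EdDSA",
  [-257]: "RS256", [-258]: "RS384", [-259]: "RS512",
  [-37]: "PS256", [-38]: "PS384", [-39]: "PS512", [-65535]: "RS1",
};
const KNOWN_EXTENSIONS = new Set(["credProps", "credProtect", "hmac-secret",
  "largeBlob", "minPinLength", "appidExclude", "uvm", "prf"]);
const ATTESTATION = new Set(["none", "indirect", "direct", "enterprise"]);

// Byte length of a base64url string (the usual JSON encoding of challenge and user.id).
function b64urlLength(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").length;
}

// Inspect creation options and return the configuration plus a list of findings.
function checkCreationOptions(opts) {
  const findings = [];
  if (b64urlLength(opts.challenge) < 16)
    findings.push("challenge shorter than 16 bytes");
  const idLen = b64urlLength(opts.user.id);
  if (idLen < 1 || idLen > 64) findings.push("user.id not 1..64 bytes");
  const algs = (opts.pubKeyCredParams || []).map((p) => p.alg);
  if (algs.length === 0) findings.push("pubKeyCredParams empty: client defaults apply");
  for (const a of algs) {
    if (!(a in COSE_ALGS)) findings.push(`unknown COSE alg ${a}`);
    else if (a === -65535) findings.push("RS1 (SHA-1) offered: legacy algorithm");
  }
  if (opts.attestation && !ATTESTATION.has(opts.attestation))
    findings.push(`invalid attestation preference "${opts.attestation}"`);
  const sel = opts.authenticatorSelection || {};
  if (sel.requireResidentKey === true && sel.residentKey !== "required")
    findings.push('requireResidentKey=true but residentKey is not "required"');
  for (const ext of Object.keys(opts.extensions || {}))
    if (!KNOWN_EXTENSIONS.has(ext)) findings.push(`unrecognised extension "${ext}"`);
  return { algorithms: algs.map((a) => COSE_ALGS[a] || String(a)),
           attestation: opts.attestation || "none", findings };
}

// Constructed sample response from a hypothetical server; not captured from any real site.
const SAMPLE = {
  rp: { id: "example.com", name: "Example" },
  user: { id: "AQID", name: "alice", displayName: "Alice" },
  challenge: "AQIDBAUGBwg", // only 8 bytes
  pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -65535 }],
  authenticatorSelection: { requireResidentKey: true, residentKey: "preferred" },
  attestation: "direct",
  extensions: { credProps: true, fooBar: 1 },
};
console.log(checkCreationOptions(SAMPLE));
```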

The thesis can focus on a number of sub-topics, including, but not limited to:

Thesis proposals for adjacent topics are welcome. Get in touch if you have further questions.

Literature

  1. https://fidoalliance.org/fido2/
  2. https://webauthn.io/
  3. https://webauthn.me/debugger