Bridging the old with the new - Passkeys and LDAP

Thesis type: Bachelor Thesis
Supervisor: Erwin Kupris
Starting date: As soon as possible
Skills: LaTeX, Git, Any programming language
Language: English (preferred), German
Industry cooperation: not possible
Publish date: 2024-03-26

Problem and context

Identity and Access Management (IAM) aims to allow only the right entities to access the right resources, at the right time and for the right reasons. IAM therefore covers everything surrounding digital identities and their use, including, but not limited to, concepts such as Identification, Authentication, Authorization, Federation, and Provisioning.

Authentication is one of the key concepts of IT security. Even though it is widely known to be insecure, password-based authentication is still the predominant method to verify a user’s identity. Alternative methods, such as Multi-Factor Authentication (MFA), often suffer from low adoption rates due to limited usability. This is why the FIDO Alliance, among others, aims to replace traditional authentication schemes with ones that are both secure and usable. The FIDO2 framework represents a promising next step in the quest to replace passwords with unphishable credentials based on asymmetric cryptography [1].

In 2022, the industry-backed advancement of multi-device FIDO credentials, so-called passkeys, was introduced [2]. The new standard allows FIDO credentials to be synchronized across devices, which addresses the problem of recovering credentials after the loss of a platform authenticator or hardware token. In addition, an improved user experience (UX) is expected because smartphones can now be used as roaming authenticators [3].

Goals

Since passkeys are rather new, integrating them with legacy systems poses a significant challenge. Many essential services still depend on LDAP and password-based methods for authentication. To address this challenge, we propose creating a secure and user-friendly bridge that allows users to authenticate via passkeys while maintaining compatibility with LDAP-dependent services.

A possible architecture for this system could include the following steps:

  1. User authentication using passkeys
  2. Creation of short-lived LDAP credentials for the user
  3. Automatic, transparent access to the legacy service using these credentials
  4. Revoking/expiring the credential after the session ends
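The four steps above, sketched as an added example (not code from this proposal or from any existing bridge project). Step 1 is assumed to be performed by a WebAuthn relying-party library and the bridge only receives its verdict; the LDAP directory is replaced by an in-memory stand-in, and the `bridgeExpires` attribute, the DN and the TTL are assumptions for illustration. The `{SSHA}` encoding is the real userPassword storage form OpenLDAP accepts, so the secret is never stored in clear text:

```python
import base64
import hashlib
import os
import secrets
import time


# Constructed stand-in for the LDAP directory: DN -> attribute dict.
# A real bridge would write the same attributes through an LDAP client
# (e.g. ldap3 or python-ldap); the attribute name "bridgeExpires" is an
# assumption, not a standard LDAP schema attribute.
class Directory:
    def __init__(self):
        self.entries = {}


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Encode a password in the {SSHA} form OpenLDAP accepts in userPassword:
    base64(sha1(password + salt) + salt)."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (what the
    directory does on a simple bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


class PasskeyLdapBridge:
    """Mints and retires per-session LDAP credentials for passkey users."""

    def __init__(self, directory: Directory, ttl_seconds: int = 300, now=time.time):
        self.directory = directory
        self.ttl = ttl_seconds
        self.now = now                          # injectable clock for testing

    def issue(self, user_dn: str, passkey_verified: bool) -> str:
        # Step 1 is assumed to have happened in a WebAuthn relying-party
        # library; the bridge only trusts its verdict.
        if not passkey_verified:
            raise PermissionError("passkey assertion not verified")
        # Step 2: a random, high-entropy secret that is never shown to a human
        # and is only stored hashed in the directory.
        secret = secrets.token_urlsafe(32)
        entry = self.directory.entries.setdefault(user_dn, {})
        entry["userPassword"] = ssha_hash(secret)
        entry["bridgeExpires"] = self.now() + self.ttl
        return secret

    def bind(self, user_dn: str, password: str) -> bool:
        # Step 3: what the legacy service's simple bind amounts to, with the
        # bridge's expiry check layered on top (the directory itself does not
        # know about bridgeExpires, so the bridge must enforce it).
        entry = self.directory.entries.get(user_dn)
        if entry is None or "userPassword" not in entry:
            return False
        if self.now() >= entry["bridgeExpires"]:
            self.revoke(user_dn)                # Step 4 on expiry
            return False
        return ssha_verify(password, entry["userPassword"])

    def revoke(self, user_dn: str) -> None:
        # Step 4: clear the credential at session end; the entry stays so the
        # user's other attributes (group memberships etc.) are untouched.
        entry = self.directory.entries.get(user_dn)
        if entry is not None:
            entry.pop("userPassword", None)
            entry.pop("bridgeExpires", None)


if __name__ == "__main__":
    directory = Directory()
    bridge = PasskeyLdapBridge(directory, ttl_seconds=60)
    dn = "uid=alice,ou=people,dc=example,dc=org"   # constructed DN
    secret = bridge.issue(dn, passkey_verified=True)
    print("bind with fresh credential:", bridge.bind(dn, secret))
    bridge.revoke(dn)
    print("bind after revocation:", bridge.bind(dn, secret))
```

Two design points worth noting: the expiry is enforced by the bridge rather than by the directory, so a production deployment needs either a directory password policy that supports an end time or a scheduled job that clears stale `userPassword` values, otherwise a credential whose session ended abnormally stays valid; and the secret is written to the directory only as a salted hash, so a directory dump does not yield reusable bridge credentials.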

The thesis can focus on a number of sub-topics, including, but not limited to:

Thesis proposals for adjacent topics are welcome. Get in touch if you have further questions.

Literature

  1. https://fidoalliance.org/fido2/
  2. https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
  3. https://fidoalliance.org/white-paper-multi-device-fido-credentials/