Press Release

User-friendly protocol that backs up WebAuthn credentials announced

The University of Surrey and Yubico, the leading provider of hardware authentication security keys, have proposed a new web protocol that should pave the way for an easy-to-use and secure online experience. 

Multi-factor authentication (MFA) has become ubiquitous across the web and is most commonly deployed by sending one-time codes to users’ mobile phones in addition to requiring a password. However, the technology is susceptible to being intercepted by hackers; further, there is no security backup, with providers often relying on insecure questions or reset links to allow users to regain access to their accounts. 

WebAuthn is a relatively new standard for stronger web authentication and has already been adopted by major IT companies such as Google, Microsoft and Facebook, and governmental websites including GOV.UK. Thanks to the use of public-key cryptography WebAuthn solves many of the existing problems with web authentication, including phishing.

However, WebAuthn also relies on hardware tokens called authenticators or security keys to manage cryptographic keys, and recent studies have shown that the potential loss of authenticators is one of the biggest fears affecting the adoption of WebAuthn.

In a paper published and presented at the renowned ACM CCS 2020 cybersecurity conference, Surrey Centre for Cyber Security details a newly proposed solution for backing up WebAuthn credentials, which was developed by engineers from Yubico, and analysed its cryptographic core called Asynchronous Remote Key Generation (ARKG).

In the study, Surrey and Yubico show that ARKG means an attacker cannot impersonate users or forge their WebAuthn backup credentials. The team also shows that hackers cannot determine whether credentials can be linked to the same user, preserving user privacy. Yubico’s recent blog provides further details on their proposal.

Dr. Mark Manulis, co-author of the paper and Deputy Director of the Surrey Centre for Cyber Security, said: “Authentication tokens such as YubiKeys are so small that they can easily be lost or stolen. ARKG is a major step towards a secure, automated and user-friendly backup solution for WebAuthn credentials that would greatly improve resilience against human negligence, and protect user accounts on the web.” 

Dain Nilsson, Director of Engineering at Yubico, said: “Security is only as strong as its weakest link. That means solving not only the problem of secure authentication with the help of hardware authenticators like YubiKeys, but also how to regain access in the case a user’s main login mechanism is lost. We believe that providing secure and easy-to-use recovery methods, which don’t compromise the security or privacy aspects of the core protocol, will be key to the continued adoption of WebAuthn.”

“Backup credentials are an important problem for the WebAuthn ecosystem to solve, and the key generation approach behind ARKG enables architectures that fit well with the decentralised and interoperable design of WebAuthn,” said W3C Web Authentication co-chairs Tony Nadalin and John Fontana in statement.

“The ARKG analysis performed by Dr. Manulis and his team proves that this technique preserves WebAuthn’s security and privacy principles. The Web Authentication Working Group looks forward to exploring how ARKG can be leveraged to improve the WebAuthn end-user experience.”

Security Report News

Security Report News and guest post account. Opinions and views expressed by guest authors are their own and not necessarily endorsed by Security Report Ltd. or our affiliates.

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.