Press Release

User-friendly protocol that backs up WebAuthn credentials announced

The University of Surrey and Yubico, the leading provider of hardware authentication security keys, have proposed a new web protocol that should pave the way for an easy-to-use and secure online experience. 

Multi-factor authentication (MFA) has become ubiquitous across the web and is most commonly deployed by sending one-time codes to users’ mobile phones in addition to requiring a password. However, such codes can be intercepted by hackers; further, there is no secure backup mechanism, with providers often relying on insecure security questions or reset links to let users regain access to their accounts.

WebAuthn is a relatively new standard for stronger web authentication and has already been adopted by major IT companies such as Google, Microsoft and Facebook, and by governmental websites including GOV.UK. Thanks to its use of public-key cryptography, WebAuthn solves many of the existing problems with web authentication, including phishing.

However, WebAuthn also relies on hardware tokens called authenticators or security keys to manage cryptographic keys, and recent studies have shown that the potential loss of authenticators is one of the biggest fears affecting the adoption of WebAuthn.

In a paper published and presented at the renowned ACM CCS 2020 cybersecurity conference, the Surrey Centre for Cyber Security details a newly proposed solution for backing up WebAuthn credentials, developed by engineers from Yubico, and analyses its cryptographic core, called Asynchronous Remote Key Generation (ARKG).

In the study, Surrey and Yubico show that with ARKG an attacker cannot impersonate users or forge their WebAuthn backup credentials. The team also shows that hackers cannot determine whether two credentials belong to the same user, preserving user privacy. Yubico’s recent blog provides further details on the proposal.
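As an added illustration, not code from the paper, the press release or Yubico, the sketch below follows the shape of the discrete-logarithm construction of ARKG in Python over a constructed toy group: the backup authenticator publishes one long-term public key, the primary authenticator derives fresh public keys and recovery credentials from it while the backup is absent, and the backup later recovers the matching private key. The group parameters, the KDF labels and the `aux` binding are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and a generator g of the
# order-q subgroup. Real authenticators would use a curve such as P-256.
P, Q, G = 1019, 509, 4

def kdf(shared: int, label: bytes) -> int:
    # Derive a scalar mod Q from the Diffie-Hellman shared value and a label.
    digest = hashlib.sha256(label + shared.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def mac(mk: int, E: int, aux: bytes) -> bytes:
    return hmac.new(mk.to_bytes(2, "big"), E.to_bytes(2, "big") + aux, "sha256").digest()

def backup_keygen():
    # Backup authenticator: one long-term key pair, handed to the primary once.
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def derive_pk(pk_backup: int, aux: bytes):
    # Primary authenticator, backup absent: fresh public key that relying parties
    # cannot link to pk_backup, plus the credential the backup needs later.
    e = secrets.randbelow(Q - 1) + 1
    E = pow(G, e, P)                    # ephemeral value, stored as the credential
    shared = pow(pk_backup, e, P)       # DH value only the backup can recompute
    ck, mk = kdf(shared, b"ck"), kdf(shared, b"mk")
    pk_derived = (pk_backup * pow(G, ck, P)) % P
    return pk_derived, (E, mac(mk, E, aux))

def derive_sk(sk_backup: int, cred, aux: bytes):
    # Backup authenticator at recovery time: rebuild the matching private key.
    E, tag = cred
    shared = pow(E, sk_backup, P)
    ck, mk = kdf(shared, b"ck"), kdf(shared, b"mk")
    if not hmac.compare_digest(tag, mac(mk, E, aux)):
        return None                     # not derived for this backup key and aux
    return (sk_backup + ck) % Q

def recovery_works(aux: bytes = b"example.org") -> bool:
    sk_b, pk_b = backup_keygen()
    pk_new, cred = derive_pk(pk_b, aux)
    sk_new = derive_sk(sk_b, cred, aux)
    return sk_new is not None and pow(G, sk_new, P) == pk_new
```

The recovered private key satisfies g^sk' = pk', so the backup can sign for a credential it never saw being registered, while a credential with a mismatched `aux` is rejected by the MAC check.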

Dr. Mark Manulis, co-author of the paper and Deputy Director of the Surrey Centre for Cyber Security, said: “Authentication tokens such as YubiKeys are so small that they can easily be lost or stolen. ARKG is a major step towards a secure, automated and user-friendly backup solution for WebAuthn credentials that would greatly improve resilience against human negligence, and protect user accounts on the web.” 

Dain Nilsson, Director of Engineering at Yubico, said: “Security is only as strong as its weakest link. That means solving not only the problem of secure authentication with the help of hardware authenticators like YubiKeys, but also how to regain access in the case a user’s main login mechanism is lost. We believe that providing secure and easy-to-use recovery methods, which don’t compromise the security or privacy aspects of the core protocol, will be key to the continued adoption of WebAuthn.”

“Backup credentials are an important problem for the WebAuthn ecosystem to solve, and the key generation approach behind ARKG enables architectures that fit well with the decentralised and interoperable design of WebAuthn,” said W3C Web Authentication co-chairs Tony Nadalin and John Fontana in a statement.

“The ARKG analysis performed by Dr. Manulis and his team proves that this technique preserves WebAuthn’s security and privacy principles. The Web Authentication Working Group looks forward to exploring how ARKG can be leveraged to improve the WebAuthn end-user experience.”

Security Report News
