Conference: IEEE International Conference on Trust, Security and Privacy in Computing and Communications

Extending Registration and Authentication Processes of FIDO2 External Authenticator with QR Codes


Abstract

FIDO2, the newest set of FIDO specifications, enables the user to leverage an external authenticator for authentication in both mobile and desktop environments (referred to as the user agent). For secure registration and authentication, FIDO2 requires the external authenticator and user agent to establish a confidential and mutually authenticated data transport channel through either USB interfaces, Near Field Communication (NFC) or Bluetooth. However, the external authenticator and host may not be equipped with one of the above physical media simultaneously; for example, a desktop may only have USB interfaces while an external authenticator (e.g., a smartphone) may have no USB interfaces. This affects the wide adoption of FIDO2. In this paper, we extend the registration and authentication processes of the FIDO2 external authenticator with QR codes, which enables an external authenticator equipped with a camera to be used for authentication at any user agent. During the registration process, our scheme requires the user to provide the original credential and a one-time password displayed on the authenticator, and therefore ensures the correct user will only be bound with the expected authenticator. The security of our scheme has been formally analyzed based on the Dolev-Yao style model, a widely adopted model for the analysis of web systems. We have implemented the prototype, and the performance evaluation demonstrated the efficiency of our scheme, which needs 373 ms for registration and 141 ms for authentication in our environment.
