Study and Analysis of FIDO2
Passwordless Web Authentication
Harshavardhan Ravilla, Rishi Sayal, and Pooja Kulkarni
Abstract As cyberthreats evolve, traditional password-based authentication systems have proven inadequate. FIDO2 passwordless authentication offers a compelling solution, eliminating passwords while enhancing security and user experience. This survey examines FIDO2’s core components, integration with blockchain technology, accessibility for diverse devices, and comparative usability. Findings suggest FIDO2 delivers superior security and usability compared to passwords. However, challenges remain regarding standardization, privacy, and balancing security with convenience. Further research into multi-factor authentication, biometrics, cross-device functionality, and blockchain integration can advance FIDO2’s accessibility, security, and adoption. This analysis underscores FIDO2’s transformative potential to redefine authentication.
Keywords FIDO2 · Hardware tokens · Public key cryptography · WebAuthn · Biometrics · Blockchain
1 Introduction
As digital systems proliferate, secure user authentication is imperative. However,
traditional password-based approaches face rising threats [1]. Phishing, social
engineering, and data breaches enable credential theft and unauthorized account
access [2]. Users struggle to create and recall complex passwords across expanding online accounts [3]. These vulnerabilities necessitate an evolution in authentication paradigms.
H. Ravilla (B) · R. Sayal · P. Kulkarni
Department of Cyber Security, Guru Nanak Institutions Technical Campus, Ibrahimpatnam, Hyderabad, India
e-mail: harshavardhan76740@gmail.com
R. Sayal
e-mail: ad.rs@gniindia.org
P. Kulkarni
e-mail: poojakulkarni.csegnitc@gniindia.org
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024
R. R. Chillarige et al. (eds.), Advances in Computational Intelligence and Informatics, Lecture Notes in Networks and Systems 993, https://doi.org/10.1007/978-981-97-4727-6_38
Fast Identity Online (FIDO2) enables passwordless web authentication using alternative methods like biometrics and hardware tokens [4]. FIDO2 offers enhanced security, eliminating many password risks while improving usability and convenience. Findings reveal FIDO2’s advantages but also highlight ongoing standardization, privacy, and usability concerns [5, 6]. Additional research can refine FIDO2’s security, inclusiveness, and adoption. This analysis underscores FIDO2’s potential as a disruptive force in authentication.
2 FIDO2 Passwordless Authentication
Public Key Cryptography: Users register a public/private key pair to verify identities. The private key is kept safe on the user’s device, while the public key is registered with the server [7–9].
Biometrics and Hardware Tokens: Biometrics use fingerprints, facial recognition, or other unique user attributes; users’ inherent physical characteristics and traits allow passwordless biometric authentication [4]. Hardware tokens are peripheral devices, such as USB keys; the token activates to authenticate the user’s session [10].
2.1 FIDO2 and Its Two Core Protocols
Figure 1 shows communication in the FIDO2 architecture [9]. Client-to-Authenticator Protocol version two (CTAP2) is used to communicate between the cryptographic authenticator and the client via USB. To communicate with the server over the network, the client’s browser uses the JavaScript-based Web Authentication API.
Fig. 1 FIDO2 system architecture [9]
WebAuthn is a web API used for web/app logins using on-device authenticators [1, 3, 11]. Through this API, which relies on public key cryptography, servers can register and authenticate users.
Client-to-Authenticator Protocol (CTAP) allows authenticators to communicate with client devices. CTAP enables interaction between authentication hardware/software and the client platform [4, 10]. FIDO2 provides standards enabling passwordless methods to authenticate users’ identities via biometrics, devices, and cryptography [1]. This eliminates reliance on passwords that are hard to manage and vulnerable to guessing, phishing, and reuse [12].
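To make the two-protocol split concrete, the following is an added Go example (not code from this paper or from any FIDO2 library) of the relying-party side of a WebAuthn authentication ceremony: a simulated CTAP2 authenticator signs the server’s challenge with a private key that never leaves it, and the server verifies the assertion against the public key it stored at registration, checking the challenge, the origin, the rpIdHash and the signature counter before accepting. Names such as Credential, SimulatedAuthenticator and the relying-party ID example.com are this example’s own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Credential is the server-side registration record; Counter is the last signature counter seen.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	RPID    string // relying-party ID the key is scoped to, e.g. "example.com"
	Counter uint32
}

// Assertion is the response the relying party receives back from the client.
type Assertion struct {
	ClientDataJSON []byte // {"type","challenge","origin"} as built by the browser
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature      []byte // ASN.1 DER ECDSA signature (ES256)
}
const flagUP, flagUV byte = 0x01, 0x04 // user present, user verified
// NewCredential simulates registration: only the public half of the key reaches the server.
func NewCredential(rpID string) (*ecdsa.PrivateKey, *Credential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &Credential{PubKey: &priv.PublicKey, RPID: rpID}
}
// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the value actually signed.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// SimulatedAuthenticator stands in for a CTAP2 device whose private key never leaves it.
func SimulatedAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, count uint32) (Assertion, error) {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin, "challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flagUP|flagUV, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], count)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}
// VerifyAssertion runs the relying-party checks: ceremony type, challenge, origin, rpIdHash and presence, counter, signature.
func VerifyAssertion(cred *Credential, a Assertion, challenge []byte, origin string) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || len(a.AuthData) < 37 {
		return errors.New("malformed client data or authenticator data")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd["challenge"])
	rpHash := sha256.Sum256([]byte(cred.RPID))
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	switch {
	case cd["type"] != "webauthn.get":
		return errors.New("wrong ceremony type")
	case err != nil || !bytes.Equal(got, challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: assertion was not made for this site")
	case !bytes.Equal(a.AuthData[:32], rpHash[:]) || a.AuthData[32]&flagUP == 0:
		return errors.New("rpIdHash mismatch or user presence not asserted")
	case (count != 0 || cred.Counter != 0) && count <= cred.Counter:
		return errors.New("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(cred.PubKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("invalid signature")
	}
	cred.Counter = count // persist only after every check has passed
	return nil
}
```

The origin check is what makes the scheme phishing-resistant: an assertion the browser produces on a look-alike site carries that site’s origin and is rejected without any user judgement involved.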
3 Related Work
This study evaluates previous work and analysis on traditional password-based authentication and FIDO2 passwordless authentication.
3.1 Overview of Passwordless Landscape
A comprehensive study [4] provides a broad overview of passwordless authentication. Its authors outline traditional password problems including vulnerability to guessing, reuse across accounts, and phishing. Passwordless techniques like biometrics and WebAuthn are highlighted as more secure and user-friendly. FIDO2 is recognized as a prominent passwordless platform due to its cryptographic strength and usability. The study emphasizes how passwords remain susceptible to brute force attacks, especially as computing power increases. Password reuse also critically undermines security by linking multiple accounts and services.
FIDO2 provides standards and protocols enabling such methods to be deployed
and adopted at scale across the web ecosystem. Its cryptographic foundations and
alignment with natural user behaviours highlight its game-changing potential.
3.2 Integration with Blockchain
Singh et al. [5] explore the possibility of combining FIDO2 with blockchain infrastructure. Blockchain characteristics like decentralization, transparency, and immutability can enhance authentication. For example, private keys used in FIDO2 can be registered on blockchain ledgers as user identities. Verification via WebAuthn would then allow passwordless blockchain transactions.
Fig. 2 Blockchain-based FIDO2 implementation
The blockchain-based FIDO2 implementation in Fig. 2 proceeds as follows:
• User authenticates locally to the authenticator via biometrics or a security token.
• Authenticator communicates with the client device over CTAP.
• Client device calls the WebAuthn API in the browser.
• Browser sends the authentication request to the FIDO2 server.
• FIDO2 server writes the credential record to the blockchain.
• Blockchain adds the transaction to the distributed ledger.
• FIDO2 server checks the credentials in its database.
• After verification, authentication is approved via WebAuthn.
• User achieves passwordless authentication.
The blockchain network provides a decentralized tamper-proof store for credential records, enhancing security and transparency of the FIDO2 infrastructure. This demonstrates conceptual synergies between blockchain decentralization and FIDO2 passwordless authentication.
3.3 Accessibility
Wagner et al. [13] address FIDO2 accessibility for devices with limited interfaces like IoT systems. They propose “Remote WebAuthn” to enable passwordless authentication on these devices via alternate interfaces like voice control or proxy devices [13]. For example, users could invoke verbal credentials on a voice assistant device to remotely authenticate with an IoT system lacking its own user interface. This preserves FIDO2’s security advantages while accommodating diverse user abilities and device capabilities.
Users can leverage interfaces attuned to their needs and limitations to interoperate
with less accessible systems [7]. It expands the scope of passwordless authentication
to novel contexts of use, such as within smart homes controlling appliances via voice
commands.
This study emphasizes architecting authentication flows around users’ needs and constraints. Individuals with disabilities may struggle with certain biometric techniques. Supporting flexible authentication channels tailored to their abilities promotes inclusiveness.
3.4 Comparative Usability Study
Ghorbani Lyastani et al. [14] conducted a comparative usability study of FIDO2 passwordless methods versus traditional passwords. Metrics included task completion time, user errors, and user satisfaction. Results showed FIDO2’s superior performance, with faster logins, fewer errors, and higher user satisfaction. However, users still faced challenges understanding new authentication concepts. The study involved 48 participants performing representative password and FIDO2 authentication tasks [14]. Password tasks involved entering an assigned complex password. For FIDO2, users authenticated via a fingerprint reader or a physical NFC card tap. Metrics captured included:
Task Completion Time: Measured duration for users to complete each login.
User Errors: Instances where users failed to log in successfully.
User Satisfaction: Self-reported ratings on ease of use.
This quantitatively demonstrates FIDO2’s advantages in efficiency, errors, and user perception relative to incumbent password practices. But quality-of-experience metrics also reveal ongoing adoption and integration challenges requiring further enhancement for truly seamless authentication experiences.
Table 1 summarizes key differences between legacy password-based models and emerging FIDO2 passwordless paradigms for user authentication. Traditional approaches rely solely on knowledge factors, requiring users to memorize and accurately type usernames and passwords. In contrast, FIDO2 passwordless authentication utilizes modern cryptographic protocols and biometric factors intrinsic to individual users. This provides enhanced resilience against many common attack vectors including phishing and data breaches. Further, employing user-unique attributes and devices streamlines the authentication experience, reducing the friction of recalling and inputting traditional passwords.
Additional advantages of passwordless models highlighted in the table include improved accessibility for users with disabilities, scalability across services without separate credentials, and leveraging advanced technology beyond sole reliance on fallible text passwords. While trade-offs exist, FIDO2’s multi-factor approach aims to deliver superior security and usability compared to legacy single-factor password paradigms.
Table 1 Comparison of traditional password model and FIDO2 passwordless model
Features | Traditional password | FIDO2 passwordless
Authentication | Ability based | Hardware token or biometric
Credentials | Username/password | Fingerprint/hardware token
Security | Vulnerable to guessing, phishing, data spill | Hard to crack, breach, or phish
Convenience | Passwords must be memorized and typed | Authentication via Touch ID, face recognition, or hardware key
Scalability | Separate credentials needed for each service | Credentials work for all services
Accessibility | Can be challenging for some users | Accommodates more abilities for disabled users
User experience | Hard to reset and manage passwords | User friendly; no password to store
Technology | Relies on passwords | Relies on cryptography
4 Discussion
Integration with blockchain provides decentralized verifiability, while accommodating diverse devices enhances accessibility. However, challenges remain around standards, privacy, and balancing security with usability.
4.1 Interoperability
Varying FIDO2 platforms complicate integration. Differences in implementations and client support for emerging standards like WebAuthn pose hurdles [5, 6]. Users struggle to manage credentials across different services and devices. These fragmentation issues inhibit adoption and realization of FIDO2’s full benefits. Cohesive universal standards, rather than fragmented proprietary variations, are key to securely unlocking FIDO2’s potential at global scale.
4.2 Standardization
The fractured technical landscape poses interoperability barriers. Differences between platform implementations complicate FIDO2 integration and consistent user experiences [3, 13]. Communications research on technology diffusion emphasizes that standardization and universal protocols enable disparate systems to interconnect. Accordingly, expanded efforts at harmonizing various vendors’ FIDO2 implementations can improve technical interoperability and usability. International standards bodies like the FIDO Alliance play an important role in driving alignment.
Additionally, open source FIDO2 codebases enable collective development and
transparency. Shared references like Google’s FIDO2 Libraries facilitate consistency.
Open collaboration allows inspecting code ambiguities and aligning approaches.
4.2.1 User Adoption
Users struggle to understand and use new FIDO2 concepts. Lacking familiarity with passwordless paradigms impedes adoption. Furthermore, suboptimal integration and a lack of single sign-on capability reduce usability benefits compared to passwords. Rethinking system designs and user interactions can enhance understanding and ease of use [7, 14].
4.2.2 Privacy
Sharing biometric profiles raises concerns. Stoking fears of surveillance or misuse will deter adoption. Accordingly, engineering privacy into technical FIDO2 implementations is critical. Cryptographic solutions that preserve confidentiality without compromising security warrant research [4, 6]. For example, zero knowledge proofs allow validating identities without revealing underlying biometric data.
4.2.3 Balancing Security and Usability
Simplifying authentication risks reducing effectiveness. However, forcing complex security procedures undermines user experience. Reconciling security with convenience remains an open challenge [5, 15]. Adaptive and context-aware models may help achieve equilibrium. For example, transparently elevating authentication factors for high-risk transactions or unfamiliar devices provides added security when needed without constantly overburdening users. Research into dynamic and risk-based authentication tailored to usage situations can balance security and experience.
4.3 Advancing FIDO2 Through User Centric Design
While promising, FIDO2’s potential remains encumbered by lack of standards harmonization, suboptimal integration with existing systems, and poor user experience design [3]. However, insights from human-centred design research offer pathways for refining FIDO2’s capability and adoption.
4.3.1 Mental Models and Metaphors
Driving widespread FIDO2 adoption requires designing authentication interactions
that map to existing user mental models [14]. Cryptography and public key protocols
fundamentally differ from ingrained password behaviours. Mapping abstract security
mechanisms onto tangible metaphors and experiences makes them more intuitive
[15].
Consider hardware security keys, a FIDO2 authenticator option. These resemble common physical keys—a mental model familiar to most people. Software interfaces can build on this metaphor, representing cryptographic challenge response as akin to using a physical key to unlock a door. This frames the interaction in a relatable way, smoothing adoption. Leveraging metaphors deeply embedded in users’ existing mental frameworks makes novel authentication methods feel more natural and integrated into ordinary routines.
4.3.2 Habit-Driven Interactions
Authentication interactions should align with user habits and ingrained behaviours. Attempting to change entrenched routines requires immense effort and faces resistance. Accordingly, FIDO2 adoption benefits from seamlessly overlaying passwordless authentication onto habitual behaviours [14].
Contextual integration enables habit-driven use critical for passive adoption. Location-based contextual triggers offer one avenue, automatically applying FIDO2 when entering offices or buildings. Coupling authentication initiation with entrenched environmental or behavioural cues makes it reflexive instead of interruptive. Habit-focused design that taps into habitual patterns rather than confronting them can dramatically accelerate FIDO2’s assimilation into everyday routines and rituals.
4.4 Integration Challenges and Mitigation Strategies
While promising, FIDO2 faces integration hurdles with legacy systems and fragmented standards, even as user-centric design advances its adoption.
4.4.1 Legacy System Interoperability
Integrating FIDO2 with extensive legacy systems using embedded passwords poses
challenges. Both protocols must be supported concurrently during transition periods.
This raises technical and user experience (UX) complexities. Strategically bridging
old and new paradigms is vital for successful assimilation.
Backward compatibility allows simple adoption. Ensuring FIDO2 authenticates seamlessly with existing password-only sites provides this. One approach is securely integrating FIDO2 identity verification into common web single sign-on protocols like OAuth and OpenID Connect [1, 3]. This allows adding FIDO2 alongside legacy password authentication within the same flows.
Gateway architecture also enables compatibility. Standalone FIDO2 authenticators users already possess can securely log them into password-only systems via credential translation gateways. This intermediates between interfaces, avoiding disruptive system changes.
5 Biometric Authentication
Biometric authentication, using physical or behavioural traits for identification, is a core enabler of FIDO2 passwordless models [4, 6, 16]. Assessing its strengths and limitations provides insights into improving real-world performance. Balancing biometric strengths and weaknesses for optimized security calls for integrating a multifaceted set of mechanisms, such as multi-factor authentication (MFA), continuous risk monitoring, and tokens, into a hybrid authentication scheme.
5.1 Biometrics Offer Notable Advantages Over Passwords
Convenience: Users need not memorize credentials. Presenting inherent characteristics is convenient.
Security: Biometric traits are unique to individuals. They cannot be guessed or directly shared, enhancing security.
Accuracy: Modern recognition algorithms have high accuracy when well-implemented, rarely misidentifying legitimate users.
Scalability: Users need to enrol only once. The same biometric authenticates across services, avoiding proliferation of credentials.
Accessibility: Biometrics accommodate users with diverse needs and abilities, including those lacking the dexterity for passwords or tokens.
These advantages highlight biometrics’ appeal for usability, security, and inclusion. When thoughtfully applied, biometrics can strengthen authentication experiences.
5.2 Limitations and Risks
Biometric authentication also exhibits shortcomings:
Privacy: Biometric data reveals sensitive personal details warranting protection.
Noise: Sensor or environmental variability can degrade signal quality, reducing
reliability.
Spoofing: Adversaries may attempt to fake fingerprints or other characteristics.
Exclusion: Ailments or disabilities can impede using certain biometric modalities.
Latency: Processing and validating biometrics adds potential delays compared to
instant password checks.
Revocation: Biometric traits cannot be reset like passwords if compromised. New
enrolments may be needed.
These limitations highlight the need to judiciously apply biometrics based on context, augment with secondary factors, and provide alternatives accommodating user diversity. While offering advantages, biometric technologies warrant thoughtful implementation considering context, diversity, and combinations with other mechanisms. Careful engineering can maximize their potential while minimizing limitations.
5.3 Hybrid Authentication
Hybrid authentication combining multiple factors offers one approach to balancing biometric strengths and weaknesses. For example, a fingerprint scan might unlock a mobile device, but high-risk transactions could require an additional PIN or hardware token. Redundancy compensates for limitations like biometric noise or spoofing. Contextual risk-based factors adjust security strength dynamically. Multi-modal biometrics strengthen reliability via multiple traits. Hybrid models thus strategically overlay factors to optimize security, usability, and inclusion.
Advanced models use biometrics for continuous risk-based authentication. Unlike single-point login events, continuous authentication passively validates users throughout sessions based on background monitoring of their behaviours and movements. This enhances security, responding dynamically to potential risks.
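Sections 4.2.3 and 5.3 both describe adjusting the required factors to contextual risk. The following added Go example (not from this paper or from any product) sketches such a policy for a FIDO2 relying party: the user-verification (UV) flag from the assertion plus device, location, transaction and session-age signals produce a score, and the score selects between accepting a presence-only assertion, re-prompting for PIN or biometric, or requiring a second hardware key. The Signals fields, weights and thresholds are assumptions chosen for illustration.

```go
package main

import "fmt"

// Signals holds what a relying party knows when a FIDO2 assertion arrives.
// Field names and the weights below are assumptions for this example, not a standard.
type Signals struct {
	UserVerified   bool    // UV bit (0x04) set in the assertion's authenticator data flags
	KnownDevice    bool    // the credential ID has been used by this account before
	NewLocation    bool    // network location differs from the account's recent history
	TxAmount       float64 // value of the action being authorised, in the account currency
	MinutesSinceUV int     // age of the last user-verified assertion in this session
}

// Decision is what the relying party asks of the client next.
type Decision string

const (
	Allow          Decision = "allow"              // a user-presence (UP) assertion suffices
	StepUpUV       Decision = "require-uv"         // re-prompt for PIN or biometric on the same authenticator
	StepUpHardware Decision = "require-second-key" // require a separate roaming hardware authenticator
	Deny           Decision = "deny"               // refuse and route to manual review
)

// RiskScore adds up the context signals; a higher score means a riskier request.
func RiskScore(s Signals) int {
	score := 0
	if !s.KnownDevice {
		score += 40
	}
	if s.NewLocation {
		score += 25
	}
	switch {
	case s.TxAmount >= 10000:
		score += 50
	case s.TxAmount >= 1000:
		score += 20
	}
	if s.MinutesSinceUV > 30 {
		score += 10 // continuous-authentication signal: the last UV check is stale
	}
	return score
}

// Decide maps the score to the weakest factor set that covers the risk. A UV
// assertion already in hand satisfies the medium band without a new prompt.
func Decide(s Signals) Decision {
	score := RiskScore(s)
	switch {
	case score >= 100:
		return Deny
	case score >= 60:
		return StepUpHardware
	case score >= 25 && !s.UserVerified:
		return StepUpUV
	default:
		return Allow
	}
}

func main() {
	routine := Signals{KnownDevice: true, TxAmount: 20}
	transfer := Signals{KnownDevice: true, NewLocation: true, TxAmount: 500}
	newDevice := Signals{UserVerified: true, KnownDevice: false, TxAmount: 2500}
	fmt.Println(Decide(routine), Decide(transfer), Decide(newDevice)) // prints: allow require-uv require-second-key
}
```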
6 Conclusion and Future Enhancement
This study analyses research illuminating FIDO2’s principles, applications, and adoption challenges. Findings reveal FIDO2’s immense promise to transform authentication. Its passwordless approach offers security, usability, and accessibility benefits. However, ongoing standardization promoting interoperability remains imperative, as does inclusive UX design and education optimizing user experiences. FIDO2 demonstrates immense potential to reshape authentication technology and culture. But deliberate collaborative action is needed to develop frameworks enabling its capabilities to be compellingly and equitably harnessed worldwide.
Future research can focus on exploring post-quantum cryptographic algorithms, continuous multi-factor authentication frameworks responsive to contextual risks and zero trust network authentication, enhanced accessibility and inclusivity, and improved interoperability through standardization efforts.
References
1. Zhidovich, A., Lubenko, A., Vojteshenko, I., Andrushevich, A.: Semantic Approach to Designing Applications with Passwordless Authentication According to the FIDO2 Specification (n.d.)
2. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)
3. FIDO Alliance: FIDO2: WebAuthn & CTAP [Online]. Available: https://fidoalliance.org/fido2/
4. Parmar, V., Sanghvi, H., Patel, R., Pandya, A.: A comprehensive study on passwordless authentication. In: Proceedings 3rd International Conference on Smart Systems and Inventive Technology, Tirunelveli, India, pp. 991–997 (2020)
5. Singh, R., Jain, Y., Khawade, S., Jinde, A., Zanwar, S.: Blockchain-based decentralized passwordless user authentication system: a survey. Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol. 5(1), 478–485 (2019)
6. Lassak, L., Hildebrandt, A., Golla, M., Ur, B.: It’s Stored, Hopefully, on an Encrypted Server: Mitigating Users’ Misconceptions About FIDO2 Biometric WebAuthn (2021)
7. Owens, K., Ur, B., Anise, O.: A Framework for Evaluating the Usability and Security of Smartphones as FIDO2 Roaming Authenticators (2020)
8. W3C Web Authentication Working Group: Web Authentication: An API for Accessing Scoped Credentials. W3C Recommendation (2019) [Online]. Available: https://www.w3.org/TR/webauthn-1/
9. Farke, F.M., Lorenz, L., Schnitzler, T., Markert, P., Dürmuth, M.: “You still use the password after all”—Exploring FIDO2 Security Keys in a Small Company (2020)
10. Mitra, A., Ghosh, A., Sethuraman, S.: TUSH-Key: Transferable User Secrets on Hardware Key (2023)
11. Lee, A., Han, J.: Effective user authentication system in an E-learning platform. Int. J. Innov. Creativity Change 13(3) (2020)
12. Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of IEEE INFOCOM (2010)
13. Wagner, P., Heid, K., Heider, J.: Remote WebAuthn: FIDO2 authentication for less accessible devices. In: Proceedings International Workshop on Usable Security, Stockholm, Sweden (2020)
14. Ghorbani Lyastani, S., Schilling, M., Neumayr, M., Backes, M., Bugiel, S.: Is FIDO2 the Kingslayer of user authentication? A comparative usability study of FIDO2 passwordless authentication. In: Proceedings 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 181–190 (2021)
15. Volkamer, M., Renaud, K.: Mental models–general introduction and review of their application to human-centred security. In: Number Theory and Cryptography: Papers in Honor of Johannes Buchmann on the Occasion of His 60th Birthday, pp. 255–280. Springer Berlin Heidelberg, Berlin, Heidelberg (2013)
16. Chadwick, D.W., Laborde, R., Oglaza, A., Venant, R., Wazan, S., Nijja, M.: Improved identity management with verifiable credentials and FIDO. IEEE Commun. Stand. 3(4), 14–20 (2019)