Happy to share our latest research on #FIDO2 password-less authentication using biometric #WebAuthn, with Leona Lassak, Annika Hildebrandt, and Blase Ur.
Users hate passwords; #WebAuthn could render them obsolete. But hardware security keys (YubiKeys) are inconvenient. Fortunately, end users can also use their phones as #FIDO2 authenticators. The user authorizes each sign in using their usual unlock mechanism (biometric, PIN).
Using your fingerprint to sign into a website is new to most end users. Our research focused on users' initial encounters with biometric WebAuthn. Many will encounter WebAuthn for the first time via a small notification on a website encouraging them to adopt the technology.
We were interested in learning: 1) how participants think biometric WebAuthn works, and what misconceptions they hold; 2) to address these, participants engaged in co-design of new notifications; 3) which we then compared across groups using biometric WebAuthn, non-biometric WebAuthn, and passwords.
We required that participants have a modern #Android phone, Google #Chrome, and #biometric #unlocking configured. #FIDO2 fully supports this configuration. Overall, 414 participants shared their understanding and expectations relating to security, privacy, usability, and trust.
Unfortunately, 70% of respondents were unsure or believed that their biometric is shared with the site.
Other misconceptions: a) where the biometrics are stored b) if they are transmitted c) if someone who finds the phone can access the account d) sharing and access delegation.
To prevent these misconceptions and better communicate the complicated functionality of WebAuthn, seven focus groups developed texts and graphics.
These new notifications increased the fraction of participants who correctly reported that their biometric is stored on the device from 1/3 up to 1/2. We observed that participants tried to infer how WebAuthn worked based on their existing knowledge about passwords and unlocking.
Results show a clear usability advantage of biometric over non-biometric WebAuthn (PIN, pattern, or password). Participants were surprised by how easy and fast the login process was. The most urgent misconception we identified is where users believe their biometrics are stored.
To summarize: Biometric WebAuthn is a promising candidate to replace passwords. There are various problems that need to be addressed first. One of them is to more clearly communicate that the fingerprint and face data is never transmitted to the website.
Leona Lassak, Annika Hildebrandt, Maximilian Golla, and Blase Ur. "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn. In USENIX Security Symposium, SSYM '21, August 2021. USENIX.