Paper 2022/084

Token meets Wallet: Formalizing Privacy and Revocation for FIDO2

Lucjan Hanzlik, CISPA Helmholtz Center for Information Security
Julian Loss, CISPA Helmholtz Center for Information Security
Benedikt Wagner, CISPA Helmholtz Center for Information Security, Saarland University

The FIDO2 standard is a widely-used class of challenge-response type protocols that allows to authenticate to an online service using a hardware token. Barbosa et al. (CRYPTO `21) provided the first formal security model and analysis for the FIDO2 standard. However, their model has two shortcomings: (1) It does not include privacy, one of the key features claimed by FIDO2. (2) It only covers tokens that store {all secret keys locally}. In contrast, due to limited memory, most existing FIDO2 tokens either derive all secret keys from a common seed or store keys on the server (the latter approach is also known as {key wrapping}). In this paper, we revisit the security of the WebAuthn component of FIDO2 as implemented in practice. Our contributions are as follows. (1) We adapt the model of Barbosa et al. so as to capture authentication tokens using key derivation or key wrapping. (2) We provide the {first formal definition of privacy for the WebAuthn component of FIDO2}. We then prove the privacy of this component in common FIDO2 token implementations if the underlying building blocks are chosen appropriately. (3) We address the unsolved problem of {global key revocation} in FIDO2. To this end, we introduce and analyze a simple revocation procedure that builds on the popular BIP32 standard used in cryptocurrency wallets and can efficiently be implemented with existing FIDO2 servers.

Note: This version is a major revision of the first eprint version, and the full version of the S&P version.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. IEEE S&P 2023
FIDO2 BIP32 unlinkability revocation
Contact author(s)
hanzlik @ cispa de
loss @ cispa de
benedikt wagner @ cispa de
2022-11-11: last of 2 revisions
2022-01-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Lucjan Hanzlik and Julian Loss and Benedikt Wagner},
      title = {Token meets Wallet: Formalizing Privacy and Revocation for FIDO2},
      howpublished = {Cryptology ePrint Archive, Paper 2022/084},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.