Paper 2022/1029

FIDO2, CTAP 2.1, and WebAuthn 2: Provable Security and Post-Quantum Instantiation

Nina Bindel, SandboxAQ
Cas Cremers, CISPA Helmholtz Center for Information Security
Mang Zhao, CISPA Helmholtz Center for Information Security

The FIDO2 protocol is a globally used standard for passwordless authentication, building on an alliance between major players in the online authentication space. While already widely deployed, the standard is still under active development. Since version 2.1 of its CTAP sub-protocol, FIDO2 can potentially be instantiated with post-quantum secure primitives. We provide the first formal security analysis of FIDO2 with the CTAP 2.1 and WebAuthn 2 sub-protocols. Our security models build on work by Barbosa et al. for their analysis of FIDO2 with CTAP 2.0 and WebAuthn 1, which we extend in several ways. First, we provide a more fine-grained security model that allows us to prove more relevant protocol properties, such as guarantees about token binding agreement, the None attestation mode, and user verification. Second, we can prove post-quantum security for FIDO2 under certain conditions and minor protocol extensions. Finally, we show that for some threat models, the downgrade resilience of FIDO2 can be improved, and show how to achieve this with a simple modification.

Note: Aug 18: Our initial comparison to [3] did not take into account that some issues had been fixed in their eprint version [11]. Updated comments to reflect this, notably about comments about trust in registration phase.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Security and Privacy 2023
FIDO2 CTAP WebAuthn Post-quantum
Contact author(s)
nina bindel @ sandboxaq com
cremers @ cispa de
mang zhao @ cispa de
2022-08-19: revised
2022-08-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nina Bindel and Cas Cremers and Mang Zhao},
      title = {FIDO2, CTAP 2.1, and WebAuthn 2: Provable Security and Post-Quantum Instantiation},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1029},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.