Paper 2022/1555

Avoiding Lock Outs: Proactive FIDO Account Recovery using Managerless Group Signatures

Sunpreet S. Arora, Visa Research
Saikrishna Badrinarayanan, Visa Research
Srinivasan Raghuraman, Visa Research
Maliheh Shirvanian, Visa Research
Kim Wagner, Visa Research
Gaven Watson, Visa Research

Passwords are difficult to remember, easy to guess and prone to hacking. While there have been several attempts to solve these problems, one of the most successful to date has been by the Fast Identity Online (FIDO) alliance. FIDO introduced a series of protocols that combine local authentication on a user device with remote validation on relying party servers using public-key cryptography. One of the fundamental problems of FIDO protocols is complete reliance on a single user device for authentication. More specifically, the private key used for signing relying party challenges can only be stored on a single device. Each FIDO authenticator key is linked uniquely to an account with a relying party service. As a result, a lost or stolen user device necessitates creation of a new user account, using a new device, with each (previously enrolled) relying party service. To overcome this limitation, we introduce a dynamic managerless group signature scheme that organizes authenticators into groups. Each authenticator in a group has a unique private key that links it to an account with a relying party and that can sign relying party challenges. The relying party server has a group verification key that can validate challenges signed using the private key of any authenticator in a group. Our approach provides additional redundancy and usability to the FIDO protocol whilst still achieving the security properties expected in the FIDO setting, such as unforgeability and unlinkability.

Category: Cryptographic protocols
Keywords: Group Signature, Authentication, Account Recovery, FIDO2
Contact author(s): sunarora @ visa com, mshirvan @ visa com
History: 2022-11-10: approved; 2022-11-08: received
License: Creative Commons Attribution-NonCommercial-ShareAlike


BibTeX

@misc{cryptoeprint:2022/1555,
      author = {Sunpreet S. Arora and Saikrishna Badrinarayanan and Srinivasan Raghuraman and Maliheh Shirvanian and Kim Wagner and Gaven Watson},
      title = {Avoiding Lock Outs: Proactive FIDO Account Recovery using Managerless Group Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1555},
      year = {2022}
}