Paper 2022/1555

Avoiding Lock Outs: Proactive FIDO Account Recovery using Managerless Group Signatures

Sunpreet S. Arora, Visa Research
Saikrishna Badrinarayanan, Visa Research
Srinivasan Raghuraman, Visa Research
Maliheh Shirvanian, Visa Research
Kim Wagner, Visa Research
Gaven Watson, Visa Research
Abstract

Passwords are difficult to remember, easy to guess and prone to hacking. While there have been several attempts to solve these problems commonly associated with passwords, one of the most successful to date has been by the Fast Identity Online (FIDO) Alliance. FIDO introduced a series of protocols that combine local authentication on a user device with remote validation on relying party servers using public-key cryptography. One of the fundamental problems of FIDO protocols is their complete reliance on a single user device for authentication. More specifically, the private key used for signing relying party challenges can only be stored on a single device. Each FIDO authenticator key is linked uniquely to an account with a relying party service. As a result, a lost or stolen user device necessitates the creation of a new user account, using a new device, with each (previously enrolled) relying party service. To overcome this limitation, we introduce a dynamic managerless group signature scheme that organizes authenticators into groups. Each authenticator in a group has a unique private key that links it to an account with a relying party and that can sign relying party challenges. The relying party server has a group verification key that can validate challenges signed using the private key of any authenticator in a group. Our approach provides additional redundancy and usability to the FIDO protocol whilst still achieving the security properties expected in the FIDO setting, such as unforgeability and unlinkability.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Group Signature, Authentication, Account Recovery, FIDO2
Contact author(s)
sunarora @ visa com
mshirvan @ visa com
History
2022-11-10: approved
2022-11-08: received
Short URL
https://ia.cr/2022/1555
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2022/1555,
      author = {Sunpreet S. Arora and Saikrishna Badrinarayanan and Srinivasan Raghuraman and Maliheh Shirvanian and Kim Wagner and Gaven Watson},
      title = {Avoiding Lock Outs: Proactive {FIDO} Account Recovery using Managerless Group Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1555},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1555}
}