Paper 2023/1275

Post-Quantum Asynchronous Remote Key Generation for FIDO2 Account Recovery

Abstract

The Fast IDentity Online (FIDO) Alliance develops open standards to replace password-based authentication by token-based so- lutions. The latest protocol suite FIDO2 provides a promising alterna- tive which many key players have already adopted or are planning to. The central authentication mechanism WebAuthn uses cryptographic keys stored on the device to authenticate clients to a relying party via a challenge-response protocol. Yet, this approach leaves several open issues about post-quantum secure instantiations and credential recovery. Recently Frymann et al. (CCS 2020, ACNS 2023, EuroS&P 2023) made significant progress to advance the security of FIDO2 systems. Following a suggestion by device manufacturer Yubico, they considered a WebAuthn- compliant mechanism to store recovery information at the relying party. If required, the client can recover essential data with the help of a backup authenticator device. They proposed and analyzed Diffie-Hellman based schemes, showing basic authentication and privacy features. One of their solutions also provides a post-quantum secure variant, but only for a weaker version of authentication security. In this work here we show a generic construction based on (anonymous) KEMs and signature schemes. In particular, using post-quantum secure instances like Kyber and Dilitihium, one immediately obtains a post- quantum secure solution. In passing, we observe that the security defini- tions brought forward by Frymann et al., especially the privacy notion, do not appropriately capture the intuitive security goals of the FIDO2 protocol. We thus strengthen the notions and prove our general scheme to satisfy the stronger definitions.