Daniel Waghubinger, "Evaluating the Viability of WebAuthn Across Various Security Modes on Websites", 12-2024
Original Title:
Evaluating the Viability of WebAuthn Across Various Security Modes on Websites
Title language:
English
Original Abstract:
Authentication plays a critical role in ensuring the security and integrity of online services by verifying the identity of users. Traditionally, passwords have served as the most common form of authentication. Although in theory passwords can provide adequate security, in practice they often fall short due to user habits. Many users choose low-entropy passwords, reuse passwords across multiple platforms, or select non-random passwords, making their accounts more susceptible to compromise. This behavior weakens the security of authentication systems and requires the implementation of additional security measures. Mode switching is one such measure that could improve the security of the authentication process. It is a technique in which the system can operate in different modes, each providing a different level of security. For example, the system may have a default mode that allows full operation and a restricted mode that is entered when, for instance, an intruder is detected. In an authentication system, the default mode may be a password authentication mode, while the more restricted and secure mode may be implemented with WebAuthn, a web standard that allows passwordless authentication via cryptographic key pairs.
In this master's thesis, a prototype featuring such a system is built in order to evaluate whether or not WebAuthn is a viable option to use as a security-focused mode in a mode-switching authentication system. For this, switching to the WebAuthn mode must provide an improvement in security over the password-based default mode, while also resulting in drawbacks on the usability side of the application. Otherwise, if there were no drawbacks, it would make more sense to implement WebAuthn as the default mode, with no switching.
Three WebAuthn-based modes are implemented alongside a password-based mode: 1) a WebAuthn mode that only allows authentication from a pre-defined machine on which the private key is stored, 2) a mode that requires a USB security key in order to authenticate, and 3) a mode in which the user authenticates via a second device, such as a smartphone.
To evaluate the viability of these modes, metrics are defined and calculated on the basis of the prototype implementation. These metrics are split into two categories: 1) security-focused metrics that measure brute-force attack resilience and the sensitivity of stored information, and 2) usability-focused metrics that measure the complexity of the authentication process in user interactions and whether the mode is capable of handling all authentication-related tasks.
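The following relying-party helper is an added example, not code from the thesis or its prototype: it sketches how a server could express the mode switch described above and the three WebAuthn modes as WebAuthn registration and authentication option dictionaries. The mode names, the failure-count trigger and the threshold value are assumptions; the dictionary field names (`authenticatorAttachment`, `allowCredentials[].transports`, the `internal`/`usb`/`hybrid` transport values) are from the WebAuthn specification.

```javascript
// Added example (not from the thesis). Mode names, the switch trigger and
// FAILURE_THRESHOLD are assumed policy choices; WebAuthn field names are standard.
const MODES = {
  PASSWORD: "password",                         // default mode, usable anywhere
  WEBAUTHN_PLATFORM: "webauthn-platform",       // key bound to one pre-defined machine
  WEBAUTHN_USB: "webauthn-usb",                 // roaming USB security key
  WEBAUTHN_CROSS_DEVICE: "webauthn-cross-device", // second device (phone) via hybrid transport
};

// Authenticator attachment used at registration and transports hinted at login, per mode.
const MODE_POLICY = {
  [MODES.WEBAUTHN_PLATFORM]:     { attachment: "platform",       transports: ["internal"] },
  [MODES.WEBAUTHN_USB]:          { attachment: "cross-platform", transports: ["usb"] },
  [MODES.WEBAUTHN_CROSS_DEVICE]: { attachment: "cross-platform", transports: ["hybrid"] },
};

// Assumed trigger: leave the password mode after too many failed attempts and
// never fall back automatically once a WebAuthn mode is active.
const FAILURE_THRESHOLD = 3;
function nextMode(current, failedAttempts, secureMode) {
  if (current !== MODES.PASSWORD) return current;
  return failedAttempts >= FAILURE_THRESHOLD ? secureMode : MODES.PASSWORD;
}

// Registration options restrict which kind of authenticator may enrol for this mode.
function registrationOptions(mode, rpId, user, challenge) {
  const p = MODE_POLICY[mode];
  if (!p) throw new Error(`no WebAuthn policy for mode ${mode}`);
  return {
    rp: { id: rpId, name: rpId },
    user: { id: user.id, name: user.name, displayName: user.name },
    challenge, // server-generated random bytes, one per ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { authenticatorAttachment: p.attachment, userVerification: "required" },
    attestation: "none",
  };
}

// Authentication options: allowCredentials limits the ceremony to the credentials
// enrolled for this mode and tells the browser which transport to try.
function authenticationOptions(mode, rpId, credentialIds, challenge) {
  const p = MODE_POLICY[mode];
  if (!p) throw new Error(`no WebAuthn policy for mode ${mode}`);
  return {
    rpId,
    challenge,
    userVerification: "required",
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id, transports: p.transports })),
  };
}
```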
The results show that the modes implemented with WebAuthn are indeed viable as security-focused modes in a mode-switching system. The metrics show that WebAuthn as a whole provides security improvements over password authentication that are substantial enough to make a mode switch worthwhile. While security is improved via the mode switch, WebAuthn is also held back by usability issues, mainly in the form of portability between devices and access on smart devices. This means that WebAuthn is indeed a viable option for a security-focused mode. The different WebAuthn modes provide the same benefits in terms of security, and differ mostly in the usability aspect and the scenarios in which they can be switched.