Abstract
WebAuthn, part of FIDO2, is a W3C standard for strong authentication that uses
digital signatures to authenticate web users whilst preserving their privacy.
User-owned WebAuthn authenticators generate an attested and unlinkable public-key
credential for each web service, which that service then uses to authenticate the
user. Since losing an authenticator locks a user out of their web services, usable
recovery solutions that preserve WebAuthn's original design choices and security
objectives are urgently needed. Further challenges arise when an account owner
wants to delegate certain rights to a proxy user, such as accessing their accounts
or performing actions on their behalf: delegation must not undermine the
decentralisation, unlinkability and attestation properties that WebAuthn provides.
Given recent proposals for securing the web against post-quantum adversaries, any
solution should also be future-proof.
To address these issues, we introduce a new primitive, called Asynchronous Remote
Key Generation (ARKG), which allows a primary authenticator to generate unlinkable
public keys for which a backup authenticator can later recover the corresponding
private keys. Both processes run asynchronously, and neither authenticator needs to
export or share secrets, which keeps the scheme within WebAuthn's attestation
requirements. Our construction satisfies ARKG's security properties under the
discrete logarithm and PRF-ODH assumptions in the random oracle model.
We use ARKG to give a candidate solution to account recovery in WebAuthn for
hardware authenticators. We then present two approaches to delegation, called
remote and direct, that maintain the standard's properties. Both build on ARKG;
the direct version additionally relies on a new delegation-by-warrant primitive,
Proxy Signature with Unlinkable Warrants (PSUW), which we use to extend WebAuthn's
unlinkability property to proxy users and which we show can be constructed
generically from ARKG.
For all three issues and their solutions, we discuss implementation and
compatibility with WebAuthn, including the CTAP extensions required, and provide
sample instantiations alongside performance metrics and a discussion of key
management and usability.
For post-quantum ARKG, we address the challenges caused by the noisiness of
lattice hardness assumptions whilst preserving the security and privacy properties
of the classical instantiation. The post-quantum construction uses the key
encapsulation techniques of Brendel et al. [5] (SAC 2020), coined split KEMs.