Mitigating security risk by using WebAuthn in cross-device SIOP

Issue #1273 open
Kristina Yasuda created an issue

In 2021-07-27 SIOP special call it was agreed that the most effective way to mitigating MITM/phishing attacks in cross-device SIOP is to use WebAuthn for the session creation and many people expressed interest in writing up a specification how to do so and issue a WebAuthn credential to the claims returned in SIOP response.

Related to Issue #1257 and Issue #1269

just pinging few people @Pamela Dingle @John Bradley @David Waite @Jeremie Miller @Tim Cappalli

Comments (7)

  1. Kristina Yasuda reporter

    At SIOP call a month ago we discussed a proposal, and it was to use WebAuthn to strengthen self-attestation nature of SIOP-based authentication.

    We could add this to security considerations section in SIOP? that using WebAuthn as additional authentication is an option?

  2. Jeremie Miller

    My (possibly limited) understanding of how using WebAuthn to securely support cross-device is: the authenticating device performs the WebAuthn enrollment via its local browser with the user’s authenticator, and then that same authenticator must be used again on the initiating device to complete the authentication.

    It will require either a separate hardware authenticator that can be used across both devices, or a platform-level authenticator that automatically synchronizes on devices already linked to the user.

    That’s pretty restrictive, but it would be secure and only have to be performed once.

  3. Kristina Yasuda reporter

    Based on the SIOP call discussions we should add a non-normative text in SIOP v2, that we will consider using "WebAuthn based invocation" such as caBLE when and if it is realized, and close this issue.

  4. Kristina Yasuda reporter
    • changed status to open

    On Sept-30-2021 SIOP call we discussed that caBLE is very promising to mitigate cross-device security, but is few years away from being ready, and considered adding a general non-normative language on using proximity between RP and SIOP as a cross-device security enhancement

  5. David Chadwick

    Jeremie said “My (possibly limited) understanding of how using WebAuthn to securely support cross-device is: the authenticating device performs the WebAuthn enrollment via its local browser with the user’s authenticator,”

    Whilst it is true that the authenticating device performs WebAuthn enrolment, this does not need to be via browser. Native apps can perform enrolment directly with the RP, and the RP can (in the FIDO protocol) demand a ceremony between the user and the device. This ceremony can mandate such things as, the user is present, the user performs some action to authenticate to the device, and the authenticator must be on the device itself (so called platform authenticator) and not on some external USB hardware.

    So FIDO has the potential to be more secure than most other authentication mechanisms. The only weakness we have identified so far is that multiple biometrics may be stored on the device (e.g for parent and child) and all can claim ownership of the FIDO private key. The device is not able to differentiate between the different people (with fingerprint recognition). However Google is working on a mechanism for mDL in which the same biometric that was used during enrolment must be used during credential presentation.

  6. Log in to comment