Security researchers at Paragon Initiative warn of problems with the new WebAuthn protocol, which enables passwordless authentication. The standard reportedly relies on a number of outdated algorithms that have been vulnerable to attacks for years.

WebAuthn was officially launched in April this year by the World Wide Web Consortium (W3C), the body that manages all web standards, with input from the FIDO Alliance. The FIDO Alliance was founded in 2013 to create interoperable authentication standards across the industry. More than 260 technology companies are members of the consortium.

Among other things, the consortium created the U2F standard for the use of security keys in two-step verification, as well as the UAF protocol on which WebAuthn is based. WebAuthn allows a user to log on to a website using a security key, a biometric solution, or his or her device password.

The idea is that WebAuthn removes the need to create a separate account with a unique password for each website. Instead, the user registers on a site using a device (via an attestation key). He or she can then authenticate with that device, or generate authentication keys in order to log on on another device.

Outdated algorithms

Chrome, Firefox and Edge already support WebAuthn, because at first glance the protocol offers very tangible security benefits. However, a team of cryptography experts from Paragon Initiative identified several problems with the standard during a security audit, especially with the algorithms that generate the attestation keys.

The researchers listed all the problems in a technical analysis. They point out that in its WebAuthn specification, W3C recommends the use of outdated algorithms, such as Elliptic Curve Direct Anonymous Attestation (ECDAA) and RSASSA-PKCS1-v1_5. The latter is particularly problematic because there are several exploits for it.

"PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States. Don't use it!", Paragon warns.

The ECDAA algorithm, created by the FIDO Alliance, is also not without problems, according to the security experts. The researchers describe possible exploits in which an attacker could clone a user's hardware token remotely, although they acknowledge that such attacks are not trivial. Still, the team believes that ECDAA is not mature enough to be used for a function as important as WebAuthn.

Confusing documentation

According to Paragon, which discussed its findings in more detail with ZDNet, the FIDO Alliance’s confusing WebAuthn documentation is at the root of the problem. For legacy reasons, PKCS1v1.5 is categorized as mandatory and ECDAA as recommended.

As a result, implementers may erroneously take these algorithms to be the minimum requirements for an implementation and support only those. However, there are many more suitable algorithms to choose from.
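As an added illustration of the implementer mistake described above (example code, not from the article, Paragon Initiative or the FIDO Alliance): a relying party's pubKeyCredParams list that exposes only the PKCS#1 v1.5 algorithm, beside a hardened list, and a small audit that rejects any PKCS#1 v1.5 identifier before the options are used. ECDAA is an attestation format rather than a pubKeyCredParams entry, so it is not covered here; the audit function and its messages are this example's own.

```javascript
// COSE algorithm identifiers from the IANA COSE registry. A relying party
// places these in PublicKeyCredentialCreationOptions.pubKeyCredParams.
const COSE = {
  ES256: -7,    // ECDSA with SHA-256 on P-256
  EdDSA: -8,    // Ed25519
  PS256: -37,   // RSASSA-PSS with SHA-256
  RS256: -257,  // RSASSA-PKCS1-v1_5 with SHA-256
  RS1: -65535,  // RSASSA-PKCS1-v1_5 with SHA-1 (the legacy value)
};

// Every RSASSA-PKCS1-v1_5 identifier: RS1 and the RS256/RS384/RS512 range.
const PKCS1_V15_ALGS = new Set([-65535, -257, -258, -259]);

// Weak configuration: an implementer read "mandatory" as "sufficient" and
// exposed only the legacy algorithm.
const weakParams = [{ type: 'public-key', alg: COSE.RS1 }];

// Hardened configuration: modern algorithms, most preferred first, and no
// PKCS#1 v1.5 entry at all. The authenticator picks the first one it supports.
const hardenedParams = [
  { type: 'public-key', alg: COSE.ES256 },
  { type: 'public-key', alg: COSE.EdDSA },
  { type: 'public-key', alg: COSE.PS256 },
];

// Audit a pubKeyCredParams list before it reaches navigator.credentials.create
// (or before the server emits it). Returns { ok, problems } so a deployment
// check can fail loudly instead of registering weak credentials.
function auditPubKeyCredParams(params) {
  const problems = [];
  if (!Array.isArray(params) || params.length === 0) {
    return { ok: false, problems: ['pubKeyCredParams is empty'] };
  }
  params.forEach((p, i) => {
    if (p.type !== 'public-key') problems.push(`entry ${i}: type must be "public-key"`);
    if (!Number.isInteger(p.alg)) problems.push(`entry ${i}: alg must be a COSE integer`);
    else if (PKCS1_V15_ALGS.has(p.alg)) problems.push(`entry ${i}: alg ${p.alg} is RSASSA-PKCS1-v1_5`);
  });
  // Require ES256, the most widely supported algorithm in practice, so that
  // dropping PKCS#1 v1.5 does not leave the list unusable for real authenticators.
  if (!params.some((p) => p.alg === COSE.ES256)) problems.push('ES256 (-7) missing');
  return { ok: problems.length === 0, problems };
}

console.log(auditPubKeyCredParams(weakParams));      // ok: false, two problems
console.log(auditPubKeyCredParams(hardenedParams));  // ok: true
```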

"After a thorough reading of the blog post, we find it positive that no fundamental shortcomings in the protocol have been discovered", the FIDO Alliance responded to ZDNet. "We acknowledge the valid points made about potential vulnerabilities that could be introduced by implementers if best practices are not followed. We have started to think about which guidelines we want to document for them."

This news article was automatically translated from Dutch to give a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.