Search Icon
Register

A Formal Analysis of the FIDO UAF Protocol

Haonan Feng (Beijing University of Posts and Telecommunications), Hui Li (Beijing University of Posts and Telecommunications), Xuesong Pan (Beijing University of Posts and Telecommunications), Ziming Zhao (University at Buffalo)

The FIDO protocol suite aims at allowing users to log in to remote services with a local and trusted authenticator. With FIDO, relying services do not need to store user-chosen secrets or their hashes, which eliminates a major attack surface for e-business. Given its increasing popularity, it is imperative to formally analyze whether the security promises of FIDO hold. In this paper, we present a comprehensive and formal verification of the FIDO UAF protocol by formalizing its security assumptions and goals and modeling the protocol under different scenarios in ProVerif. Our analysis identifies the minimal security assumptions required for each of the security goals of FIDO UAF to hold. We confirm previously manually discovered vulnerabilities in an automated way and disclose several new attacks. Guided by the formal verification results we also discovered 2 practical attacks on 2 popular Android FIDO apps, which we responsibly disclosed to the vendors. In addition, we offer several concrete recommendations to fix the identified problems and weaknesses in the protocol.

Paper
Video

View More Papers

coucouArray ( [post_type] => ndss-paper [post_status] => publish [posts_per_page] => 4 [orderby] => rand [tax_query] => Array ( [0] => Array ( [taxonomy] => category [field] => id [terms] => Array ( [0] => 47 ) ) ) [post__not_in] => Array ( [0] => 6939 ) )

GALA: Greedy ComputAtion for Linear Algebra in Privacy-Preserved Neural...

Qiao Zhang (Old Dominion University), Chunsheng Xin (Old Dominion University), Hongyi Wu (Old Dominion University)

Read More

“Lose Your Phone, Lose Your Identity”: Exploring Users’ Perceptions...

Michael Lutaaya, Hala Assal, Khadija Baig, Sana Maqsood, Sonia Chiasson (Carleton University)

Read More

Holistic Privacy and Usability of a Cryptocurrency Wallet

Harry Halpin (Nym Technologies)

Read More

Understanding the Growth and Security Considerations of ECS

Athanasios Kountouras (Georgia Institute of Technology), Panagiotis Kintis (Georgia Institute of Technology), Athanasios Avgetidis (Georgia Institute of Technology), Thomas Papastergiou (Georgia Institute of Technology), Charles Lever (Georgia Institute of Technology), Michalis Polychronakis (Stony Brook University), Manos Antonakakis (Georgia Institute of Technology)

Read More

Privacy Starts with UI: Privacy Patterns and Designer Perspectives in UI/UX Practice

Anxhela Maloku (Technical University of Munich), Alexandra Klymenko (Technical University of Munich), Stephen Meisenbacher (Technical University of Munich), Florian Matthes (Technical University of Munich)

Vision: Profiling Human Attackers: Personality and Behavioral Patterns in Deceptive Multi-Stage CTF Challenges

Khalid Alasiri (School of Computing and Augmented Intelligence Arizona State University), Rakibul Hasan (School of Computing and Augmented Intelligence Arizona State University)

From Underground to Mainstream Marketplaces: Measuring AI-Enabled NSFW Deepfakes on Fiverr

Mohamed Moustafa Dawoud (University of California, Santa Cruz), Alejandro Cuevas (Princeton University), Ram Sundara Raman (University of California, Santa Cruz)