Volume 13 - Issue 2
Blind software-assisted conformance and security assessment of FIDO2/WebAuthn implementations
- Athanasios Vasileios Grammatopoulos
Systems Security Lab., University of Piraeus, Greece
avgrammatopoulos@ssl-unipi.gr
- Ilias Politis
InQbit Innovations SRL., Romania
ilias.politis@inqbit.io
- Christos Xenakis
Systems Security Lab., University of Piraeus, Greece
xenakis@unipi.gr
Keywords: WebAuthn, FIDO2, Password-less, Authentication, Security, Assessment
Abstract
With passwords being a problem in today's digital world, FIDO2 through WebAuthn brought an alternative password-less authentication model for web applications and services, which is more usable and secure than legacy password-based systems. The adoption of the WebAuthn standard is undoubtedly a step forward in improving and strengthening online services; however, it may carry potential risks if not implemented correctly. To minimise the risk of leaving implementations vulnerable to attacks, a more systematic approach has to be followed for testing and securing emerging FIDO2 services. Towards this end, the paper proposes a novel tool for testing a FIDO2/WebAuthn implementation's conformance, configuration and security by analysing the WebAuthn requests it issues and emulating the client's WebAuthn responses. The proposed tool and associated tests aim to empower application developers and security auditors to effectively and quickly improve WebAuthn implementations by identifying and resolving flaws and security vulnerabilities in their password-less services. A detailed analysis of various commercial and open source WebAuthn services has been conducted, revealing common security weaknesses and faulty configurations, thus highlighting the significance of the proposed methodology.
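As an added illustration of the request-side analysis the abstract describes (example code written for this page, not the paper's tool), the following Python function checks a relying party's PublicKeyCredentialCreationOptions against WebAuthn requirements: challenge length, user handle size and content, known COSE algorithm identifiers, and the userVerification setting. The two sample requests are constructed for the example; the field names are the standard WebAuthn ones.

```python
import base64

# Added example (not the paper's tool): request-side checks of the kind the
# abstract describes, run on the options a relying party hands to
# navigator.credentials.create(). Limits follow the WebAuthn specification.
KNOWN_COSE_ALGS = {-7: "ES256", -8: "EdDSA", -257: "RS256"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_creation_options(options: dict) -> list:
    """Return conformance/configuration findings; an empty list means clean."""
    findings = []
    challenge = b64url_decode(options.get("challenge", ""))
    if len(challenge) < 16:  # spec: challenges SHOULD be at least 16 bytes
        findings.append(f"challenge is {len(challenge)} bytes, spec requires at least 16")
    user = options.get("user", {})
    user_id = b64url_decode(user.get("id", ""))
    if not user_id:
        findings.append("user.id missing or empty")
    elif len(user_id) > 64:  # user handle is capped at 64 bytes
        findings.append(f"user.id is {len(user_id)} bytes, maximum is 64")
    elif user_id.decode("utf-8", "ignore") in (user.get("name"), user.get("displayName")):
        findings.append("user.id carries the username, user handle must not identify the user")
    algs = [p.get("alg") for p in options.get("pubKeyCredParams", [])
            if p.get("type") == "public-key"]
    if not algs:
        findings.append("pubKeyCredParams has no public-key entries")
    unknown = [a for a in algs if a not in KNOWN_COSE_ALGS]
    if unknown:
        findings.append(f"pubKeyCredParams lists unexpected COSE alg ids {unknown}")
    if options.get("authenticatorSelection", {}).get("userVerification") == "discouraged":
        findings.append("userVerification=discouraged, no local user check is requested")
    return findings

# Constructed sample requests: one weak, one following the spec.
WEAK_OPTIONS = {"challenge": b64url_encode(b"\x01" * 8), "rp": {"id": "example.com", "name": "Example"},
    "user": {"id": b64url_encode(b"alice"), "name": "alice", "displayName": "Alice"},
    "pubKeyCredParams": [{"type": "public-key", "alg": -7}, {"type": "public-key", "alg": 1}],
    "authenticatorSelection": {"userVerification": "discouraged"}}
GOOD_OPTIONS = {"challenge": b64url_encode(bytes(range(32))), "rp": {"id": "example.com", "name": "Example"},
    "user": {"id": b64url_encode(bytes(range(16))), "name": "alice", "displayName": "Alice"},
    "pubKeyCredParams": [{"type": "public-key", "alg": -7}, {"type": "public-key", "alg": -257}],
    "authenticatorSelection": {"userVerification": "required"}}

if __name__ == "__main__":
    for name, opts in (("weak", WEAK_OPTIONS), ("good", GOOD_OPTIONS)):
        print(name, check_creation_options(opts))
```

Running the block reports four findings for the weak request and none for the conforming one.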