<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link href="/css/dist/css/bootstrap.min.css" rel="stylesheet"> <title>Privacy and Security of FIDO2 Revisited</title> <link rel="stylesheet" href="/css/eprint.css?v=10"> <style> a.toggle-open:after { content:' -'; font-weight: 800; } a.toggle-closed:after { content: " ›"; font-weight: 800; } .paper-abstract { white-space: pre-wrap; } #metadata dt { margin-top: 1rem; } #metadata dt + dd { /* gap between dt and first dd */ margin-top: .75rem; } #metadata dd { margin-left: 2rem; } #metadata dd.keywords { padding-bottom: .5rem; } span.authorName { margin-top: .5rem; font-style: italic; } </style> <script> MathJax = { tex: { inlineMath: [['$', '$'], ['\\(', '\\)']], displayMath: [ ['$$','$$'], ["\\[","\\]"] ], processEnvironments: false }, loader: { load: [ "ui/safe", "ui/lazy", ], }, options: { safeOptions: { allow: { URLs: "none", classes: "safe", cssIDs: "safe", styles: "safe", }, }, } }; </script> <script id="MathJax-script" async src="/js/mathjax/tex-chtml.js"></script> <meta name="citation_title" content="Privacy and Security of FIDO2 Revisited"> <meta name="citation_author" content="Manuel Barbosa"> <meta name="citation_author" content="Alexandra Boldyreva"> <meta name="citation_author" content="Shan Chen"> <meta name="citation_author" content="Kaishuo Cheng"> <meta name="citation_author" content="Luís Esquível"> <meta name="citation_journal_title" content="Cryptology ePrint Archive"> <meta name="citation_publication_date" content="2025"> <meta name="citation_pdf_url" content="https://eprint.iacr.org/2025/459.pdf"> <meta property="og:image" content="https://eprint.iacr.org/img/iacrlogo.png"/> <meta property="og:image:alt" content="IACR logo"/> <meta property="og:url" content="https://eprint.iacr.org/2025/459"> <meta property="og:site_name" content="IACR Cryptology ePrint Archive" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Privacy and Security of FIDO2 Revisited" /> <meta property="og:description" content="We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web. We discuss previous works and conclude that each of them has at least one of the following limitations: (i) impractical trusted setup assumptions, (ii) security models that are inadequate in light of state of the art of practical attacks, (iii) not analyzing FIDO2 as a whole, especially for its privacy guarantees. Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly and focus on its component protocols, WebAuthn and CTAP2, clarifying their exact security guarantees. In particular, our results, for the first time, establish privacy guarantees for FIDO2 as a whole. Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks." /> <meta property="article:section" content="PROTOCOLS" /> <meta property="article:modified_time" content="2025-03-15T05:42:59+00:00" /> <meta property="article:published_time" content="2025-03-11T21:09:06+00:00" /> <meta property="article:tag" content="FIDO2" /> <meta property="article:tag" content="CTAP2" /> <meta property="article:tag" content="WebAuthn" /> <meta property="article:tag" content="Privacy" /> <meta property="article:tag" content="Authentication" /> </head> <body> <noscript> <h1 class="text-center">What a lovely hat</h1> <h4 class="text-center">Is it made out of <a href="https://iacr.org/tinfoil.html">tin foil</a>?</h4> </noscript> <div class="fixed-top" id="topNavbar"> <nav class="navbar navbar-custom navbar-expand-lg"> <div class="container px-0 justify-content-between justify-content-lg-evenly"> <div class="order-0 align-items-center d-flex"> <button class="navbar-toggler btnNoOutline" type="button" data-bs-toggle="collapse" data-bs-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false"> <span class="icon-bar top-bar"></span> <span class="icon-bar middle-bar"></span> <span class="icon-bar bottom-bar"></span> </button> <a class="d-none me-5 d-lg-inline" href="https://iacr.org/"><img class="iacrlogo" src="/img/iacrlogo_small.png" alt="IACR Logo" style="max-width:6rem;"></a> </div> <a class="ePrintname order-1" href="/"> <span class="longNavName">Cryptology ePrint Archive</span> </a> <div class="collapse navbar-collapse order-3" id="navbarContent"> <ul class="navbar-nav me-auto ms-2 mb-2 mb-lg-0 justify-content-end w-100"> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Papers </a> <ul class="dropdown-menu me-3" aria-labelledby="navbarDropdown"> <span class="text-dark mx-3" style="white-space:nowrap;">Updates from the last:</span> <li><a class="dropdown-item ps-custom" href="/days/7">7 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/31">31 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/183">6 months</a></li> <li><a class="dropdown-item ps-custom" href="/days/365">365 days</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/byyear">Listing by year</a></li> <li><a class="dropdown-item" href="/complete">All papers</a></li> <li><a class="dropdown-item" href="/complete/compact">Compact view</a></li> <li><a class="dropdown-item" href="https://www.iacr.org/news/subscribe">Subscribe</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/citation.html">How to cite</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/rss">Harvesting metadata</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="submissionsDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Submissions </a> <ul class="dropdown-menu me-3" aria-labelledby="submissionsDropdown"> <li><a class="dropdown-item" href="/submit">Submit a paper</a></li> <li><a class="dropdown-item" href="/revise">Revise or withdraw a paper</a></li> <li><a class="dropdown-item" href="/operations.html">Acceptance and publishing conditions</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="aboutDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> About </a> <ul class="dropdown-menu me-3" aria-labelledby="aboutDropdown"> <li><a class="dropdown-item" href="/about.html">Goals and history</a></li> <li><a class="dropdown-item" href="/news.html">News</a></li> <li><a class="dropdown-item" href="/stats">Statistics</a></li> <li><a class="dropdown-item" href="/contact.html">Contact</a></li> </ul> </li> </ul> </div> <div class="dropdown ps-md-2 text-right order-2 order-lg-last"> <button class="btn btnNoOutline" type="button" id="dropdownMenuButton1" data-bs-toggle="dropdown" aria-expanded="false"> <img src="/img/search.svg" class="searchIcon" alt="Search Button"/> </button> <div id="searchDd" class="dropdown-menu dropdown-menu-end p-0" aria-labelledby="dropdownMenuButton1"> <form action="/search" method="GET"> <div class="input-group"> <input id="searchbox" name="q" type="search" class="form-control" autocomplete="off"> <button class="btn btn-secondary border input-group-append ml-2"> Search </button> </div> </form> <div class="ms-2 p-1 d-none"><a href="/search">Advanced search</a></div> </div> </div> </div> </nav> </div> <main id="eprintContent" class="container px-3 py-4 p-md-4"> <div class="row mt-4"> <div class="col-md-7 col-lg-8 pe-md-5"> <h4>Paper 2025/459</h4> <h3 class="mb-3">Privacy and Security of FIDO2 Revisited</h3> <div class="author"><span class="authorName">Manuel Barbosa</span><a class="ms-1" target="_blank" href="https://orcid.org/0000-0002-6848-5564"><img class="align-baseline orcidIcon" src="/img/orcid.svg"></a><span class="affiliation">, INESC TEC</span><span class="affiliation">, University of Porto (FCUP)</span><span class="affiliation">, Max Planck Institute for Security and Privacy</span></div> <div class="author"><span class="authorName">Alexandra Boldyreva</span><a class="ms-1" target="_blank" href="https://orcid.org/0009-0000-7019-884X"><img class="align-baseline orcidIcon" src="/img/orcid.svg"></a><span class="affiliation">, Georgia Institute of Technology</span></div> <div class="author"><span class="authorName">Shan Chen</span><span class="affiliation">, Southern University of Science and Technology</span></div> <div class="author"><span class="authorName">Kaishuo Cheng</span><a class="ms-1" target="_blank" href="https://orcid.org/0000-0003-4984-8195"><img class="align-baseline orcidIcon" src="/img/orcid.svg"></a><span class="affiliation">, Georgia Institute of Technology</span></div> <div class="author"><span class="authorName">Luís Esquível</span><a class="ms-1" target="_blank" href="https://orcid.org/0009-0009-6387-9271"><img class="align-baseline orcidIcon" src="/img/orcid.svg"></a><span class="affiliation">, INESC TEC</span><span class="affiliation">, University of Porto (FCUP)</span></div> <h5 class="mt-3">Abstract</h5> <p style="white-space: pre-wrap;">We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web. We discuss previous works and conclude that each of them has at least one of the following limitations: (i) impractical trusted setup assumptions, (ii) security models that are inadequate in light of state of the art of practical attacks, (iii) not analyzing FIDO2 as a whole, especially for its privacy guarantees. Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly and focus on its component protocols, WebAuthn and CTAP2, clarifying their exact security guarantees. In particular, our results, for the first time, establish privacy guarantees for FIDO2 as a whole. Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks.</p> </div> <div id="metadata" class="col-md-5 col-lg-4 ps-md-5 mt-4 mt-md-0"> <h5>Metadata</h5> <dl> <dt> Available format(s) </dt> <dd> <a class="btn btn-sm btn-outline-dark" href="/2025/459.pdf"> <img class="icon" src="/img/file-pdf.svg">PDF</a> </dd> <dt>Category</dt> <dd><a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a></dd> <dt>Publication info</dt> <dd>Published elsewhere. Major revision. PoPETs 2025</dd> <dt>Keywords</dt> <dd class="keywords"><a href="/search?q=FIDO2" class="me-2 badge bg-secondary keyword">FIDO2</a><a href="/search?q=CTAP2" class="me-2 badge bg-secondary keyword">CTAP2</a><a href="/search?q=WebAuthn" class="me-2 badge bg-secondary keyword">WebAuthn</a><a href="/search?q=Privacy" class="me-2 badge bg-secondary keyword">Privacy</a><a href="/search?q=Authentication" class="me-2 badge bg-secondary keyword">Authentication</a></dd> <dt>Contact author(s)</dt> <dd><span class="font-monospace"> mbb<span class="obfuscate"> &#64; </span>fc up pt<br>sasha<span class="obfuscate"> &#64; </span>gatech edu<br>dragoncs16<span class="obfuscate"> &#64; </span>gmail com<br>kcheng89<span class="obfuscate"> &#64; </span>gatech edu<br>luis esquivel costa<span class="obfuscate"> &#64; </span>gmail com </span> </dd> <dt>History</dt> <dd>2025-03-15: revised</dd> <dd>2025-03-11: received</dd> <dd><a rel="nofollow" href="/archive/versions/2025/459">See all versions</a></dd> <dt>Short URL</dt> <dd><a href="https://ia.cr/2025/459">https://ia.cr/2025/459</a></dd> <dt>License</dt> <dd><a rel="license" target="_blank" href="https://creativecommons.org/publicdomain/zero/1.0/"> <img class="licenseImg" src="/img/license/CC0.svg" alt="No rights reserved" title="No rights reserved"><br> <small>CC0</small> </a> </dd> </dl> </div> </div> <p class="mt-4"><strong>BibTeX</strong> <button id="bibcopy" class="ms-2 btn btn-sm btn-outline-dark" aria-label="Copy to clipboard" onclick="copyBibtex()"> <img src="/img/copy-outline.svg" class="icon">Copy to clipboard</button></p> <pre id="bibtex"> @misc{cryptoeprint:2025/459, author = {Manuel Barbosa and Alexandra Boldyreva and Shan Chen and Kaishuo Cheng and Luís Esquível}, title = {Privacy and Security of {FIDO2} Revisited}, howpublished = {Cryptology {ePrint} Archive, Paper 2025/459}, year = {2025}, url = {https://eprint.iacr.org/2025/459} } </pre> <script> var bibcopy; function triggerTooltip() { console.log('setting tooltip'); } window.onload = triggerTooltip; function copyBibtex() { let range = document.createRange(); range.selectNode(document.getElementById('bibtex')); window.getSelection().removeAllRanges(); window.getSelection().addRange(range); document.execCommand('copy'); window.getSelection().removeAllRanges(); let bibcopy = document.getElementById('bibcopy'); let copyTooltip = new bootstrap.Tooltip(bibcopy, {trigger: 'manual', title: 'Copied!'}); copyTooltip.show(); setTimeout(function() { copyTooltip.dispose(); }, 2000); } </script> </main> <div class="container-fluid mt-auto" id="eprintFooter"> <a href="https://iacr.org/"> <img id="iacrlogo" src="/img/iacrlogo_small.png" class="img-fluid d-block mx-auto" alt="IACR Logo"> </a> <div class="colorDiv"></div> <div class="alert alert-success w-75 mx-auto"> Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content. </div> </div> <script src="/css/bootstrap/js/bootstrap.bundle.min.js"></script> <script> var topNavbar = document.getElementById('topNavbar'); if (topNavbar) { document.addEventListener('scroll', function(e) { if (window.scrollY > 100) { topNavbar.classList.add('scrolled'); } else { topNavbar.classList.remove('scrolled'); } }) } </script> </body> </html>