-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recovering from Device Loss #931
Comments
Thanks for opening this Issue Jeff! To help get everyone moving in the same direction and drive the conversation forward, UW is hosting a day/half-day summit on the topic of recovery from device loss on August 3 at the Paul Allen Center for Computer Science. All are welcome to attend! |
see also issue #931 wrt providing for RP signalling that it is OK for key material associated with platform authenticators to be "sync'd" across devices. For some definition of "sync'd", eg, see Recovering from lost devices in WebAuthn) |
I'm not familiar with the webauthn spec yet; however, in terms of sharing data, wouldn't you always risk the same issue with an accidental logging? (@ptoomey3 noted it as a possibility in issue #969 ). In hope to start some sort of a discussion: I think that the One thing I am confused about is the tradeoff talking about the RP losing hardware attestation, could you share some material about WebAuthn's hardware attestation capabilities? |
@suedadam By specification, each FIDO U2F devices contains an attestation key which proves its vendor. I believe that this correlates to vendors' promise that device private key can't be stolen. In addition devices contain a counter which would not be synchronized when copying keys initially. |
Device Loss Summit 20-Aug-2018 Summary: https://lists.w3.org/Archives/Public/public-webauthn/2018Sep/att-0012/Summit_Summary.pdf |
Here's the draft of our recovery extension idea presented at W3C TPAC today. I apologize for omitting the cryptograpy details until we've had them properly vetted. Pseudo-spec draft: https://gist.github.com/emlun/74a4d8bf53fd760a5c5408b418875e2b |
Cool stuff guys! Can't wait to see the final vetted math. One issue I also see that wasn't explicitly noted is that the user will have to use device B will have to run a recovery procedure with every RP. We may want to study this, it could turn out to be completely acceptable to users. |
@emlun I'm not sure what is the “public key seed” in your slide. It seems that main key need to store or generate "recovery credential id" which equivalent to WebAuthn Credential ID. extensions: {
“recovery”: {
“action”: “generate”
}
}
extensionOutputs: {
“recovery”: {
“action”: “generate”,
“state”: 3,
“creds”: [{
“id”: “ABCD…”, //equivalent to WebAuthn credentialId
“publicKey”: “AAAA…”
}]
}
} How to be generated creds.id and creds.publicKey from "public key seed" in main authenticator? or just |
@watahani We don't want to publish the crypto details just yet - I don't think we'll keep it secret, but we also don't want to risk people starting to use it before we've had it vetted by external cryptography experts. You're right that the |
I'm thinking we ought to move this to a later milestone, eg L2-WD-02 or later... |
Today at the face-to-face meeting in Fukuoka we presented our recovery extension in full, including all details of the key agreement scheme. The extension draft is published here: https://github.com/Yubico/webauthn-recovery-extension This is NOT IMPLEMENTATION READY. Please keep in mind that the cryptographic details have not yet been extensively reviewed, so approach with caution until we have official approval from reputable cryptanalysts. |
Today we also found some prior work proposing the same key agreement scheme: the ISAP protocol described in this article, which references this whitepaper. We haven't yet found any proof or analysis of its security, however. The white paper proposes proofs of the security of a larger protocol built on top, but I don't think one can automatically assume that they imply that the key agreement scheme in isolation must also be secure. |
Hi @emlun, I took a quick look over the extension draft and have some feedback on the crypto design which is below. Best, Missing Requirements It should be specified that Currently, Bob / the backup device is required to verify an alleged A malicious RP can forge a credential id with Consequently, devices must ensure Minor Quibbles: Why use each half of Why add |
Aha, there's the attack enabled by knowing Might it make sense, then, to include an EDH key agreement in the import/export exchange, and encrypt
Good catch, we'll add that. This also has me thinking it might make sense to include the
Yeah, that might be cleaner. It also shouldn't make a difference in terms of performance cost as you'd need to run one HKDF-Extract and two HMAC-Hash in either case.
If you don't, then @dainnilsson @ve7jtb thoughts on this? |
I am not sure how much benefit there is to protecting
I don't see much difference here, but more key separation is always nice.
There's two cases to be distinguished here - at the point of backup credential registration - is the main authenticator malicious or not? If the main authenticator is malicious, the RP cannot detect it and consequently the main authenticator can provide a backup key of its own construction (to which it knows the private key). If the main authenticator is not malicious, it will destroy its private key |
We should clarify the consequence of a bad actor getting access to S. It's clear that anyone with access to S can forge a valid recovery credential, which potentially could be used to break the unlinkability aspect. One mitigating factor here would be if the client (browsers) UX is clear about distinguishing a call to On ensuring E != point at infinity I fully agree, the requirement on enforcing this should be added. Regarding the use of HKDF, I'm not sure I see how invoking it twice to derive 2 keys is more clean than just doing so once. It's my understanding that deriving multiple keys is one of the stated purposes of HKDF (from RFC5869):
Am I missing some reason for why separate invocations of HKDF would be beneficial? On the addition of |
My thinking here was implementation rather than any cryptographic properties.
vs
But as I said, its a very minor quibble!
Okay, I see the benefit here, but it only applies if you have a main authenticator with a bad RNG, the adversary learns Perhaps its worth adding in some security guidance for RPs in event they believe an authenticator (or an entire class of them) have been compromised. They must obviously reject main or recovery credentials if they have reason to believe the authenticator owning them is compromised. Additionally, if they reject a main authenticator, they should also consider rejecting any recent update of the recovery credentials, as these could have been forged by the attacker / main authenticator as a backdoor in the event the main authenticator is revoked. |
Hi everyone, I'm pleased to report there's been some more progress on this. Yubico and Mozilla have been collaborating with researchers from Surrey Centre for Cyber Security, at the University of Surrey, who have now formally modeled and proved security of this key generation scheme - meaning that the backup private keys ( |
on 2020-01-29 call: @emlun reported on @emlun's #931 (comment) |
Good news and good job! Looking forward to reading the final proceedings! |
The research paper has now been accepted to the ACM CCS conference! The eprint is published here for public review: https://eprint.iacr.org/2020/1004 |
My comments is going to be strictly focused on platform authenticators(esp. fingerprint scanners) not the unknowns(meaning the rest).
|
A minor comment (added in the original repo but copying here too as that doesn't seem as active): Hi, I believe that in "Step 3", stage 3, " Should actually be " Correct? |
Thanks, that's fixed now. Looks like PR #1425 does not have the same typo. |
It seems that all recovery options depend on having access to an authenticator, weather it's a roaming one or a platform one. I have some idea that I'm playing with in my head to try and solve this scenario, basically it relies upon asymmetric encryption signatures. Upon registration the clients browser creates a public private key pair, it shows the user the private key in the form of a seed phrase (same as crypto wallets) and tells the user to store it safely, after the user is confirming that he stored it, the public key is saved by the RP for a future recovery scenario, and the private key is deleted. When the user triggers the recovery flow, the RP will send a randomly generated message to the client, the client will be prompted to provide his seed phrase (private key) and the clients browser will use it to sign the message provided by the RP, then it will send the signed message to the RP where it will be verified by the public key associated with the account, if the signature is valid we can be certain that the correct and only private key was used. After that the user will get the ability to perform a new attestation and create a new credential, when he is done all the old credentials will be deleted, and he will be shown a new recovery seed phrase for future recovery scenarios. (making it a one time use recovery phrase) I find that this approach is a safe option since it is resistant to RP database breaches as acquiring the public key will not help the attacker, the private key is generated on the client side and doesn't leave it, so it is resistant to man in the middle attacks. The only security issues I can come up with this approach is that it is not resistant to phishing attacks/social engineering attacks + the user will need to store it safely otherwise it is open to theft attacks. I'm still trying to find a way to invalidate phishing/social engineering attacks with this approach. so far I didn't find a way. Looking forward for your feedbacks on this idea. |
Just to add my grain of salt. I think there are plenty of ways to recover accounts upon device loss.
I even wrote a small article about it https://dev.to/dagnelies/webauthn-what-if-i-loose-my-device-1lbh I don't think there is a need to embed some "backup" functionality as part of the protocol itself. I would even be worried if the private key would be shared in any way, even if it's called a backup. It would be like sharing an unencrypted password. One strong security aspect of webauthn is the certainity that this private key is a secret tied to the authenticator device and that there is no way to "extract it". I hope it stays that way. 😉 |
The proposal by @emlun does not violate that principle. There is no need for the authenticators to export or share secrets. |
This sounds like a problem for the RP to think about and implement their own work flows, not for the devices to have to share secrets which weakens the whole system. The same way we have password-reset emails, you need to think about the same for when someone loses a webauthn device. |
Indeed. This has always been an issue with 2FA in general which is why you have users who do not wish to use it. How your system deals with ways to circumvent 2FA implosion is not 2FA standard, it's business logic. Therefore, from what I gather, Webauthn having inbuilt recovery is... beyond its scope? If you'd like to register a new public key for the Webauthn pair (your new device), then that's business logic of your service. You can have both webauthn and SSO to access the service and perform modifications to your settings. Or you can just have webauthn and watch as users eventually brick themselves out of your system. |
Unfortunately all the methods you listed either sacrifice privacy, or require accessing the backup location/device during sign up, which is both dangerous and adds friction. At minimum, I think a good recovery method (1) should reveal no private information; (2) can be stored somewhere secure like in a safe deposit box or with trusted friend; and (3) still allows me to create new accounts without opening the safe or asking the friend every time. This can be done, but has to be supported by the protocol. I'd rather disable the recovery method for my extra-sensitive accounts, than have no good recovery method on any account. |
@boppreh I find your statements kind of confusing...
You mean by providing an email/phone number to recover the account? Well, yeah, it's the convenient way to send you a recovery link. But all other alternative recovery options do not require any information.
Well, not necessarily. You could add a second/third device to your account anytime, or print a QR code on a sheet of paper to put in your safe anytime. It's not necessarily upon registration.
What is dangerous exactly?
Then you're the perfect candidate to print a QR code on a sheet of paper, put it in your friend's safe 🤣
Well, you can always do that. Why would you need anything to "create a new account" ?!?
Well, you are in luck (🙄 ?), google, microsoft and apple do not only sync passwords in the cloud now, but also the private keys created with webauthn, that they dubbed "passkeys" ...there you go with your built-in recovery method, the big 3 simply have a copy of your keys. Whether you find this great or worrysome is up to you. Viele Grüße |
@dagnelies Sorry for the confusion, let me try to reword it. I think recoverable accounts should be the default, from the moment the account is created, and that default features should not reveal any private information like email or phone number. I also think that some of the most secure storage methods are naturally hard to access, like house safes, bank deposit boxes, and secret shares. By forcing users to access that storage to create each account (like printing a new QR code and putting in a safe), users will either: a. opt out of recoverable accounts; All of those options increase the chance of account loss. That's the dangerous part. And I agree with your sarcastic assessment that cloud sync is less desirable, which is why I like the original proposal here. |
Well, I still think registering your smartphone and your laptop (for example) to your account sounds quite ok. It is private, is convenient since you can login directly on each device and if you lose one you can still use the other. I personally think the ideal way is to leave the choice to the user depending on its preference. |
Closing as addressed by PR #1695. |
[submitting on behalf of @leshi & @arnar and their collaborator Alex Takakuwa [email protected]]
https://lists.w3.org/Archives/Public/public-webauthn/2018May/0464.html:
Subject: Recovering from Device Loss in WebAuthn
From: Alex Takakuwa [email protected]
To: [email protected]
In April, we sent an email introducing some potential solutions to the
problem of “Recovering from Device Loss in WebAuthn”.
As you all know, in the current WebAuthn specifications, users face a
potentially onerous process when migrating to new devices either because of
device loss or just a device upgrade. We view this as a problem that can be
solved while retaining all the security guarantees of the existing WebAuthn
scheme and improving the usability of WebAuthn drastically all without
changing the API. We would like to encourage members of the WebAuthn
mailing lists to join us in developing proposals that can be accepted into
the WebAuthn specifications to solve the problem of recovery from device
loss and device upgrade.
Our preliminary proposals are listed here:
Recovering from lost devices in WebAuthn
https://docs.google.com/document/d/1tRLbXYLb9Z65QqhOX7v9D-aq_RUODyn5oALpCXj46K8/edit?usp=sharing
I look forward to hearing your feedback!
SEE ALSO:
[updated 27-Oct-2018]
See especially the recent comments below regarding the notes from the "Device loss summit" and a newly-proposed recovery approach, beginning here: #931 (comment)
Recovering from Device Loss in WebAuthn (Tue, 3 Apr 2018)
https://lists.w3.org/Archives/Public/public-webauthn/2018Apr/0009.html
The Transfer Access Protocol - Moving to New Authenticators in the FIDO Ecosystem
Technical Report UW-CSE-17-06-01
https://www.cs.washington.edu/tr/2017/06/UW-CSE-17-06-01.pdf
Secure authentication key sharing between mobile devices based on owner identity
https://ieeexplore.ieee.org/abstract/document/8311436/
Recovering from Device Loss in WebAuthn/FIDO2 [thread on fido-dev@]
https://groups.google.com/a/fidoalliance.org/forum/#!msg/fido-dev/Eh3cLPjuWlo/PlMGwP9mCAAJ;context-place=forum/fido-dev
Issue #1106 "Is there a community for webauthn implementation discussion?"
[short answer: yes, fido-dev@]
[NOTE: this issue #1106 also poses questions re "key loss" aka "device loss" aka "account recovery"]
Issue #334 "Add clearer definition of API use cases to the spec"
[touches upon guiding user such that recovery flows are available]
The text was updated successfully, but these errors were encountered: