Show simple item record

dc.contributor.author: Wilson, Spencer MacLaren
dc.date.accessioned: 2023-04-24 17:20:37 (GMT)
dc.date.available: 2023-04-24 17:20:37 (GMT)
dc.date.issued: 2023-04-24
dc.date.submitted: 2023-04-24
dc.identifier.uri: http://hdl.handle.net/10012/19316
dc.description.abstract: WebAuthn is a passwordless authentication protocol which allows users to authenticate to online services using public-key cryptography. Users prove their identity based on possession of a private key, which is stored on a device such as a cell phone or a USB security token. This approach avoids many of the common security problems with password-based authentication. The reliance on possession as opposed to knowledge leads to a usability issue, however: a user who loses access to their authenticator device either loses access to their accounts or is required to fall back on a weaker authentication mechanism for recovery. Yubico has proposed a protocol which allows a user to link two tokens in such a way that one (the primary authenticator) can generate public keys on behalf of the other (the backup authenticator). This allows users to use WebAuthn with a single token, only using their backup token if necessary for account recovery. However, Yubico's protocol relies on the hardness of the discrete log problem for its security and hence is vulnerable to an attacker with a powerful enough quantum computer. We present a WebAuthn backup protocol which can be instantiated with quantum-safe primitives. We also critique the security model used in previous analysis of Yubico's protocol, proposing a new framework which we use to evaluate the security of both the group-based and the post-quantum protocol. This leads us to uncover a weakness in Yubico's proposal which escaped detection in prior work but was revealed by our model. In our security analysis, we find that a number of novel security properties of cryptographic primitives underlying the protocols are required; we formalize these and prove that well-known algorithms satisfy the properties required for analysis of our post-quantum protocol. For the group-based protocol, we require a novel Diffie–Hellman-like assumption; we leave further evaluation of this property to future work. [en]
dc.language.iso: en [en]
dc.publisher: University of Waterloo [en]
dc.subject: cryptography [en]
dc.subject: authentication [en]
dc.subject: security [en]
dc.subject: WebAuthn [en]
dc.subject: cryptographic protocols [en]
dc.subject: post-quantum [en]
dc.subject: passwordless [en]
dc.subject: account recovery [en]
dc.title: Post-Quantum Account Recovery for Passwordless Authentication [en]
dc.type: Master Thesis [en]
dc.pending: false
uws-etd.degree.department: Combinatorics and Optimization [en]
uws-etd.degree.discipline: Combinatorics and Optimization [en]
uws-etd.degree.grantor: University of Waterloo [en]
uws-etd.degree: Master of Mathematics [en]
uws-etd.embargo.terms: 0 [en]
uws.contributor.advisor: Stebila, Douglas
uws.contributor.affiliation1: Faculty of Mathematics [en]
uws.published.city: Waterloo [en]
uws.published.country: Canada [en]
uws.published.province: Ontario [en]
uws.typeOfResource: Text [en]
uws.peerReviewStatus: Unreviewed [en]
uws.scholarLevel: Graduate [en]




UWSpace

University of Waterloo Library
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4883

All items in UWSpace are protected by copyright, with all rights reserved.
