With their publication on smartphone authentication, Leon Würsching, Florentin Putz and Steffen Haesler from TU Darmstadt won a Best Paper Award at the ACM CHI 2023 Conference. We sincerely congratulate the team on this achievement! CHI is the leading international conference on Human-Computer Interaction; this year it took place in Hamburg.
The award went to the paper “FIDO2 the Rescue? Platform vs. Roaming Authentication on Smartphones”, in which the researchers tested and compared the acceptance and usability of two authentication methods in a user study. Both methods have been supported by modern Android smartphones and iPhones for several years, and although they are a secure alternative to passwords, they are still hardly used.
The two methods examined differ considerably: instead of a password, login with “Platform Authentication” uses the smartphone's own fingerprint sensor, while “Roaming Authentication” uses an external security token that is held against the smartphone (via NFC). In both cases the FIDO2 protocol, developed by the FIDO (Fast IDentity Online) Alliance, runs in the background.
The study showed that although users would generally be willing to switch to passwordless authentication, their willingness also depends on the type and properties of the specific account. Participants mentioned, for example, how often an account is used and how sensitive it is.
The strengths and weaknesses of FIDO2
The great advantage of Platform Authentication by fingerprint is that your finger is always with you and logging in is quick and easy; the disadvantage for the study participants was that it does not easily extend to other devices, because the private key needed for login is stored on the smartphone itself. This is not a problem with Roaming Authentication using NFC tokens, because the key is stored in the token, so the same token can also be used on other devices such as laptops. But the downside follows directly: the token can be lost, broken or stolen, and a thief holding the token could then log in to the linked accounts (whether that succeeds in practice depends on whether the service additionally requires user verification, such as a PIN, for the token). The method is also less convenient, because you have to remember to carry the token with you, and, unlike a fingerprint, it costs money. With both methods, participants raised the question of what happens if the smartphone or the external token is lost: how do you get back into your account, and how can online services be informed that access has been lost so that the account can be blocked as a precaution?
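To make the lost-or-stolen-token point concrete from the service side, here is an added example (not part of the original article and not the researchers' sample website code). It parses the fixed prefix of the FIDO2/WebAuthn authenticatorData that every login assertion carries and applies the checks a relying party uses to decide whether a tap of a token is enough: the relying-party ID binding, the user-presence (UP) and user-verification (UV) flags, and the signature counter. The relying-party ID `example.org`, the `require_uv` policy switch and the two sample authenticatorData blobs are constructed for this illustration; a real relying party must additionally verify the assertion signature with the stored public key, which is out of scope here.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn/FIDO2 authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: the authenticator confirmed a physical gesture (touch/tap)
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration responses only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    """The fixed 37-byte prefix of authenticatorData plus whatever follows it."""
    rp_id_hash: bytes  # SHA-256 of the relying party ID the credential is bound to
    flags: int
    sign_count: int    # per-credential signature counter, 0 if the authenticator has none
    rest: bytes        # attested credential data and/or extensions, if flagged

    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(data: bytes) -> AuthData:
    """Split raw authenticatorData into rpIdHash (32 B), flags (1 B), signCount (4 B, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short: %d bytes" % len(data))
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count, data[37:])


def check_assertion(data: bytes, rp_id: str, stored_sign_count: int, require_uv: bool) -> list:
    """Return a list of policy violations for a login assertion (empty list means accept).

    Covers the authenticatorData checks only; the relying party must also verify the
    signature over authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    """
    ad = parse_auth_data(data)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        problems.append("rpIdHash mismatch")
    if not ad.user_present():
        problems.append("user presence flag not set")
    # A stolen token that is merely tapped produces UP without UV; requiring UV
    # (PIN or biometric on the authenticator) is what stops that tap from logging in.
    if require_uv and not ad.user_verified():
        problems.append("user verification required but not performed")
    # WebAuthn counter rule: if either counter is non-zero, the new value must be larger.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        problems.append("signature counter did not increase (possible cloned authenticator)")
    return problems


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob (used here only to fabricate sample input)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples, not captured from real devices.
RP_ID = "example.org"
# Phone with fingerprint: UP and UV set; many platform authenticators report a counter of 0.
PLATFORM_UV = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 0)
# NFC token tapped without entering a PIN: UP only, counter ticking upward.
TOKEN_UP_ONLY = build_auth_data(RP_ID, FLAG_UP, 42)


if __name__ == "__main__":
    print("platform, UV required :", check_assertion(PLATFORM_UV, RP_ID, 0, require_uv=True))
    print("token, UV required    :", check_assertion(TOKEN_UP_ONLY, RP_ID, 41, require_uv=True))
    print("token, replayed count :", check_assertion(TOKEN_UP_ONLY, RP_ID, 42, require_uv=False))
```

On the web side, `require_uv=True` corresponds to requesting `userVerification: "required"` in the WebAuthn options; with that setting a tapped-but-not-unlocked token is rejected, which is the technical answer to the participants' worry about a stolen token. The counter check is a separate defence: a roaming token whose key has been copied will eventually present a counter that does not advance.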
Overall, the study identified the open problems that still need to be addressed in authentication with FIDO2 and thus makes an important contribution to improving digital security for the general public. Both methods protect users against many of the attacks, such as phishing, by which passwords have been stolen in the past. However, a technically secure procedure is not enough on its own; it must also be usable in everyday life in order to be adopted.
Open Source Research
The researchers have also released their study data and the source code of the sample website used in the study as open source, to support further research. The study was conducted in collaboration between the research groups SEEMOO and PEASEC, the LOEWE Centre emergenCITY and the research project Open6GHub.