Let's Authenticate
Brigham Young University

Presented at NDSS 2022

Let’s Authenticate: Automated Certificates for User Authentication

James Conners, Corey Devenport, Stephen Derbidge, Natalie Farnsworth, Kyler Gates, Stephen Lambert, Christopher McClain, Parker Nichols, Daniel Zappala — Brigham Young University

Passwords have numerous drawbacks, and as a result many systems have been designed to replace them. Password replacements have generally failed to dislodge passwords due to the complexity of balancing usability, deployability, and security. However, despite this lack of success, recent advances with password managers and FIDO2 afford new opportunities to explore system design for password replacements. In this work, we explore the feasibility of a system for user authentication based on certificates. Rather than developing new cryptography, we develop a new system, called Let's Authenticate, which combines elements of password managers, FIDO2, and certificates. Our design incorporates feedback from a survey of 397 participants to understand their preferences for system features. Let's Authenticate issues privacy-preserving certificates to users, automatically manages their credentials, and eliminates trust in third parties. We provide a detailed security and privacy analysis, an overhead analysis, and a systematic comparison of the system to a variety of alternatives using a well-known framework. We discuss how Let's Authenticate compares to other systems, lessons learned from our design, and issues related to centralized management of authentication data.

User Experience

Users authenticate using the 1Key browser extension. After installing the browser extension, the user sees the opening screen:

Next, they visit the registration page to create an account with the system:

After clicking the Register button, the extension opens a new browser tab that visits the Let's Authenticate website and requires the user to authenticate with a passwordless FIDO2 hardware token. Once this completes, the browser extension is authorized to access their account and the hardware token is no longer needed; subsequent access to the extension is protected by the PIN the user entered during registration.

After this, the user visits a website and asks to log in using 1Key. The extension intercepts the authentication request and asks the user to authorize the login:

Software

Both the CA and the browser extension are still in active development. The mobile app is being rewritten to take advantage of a platform with better cryptographic library support.

  • Certificate Authority
  • Browser Extension