This repository hosts useful artifacts (source code and screenshots) of a research project about FIDO2 biometric WebAuthn. In our paper, we conducted three user studies and developed notifications that can help to address misconceptions and increase the adoption of biometric WebAuthn.
A short summary can be found at: What users think about logging in without a password. If you are interested in the details, please refer to our paper, "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn, which appeared at the 30th USENIX Security Symposium (SSYM '21).
High-resolution screenshots of all notifications and all steps of the user study can be found in docs/screenshots.
In our study, we compared the following six different notifications for biometric WebAuthn. All notifications consisted of a title, an icon, and optionally a body text.
- Title: Fast and easy sign-in with your fingerprint or face.
- Icon:
logo_base.png
Biometric-Control:- Body:
N/A
- Body:
Biometric-Brands- Body: Backed by Microsoft, Google, and Apple.
Biometric-Hacked- Body: Unlike passwords it can't be hacked.
Biometric-Leaves- Body: Your fingerprint or face never leaves your personal device.
Biometric-Stored- Body: Your fingerprint or face is only stored on your personal device.
Biometric-Shared- Body: Your fingerprint or face is never shared with ExampleTech or third parties.
We also tested a notification for non-biometric WebAuthn consisting of a title and an icon.
- Title: Fast and easy sign-in with your device's PIN, pattern, or password.
- Icon:
logo_fallback.png - Body:
N/A
In our traditional password condition, participants saw no notification but were directly forwarded to the password registration form.
- Title:
N/A - Icon:
N/A - Body:
N/A
The PHP/JavaScript/HTML/CSS code in this repository is a slight modification of the code that has been used in Study 3 (cf. Section 5). If you run this code, you can test our developed notifications and authenticate using (biometric) WebAuthn or traditional passwords.
Our PHP code relies on the PHP WebAuthn Framework developed by Spomky-Labs (Florent Morselli). The framework's documentation will soon become your new best friend, so you should bookmark it webauthn-doc.spomky-labs.com.
The flow of this user study demo is outlined in the following screenshots. Note that participants in our study did not see the Debug Menu and were redirected to Qualtrics once they successfully registered.
Warning: This is a proof of concept (PoC) implementation and not intended to be used in a production environment.
We use Prepared Statements and PHP Data Objects (PDO) to execute SQL statements. We make use of intval(), floatval(), htmlspecialchars(... ENT_QUOTES | ENT_SUBSTITUTE), and json_encode/decode() to sanitize user input. Passwords are insecurely stored in plaintext in the database (because we analyzed them in our paper using CMU's Password Guessability Service).
- A common LAMP stack.
- We used Apache 2.4, PHP 7.4, and MySQL 8 on Ubuntu 20.04.
- You need a domain and a TLS certificate (WebAuthn enforces this and will not work over plain
HTTP).- You can get a TLS certificate for free using Let's Encrypt.
- For local development, you might want to use
mkcert.
- You need to install the following packages using Composer.
composer require web-auth/webauthn-lib
composer require symfony/http-foundation
composer require symfony/psr-http-message-bridge ^1.3.0
composer require zendframework/zend-diactoros- Required: Google Chrome (currently commented out for easier testing). We used UAParser.js for this.
location.href = 'help_aw.php?d1=wrongbrowser'-> Redirect to help page.
- Required: Android >= v7 (Nougat) (currently commented out for easier testing). We used
navigator.userAgent.indexOf("Android") > -1;location.href = 'help_aw.php?d1=notandroid'-> Redirect to help page.
- Required: WebAuthn support and a screen lock on the device (
if (window.PublicKeyCredential) {})location.href = 'help_aw.php?d1=wrongbrowser'-> Redirect to help page.- NotSupportedError: The specified
userVerificationrequirement cannot be fulfilled by this device unless the device is secured with a screen lock.
- Maximum of 3 attempts each (registration & authentication). Enforced via the backend.
⚠️ Registration failed. Please try again!⚠️ Authentication failed. Please try again!
- Composition Policy: >= 8 chars and minimum password strength of zxcvbn score >= 3 (guess_number >= 10^8 guesses)
- Must be at least 8 characters long.
- ❌ Your password is not long enough.
- zxcvbn password strength meter (bar + text + emoji)
- length < 8: 😵 That's too short. You need at least 8 characters.
- score 0 || 1: 😟 Terrible. This password is very easy to guess.
- score 2: 😐 Weak. Your password needs to be better.
- score 3: 🙂 Good. Your password is pretty good.
- score 4: 😇 Excellent. Your password appears strong.
- Minimal custom blocklist:
['Example Tech', 'example', 'Example.Tech', 'example.tech', 'Study', 'Prolific']; - Support for password managers (
autocomplete="new-password") - Option to display password in plaintext (
.on('touchstart'and.on('mousedown')) - Password confirm field
- ❌ Passwords do not match. Check them for typos.
- timeout:
60000, we require the user to respond within 60 seconds. - userVerification:
required, users are forced to enter the device PIN/provide a biometric.- NotAllowedError: The operation either timed out or was not allowed.
- authenticatorAttachment:
platform, only platform authenticators (AUTHENTICATOR_ATTACHMENT_PLATFORM) were allowed in the study, aka only Android devices, no third-party NFC/Bluetooth/USB hardware security keys (currently set toAUTHENTICATOR_ATTACHMENT_NO_PREFERENCEfor easier testing). - attestation:
none, no attestation required. We don't care from where the keys originate. - requireResidentKey:
false, no resident keys/discoverable credentials are used.
Please make sure first to verify whether the device supports WebAuthn. This can be achieved using the following code snippet (from js/custom/register_webauthn.js):
// Check whether WebAuthn is supported by the user agent
if (window.PublicKeyCredential) {
console.log("WebAuthn is supported");
} else {
...
}Below is a list of other error situations that might result from calling navigator.credentials.create() and navigator.credentials.get() that you would want to consider:
- NotSupportedError: The specified
userVerificationrequirement cannot be fulfilled by this device unless the device is secured with a screen lock.- Potential reason: User does not have a screen lock configured on their device.
- NotAllowedError: The operation either timed out or was not allowed.
- Potential reason: User denied or did not respond within our set timeout of 60 seconds.
- InvalidStateError: A request is already pending.
- Potential reason: The device is too slow/the user pressed the login button multiple times. Can be prevented with better callback handling.
- NotReadableError: An unknown error occurred while talking to the credential manager.
- Potential reason: Unknown.
Please edit static/enroll_w.php.
- Register Authenticators: You can change timeout to any value (in milliseconds).
$timeout = 60000; // 60 seconds-
Authenticator Selection Criteria: You can change authenticatorAttachment from
AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE(UI will ask which authenticator to use) andAUTHENTICATOR_ATTACHMENT_PLATFORM(UI will prompt for screen lock). -
Resident Key: You can change requireResidentKey from
falsetotrue. -
User Verification: You can change userVerification from
USER_VERIFICATION_REQUIREMENT_REQUIREDtoUSER_VERIFICATION_REQUIREMENT_DISCOURAGED.
$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM, // Platform authenticator
false, // Resident key required
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED // User verification required
);To edit the database name, user, and password, please refer to includes/lib/db_connection.php.
CREATE DATABASE `bio_webauthn_db`;
ALTER SCHEMA `bio_webauthn_db` DEFAULT CHARACTER SET utf8;
CREATE USER 'bio_webauthn_user'@'%' IDENTIFIED BY 'some-fake-password-replace-me'; # You need to change this!!!
GRANT SELECT, INSERT, UPDATE ON `bio_webauthn_db`.* TO 'bio_webauthn_user'@'%';
FLUSH PRIVILEGES;
DROP TABLE bio_webauthn_db.webauthn_registrations;
DROP TABLE bio_webauthn_db.webauthn_authentications;
DROP TABLE bio_webauthn_db.password_registrations;
DROP TABLE bio_webauthn_db.password_authentications;
DROP TABLE bio_webauthn_db.ui_actions;
CREATE TABLE webauthn_registrations (
uid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
prolific VARCHAR(64) NOT NULL,
username VARCHAR(64) NOT NULL,
notification VARCHAR(64) NOT NULL,
attempt INT NOT NULL,
gender VARCHAR(64) NOT NULL,
age INT NOT NULL,
ui_timespan INT NOT NULL,
date_reg TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
raw_id VARCHAR(256) NOT NULL,
json_parsed VARCHAR(4096) NOT NULL,
json_raw VARCHAR(4096) NOT NULL,
useragent VARCHAR(512) NOT NULL,
ip VARCHAR(64) NOT NULL
) ENGINE=InnoDB;
CREATE TABLE webauthn_authentications (
uid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
prolific VARCHAR(64) NOT NULL,
username VARCHAR(64) NOT NULL,
notification VARCHAR(64) NOT NULL,
attempt INT NOT NULL,
ui_timespan INT NOT NULL,
date_auth TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
json_parsed VARCHAR(4096) NOT NULL,
json_raw VARCHAR(4096) NOT NULL,
useragent VARCHAR(512) NOT NULL,
ip VARCHAR(64) NOT NULL
) ENGINE=InnoDB;
CREATE TABLE password_registrations (
uid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
prolific VARCHAR(64) NOT NULL,
notification VARCHAR(64) NOT NULL,
attempt INT NOT NULL,
ratelimit INT DEFAULT 0,
gender VARCHAR(64) NOT NULL,
age INT NOT NULL,
ui_timespan VARCHAR(8192) NOT NULL,
date_reg TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
password VARCHAR(512) NOT NULL,
strength VARCHAR(64) NOT NULL,
useragent VARCHAR(512) NOT NULL,
ip VARCHAR(64) NOT NULL
) ENGINE=InnoDB;
CREATE TABLE password_authentications (
uid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
prolific VARCHAR(64) NOT NULL,
notification VARCHAR(64) NOT NULL,
attempt INT NOT NULL,
ui_timespan VARCHAR(8192) NOT NULL,
date_auth TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
useragent VARCHAR(512) NOT NULL,
ip VARCHAR(64) NOT NULL
) ENGINE=InnoDB;
CREATE TABLE ui_actions (
aid INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
prolific VARCHAR(64) NOT NULL,
action_log VARCHAR(4096) NOT NULL,
useragent VARCHAR(512) NOT NULL,
ip VARCHAR(64) NOT NULL
) ENGINE=InnoDB;If you want to cite our work, please use the following BibTeX entry:
@inproceedings{lassak-21-webauthn-misconceptions,
author = {Lassak, Leona and Hildebrandt, Annika and Golla, Maximilian and Ur, Blase},
title = {{``It's Stored, Hopefully, on an Encrypted Server'': Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn}},
booktitle = {USENIX Security Symposium},
year = {2021},
series = {SSYM~'21},
pages = {91--108},
address = {Virtual Conference},
month = aug,
publisher = {USENIX}
}The source code in this repository is licensed under the MIT license. Refer to docs/LICENSE for more information.
- PHP WebAuthn Framework is developed by Spomky-Labs (Florent Morselli) and other contributors. The license and the source code can be downloaded here.
- zxcvbn is developed by Dan Wheeler, Dropbox, and other contributors. The license and the source code can be downloaded here.
- UAParser is developed by Faisal Salman and other contributors. The license and the source code can be downloaded here.
- Lockr is developed by Dimitris Tsironis and other contributors. The license and the source code can be downloaded here.
- jQuery is developed by the JS Foundation and other contributors. The license and the source code can be downloaded here.
- Font Awesome Free is developed by FortAwesome and other contributors. The license and the source code can be downloaded here.
- Bootstrap is developed by Twitter and other contributors. The license and the source code can be downloaded here.
Visit SUPERgroup, Ruhr University Bochum, or the MPI-SP. If you are interested in authentication, consider contributing and attending the Symposium on Usable Privacy and Security (SOUPS) and International Conference on Passwords (PASSWORDS).