FIDOnuous: A FIDO2/WebAuthn Extension to Support Continuous Web Authentication

For many years username and password are the common solution to protect sensitive web services despite its various drawbacks. While many alternatives were proposed to improve security, passwords are still included in any authentication procedure today. With the proposal of FIDO and FIDO2/WebAuthn a very promising approach was presented in the last years that may replace passwords at some time since it also enables password-less authentication in addition to work as a second factor for any web authentication. Although FIDO2/WebAuthn solves many problems of passwords using public/private key cryptography and the possibility to use strong authentication mechanisms like biometrics, it is still not capable of detecting an attacker once a successful login has happened. In this paper we evaluate the extension of FIDO2/WebAuthn to enable continuous authentication in the web. While this extension would enable the many proposals of continuous authentication for system or device protection to be used for web authentication, it allows the exchange of the relying parties' security requirements on the one hand and the authenticator's capabilities on the other hand, too. We evaluate our extension using an Android-based roaming authenticator communicating via Bluetooth Low Energy and show that the FIDO2/WebAuthn extension mechanism is suitable. While a real world deployment would require modifications in the different browser implementations, we further point out the challenges resulting from the different implementation levels and the high dynamics in the standard development such as different notification windows or parallelism issues.