{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T17:33:02Z","timestamp":1770226382535,"version":"3.49.0"},"reference-count":148,"publisher":"Association for Computing Machinery (ACM)","issue":"8","license":[{"start":{"date-parts":[[2024,4,26]],"date-time":"2024-04-26T00:00:00Z","timestamp":1714089600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2024,8,31]]},"abstract":"<jats:p>To overcome the security vulnerabilities caused by weak passwords, thus bridge the gap between user friendly interfaces and advanced security features, the Fast IDentity Online (FIDO) alliance defined a number of authentication protocols. The existing literature leverages all versions of the FIDO protocols, without indicating the reasons behind the choice of each individual FIDO protocol (i.e., U2F, UAF, FIDO2). Inevitably, the question \u201cwhich protocol is more suitable per case\u201d becomes significant. To provide an answer to the previous question, this article performs a thorough comparative analysis on the different protocol specifications and their technological and market support, to identify whether any protocol has become obsolete. To reach to a conclusion, the proposed approach (i) explores the existing literature, (ii) analyses the specifications released by the FIDO Alliance, elaborating on the security characteristics, (iii) inspects the technical adoption by the industry and (iv) investigates the compliance of the FIDO with standards, regulations and other identity verification protocols. Our results indicate that FIDO2 is the most widely adopted solution; however, U2F remains supported by numerous web services as a two-factor authentication (2FA) choice, while UAF continues to be utilised in mobile clients seeking to offer the Transaction Confirmation feature.<\/jats:p>","DOI":"10.1145\/3654661","type":"journal-article","created":{"date-parts":[[2024,3,27]],"date-time":"2024-03-27T11:55:39Z","timestamp":1711540539000},"page":"1-51","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["How many FIDO protocols are needed? Analysing the technology, security and compliance"],"prefix":"10.1145","volume":"56","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0009-4479","authenticated-orcid":false,"given":"Anna","family":"Angelogianni","sequence":"first","affiliation":[{"name":"Digital Systems, University of Piraeus, Piraeus, Greece"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1083-0345","authenticated-orcid":false,"given":"Ilias","family":"Politis","sequence":"additional","affiliation":[{"name":"InQbit Innovations SRL,  Bucharest Romania"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6718-122X","authenticated-orcid":false,"given":"Christos","family":"Xenakis","sequence":"additional","affiliation":[{"name":"University of Piraeus,  Piraeus Greece"}]}],"member":"320","published-online":{"date-parts":[[2024,4,26]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"2021. Can I use: WebAuthn. Retrieved 14 April 2024 from https:\/\/caniuse.com\/?search=webauthn"},{"key":"e_1_3_3_3_2","unstructured":"2015. USB-Dongle Authentication. Retrieved 14 April 2024 from https:\/\/www.dongleauth.info\/"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","unstructured":"Dipankar Dasgupta Arunava Roy and Abhijit Nag. 2016. Toward the design of adaptive selection strategies for multi-factor authentication. Computers & Security 63 (2016) 85\u2013116. 10.1016\/j.cose.2016.09.004","DOI":"10.1016\/j.cose.2016.09.004"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363283"},{"key":"e_1_3_3_6_2","unstructured":"FIDO Alliance. 2023. Conformance Self-Validation Testing. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/certification\/functional-certification\/conformance\/"},{"key":"e_1_3_3_7_2","unstructured":"FIDO Alliance. 2020. FIDO alliance white paper: considerations for deploying FIDO servers in the enterprise. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/whitepaper-considerations-for-deploying-fido-servers-in-the-enterprise\/"},{"key":"e_1_3_3_8_2","unstructured":"FIDO Alliance. 2020. FIDO authentication and EMV 3-D secure: Using FIDO for payment authentication. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/technical-notefido-authentication-and-emv-3-d-secure-using-fido-for-payment-authentication\/"},{"key":"e_1_3_3_9_2","unstructured":"FIDO Alliance. 2020. FIDO authenticator allowed restricted operating environments list. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-securityrequirements\/fido-authenticator-allowed-restricted-operating-environments-list-v1.2-fd-20201102.html"},{"key":"e_1_3_3_10_2","unstructured":"FIDO Alliance. 2021. FIDO Certified Professional Program. Retrieved 24 April 2024 from https:\/\/fidoalliance.org\/fido-certified-professional-program\/"},{"key":"e_1_3_3_11_2","unstructured":"FIDO Alliance. 2021. FIDO Client to Authenticator Protocol (CTAP) Proposed Standard. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-v2.1-ps-20210615\/fidoclient-to-authenticator-protocol-v2.1-ps-20210615.html"},{"key":"e_1_3_3_12_2","unstructured":"FIDO Alliance. 2023. FIDO Reference Implementation Library. Retrieved June 1 2023 from https:\/\/fidoalliance.org\/certification\/functional-certification\/reference-implementation-library\/"},{"key":"e_1_3_3_13_2","unstructured":"FIDO Alliance. 2018. FIDO Security Reference. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-v2.0-rd-20180702\/fido-security-ref-v2.0-rd-20180702.pdf"},{"key":"e_1_3_3_14_2","unstructured":"FIDO Alliance. 2017. FIDO Universal 2nd Factor (U2F) Proposed Standard. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-u2f-v1.2-ps-20170411\/FIDO-U2FCOMPLETE-v1.2-ps-20170411.pdf"},{"key":"e_1_3_3_15_2","unstructured":"FIDO Alliance. 2017. FIDO Universal Authentication Framework (UAF) Proposed Standard version 1.1. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-uafv1.1-ps-20170202\/FIDO-UAF-COMPLETE-v1.1-ps-20170202.pdf"},{"key":"e_1_3_3_16_2","unstructured":"FIDO Alliance. 2020. FIDO Universal Authentication Framework (UAF) Proposed Standard version 1.2. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/specs\/fido-uafv1.2-ps-20201020\/FIDO-UAF-COMPLETE-v1.2-ps-20201020.pdf"},{"key":"e_1_3_3_17_2","unstructured":"FIDO Alliance. 2021. Github FIDO2 Interoperability Testing Web App. Retrieved 14 April 2024 from https:\/\/github.com\/fido-alliance\/fido2-interop-webapp"},{"key":"e_1_3_3_18_2","unstructured":"FIDO Alliance. 2020. Github Repository for Certification Test Tools Resources. Retrieved 14 April 2024 from https:\/\/github.com\/fido-alliance\/conformance-test-tools-resources"},{"key":"e_1_3_3_19_2","unstructured":"FIDO Alliance. 2018. How FIDO standards meet psd2\u2019s regulatory standards requirements on strong customer authentication. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/wp-content\/uploads\/2019\/01\/How_FIDO_Meets_the_RTS_Requirements_December2018.pdf"},{"key":"e_1_3_3_20_2","unstructured":"FIDO Alliance. 2021. Interoperability Testing. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/certification\/interoperability-testing\/"},{"key":"e_1_3_3_21_2","unstructured":"FIDO Alliance. 2021. Metadata Service. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/metadata\/"},{"key":"e_1_3_3_22_2","unstructured":"FIDO Alliance. 2020. National Health Service uses FIDO Authentication for Enhanced Login. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/national-health-service-uses-fido-authentication-for-enhanced-login"},{"key":"e_1_3_3_23_2","unstructured":"FIDO Alliance. 2021. FIDO Privacy Principles. Retrieved 14 April 2024 from https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2014\/12\/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf"},{"key":"e_1_3_3_24_2","unstructured":"FIDO Alliance. 2020. Using FIDO with eIDAS Services. Retrieved November 17 2021 from https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2020\/06\/FIDO_Using-FIDO-with-eIDAS-Services-White-Paper.pdf"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/URC49805.2020.9099190"},{"key":"e_1_3_3_26_2","unstructured":"Apple.2019. iOS & iPadOS 13.3 Release Notes. Retrieved 14 April 2024 from https:\/\/developer.apple.com\/documentation\/ios-ipados-release-notes\/ios-ipados-13_3-release-notes"},{"key":"e_1_3_3_27_2","unstructured":"Apple.2020. Safari 14 Release Notes. Retrieved 14 April 2024 from https:\/\/developer.apple.com\/documentation\/safari-release-notes\/safari-14-release-notes"},{"key":"e_1_3_3_28_2","volume-title":"Web Authentication: An API for Accessing Public Key Credentials Level 1","author":"Balfanz BalDirk","unstructured":"BalDirk Balfanz, Alexei Czeskis, Jeff Hodges, J. C. Jones, Michael B. Jones, Akshay Kumar, Angelo Liao, Rolf Lindemann, and Emil Lundberg. [n.d.]. Web Authentication: An API for Accessing Public Key Credentials Level 1. Technical Report."},{"key":"e_1_3_3_29_2","unstructured":"Manuel Barbosa Alexandra Boldyreva Shan Chen and Bogdan Warinschi. 2020. Provable security analysis of FIDO2. Cryptology ePrint Archive Paper 2020\/756 (2020). https:\/\/eprint.iacr.org\/2020\/756. Accessed 14 April 2024."},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23079"},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCTURKEY56345.2022.9931832"},{"key":"e_1_3_3_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179454"},{"key":"e_1_3_3_33_2","unstructured":"Google Blog. 2021. Announcing the Android Ready SE Alliance. Retrieved 14 April 2024 from https:\/\/security.googleblog.com\/2021\/03\/announcing-android-ready-se-alliance.html"},{"key":"e_1_3_3_34_2","unstructured":"Jiewen Tan. 2020. Meet Face ID and Touch ID for the Web. Retrieved 14 April 2024 from https:\/\/webkit.org\/blog\/11312\/meet-face-id-and-touch-id-for-the-web\/"},{"key":"e_1_3_3_35_2","doi-asserted-by":"publisher","unstructured":"Vaios Bolgouras Anna Angelogianni Ilias Politis and Christos Xenakis. 2022. Trusted and Secure Self-sovereign Identity Framework. Association for Computing Machinery New York NY USA. DOI:10.1145\/3538969.3544436","DOI":"10.1145\/3538969.3544436"},{"key":"e_1_3_3_36_2","unstructured":"Broadcom. 2020. MAG and Samsung SDS Nexsign Integration. Retrieved January 18 2021 from https:\/\/techdocs.broadcom.com\/us\/en\/ca-enterprise-software\/layer7-api-management\/mobile-api-gateway\/4-1\/solutions-and-integrations\/mag-and-samsung-sds-nexsign-integration.html?src=contextnavpagetreemode"},{"key":"e_1_3_3_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.22"},{"key":"e_1_3_3_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/MCOMSTD.001.1900020"},{"key":"e_1_3_3_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363258"},{"key":"e_1_3_3_40_2","article-title":"On Making U2F Protocol Leakage-Resilient via Re-keying","author":"Chang Donghoon","year":"2017","unstructured":"Donghoon Chang, Sweta Mishra, Somitra Kumar Sanadhya, and Ajit Pratap Singh1. 2017. On Making U2F Protocol Leakage-Resilient via Re-keying. Cryptology ePrint Archive, Report 2017\/721. Retrieved 14 April 2024 from https:\/\/eprint.iacr.org\/2017\/721","journal-title":"Cryptology ePrint Archive, Report 2017\/721"},{"key":"e_1_3_3_41_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2017.05.048"},{"key":"e_1_3_3_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICComm.2018.8484268"},{"key":"e_1_3_3_43_2","volume-title":"Proceedings of the 15th Symposium on Usable Privacy and Security (SOUPS 2019)","author":"Ciolino St\u00e9phane","year":"2019","unstructured":"St\u00e9phane Ciolino, Simon Parkin, and Paul Dunphy. 2019. Of two minds about two-factor: Understanding everyday FIDO U2F usability through device comparison and experience sampling. In Proceedings of the 15th Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA. Retrieved from https:\/\/www.usenix.org\/conference\/soups2019\/presentation\/ciolino"},{"key":"e_1_3_3_44_2","unstructured":"Citrix. 2020. Introducing end-to-end password-less authentication using FIDO2. Retrieved January 5 2021 from https:\/\/www.citrix.com\/blogs\/2020\/10\/01\/introducing-end-to-end-password-less-authentication-using-fido2\/"},{"key":"e_1_3_3_45_2","unstructured":"The Mitre Corporation. 2021. CVE-2021-3011. Retrieved November 17 2021 from https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-3011"},{"key":"e_1_3_3_46_2","first-page":"160","volume-title":"Proceedings of the Financial Cryptography and Data Security","author":"Das Sanchari","year":"2018","unstructured":"Sanchari Das, Andrew Dingman, and L. Jean Camp. 2018. Why johnny doesn\u2019t use two factor a two-phase usability study of the FIDO U2F security key. In Proceedings of the Financial Cryptography and Data Security. Sarah Meiklejohn and Kazue Sako (Eds.), Springer, Berlin, 160\u2013179."},{"key":"e_1_3_3_47_2","unstructured":"Debian. 2018. Package: python3-fido2. Retrieved 14 April 2024 from https:\/\/packages.debian.org\/unstable\/python3-fido2"},{"key":"e_1_3_3_48_2","unstructured":"Samsung Developers. 2016. Tizen API: FIDO Client. Retrieved 14 April 2024 from https:\/\/developer.tizen.org\/dev-guide\/csapi\/api\/Tizen.Account.FidoClient.html"},{"key":"e_1_3_3_49_2","unstructured":"Samsung Developers. 2017. Tizen Native API: FIDO Client. Retrieved 14 April 2024 from https:\/\/docs.tizen.org\/application\/native\/api\/mobile\/5.5\/group__CAPI__FIDO__MODULE.html"},{"key":"e_1_3_3_50_2","unstructured":"Samsung Developers. 2016. TizenFX API References. Retrieved 14 April 2024 from https:\/\/developer.samsung.com\/smarttv\/develop\/api-references\/tizenfx-api-references.html"},{"key":"e_1_3_3_51_2","unstructured":"eBay. 2016. UAF - Universal Authentication Framework. Retrieved January 18 2021 from https:\/\/github.com\/eBay\/UAF"},{"key":"e_1_3_3_52_2","unstructured":"ENISA. 2020. Threat Landscape 2020 - Phishing. Retrieved January 5 2021 from https:\/\/www.enisa.europa.eu\/publications\/phishing"},{"key":"e_1_3_3_53_2","unstructured":"Europol. 2020. The SIM Highjackers: How criminals are stealing millions by highjacking phone numbers. Retrieved January 5 2021 from https:\/\/www.europol.europa.eu\/newsroom\/news\/sim-highjackers-how-criminals-are-stealing-millions-highjacking-phone-numbers"},{"key":"e_1_3_3_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3063955.3063982"},{"key":"e_1_3_3_55_2","doi-asserted-by":"publisher","DOI":"10.3390\/s21082686"},{"key":"e_1_3_3_56_2","first-page":"19","volume-title":"Proceedings of the 16th Symposium on Usable Privacy and Security (SOUPS 2020)","author":"Farke Florian M.","year":"2020","unstructured":"Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus D\u00fcrmuth. 2020. \u201cYou still use the password after all\u201d \u2013 Exploring FIDO2 Security Keys in a Small Company. In Proceedings of the 16th Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, 19\u201335. Retrieved from https:\/\/www.usenix.org\/conference\/soups2020\/presentation\/farke"},{"key":"e_1_3_3_57_2","first-page":"23","article-title":"Finger-print identification","volume":"22","author":"Faulds Henry","year":"1880","unstructured":"Henry Faulds. 1880. Finger-print identification. Nature 22 (1880), 23.","journal-title":"Nature"},{"key":"e_1_3_3_58_2","doi-asserted-by":"publisher","unstructured":"Haonan Feng Jingjing Guan Hui Li Xuesong Pan and Ziming Zhao. 2023. FIDO gets verified: A formal analysis of the universal authentication framework protocol. IEEE Transactions on Dependable and Secure Computing 20 5 (2023) 4291\u20134310. 10.1109\/TDSC.2022.3217259","DOI":"10.1109\/TDSC.2022.3217259"},{"key":"e_1_3_3_59_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24363"},{"key":"e_1_3_3_60_2","unstructured":"FIDO Alliance. 2019. Android Now FIDO2 Certified Accelerating Global Migration Beyond Passwords. Retrieved January 18 2021 from https:\/\/fidoalliance.org\/android-now-fido2-certified-accelerating-global-migration-beyond-passwords\/"},{"key":"e_1_3_3_61_2","unstructured":"FIDO Alliance. 2020. Authentication Attitudes Usage & FIDO Brand Research Report. Retrieved December 4 2020 from https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2020\/05\/FIDO-Consumer-Research-Report.pdf"},{"key":"e_1_3_3_62_2","unstructured":"FIDO Alliance. 2020. Certification Overview. Retrieved January 5 2021 from https:\/\/fidoalliance.org\/certification\/authenticator-certification-levels\/"},{"key":"e_1_3_3_63_2","unstructured":"FIDO Alliance. 2020. FIDO Showcase. Retrieved December 21 2020 from https:\/\/fidoalliance.org\/fido-certified-showcase\/"},{"key":"e_1_3_3_64_2","unstructured":"FIDO Alliance. 2021. FIDO Authenticator Allowed Restricted Operating Environments List. Retrieved August 21 2021 from https:\/\/fidoalliance.org\/specs\/fido-security-requirements-v1.0-fd-20170524\/fido-authenticator-allowed-restricted-operating-environments-list_20170524.html\/"},{"key":"e_1_3_3_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417292"},{"key":"e_1_3_3_66_2","unstructured":"Alex Gaynor. 2021. Quantifying Memory Unsafety and Reactions to It. USENIX Association."},{"key":"e_1_3_3_67_2","unstructured":"FIDO Alliance. 2021. FIDO Device Onboard Specification Proposed Standard. Retrieved August 14 April 2024 from https:\/\/fidoalliance.org\/specs\/FDO\/fido-device-onboard-v1.0-ps-20210323\/fido-device-onboard-v1.0-ps-20210323.html"},{"key":"e_1_3_3_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00047"},{"key":"e_1_3_3_69_2","unstructured":"Google. 2021. Build your first WebAuthn app. Retrieved 14 April 2024 from https:\/\/codelabs.developers.google.com\/codelabs\/webauthn-reauth#0"},{"key":"e_1_3_3_70_2","unstructured":"Google. 2020. Github CTAP2 test tool. Retrieved 14 April 2024 from https:\/\/github.com\/google\/CTAP2-test-tool"},{"key":"e_1_3_3_71_2","unstructured":"Google. 2020. How we built the Chrome DevTools WebAuthn tab. Retrieved 14 April 2024 from https:\/\/developer.chrome.com\/blog\/webauthn-tab\/"},{"key":"e_1_3_3_72_2","unstructured":"Google. 2017. Google APIs for Android: FIDO. Retrieved December 21 2020 from https:\/\/developers.google.com\/android\/reference\/packages#fido"},{"key":"e_1_3_3_73_2","first-page":"96","article-title":"Blind software-assisted conformance and security assessment of FIDO2\/WebAuthn implementations","volume":"13","author":"Grammatopoulos Athanasios Vasileios","year":"2022","unstructured":"Athanasios Vasileios Grammatopoulos, Ilias Politis, and Christos Xenakis. 2022. Blind software-assisted conformance and security assessment of FIDO2\/WebAuthn implementations. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 13, 2 (2022), 96\u2013127.","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"e_1_3_3_74_2","doi-asserted-by":"publisher","DOI":"10.1002\/9781119672357"},{"key":"e_1_3_3_75_2","doi-asserted-by":"publisher","DOI":"10.1145\/3190619.3190640"},{"key":"e_1_3_3_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom50675.2020.00076"},{"key":"e_1_3_3_77_2","unstructured":"Timon Hackenjos Benedikt Wagner Julian Herr Jochen Rill Marek Wehmer Niklas Goerke and Ingmar Baumgart. 2022. FIDO2 with two displays - Or how to protect security-critical web transactions against malware attacks. arXiv:2206.13358. Retrieved 14 April 2024 from https:\/\/arxiv.org\/abs\/2206.13358"},{"key":"e_1_3_3_78_2","article-title":"Token meets Wallet: Formalizing Privacy and Revocation for FIDO2","author":"Hanzlik Lucjan","year":"2022","unstructured":"Lucjan Hanzlik, Julian Loss, and Benedikt Wagner. 2022. Token meets Wallet: Formalizing Privacy and Revocation for FIDO2. Cryptology ePrint Archive, Report 2022\/084. Retrieved 14 April 2024 from https:\/\/ia.cr\/2022\/084","journal-title":"Cryptology ePrint Archive, Report 2022\/084"},{"key":"e_1_3_3_79_2","unstructured":"Red Hat. [n.d.]. Authentication using FIDO Protocol UAF and U2F. Retrieved March 5 2021 from https:\/\/access.redhat.com\/solutions\/3076761"},{"key":"e_1_3_3_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2017.7997246"},{"key":"e_1_3_3_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCTCS52002.2021.00046"},{"key":"e_1_3_3_82_2","doi-asserted-by":"publisher","DOI":"10.1109\/CC.2016.7897543"},{"key":"e_1_3_3_83_2","unstructured":"Galen Hunt George Letey and Edmund B. Nightingale. [n.d.]. The Seven Properties of Highly Secured Devices. Retrieved March 5 2021 from https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2020\/11\/Seven-Properties-of-Highly-Secured-Devices-2nd-Edition-R1.pdf"},{"key":"e_1_3_3_84_2","volume-title":"Web Authentication: An API for accessing Public Key Credentials - Level 2","author":"Jones Michael","year":"2021","unstructured":"Michael Jones, Jeff Hodges, Emil Lundberg, J. C. Jones, and Akshay Kumar. 2021. Web Authentication: An API for accessing Public Key Credentials - Level 2. W3C Recommendation. Retrieved from https:\/\/www.w3.org\/TR\/2021\/REC-webauthn-2-20210408\/"},{"key":"e_1_3_3_85_2","doi-asserted-by":"publisher","DOI":"10.1145\/3549015.3554208"},{"key":"e_1_3_3_86_2","doi-asserted-by":"crossref","unstructured":"Michal Kepkowski Lucjan Hanzlik Ian Wood and Mohamed Ali Kaafar. 2022. How not to handle keys: Timing attacks on FIDO authenticator privacy. arXiv:2205.08071. Retrieved 14 April 2024 from https:\/\/arxiv.org\/abs\/2205.08071","DOI":"10.56553\/popets-2022-0129"},{"key":"e_1_3_3_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev56634.2023.00017"},{"key":"e_1_3_3_88_2","unstructured":"Strong Key. 2021. Crypto-Based Authentication. Retrieved March 5 2021 from https:\/\/encryptedweb.org\/authentication\/"},{"key":"e_1_3_3_89_2","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/6245306"},{"key":"e_1_3_3_90_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICDMW51313.2020.00100"},{"key":"e_1_3_3_91_2","doi-asserted-by":"publisher","DOI":"10.1145\/3291533.3291573"},{"key":"e_1_3_3_92_2","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom50675.2020.00254"},{"key":"e_1_3_3_93_2","doi-asserted-by":"publisher","DOI":"10.3390\/s21020520"},{"key":"e_1_3_3_94_2","doi-asserted-by":"publisher","unstructured":"Dhruv Kuchhal Muhammad Saad Adam Oest and Frank Li. 2023. Evaluating the Security Posture of Real-world FIDO2 Deployments. Association for Computing Machinery New York NY USA. DOI:10.1145\/3576915.3623063","DOI":"10.1145\/3576915.3623063"},{"key":"e_1_3_3_95_2","series-title":"LNI","first-page":"59","volume-title":"Proceedings of the Open Identity Summit 2021, Copenhagen, Denmark, Juni 1-2, 2021","volume":"312","author":"Kunke Johannes","year":"2021","unstructured":"Johannes Kunke, Stephan Wiefling, Markus Ullmann, and Luigi Lo Iacono. 2021. Evaluation of account recovery strategies with fido2-based passwordless authentication. In Proceedings of the Open Identity Summit 2021, Copenhagen, Denmark, Juni 1-2, 2021(LNI, Vol. P-312). Heiko Ro\u00dfnagel, Christian H. Schunck, and Sebastian M\u00f6dersheim (Eds.), Gesellschaft f\u00fcr Informatik e.V., 59\u201370."},{"key":"e_1_3_3_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC46108.2020.9045440"},{"key":"e_1_3_3_97_2","first-page":"91","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)","author":"Lassak Leona","year":"2021","unstructured":"Leona Lassak, Annika Hildebrandt, Maximilian Golla, and Blase Ur. 2021. \u201cIt\u2019s stored, hopefully, on an encrypted server\u2019\u2019: Mitigating users\u2019 misconceptions about FIDO2 biometric WebAuthn. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 91\u2013108. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/lassak"},{"key":"e_1_3_3_98_2","first-page":"61","volume-title":"Proceedings of the 16th Symposium on Usable Privacy and Security (SOUPS 2020)","author":"Lee Kevin","year":"2020","unstructured":"Kevin Lee, Benjamin Kaiser, Jonathan Mayer, and Arvind Narayanan. 2020. An empirical study of wireless carrier authentication for SIM swaps. In Proceedings of the 16th Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, 61\u201379. Retrieved from https:\/\/www.usenix.org\/conference\/soups2020\/presentation\/lee"},{"key":"e_1_3_3_99_2","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/8819790"},{"key":"e_1_3_3_100_2","doi-asserted-by":"publisher","unstructured":"H. Luo C. Wang H. Luo F. Zhang F. Lin and G. Xu. 2021. G2F: A secure user authentication for rapid smart home IoT management. IEEE Internet of Things Journal 8 13 (2021) 10884\u201310895. 10.1109\/JIOT.2021.3050710","DOI":"10.1109\/JIOT.2021.3050710"},{"key":"e_1_3_3_101_2","doi-asserted-by":"publisher","unstructured":"Luka Malisa. 2017. Security of User Interfaces: Attacks and Countermeasures. Ph.D. Dissertation. ETH Z\u00fcrich. 10.3929\/ethz-b-000217453. Doctor of Sciences thesis.","DOI":"10.3929\/ethz-b-000217453"},{"key":"e_1_3_3_102_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(12)70044-1"},{"key":"e_1_3_3_103_2","doi-asserted-by":"publisher","DOI":"10.1109\/TLA.2018.8795121"},{"key":"e_1_3_3_104_2","unstructured":"David Weston. 2020. Meet the Microsoft Pluton processor \u2013 The security chip designed for the future of Windows PCs. Retrieved 14 April 2024 from https:\/\/www.microsoft.com\/security\/blog\/2020\/11\/17\/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs\/"},{"key":"e_1_3_3_105_2","unstructured":"Microsoft. 2021. Support passwordless authentication with FIDO2 keys in apps you develop. Retrieved 14 April 2024 from https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/support-fido2-authentication"},{"key":"e_1_3_3_106_2","unstructured":"Microsoft. 2020. How it works: Azure AD Multi-Factor Authentication. Retrieved March 5 2021 from https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-howitworks"},{"key":"e_1_3_3_107_2","first-page":"2057","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security 20)","author":"Moghimi Daniel","year":"2020","unstructured":"Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. 2020. TPM-FAIL: TPM meets timing and lattice attacks. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2057\u20132073. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/moghimi-tpm"},{"key":"e_1_3_3_108_2","first-page":"1631","volume-title":"Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS\u20192017)","author":"Nemec Matus","year":"2017","unstructured":"Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas. 2017. The return of coppersmith\u2019s attack: Practical factorization of widely used RSA moduli. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS\u20192017). ACM, 1631\u20131648."},{"key":"e_1_3_3_109_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-207"},{"key":"e_1_3_3_110_2","unstructured":"Okta. 2020. Okta FastPass. Retrieved 14 April 2024 from https:\/\/www.okta.com\/fastpass\/"},{"key":"e_1_3_3_111_2","doi-asserted-by":"publisher","DOI":"10.3390\/cryptography2010001"},{"key":"e_1_3_3_112_2","unstructured":"Oracle. 2021. Packages Released on Oracle Linux Yum Server. Retrieved April 20 2021 from https:\/\/yum.oracle.com\/whatsnew.html"},{"key":"e_1_3_3_113_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489316"},{"key":"e_1_3_3_114_2","unstructured":"OWASP. 2010. Secure Coding Practices-Quick Reference Guide. Retrieved 14 April 2024 from https:\/\/owasp.org\/www-project-secure-coding-practices-quick-referenceguide\/assets\/docs\/OWASP_SCP_Quick_Reference_Guide_v21.pdf"},{"key":"e_1_3_3_115_2","first-page":"57","volume-title":"Proceedings of the 17th Symposium on Usable Privacy and Security (SOUPS 2021)","author":"Owens Kentrell","year":"2021","unstructured":"Kentrell Owens, Olabode Anise, Amanda Krauss, and Blase Ur. 2021. User perceptions of the usability and security of smartphones as FIDO2 roaming authenticators. In Proceedings of the 17th Symposium on Usable Privacy and Security (SOUPS 2021). USENIX Association, 57\u201376. Retrieved from https:\/\/www.usenix.org\/conference\/soups2021\/presentation\/owens"},{"key":"e_1_3_3_116_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67639-5_11"},{"key":"e_1_3_3_117_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2958763"},{"key":"e_1_3_3_118_2","volume-title":"Proceedings of the 18\u00e8me Symposium sur la s\u00e9curit\u00e9 des Technologies de l\u2019information et des Communications (SSTIC)","author":"Patat G.","year":"2020","unstructured":"G. Patat and M. Sabt. 2020. Please remember me: Security analysis of U2F remember me implementations in the wild. In Proceedings of the 18\u00e8me Symposium sur la s\u00e9curit\u00e9 des Technologies de l\u2019information et des Communications (SSTIC). Rennes, France."},{"key":"e_1_3_3_119_2","unstructured":"pkgs.prg. 2021. Python-fido2 Download for Linux (eopkg rpm xz zst). Retrieved 14 April 2024 from https:\/\/pkgs.org\/download\/python-fido2"},{"key":"e_1_3_3_120_2","doi-asserted-by":"publisher","unstructured":"John C. Polley Ilias Politis Christos Xenakis Adarbad Master and Micha\u0142 K\u0229pkowski. 2021. On an innovative architecture for digital immunity passports and vaccination certificates. arXiv preprint arXiv:2103.04142 (2021). 10.48550\/arXiv.2103.04142. Accessed: 14 April 2024.","DOI":"10.48550\/arXiv.2103.04142"},{"key":"e_1_3_3_121_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-93747-8_2"},{"key":"e_1_3_3_122_2","first-page":"357","volume-title":"Proceedings of the 15th Symposium on Usable Privacy and Security (SOUPS 2019)","author":"Reese Ken","year":"2019","unstructured":"Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A usability study of five two-factor authentication methods. In Proceedings of the 15th Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA, 357\u2013370. Retrieved from https:\/\/www.usenix.org\/conference\/soups2019\/presentation\/reese"},{"key":"e_1_3_3_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2016.7860546"},{"key":"e_1_3_3_124_2","first-page":"231","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)","author":"Roche Thomas","year":"2021","unstructured":"Thomas Roche, Victor Lomn\u00e9, Camille Mutschler, and Laurent Imbert. 2021. A side journey to titan. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 231\u2013248. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/roche"},{"key":"e_1_3_3_125_2","unstructured":"Samsung. 2021. Using Samsung Pass on my Galaxy device. Retrieved 14 April 2024 from https:\/\/www.samsung.com\/au\/support\/mobile-devices\/using-samsung-pass\/"},{"key":"e_1_3_3_126_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.10.030"},{"key":"e_1_3_3_127_2","doi-asserted-by":"publisher","unstructured":"Fabian Schwarz Khue Do Gunnar Heide Lucjan Hanzlik and Christian Rossow. 2022. FeIDo: Recoverable FIDO2 Tokens Using Electronic IDs. Association for Computing Machinery New York NY USA. DOI:10.1145\/3548606.3560584","DOI":"10.1145\/3548606.3560584"},{"key":"e_1_3_3_128_2","unstructured":"Jason Choi. 2020. Extending Keycloak SSO Capabilities with IBM Security Verify. Retrieved March 5 2021 from https:\/\/community.ibm.com\/community\/user\/security\/blogs\/jason-choi1\/2020\/06\/10\/extending-keycloak-sso-capabilities-with-ibm-secur"},{"key":"e_1_3_3_129_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.09.009"},{"key":"e_1_3_3_130_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101745"},{"key":"e_1_3_3_131_2","unstructured":"Joel Snyder. 2020. Using biometrics for authentication in Android. Retrieved April 20 2021 from https:\/\/www.samsungknox.com\/en\/blog\/using-biometrics-for-authentication-in-android"},{"key":"e_1_3_3_132_2","unstructured":"StatCounter. 2020. Mobile Operating System Market Share Worldwide. Retrieved January 18 2021 from https:\/\/gs.statcounter.com\/os-market-share\/mobile\/worldwide"},{"key":"e_1_3_3_133_2","unstructured":"FIDO Alliance. 2019. Support for FIDO2: WebAuthn and CTAP. Retrieved 14 April 2024 from https:\/\/fidoalliance.org\/fido2\/fido2-web-authentication-webauthn\/"},{"key":"e_1_3_3_134_2","unstructured":"The Guardian. 2020. What you need to know about the biggest hack of the US government in years. Retrieved 14 April 2024 from https:\/\/www.theguardian.com\/technology\/2020\/dec\/15\/orion-hack-solar-winds-explained-us-treasury-commerce-department"},{"key":"e_1_3_3_135_2","doi-asserted-by":"publisher","DOI":"10.1109\/ECAI.2017.8166453"},{"key":"e_1_3_3_136_2","unstructured":"Enis Ulqinaku Hala Assal AbdelRahman Abdou Sonia Chiasson and Srdjan Capkun. 2021. Is Real-time phishing eliminated with FIDO? Social engineering downgrade attacks against FIDO protocols. In 30th USENIX Security Symposium (USENIX Security\u201921). USENIX Association 3811\u20133828. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/ulqinaku"},{"key":"e_1_3_3_137_2","doi-asserted-by":"publisher","DOI":"10.1145\/3465481.3469209"},{"key":"e_1_3_3_138_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2022.103190"},{"key":"e_1_3_3_139_2","first-page":"109","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security 20)","author":"Votipka Daniel","year":"2020","unstructured":"Daniel Votipka, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. 2020. Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 109\u2013126. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/votipka-understanding"},{"key":"e_1_3_3_140_2","doi-asserted-by":"publisher","DOI":"10.5220\/0010192703680375"},{"key":"e_1_3_3_141_2","unstructured":"Arch Linux Wiki. 2021. PAM. Retrieved 14 April 2024 from https:\/\/wiki.archlinux.org\/index.php\/PAM"},{"key":"e_1_3_3_142_2","unstructured":"Arch Linux Wiki. 2021. Universal 2nd Factor. Retrieved 14 April 2024 from https:\/\/wiki.archlinux.org\/index.php\/Universal_2nd_Factor"},{"key":"e_1_3_3_143_2","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3580993"},{"key":"e_1_3_3_144_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2021.06.034"},{"key":"e_1_3_3_145_2","unstructured":"Yahoo Finance. 2020. Another AT&T SIM Swapping Hack Targets Trio of Crypto Execs. Retrieved January 5 2021 from https:\/\/finance.yahoo.com\/news\/another-t-sim-swapping-hack-082039662.html?"},{"key":"e_1_3_3_146_2","unstructured":"Yubico. 2021. WebAuthn Compatibility. Retrieved 14 April 2024 from https:\/\/developers.yubico.com\/WebAuthn\/WebAuthn_Browser_Support\/"},{"key":"e_1_3_3_147_2","unstructured":"Yubico. 2021. Works with YubiKey catalog. Retrieved 14 April 2024 from https:\/\/www.yubico.com\/gr\/works-with-yubikey\/catalog\/#protocol=webauthn&usecase=all&key=all"},{"key":"e_1_3_3_148_2","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176946"},{"key":"e_1_3_3_149_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCT46805.2019.8947083"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3654661","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3654661","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:06:10Z","timestamp":1750291570000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3654661"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,26]]},"references-count":148,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2024,8,31]]}},"alternative-id":["10.1145\/3654661"],"URL":"https:\/\/doi.org\/10.1145\/3654661","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,26]]},"assertion":[{"value":"2022-10-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-03-07","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-04-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}