A Novel Protocol Using Captive Portals for FIDO2 Network Authentication

Martiño Rivera-Dourado, Marcos Gestal, Alejandro Pazos, Jose Vázquez-Naya

TL;DR

This work addresses the challenge of applying passwordless authentication to network access by introducing FIDO2CAP, a protocol that integrates WebAuthn/FIDO2 with captive portals. It presents an architecture and dual ceremonies for registration and authentication, accommodating both discoverable and non-discoverable credentials, and validates the concept via a functional prototype that interfaces with OpenNDS through a WebAuthn-enabled web app (WAWA). The prototype demonstrates compatibility across major OS/browser combinations and includes a 15-user usability study in a hotel-like Wi-Fi scenario, highlighting usability gains and practical challenges. The results suggest that passwordless network authentication via FIDO2CAP is feasible and can improve security, with clear directions for broader deployment and refinement to address browser-specific captive portal limitations.

Abstract

FIDO2 authentication is starting to be applied in numerous web authentication services, aiming to replace passwords and their known vulnerabilities. However, this new authentication method has not been integrated yet with network authentication systems. In this paper, we introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. Our proposal describes a novel protocol for captive-portal network authentication using FIDO2 authenticators, such as security keys and passkeys. For validating our proposal, we have developed a prototype of FIDO2CAP authentication in a mock scenario. Using this prototype, we performed a usability experiment with 15 real users. This work presents the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.

Paper Structure (53 sections, 1 equation, 14 figures, 3 tables)

Figures (14)

  • Figure 1: User personal computer compatible with FIDO2: W3C WebAuthn and FIDO CTAP standards. The web application interacts with the OS via the WebAuthn API of the web browser. The personal computer can have a compatible credential storage for WebAuthn credentials, or interact with a security key via FIDO CTAP1/2.
  • Figure 2: Architecture of the FIDO2 Captive-Portal Authentication (FIDO2CAP) Protocol.
  • Figure 3: Authentication message flow in FIDO2CAP. The User Equipment is connected to the Captive Portal and gets redirected to the WAWA server URI. The user performs FIDO2 authentication at the WAWA User Portal UI. After verifying the authentication, the Enforcement Device allows access to the User Equipment, ending captivity.
  • Figure 4: Registration message flow in FIDO2CAP. The Registrar has the required permissions to access the Registration Portal UI. After specifying the username, FIDO2 registration starts. Finally, the FIDO2 credentials (referred to as the Authenticator) are registered and linked to the user account.
  • Figure 5: Communication between the OpenNDS Authmon module and the developed WAWA server (FAS server). The User Equipment gets redirected to the WAWA UI hosted at the FAS server and, once authenticated, it is authorised by OpenNDS. In blue, the particular operation of OpenNDS we considered for the integration of the developed WAWA server.
  • ...and 9 more figures