EAP-FIDO: A Novel EAP Method for Using FIDO2 Credentials for Network Authentication
Martiño Rivera-Dourado, Christos Xenakis, Alejandro Pazos, Jose Vázquez-Naya
TL;DR
This paper addresses the security and usability challenges of network access authentication by introducing EAP-FIDO, an Extensible Authentication Protocol method that embeds FIDO2 CTAP2 flows inside a PEAP/EAP-TTLS tunnel to enable passwordless, phishing-resistant authentication within IEEE 802.1X protected networks. The authors design a three-party architecture (User Equipment, EAP Authenticator, Authentication Server) and a three-stage operation (Initialisation, FIDO-Start, FIDO-Request), together with a clearly defined EAP-FIDO data packet format and a session-bound key derivation that produces a key $K$ and the Master Session Key $MSK$ by applying HKDF to the shared secret of an ECDH exchange. They implement a functional prototype inside the Hostapd/wpa_supplicant stack using libfido2, evaluate performance in wired and Wi-Fi deployments, and perform a security analysis covering confidentiality, MITM, and replay threat models. The results show practical authentication times around $0.5$–$0.6$ seconds in realistic environments, with a fast re-authentication cookie substantially reducing user interaction overhead, demonstrating the feasibility and potential of passwordless network access in corporate and public hotspot contexts. Overall, EAP-FIDO provides a compatible, scalable path to leverage existing FIDO2 credentials for secure network access without modifying Access Points, offering significant practical impact for enterprise security and user experience.
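The session-bound key derivation mentioned above is easiest to see in working code. The block below is an added example, not the paper's prototype or its wire format: a pure-Python X25519 stands in for whatever ECDH curve the authors use (the summary does not name one), HKDF follows RFC 5869 over HMAC-SHA256 on the standard library, and the salt (the two nonces), the info labels `EAP-FIDO K` / `EAP-FIDO MSK` and the `session_binding` value (the identity of the PEAP/EAP-TTLS tunnel) are all assumptions chosen to illustrate the idea. The point it shows is the security property the summary refers to: both parties reach the same $K$ and $MSK$, and the same ECDH secret replayed under a different tunnel or nonces yields unrelated keys, which is what defeats relaying the exchange into another session.

```python
import hashlib
import hmac
import os
from typing import Tuple

# --- HKDF (RFC 5869) over HMAC-SHA256, standard library only ---

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-SHA256(salt, IKM); an empty salt means a zero-filled one."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ..., truncated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# --- X25519 (RFC 7748) Montgomery ladder, pure Python, illustration only ---
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clear the low three bits (cofactor clearing)
    k[31] &= 127         # clear the top bit
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 in Montgomery form (RFC 7748, section 5)."""
    k = _decode_scalar(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# --- Session-bound derivation of K and MSK (labels and salt are assumptions) ---

def derive_eap_fido_keys(shared_secret: bytes, session_binding: bytes,
                         client_nonce: bytes, server_nonce: bytes) -> Tuple[bytes, bytes]:
    """Derive K (32 bytes, assumed) and MSK (64 bytes, the minimum EAP exports) from the ECDH secret.

    The nonces salt the extract step and the tunnel identity is mixed into the
    info string, so the same ECDH secret seen in another session derives different keys.
    """
    prk = hkdf_extract(client_nonce + server_nonce, shared_secret)
    k = hkdf_expand(prk, b"EAP-FIDO K" + session_binding, 32)
    msk = hkdf_expand(prk, b"EAP-FIDO MSK" + session_binding, 64)
    return k, msk

def simulate_exchange(session_binding: bytes):
    """Run the User Equipment and Authentication Server halves; return (ue_keys, as_keys)."""
    ue_priv, as_priv = os.urandom(32), os.urandom(32)
    ue_pub, as_pub = x25519(ue_priv, BASE_POINT), x25519(as_priv, BASE_POINT)
    c_nonce, s_nonce = os.urandom(16), os.urandom(16)   # constructed per-session nonces
    ue_keys = derive_eap_fido_keys(x25519(ue_priv, as_pub), session_binding, c_nonce, s_nonce)
    as_keys = derive_eap_fido_keys(x25519(as_priv, ue_pub), session_binding, c_nonce, s_nonce)
    return ue_keys, as_keys

if __name__ == "__main__":
    (k_ue, msk_ue), (k_as, msk_as) = simulate_exchange(b"tunnel-id:constructed-example")
    print("K agrees:", k_ue == k_as, " MSK agrees:", msk_ue == msk_as)
    print("MSK:", msk_ue.hex())
```

In a real deployment the binding value would come from the established TLS tunnel (for example an exporter value) rather than a fixed string, and the MSK is what the Authentication Server hands to the EAP Authenticator to key the 802.1X link; the 64-byte length is the minimum RFC 3748 requires for an exported MSK.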
Abstract
The adoption of FIDO2 authentication by major tech companies in web applications has grown significantly in recent years. However, we argue FIDO2 has broader potential applications. In this paper, we introduce EAP-FIDO, a novel Extensible Authentication Protocol (EAP) method for use in IEEE 802.1X-protected networks. This allows organisations with WPA2/3-Enterprise wireless networks or MACSec-enabled wired networks to leverage FIDO2's passwordless authentication in compliance with existing standards. Additionally, we provide a comprehensive security and performance analysis to support the feasibility of this approach.
