Table of Contents
Fetching ...

QES-Backed Virtual FIDO2 Authenticators: Architectural Options for Secure, Synchronizable WebAuthn Credentials

Kemal Bicakci, Fatih Mehmet Varli, Muhammet Emir Korkmaz, Yusuf Uzunay

TL;DR

The paper tackles the portability limitation of FIDO2/WebAuthn by introducing a Virtual FIDO2 Authenticator (VFA) that is cryptographically protected by a PKCS#11 QES token and supports cloud-synced, encrypted credentials. It presents a baseline design where the FIDO2 material is encrypted under a master key $K_{ ext{master}}$ derived from the token, with ciphertexts stored in an untrusted cloud, ensuring hardware-rooted confidentiality while preserving standard WebAuthn interfaces; it also analyzes an OPRF-based hardened variant that binds derivation to a local user verification factor to mitigate cross-protocol misuse, though without a full prototype. The work includes a working prototype for the baseline, performance measurements showing modest overhead (e.g., PKCS#11 sign latency around 42 ms during unlock, MakeCredential ~15 ms, GetAssertion ~7 ms, cloud sync ~220 ms), and a thorough security analysis highlighting key protection, device-theft resistance, and server-side compatibility. Collectively, the approach offers a practical path toward high-assurance, multi-device WebAuthn credentials without ceding cloud control of cryptographic material, with future work including attestation integration, broader cryptographic support, and formal analyses.

Abstract

FIDO2 and the WebAuthn standard offer phishing-resistant, public-key based authentication but traditionally rely on device-bound cryptographic keys that are not naturally portable across user devices. Recent passkey deployments address this limitation by enabling multi-device credentials synchronized via platform-specific cloud ecosystems. However, these approaches require users and organizations to trust the corresponding cloud or phone providers with the protection and availability of their authentication material. In parallel, qualified electronic signature (QES) tokens and smart-card--based PKCS#11 modules provide high-assurance, hardware-rooted identity, yet they are not directly compatible with WebAuthn flows. This paper explores architectural options for bridging these technologies by securing a virtual FIDO2 authenticator with a QES-grade PKCS#11 key and enabling encrypted cloud synchronization of FIDO2 private keys. We first present and implement a baseline architecture in which the cloud stores only ciphertext and the decryption capability remains anchored exclusively in the user's hardware token. We then propose a hardened variant that introduces an Oblivious Pseudorandom Function (OPRF)-based mechanism bound to a local user-verification factor, thereby mitigating cross-protocol misuse and ensuring that synchronization keys cannot be repurposed outside the intended FIDO2 semantics; this enhanced design is analyzed but not implemented. Both architectures preserve a pure WebAuthn/FIDO2 interface to relying parties while offering different trust and deployment trade-offs. We provide the system model, threat analysis, implementation of the baseline architecture, and experimental evaluation, followed by a discussion of the hardened variant's security implications for high-assurance authentication deployments.

QES-Backed Virtual FIDO2 Authenticators: Architectural Options for Secure, Synchronizable WebAuthn Credentials

TL;DR

The paper tackles the portability limitation of FIDO2/WebAuthn by introducing a Virtual FIDO2 Authenticator (VFA) that is cryptographically protected by a PKCS#11 QES token and supports cloud-synced, encrypted credentials. It presents a baseline design where the FIDO2 material is encrypted under a master key derived from the token, with ciphertexts stored in an untrusted cloud, ensuring hardware-rooted confidentiality while preserving standard WebAuthn interfaces; it also analyzes an OPRF-based hardened variant that binds derivation to a local user verification factor to mitigate cross-protocol misuse, though without a full prototype. The work includes a working prototype for the baseline, performance measurements showing modest overhead (e.g., PKCS#11 sign latency around 42 ms during unlock, MakeCredential ~15 ms, GetAssertion ~7 ms, cloud sync ~220 ms), and a thorough security analysis highlighting key protection, device-theft resistance, and server-side compatibility. Collectively, the approach offers a practical path toward high-assurance, multi-device WebAuthn credentials without ceding cloud control of cryptographic material, with future work including attestation integration, broader cryptographic support, and formal analyses.

Abstract

FIDO2 and the WebAuthn standard offer phishing-resistant, public-key based authentication but traditionally rely on device-bound cryptographic keys that are not naturally portable across user devices. Recent passkey deployments address this limitation by enabling multi-device credentials synchronized via platform-specific cloud ecosystems. However, these approaches require users and organizations to trust the corresponding cloud or phone providers with the protection and availability of their authentication material. In parallel, qualified electronic signature (QES) tokens and smart-card--based PKCS#11 modules provide high-assurance, hardware-rooted identity, yet they are not directly compatible with WebAuthn flows. This paper explores architectural options for bridging these technologies by securing a virtual FIDO2 authenticator with a QES-grade PKCS#11 key and enabling encrypted cloud synchronization of FIDO2 private keys. We first present and implement a baseline architecture in which the cloud stores only ciphertext and the decryption capability remains anchored exclusively in the user's hardware token. We then propose a hardened variant that introduces an Oblivious Pseudorandom Function (OPRF)-based mechanism bound to a local user-verification factor, thereby mitigating cross-protocol misuse and ensuring that synchronization keys cannot be repurposed outside the intended FIDO2 semantics; this enhanced design is analyzed but not implemented. Both architectures preserve a pure WebAuthn/FIDO2 interface to relying parties while offering different trust and deployment trade-offs. We provide the system model, threat analysis, implementation of the baseline architecture, and experimental evaluation, followed by a discussion of the hardened variant's security implications for high-assurance authentication deployments.
Paper Structure (50 sections, 6 equations, 2 figures, 2 tables, 1 algorithm)

This paper contains 50 sections, 6 equations, 2 figures, 2 tables, 1 algorithm.

Figures (2)

  • Figure 1: High-level architecture: the virtual FIDO2 authenticator is locally protected by a PKCS#11 e-signature token and uses encrypted cloud storage for synchronizable FIDO credentials. The server remains a pure WebAuthn/FIDO2 relying party.
  • Figure 2: Threat model for the proposed architecture. Adversaries include remote malware, a cloud attacker with database access, and a physical attacker capable of stealing the device and/or the e-signature token. The design aims to preserve FIDO2 private-key confidentiality and prevent unauthorized authentications without the PKCS#11 token.