Authenticator


An authenticator is a means used to confirm a user's identity, [1] [2] that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. [3] [4] In the simplest case, the authenticator is a common password.


Using the terminology of the NIST Digital Identity Guidelines, [3] the party to be authenticated is called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates possession and control of one or more authenticators to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

Classification

Authenticators may be characterized in terms of secrets, factors, and physical forms.

Authenticator secrets

Every authenticator is associated with at least one secret that the claimant uses to demonstrate possession and control of the authenticator. Since an attacker could use this secret to impersonate the user, an authenticator secret must be protected from theft or loss.

The type of secret is an important characteristic of the authenticator. There are three basic types of authenticator secret: a memorized secret and two types of cryptographic keys, either a symmetric key or a private key.

Memorized secret

A memorized secret is intended to be memorized by the user. A well-known example of a memorized secret is the common password, also called a passcode, a passphrase, or a personal identification number (PIN).

An authenticator secret known to both the claimant and the verifier is called a shared secret. A memorized secret may or may not be shared; a symmetric key is shared by definition; a private key is never shared.

An important type of secret that is both memorized and shared is the password. In the special case of a password, the authenticator is the secret.

Cryptographic key

A cryptographic authenticator is one that uses a cryptographic key. Depending on the key material, a cryptographic authenticator may use symmetric-key cryptography or public-key cryptography. Both avoid memorized secrets, and in the case of public-key cryptography there are no shared secrets either, which is an important distinction.

Examples of cryptographic authenticators include OATH authenticators and FIDO authenticators. The name OATH is an acronym from the words "Open AuTHentication" while FIDO stands for Fast IDentity Online. Both are the results of an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication.

By way of counterexample, a password authenticator is not a cryptographic authenticator. See the Examples section below for details.

Symmetric key

A symmetric key is a shared secret used to perform symmetric-key cryptography. The claimant stores their copy of the shared key in a dedicated hardware-based authenticator or a software-based authenticator implemented on a smartphone. The verifier holds a copy of the symmetric key.

Public-private key pair

A public-private key pair is used to perform public-key cryptography. The public key is known to (and trusted by) the verifier while the corresponding private key is bound securely to the authenticator. In the case of a dedicated hardware-based authenticator, the private key never leaves the confines of the authenticator.

Authenticator factors and forms

An authenticator is something unique or distinctive to a user (something that one has) and may be activated by either a PIN (something that one knows) or a biometric (something that is unique to oneself). An authenticator that provides only one of these factors is called a single-factor authenticator whereas a multi-factor authenticator incorporates two or more factors. A multi-factor authenticator is one way to achieve multi-factor authentication. A combination of two or more single-factor authenticators is not itself a multi-factor authenticator, yet may be suitable in certain conditions.

Authenticators may take a variety of physical forms (except for a memorized secret, which is intangible). One can, for example, hold an authenticator in one's hand or wear one on the face, wrist, or finger. [5] [6] [7]

It is convenient to describe an authenticator in terms of its hardware and software components. An authenticator is hardware-based or software-based depending on whether the secret is stored in hardware or software, respectively.

An important type of hardware-based authenticator is called a security key, [8] also called a security token (not to be confused with access tokens, session tokens, or other types of security tokens). A security key stores its secret in hardware, which prevents the secret from being exported. A security key is also resistant to malware since the secret is at no time accessible to software running on the host machine.

A software-based authenticator (sometimes called a software token) may be implemented on a general-purpose electronic device such as a laptop, a tablet computer, or a smartphone. For example, a software-based authenticator implemented as a mobile app on the claimant's smartphone is a type of phone-based authenticator. To prevent access to the secret, a software-based authenticator may use a processor's trusted execution environment or a Trusted Platform Module (TPM) on the client device.

A platform authenticator is built into a particular client device platform, that is, it is implemented on device. In contrast, a roaming authenticator is a cross-platform authenticator that is implemented off device. A roaming authenticator connects to a device platform via a transport protocol such as USB.

Examples

The following sections describe narrow classes of authenticators. For a more comprehensive classification, see the NIST Digital Identity Guidelines. [9]

Single-factor authenticators

To use an authenticator, the claimant must explicitly indicate their intent to authenticate. For example, each of the following gestures is sufficient to establish intent:

The latter is called a test of user presence (TUP). To activate a single-factor authenticator (something that one has), the claimant may be required to perform a TUP, which avoids unintended operation of the authenticator.

A password is a secret that is intended to be memorized by the claimant and shared with the verifier. Password authentication is the process whereby the claimant demonstrates knowledge of the password by transmitting it over the network to the verifier. If the transmitted password agrees with the previously shared secret, user authentication is successful.

OATH OTP

[Figure: Example of one-time passwords (Aegis Authenticator 3.2 screenshot)]

One-time passwords (OTPs) have been used since the 1980s.[citation needed] In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual RSA Conference. [10] [11] The Initiative for Open Authentication (OATH) launched a year later.[citation needed] Two IETF standards grew out of this work, the HMAC-based One-time Password (HOTP) algorithm and the Time-based One-time Password (TOTP) algorithm specified by RFC 4226 and RFC 6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards. [12]

A traditional password (something that one knows) is often combined with a one-time password (something that one has) to provide two-factor authentication. [13] Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

A well-known example of an OATH authenticator is Google Authenticator, [14] a phone-based authenticator that implements both HOTP and TOTP.

Mobile Push

A mobile push authenticator is essentially a native app running on the claimant's mobile phone. The app uses public-key cryptography to respond to push notifications. In other words, a mobile push authenticator is a single-factor cryptographic software authenticator. A mobile push authenticator (something that one has) is usually combined with a password (something that one knows) to provide two-factor authentication. Unlike one-time passwords, mobile push does not require a shared secret beyond the password.

After the claimant authenticates with a password, the verifier makes an out-of-band authentication request to a trusted third party that manages a public-key infrastructure on behalf of the verifier. The trusted third party sends a push notification to the claimant's mobile phone. The claimant demonstrates possession and control of the authenticator by pressing a button in the user interface, after which the authenticator responds with a digitally signed assertion. The trusted third party verifies the signature on the assertion and returns an authentication response to the verifier.

The proprietary mobile push authentication protocol runs on an out-of-band secondary channel, which provides flexible deployment options. Since the protocol requires an open network path to the claimant's mobile phone, the authentication process cannot proceed if no such path is available (because of network issues, for example). [13]

FIDO U2F

A FIDO Universal 2nd Factor (U2F) authenticator (something that one has) is a single-factor cryptographic authenticator that is intended to be used in conjunction with an ordinary web password. Since the authenticator relies on public-key cryptography, U2F does not require an additional shared secret beyond the password.

To access a U2F authenticator, the claimant is required to perform a test of user presence (TUP), which helps prevent unauthorized access to the authenticator's functionality. In practice, a TUP consists of a simple button push.

A U2F authenticator interoperates with a conforming web user agent that implements the U2F JavaScript API. [15] A U2F authenticator necessarily implements the CTAP1/U2F protocol, one of the two protocols specified in the FIDO Client to Authenticator Protocol. [16]

Unlike mobile push authentication, the U2F authentication protocol runs entirely on the front channel. Two round trips are required. The first round trip is ordinary password authentication. After the claimant authenticates with a password, the verifier sends a challenge to a conforming browser, which communicates with the U2F authenticator via a custom JavaScript API. After the claimant performs the TUP, the authenticator signs the challenge and returns the signed assertion to the verifier via the browser.
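The second round trip of the U2F flow above, and the signed assertion that a mobile push authenticator returns (described under Mobile Push), reduce to the same exchange: the verifier holds only a public key, issues a one-time challenge, and accepts a signature that the authenticator produces only after a test of user presence. The following is an added example, not code from the page, from the FIDO Alliance or from any product. It uses Ed25519 and a simplified signed message (U2F itself signs an application-parameter hash and a counter with ECDSA P-256); the origin, user name and 32-byte challenge size are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a single-factor cryptographic authenticator. The private
// keys stay inside this struct, as they stay inside a hardware security key.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // one key pair per origin (relying party)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register generates a key pair for an origin and hands out only the public key.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Sign returns the signed assertion for a challenge. userPresent models the
// button push (test of user presence); the device refuses to sign without it.
// The origin comes from the browser, not from the page, so a phishing site that
// relays a genuine challenge cannot obtain a signature for the real origin.
func (a *Authenticator) Sign(origin string, challenge []byte, userPresent bool) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for this origin")
	}
	if !userPresent {
		return nil, errors.New("test of user presence not satisfied")
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// signedData binds the challenge to the origin. Assumed format for this
// example: SHA-256 over origin, a zero separator and the challenge bytes.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Verifier is the relying party. It stores public keys only; no shared secret.
type Verifier struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding one-time challenge
}

func NewVerifier(origin string) *Verifier {
	return &Verifier{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) { v.pubKeys[user] = pub }

// Challenge starts the second round trip (after password authentication) by
// issuing a fresh random challenge that is valid for a single assertion.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge and checks the signature with the
// user's registered public key. A replayed assertion fails because its
// challenge is no longer pending.
func (v *Verifier) Verify(user string, challenge, sig []byte) bool {
	want, ok := v.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(v.pending, user)
	pub, ok := v.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(v.origin, challenge), sig)
}

func main() {
	auth := NewAuthenticator()
	rp := NewVerifier("https://example.com") // constructed origin
	pub, _ := auth.Register("https://example.com")
	rp.Enroll("alice", pub)
	ch, _ := rp.Challenge("alice")
	sig, _ := auth.Sign("https://example.com", ch, true)
	fmt.Println("assertion", hex.EncodeToString(sig)[:16], "... accepted:", rp.Verify("alice", ch, sig))
	fmt.Println("replay accepted:", rp.Verify("alice", ch, sig))
}
```

The verifier never learns anything it could use to impersonate the claimant, which is the distinction the section draws against OTP: a breach of the relying party's credential store yields public keys only. The one-time challenge and the origin binding are what make a captured assertion worthless elsewhere.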

Multi-factor authenticators

To use a multi-factor authenticator, the claimant performs full user verification. The multi-factor authenticator (something that one has) is activated by a PIN (something that one knows), a biometric (something that is unique to oneself; e.g., fingerprint, face or voice recognition), or some other verification technique. [3]

ATM card

To withdraw cash from an automated teller machine (ATM), a bank customer inserts an ATM card into a cash machine and types a Personal Identification Number (PIN). The input PIN is compared to the PIN stored on the card's chip. If the two match, the ATM withdrawal can proceed.

Note that an ATM withdrawal involves a memorized secret (i.e., a PIN) but the true value of the secret is not known to the ATM in advance. The machine blindly passes the input PIN to the card, which compares the customer's input to the secret PIN stored on the card's chip. If the two match, the card reports success to the ATM and the transaction continues.

An ATM card is an example of a multi-factor authenticator. The card itself is something that one has while the PIN stored on the card's chip is presumably something that one knows. Presenting the card to the ATM and demonstrating knowledge of the PIN is a kind of multi-factor authentication.

Secure Shell

Secure Shell (SSH) is a client-server protocol that uses public-key cryptography to create a secure channel over the network. In contrast to a traditional password, an SSH key is a cryptographic authenticator. The primary authenticator secret is the SSH private key, which is used by the client to digitally sign a message. The corresponding public key is used by the server to verify the message signature, which confirms that the claimant has possession and control of the private key.

To avoid theft, the SSH private key (something that one has) may be encrypted using a passphrase (something that one knows). To initiate a two-factor authentication process, the claimant supplies the passphrase to the client system.

Like a password, the SSH passphrase is a memorized secret but that is where the similarity ends. Whereas a password is a shared secret that is transmitted over the network, the SSH passphrase is not shared, and moreover, use of the passphrase is strictly confined to the client system. Authentication via SSH is an example of passwordless authentication since it avoids the transmission of a shared secret over the network. In fact, SSH authentication does not require a shared secret at all.

FIDO2

[Figure: Example of WebAuthn (Pixiv with Bitwarden); Bitwarden passkey window screenshot]

The FIDO U2F protocol standard became the starting point for the FIDO2 Project, a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP). [17] Together WebAuthn and CTAP provide a strong authentication solution for the web.

A FIDO2 authenticator, also called a WebAuthn authenticator, uses public-key cryptography to interoperate with a WebAuthn client, that is, a conforming web user agent that implements the WebAuthn JavaScript API. [18] The authenticator may be a platform authenticator, a roaming authenticator, or some combination of the two. For example, a FIDO2 authenticator that implements the CTAP2 protocol [16] is a roaming authenticator that communicates with a WebAuthn client via one or more of the following transport options: USB, near-field communication (NFC), or Bluetooth Low Energy (BLE). Concrete examples of FIDO2 platform authenticators include Windows Hello [19] and the Android operating system. [20]

A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a simple test of user presence (e.g., a button push). In multi-factor mode, the authenticator (something that one has) is activated by either a PIN (something that one knows) or a biometric ("something that is unique to oneself").

Security considerations

First and foremost, strong authentication begins with multi-factor authentication. The best thing one can do to protect a personal online account is to enable multi-factor authentication. [13] [21] There are two ways to achieve multi-factor authentication:

  1. Use a multi-factor authenticator
  2. Use a combination of two or more single-factor authenticators

In practice, a common approach is to combine a password authenticator (something that one knows) with some other authenticator (something that one has) such as a cryptographic authenticator.

Generally speaking, a cryptographic authenticator is preferred over an authenticator that does not use cryptographic methods. All else being equal, a cryptographic authenticator that uses public-key cryptography is better than one that uses symmetric-key cryptography since the latter requires shared keys (which may be stolen or misused).

Again all else being equal, a hardware-based authenticator is better than a software-based authenticator since the authenticator secret is presumably better protected in hardware. This preference is reflected in the NIST requirements outlined in the next section.

NIST authenticator assurance levels

NIST defines three levels of assurance with respect to authenticators. The highest authenticator assurance level (AAL3) requires multi-factor authentication using either a multi-factor authenticator or an appropriate combination of single-factor authenticators. At AAL3, at least one of the authenticators must be a cryptographic hardware-based authenticator. Given these basic requirements, possible authenticator combinations used at AAL3 include:

  1. A multi-factor cryptographic hardware-based authenticator
  2. A single-factor cryptographic hardware-based authenticator used in conjunction with some other authenticator (such as a password authenticator)

See the NIST Digital Identity Guidelines for further discussion of authenticator assurance levels. [9]

Restricted authenticators

Like authenticator assurance levels, the notion of a restricted authenticator is a NIST concept. [3] The term refers to an authenticator with a demonstrated inability to resist attacks, which puts the reliability of the authenticator in doubt. Federal agencies mitigate the use of a restricted authenticator by offering subscribers an alternative authenticator that is not restricted and by developing a migration plan in the event that a restricted authenticator is prohibited from use at some point in the future.

Currently, the use of the public switched telephone network is restricted by NIST. In particular, the out-of-band transmission of one-time passwords (OTPs) via recorded voice messages or SMS messages is restricted. Moreover, if an agency chooses to use voice- or SMS-based OTPs, that agency must verify that the OTP is being transmitted to a phone and not an IP address since Voice over IP (VoIP) accounts are not routinely protected with multi-factor authentication. [9]

Comparison

It is convenient to use passwords as a basis for comparison since it is widely understood how to use a password. [22] On computer systems, passwords have been used since at least the early 1960s. [23] [24] More generally, passwords have been used since ancient times. [25]

In 2012, Bonneau et al. evaluated two decades of proposals to replace passwords by systematically comparing web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. [26] (The cited technical report is an extended version of the peer-reviewed paper by the same name. [27] ) They found that most schemes do better than passwords on security while every scheme does worse than passwords on deployability. In terms of usability, some schemes do better and some schemes do worse than passwords.

Google used the evaluation framework of Bonneau et al. to compare security keys to passwords and one-time passwords. [28] They concluded that security keys are more usable and deployable than one-time passwords, and more secure than both passwords and one-time passwords.


References

  1. "National Information Assurance (IA) Glossary" (PDF). Committee on National Security Systems. 26 April 2010. Archived (PDF) from the original on 2022-10-09. Retrieved 31 March 2019.
  2. "Glossary of Telecommunication Terms". Institute for Telecommunication Sciences. 7 August 1996. Retrieved 31 March 2019.
  3. Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). "NIST Special Publication 800-63-3: Digital Identity Guidelines". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3. Retrieved 5 February 2019.
  4. Lindemann, Rolf, ed. (11 April 2017). "FIDO Technical Glossary". FIDO Alliance. Retrieved 26 March 2019.
  5. Bianchi, Andrea; Oakley, Ian (2016). "Wearable authentication: Trends and opportunities" (PDF). It - Information Technology. 58 (5): 255–262. doi:10.1515/itit-2016-0010. S2CID 12772550. Archived (PDF) from the original on 2022-10-09.
  6. Stein, Scott (26 July 2018). "Why can't Wear OS smartwatches be security keys too?". CNET. Retrieved 31 March 2019.
  7. Williams, Brett (27 June 2017). "This smart ring gives you instant mobile payments with beefed up security". Mashable. Retrieved 31 March 2019.
  8. "Case Study: Google Security Keys Work". FIDO Alliance. 7 December 2016. Retrieved 26 March 2019.
  9. Grassi, Paul A.; Fenton, James L.; Newton, Elaine M.; Perlner, Ray A.; Regenscheid, Andrew R.; Burr, William E.; Richer, Justin P. (2017). "NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63b. Retrieved 5 February 2019.
  10. Kucan, Berislav (24 February 2004). "Open Authentication Reference Architecture Announced". Help Net Security. Retrieved 26 March 2019.
  11. "OATH Specifications and Technical Resources". Initiative for Open Authentication. Retrieved 26 March 2019.
  12. "OATH Certification". The Initiative for Open Authentication (OATH). Retrieved 3 February 2019.
  13. Hoffman-Andrews, Jacob; Gebhart, Gennie (22 September 2017). "A Guide to Common Types of Two-Factor Authentication on the Web". Electronic Frontier Foundation. Retrieved 26 March 2019.
  14. "Google Authenticator". GitHub. Retrieved 3 February 2019.
  15. Balfanz, Dirk; Birgisson, Arnar; Lang, Juan, eds. (11 April 2017). "FIDO U2F JavaScript API". FIDO Alliance. Retrieved 22 March 2019.
  16. Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (30 January 2019). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 22 March 2019.
  17. "FIDO2: Moving the World Beyond Passwords". FIDO Alliance. Retrieved 30 January 2019.
  18. Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1". World Wide Web Consortium (W3C). Retrieved 30 January 2019.
  19. Simons, Alex (20 November 2018). "Secure password-less sign-in for your Microsoft account using a security key or Windows Hello". Microsoft. Retrieved 6 March 2019.
  20. "Android Now FIDO2 Certified, Accelerating Global Migration Beyond Passwords". BARCELONA: FIDO Alliance. February 25, 2019. Retrieved 6 March 2019.
  21. "Two-factor authentication (2FA); new guidance from the NCSC". National Cyber Security Centre (NCSC). 8 Aug 2018.
  22. Hunt, Troy (5 November 2018). "Here's Why [Insert Thing Here] Is Not a Password Killer". Retrieved 24 March 2019.
  23. McMillan, Robert (27 January 2012). "The World's First Computer Password? It Was Useless Too". Wired magazine. Retrieved 22 March 2019.
  24. Hunt, Troy (26 July 2017). "Passwords Evolved: Authentication Guidance for the Modern Era". Retrieved 22 March 2019.
  25. Malempati, Sreelatha; Mogalla, Shashi (2011-07-31). "An Ancient Indian Board Game as a Tool for Authentication" (PDF). International Journal of Network Security & Its Applications. 3 (4): 154–163. doi:10.5121/ijnsa.2011.3414.
  26. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Technical Report - University of Cambridge. Computer Laboratory. Cambridge, UK: University of Cambridge Computer Laboratory. doi:10.48456/tr-817. ISSN 1476-2986. Retrieved 22 March 2019.
  27. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. CiteSeerX 10.1.1.473.2241. doi:10.1109/SP.2012.44.
  28. Lang, Juan; Czeskis, Alexei; Balfanz, Dirk; Schilder, Marius; Srinivas, Sampath (2016). "Security Keys: Practical Cryptographic Second Factors for the Modern Web" (PDF). Financial Cryptography and Data Security 2016. Archived (PDF) from the original on 2022-10-09. Retrieved 26 March 2019.