WebAuthn and FIDO2 are the modern open standards that promise strong, phishing-resistant and — perhaps most importantly — easy-to-use multi-factor authentication (MFA) through the use of built-in biometrics or security keys. But one question remains, “What if I lose my authenticator and get locked out of my account?”
The current answer to that question is that a user registers more than one authenticator with every account. Not only is this cumbersome and inconvenient, but the backup authenticator must be carried along and presented every time the user registers with a new service, which increases the chance that it is lost or exposed and therefore defeats its purpose. A few alternative solutions have been proposed, but until now none has offered an excellent user experience without compromising on security.
This session will provide an overview of a recently-proposed extension to the W3C WebAuthn protocol. The proposal, led by Yubico engineers and analysed by cryptographic researchers at the Surrey Center for Cyber Security, makes a backup authenticator user-friendly: the backup does not have to be present at each registration, and no secrets or private keys are ever shared between the primary and backup authenticators. Standardization work remains to be done, but with a cryptographic security proof in place, this work can form a solid basis for WebAuthn account recovery moving forward.
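The abstract does not spell out the mechanism, so the following is an added illustration, not code from the session or from Yubico. The proposal is built on asynchronous remote key generation (ARKG): the backup authenticator publishes one long-term public key; the primary authenticator uses only that public key, plus a fresh ephemeral key, to derive a new credential public key for each relying party and a small "credential" blob that is stored with the relying party; only the holder of the backup's private key can later turn that blob into the matching private key. The sketch below does this over secp256k1 with SHA-256/HMAC-SHA-256, which are my choices for a self-contained example and not the encoding or curve the extension specifies; the function names are hypothetical.

```python
"""ARKG-style backup credential derivation (illustrative, not the WebAuthn
extension's wire format).  Pure Python, secp256k1, no third-party packages."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed here for a self-contained example).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)


def encode_point(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def decode_point(data):
    return (int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:65], "big"))


def kdf(shared_point, label):
    """Derive a 32-byte key from an ECDH shared point (SHA-256, assumed KDF)."""
    return hashlib.sha256(label + encode_point(shared_point)).digest()


def derive_credential(backup_pk):
    """Primary authenticator side: needs ONLY the backup's public key.
    Returns (derived public key, credential blob to store at the RP)."""
    e, E = keygen()                                    # fresh ephemeral key
    shared = ec_mul(e, backup_pk)                      # e*S
    ck = int.from_bytes(kdf(shared, b"ck"), "big") % N  # scalar offset
    mk = kdf(shared, b"mk")                            # MAC key
    derived_pk = ec_add(backup_pk, ec_mul(ck, G))      # S + ck*G = (s+ck)*G
    cred = encode_point(E)
    tag = hmac.new(mk, cred, hashlib.sha256).digest()  # lets backup verify blob
    return derived_pk, cred + tag


def recover_private_key(backup_sk, blob):
    """Backup authenticator side: rebuilds the private key from the blob.
    Raises ValueError if the blob was not derived for this backup key."""
    E = decode_point(blob[:65])
    tag = blob[65:]
    shared = ec_mul(backup_sk, E)                      # s*E = s*e*G = e*S
    ck = int.from_bytes(kdf(shared, b"ck"), "big") % N
    mk = kdf(shared, b"mk")
    if not hmac.compare_digest(tag, hmac.new(mk, blob[:65], hashlib.sha256).digest()):
        raise ValueError("credential was not derived for this backup authenticator")
    return (backup_sk + ck) % N


def demo():
    """End-to-end: derive on the primary, recover on the backup, verify match."""
    backup_sk, backup_pk = keygen()                    # backup's long-term pair
    derived_pk, blob = derive_credential(backup_pk)    # primary, at registration
    derived_sk = recover_private_key(backup_sk, blob)  # backup, at recovery time
    return ec_mul(derived_sk, G) == derived_pk
```

The point to notice is what each side holds: the primary authenticator never sees `backup_sk`, the relying party stores a per-registration public key that is unlinkable to the backup's public key without the blob, and the backup authenticator need not be present until recovery. Because the blob carries a MAC keyed from the shared secret, a blob forged for a different backup key is rejected rather than producing a useless private key.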