Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication
This addresses a critical barrier to widespread adoption of passwordless authentication for users and systems, though it is incremental as it evaluates existing mechanisms.
The paper tackles the problem of account recovery in FIDO2-based passwordless authentication, evaluating 12 mechanisms and finding that current methods have drawbacks, with some relying on passwords, but identifies promising solutions.
Threats to passwords are still very relevant due to attacks like phishing or credential stuffing. One way to solve this problem is to remove passwords completely. User studies on passwordless FIDO2 authentication using security tokens demonstrated the potential to replace passwords. However, widespread acceptance of FIDO2 depends, among other things, on how user accounts can be recovered when the security token becomes permanently unavailable. For this reason, we provide a heuristic evaluation of 12 account recovery mechanisms regarding their properties for FIDO2 passwordless authentication. Our results show that the currently used methods have many drawbacks. Some even rely on passwords, taking passwordless authentication ad absurdum. Still, our evaluation identifies promising account recovery solutions and provides recommendations for further studies.