Technical Report on a Virtual CTAP2 WebAuthn Authenticator
This work addresses the problem of passwordless authentication adoption for users and developers by offering an open-source alternative to physical hardware keys, though it is incremental as it builds on existing standards.
The researchers tackled the slow adoption of passwordless authentication by developing a virtual WebAuthn authenticator, which provides secure software authentication for devices without hardware keys and supports TPM-based key generation.
Even though passwordless authentication to online accounts offers greater security and protection from attack, passwords remain prevalent. Passwordless authentication adoption is impacted by the slow adoption of external hardware keys required to generate the security keys within the authentication protocol. We have developed a virtual WebAuthn authenticator in order to provide an extensible open source platform for understanding the associated standards of WebAuthn and CTAP2. Our authenticator provides secure software authentication for devices that do not have access to a physical hardware interface. Our authenticator also provides an alternative to an external physical hardware key and supports the use of a trusted platform module (TPM) on a device to generate the security keys within a WebAuthn protocol.