A Security Evaluation of FIDO’s UAF Protocol in Mobile and Embedded Devices

  • Christoforos Panos
  • Stefanos Malliaros
  • Christoforos Ntantogian
  • Angeliki Panou
  • Christos XenakisEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 766)


The FIDO (Fast Identity Online) Universal Authentication Framework is a new authentication mechanism that replaces passwords, simplifying the process of user authentication. To this end, FIDO transfers user verification tasks from the authentication server to the user’s personal device. Therefore, the overall assurance level of user authentication is highly dependent on the security and integrity of the user’s device involved. This paper analyses the functionality of FIDO’s UAF protocol and identifies a list of critical vulnerabilities that may compromise the authenticity, privacy, availability, and integrity of the UAF protocol, allowing an attacker to launch a number of attacks, such as, capturing the data exchanged between a user and an online service, impersonating a user at any UAF compatible online service, impersonating online services to the user, and presenting fake information to the user’s screen during a transaction.


Authentication FIDO Security analysis Trusted computing TPM Remote attestation TrustZone Mobile and embedded devices 



This research has been funded by the European Commission in part of the ReCRED project (Horizon H2020 Framework Programme of the European Union under GA number 653417).


  1. 1.
    Das, A., et al.: The tangled web of password reuse. In: NDSS, vol. 14 (2014)Google Scholar
  2. 2.
  3. 3.
    Yahoo Hacked: 450,000 passwords posted online.
  4. 4.
  5. 5.
    FIDO Alliance: Fido security reference.
  6. 6.
    Srinivas, S., et al.: Universal 2nd factor (U2F) overview. FIDO Alliance Proposed Standard, pp. 1–5 (2015)Google Scholar
  7. 7.
    FIDO Alliance: FIDO UAF Protocol Specification v1.1: FIDO Alliance Proposed Standard (2016)Google Scholar
  8. 8.
    FIDO Alliance: FIDO Certified Products. Accessed 5 June 2017
  9. 9.
    FIDO Alliance: Fido security reference (2014).
  10. 10.
    Panos, C., et al.: A specification-based intrusion detection engine for infrastructure-less networks. Comput. Commun. 54, 67–83 (2014)CrossRefGoogle Scholar
  11. 11.
    Trusted Computing Platform Alliance: TCPA main specification v. 1.2.
  12. 12.
    Winter, J.: Trusted computing building blocks for embedded linux-based ARM trustzone platforms. In: Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing. ACM (2008)Google Scholar
  13. 13.
    Common Criteria for Information Technology Security Evaluation. SAMSUNG SDS FIDO Server Solution V1.1 Certification Report (2016)Google Scholar
  14. 14.
    Helfmeier, C., Nedospasov, D., Tarnovsky, C., Krissler, J.S., Boit, C., Seifert, J.-P.: Breaking and entering through the silicon. In: Computer and Communications Security (CCS), pp. 733–744 (2013)Google Scholar
  15. 15.
    Cooijmans, T., de Ruiter, J., Poll, E.: Analysis of secure key storage solutions on Android. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices. ACM (2014)Google Scholar
  16. 16.
    Cooijmans, T., et al.: Secure key storage and secure computation in Android. Master’s thesis, Radboud University Nijmegen (2014)Google Scholar
  17. 17.
    Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-18178-8_30 CrossRefGoogle Scholar
  18. 18.
    Shen, D.: Exploiting Trustzone on Android. In: Black Hat USA (2015)Google Scholar
  19. 19.
    Rosenberg, D.: Qsee trustzone kernel integer over flow vulnerability. In: Black Hat Conference (2014)Google Scholar
  20. 20.
    Abhishek, P.C.: Student research abstract: analysing the vulnerability exploitation in Android with the device-mapper-verity (dm-verity) (2017)Google Scholar
  21. 21.
    Does, T., Maarse, M.: Subverting Android 6.0 fingerprint authentication (2016)Google Scholar
  22. 22.
    Loutfi, I., Jøsang, A.: FIDO trust requirements. In: Buchegger, S., Dam, M. (eds.) NordSec 2015. LNCS, vol. 9417, pp. 139–155. Springer, Cham (2015). doi: 10.1007/978-3-319-26502-5_10 CrossRefGoogle Scholar
  23. 23.
    Hu, K., Zhang, Z.: Security analysis of an attractive online authentication standard: FIDO UAF protocol. IEEE China Commun. 13(12), 189–198 (2016)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Christoforos Panos
    • 1
  • Stefanos Malliaros
    • 2
  • Christoforos Ntantogian
    • 2
  • Angeliki Panou
    • 2
  • Christos Xenakis
    • 2
    Email author
  1. 1.Department of Informatics and TelecommunicationsUniversity of AthensAthensGreece
  2. 2.Department of Digital SystemsUniversity of PiraeusPireasGreece

Personalised recommendations