Conference papers

Please Remember Me: Security Analysis of U2F Remember Me Implementations in The Wild

Abstract: Users and service providers are increasingly aware of the security issues that arise because of password breaches. Recent studies show that password authentication can be made more secure by relying on second-factor authentication (2FA). Supported by leading web service providers, the FIDO Alliance defines the Universal 2nd Factor (U2F) protocols, an industrial standard that proposes a challenge-response 2FA solution. The U2F protocols have been thoughtfully designed to ensure high security. In particular, U2F solutions using dedicated hardware tokens fare well in terms of security compared to other 2FA authentication systems. Thus, numerous service providers propose U2F in their authentication settings. Although much attention was paid to making U2F easy to use, many users express inconvenience because of the repeated extra step it takes to log in. In order to address this, several service providers offer a remember me feature that removes the need for 2FA login on trusted devices. In this paper, we present the first systematic analysis of this undocumented feature, and we show that its security implications are not well understood. After introducing the corresponding threat models, we provide an experimental study of existing implementations of remember me. Here, we consider all the supporting websites that Yubico considers. The findings are worrisome: our analyses indicate how bad implementations can make U2F solutions vulnerable to multiple attacks. Moreover, we show that existing implementations do not correspond to the initial security analysis provided by U2F. We also implement two attacks using the identified design flaws. Finally, we discuss several countermeasures that make the remember me feature more secure. We end this work by disclosing a practical attack against Facebook in which an attacker can permanently deactivate the enabled 2FA options of a targeted victim without knowing their authentication credentials.
Document type: Conference papers

Cited literature: 32 references

https://hal.inria.fr/hal-02865105
Contributor: Gwendal Patat
Submitted on: Thursday, June 11, 2020 - 3:07:59 PM
Last modification on: Wednesday, August 5, 2020 - 3:48:53 AM

File: SSTIC2020-Article-please_remem... (file produced by the author(s))

Identifiers

  • HAL Id: hal-02865105, version 1

Citation

Gwendal Patat, Mohamed Sabt. Please Remember Me: Security Analysis of U2F Remember Me Implementations in The Wild. Actes SSTIC 2020, 18ème Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2020), 2020, Rennes, France. ⟨hal-02865105⟩
