A research paper by Nils Höll, written for the course "Applied Concepts of Web Engineering" at the University of Duisburg-Essen.
Warning
THIS REPOSITORY IS ARCHIVED - Further development moved to Codeberg
Passwords are insecure and annoying to use, especially when one tries to use them securely. The problems with this form of authentication are well known: there are dozens of studies and articles on why passwords should no longer be used, how they can be made more secure, and why people still reuse already weak credentials despite knowing better.
Those findings and their conclusion - that we need better forms of authentication for web applications - are supported by the almost regular credential leaks from companies in all sectors, collected by sites like Have I Been Pwned or the Hasso-Plattner-Institut Identity Leak Checker.
One of the many proposals on how to tackle this problem comes from the Fast IDentity Online (FIDO) Alliance. Their authentication framework, Fast IDentity Online 2 (FIDO2), consisting of the W3C Web Authentication API (WebAuthn) and the Client to Authenticator Protocol (CTAP), promises an open standard for secure and easy-to-use web authentication. Instead of a shared secret that the server must store and the user must remember, it relies on public-key challenge-response signatures, so a leaked server database does not yield reusable credentials.
This paper analyzes the current body of knowledge regarding the security and usability of FIDO2 and tries to draw a conclusion as to whether or not it could replace legacy passwords in the future.
To read the full paper, please refer to the PDF document hoell2020_fido2-auth.