TUSH-Key: Transferable User Secrets on Hardware Key
Aditya Mitra, Anisha Ghosh, Sibi Chakkaravarthy Sethuraman

TL;DR
This paper introduces TUSH-Key, a novel hardware-based system enabling secure, seamless, cross-platform passwordless authentication by managing transferable user secrets, addressing limitations of existing FIDO passkeys.
Contribution
The paper presents TUSH-Key, a new private key management system that allows device transferability and synchronization for passwordless authentication, overcoming proprietary and cross-platform issues.
Findings
Enables cross-platform device synchronization for passwordless login.
Addresses security and privacy concerns of proprietary cloud-based passkeys.
Demonstrates seamless user experience across multiple devices.
Abstract
Passwordless authentication was first tested for seamless and secure merchant payments without the use of passwords or PINs. It opened a whole new world of authentication, giving up the former reliance on traditional passwords. It relied on the W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) standards to use the public key cryptosystem to uniquely attest a user's device and then their identity. These standards comprise the FIDO authentication standard. As the popularity of passwordless is increasing, more and more users and service providers are adopting it. However, the concept of device attestation makes it device-specific for a user. It makes it difficult for a user to switch devices. FIDO Passkeys were aimed at solving the same, synchronizing the private cryptographic keys across multiple devices so that the user can perform passwordless…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Privacy, Security, and Data Protection
