In order to prevent attacks such as phishing, an enterprise needs its users to log in using a World Wide Web Consortium (W3C) Web Authentication (WebAuthn)-based authenticator. Current WebAuthn authenticator devices present a number of problems for an enterprise. For example, outsourcing authentication device distribution logistics to a device vendor brings great operational benefits to an enterprise, but this traditionally requires that a large amount of trust be placed in the vendor. Techniques are presented herein that split an authenticator's secret between the two parties (i.e., an enterprise and a vendor), requiring active collaboration by the parties to issue an authenticator. This prevents both the device vendor alone, and read-only compromises of the enterprise, from issuing unauthorized or duplicated keys, while maintaining the ability to delegate logistics management to the vendor.
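The following is an added toy model of the two-party activation idea, not the disclosure's own protocol: it assumes each party holds an independent random share, that a device's activation key is derived from both parties' HMAC contributions over the device serial, and that the enterprise keeps an issuance record it consults before contributing. The `Party`, `Enterprise`, `derive_device_key` and `activate` names are hypothetical.

```python
"""Toy model of two-party WebAuthn token activation (added example; the
share scheme, HMAC contributions and issuance record are assumptions).
Neither share alone yields a device key, so the vendor cannot issue
unilaterally, and a read-only copy of enterprise state cannot approve
a second (duplicate) activation because approval mutates the record."""
import hashlib
import hmac
import secrets

SHARE_LEN = 32


class Party:
    """Holds one random share and contributes an HMAC for a device serial."""

    def __init__(self, name: str):
        self.name = name
        self._share = secrets.token_bytes(SHARE_LEN)

    def contribute(self, serial: str) -> bytes:
        # HMAC over the serial: usable for this device only, reveals no share
        return hmac.new(self._share, serial.encode(), hashlib.sha256).digest()


class Enterprise(Party):
    """Enterprise side: contributes only after recording the serial as issued."""

    def __init__(self):
        super().__init__("enterprise")
        self._issued: set[str] = set()  # constructed in-memory issuance record

    def approve(self, serial: str) -> bytes:
        if serial in self._issued:
            raise PermissionError(f"serial {serial} already activated")
        self._issued.add(serial)
        return self.contribute(serial)


def derive_device_key(enterprise_part: bytes, vendor_part: bytes, serial: str) -> bytes:
    """Combine both contributions into the authenticator's credential seed."""
    ikm = enterprise_part + vendor_part
    return hashlib.sha256(b"webauthn-activation|" + serial.encode() + b"|" + ikm).digest()


def activate(enterprise: Enterprise, vendor: Party, serial: str) -> bytes:
    """Full activation: needs the vendor's contribution and enterprise approval."""
    return derive_device_key(enterprise.approve(serial), vendor.contribute(serial), serial)
```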
This work is licensed under a Creative Commons Attribution 4.0 License.
Barnes, Richard; Goodman, Adam; and Hoffman, Carson, "TWO-PARTY WEBAUTHN TOKEN ACTIVATION", Technical Disclosure Commons, (December 12, 2022)