Web authentication is a critical component of today's Internet and the
digital world we interact with. The FIDO2 protocol enables users to leverage
common devices to easily authenticate to online services in both mobile and
desktop environments following the passwordless authentication approach based
on cryptography and biometric verification. However, there is little to no
connection between the authentication process and the user's attributes. More
specifically, the FIDO protocol does not specify a generic method for combining
trusted attributes with the FIDO authentication process that would let users
disclose those attributes to the relying party at their discretion. In essence,
applications requiring attribute verification (e.g., age, or the expiry date of
a driver's license) still rely on ad-hoc approaches that neither satisfy the
data minimization principle nor allow the user to vet the disclosed data. A
prominent recent example is the data breach at Singtel Optus, one of the major
telecommunications providers in Australia, in which highly personal and
sensitive data (e.g., passport numbers) were leaked. This paper introduces
FIDO-AC, a novel framework that combines the FIDO2 authentication process with
the user's digital and non-shareable identity. We show how to instantiate this
framework using off-the-shelf FIDO tokens and any electronic identity document,
e.g., the ICAO biometric passport (ePassport). We demonstrate the practicality
of our approach by evaluating a prototype implementation of the FIDO-AC system.

Comment: To be published in the 32nd USENIX Security Symposium (USENIX 2023).