FIDO2 Pairs PQC To Defend Against Future Quantum Threats
Quantum LEAP in Authentication: PQC Protects FIDO2 From Future Computing Threats
In anticipation of large-scale quantum computers, modern authentication systems, especially FIDO2 for passwordless logins, are undergoing a security migration. This change requires adding Post-Quantum Cryptography (PQC) to security keys and protocols to ensure secure access in a rapidly evolving digital environment.
FIDO2 is an industry standard that combines the FIDO Alliance's Client to Authenticator Protocol (CTAP) with W3C Web Authentication (WebAuthn), using hardware-backed cryptography. Modern implementations mostly employ RSA and ECDSA with SHA-256. Shor's algorithm, which solves discrete logarithms and integer factorisation in polynomial time on a quantum computer, breaks both, compromising today's public-key cryptography.
Quantum-Resilience is Critical
The urgency comes from the need to address quantum computing vulnerabilities, specifically “harvest now, decrypt later” (HNDL) attacks. In an HNDL scenario, an adversary records and stores encrypted communications today and decrypts them once a powerful quantum computer becomes available. With PQC in place, communications intercepted now stay secret even if the unauthorised party waits for quantum decryption to mature.
During this transition phase, FIDO2 PQC security migration studies focus on protecting against both classical and quantum attacks.
Two main security strategies:
Most early implementations, like Google's OpenSK and other research, use hybrid signature techniques. This critical security precaution combines a conventional algorithm (like ECDSA) with a promising, NIST-standardized PQC algorithm (like CRYSTALS-Dilithium) for each authentication. The security advantage of the hybrid technique is that the classical algorithm protects against attacks on the new PQC algorithm; conversely, the PQC algorithm keeps the scheme secure if a quantum computer breaks the conventional algorithm.
Pure PQC, which uses only quantum-resistant algorithms, is the long-term goal once these new methods are fully standardised and have withstood extensive public cryptanalysis.
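As an added illustration of the hybrid approach (not code from the page, from OpenSK or from the Qey project), the Go program below signs a FIDO2 assertion input with two independent keys and accepts only when both signatures verify. Go's standard library has no ML-DSA, so Ed25519 stands in for the PQC component here; the combiner logic is unchanged if an ML-DSA implementation such as liboqs's is substituted, and the authenticator data and client data are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridKey holds a classical ES256 (ECDSA P-256) key plus an independent second key.
// Assumption: Go's standard library has no ML-DSA, so Ed25519 stands in for the PQC half.
type HybridKey struct {
	EC *ecdsa.PrivateKey
	PQ ed25519.PrivateKey
}

// SigningInput is what a FIDO2 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func SigningInput(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// Sign emits both signatures over the same input: the fixed-size PQ part, then the DER ECDSA part.
func (k *HybridKey) Sign(input []byte) ([]byte, error) {
	d := sha256.Sum256(input)
	ecSig, err := ecdsa.SignASN1(rand.Reader, k.EC, d[:])
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(k.PQ, input), ecSig...), nil
}

// Verify accepts only when BOTH parts verify, so breaking or stripping one algorithm is not a forgery.
func (k *HybridKey) Verify(input, sig []byte) bool {
	d := sha256.Sum256(input)
	return len(sig) > ed25519.SignatureSize && // short-circuit: too short to hold both parts
		ed25519.Verify(k.PQ.Public().(ed25519.PublicKey), input, sig[:ed25519.SignatureSize]) &&
		ecdsa.VerifyASN1(&k.EC.PublicKey, d[:], sig[ed25519.SignatureSize:])
}

func main() {
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only: rand errors ignored
	_, pq, _ := ed25519.GenerateKey(rand.Reader)
	k := &HybridKey{EC: ec, PQ: pq}
	in := SigningInput([]byte("constructed authenticatorData"), []byte(`{"type":"webauthn.get"}`))
	sig, _ := k.Sign(in)
	fmt.Println("hybrid assertion verifies:", k.Verify(in, sig))
}
```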
Security requires interoperability and standardisation. Recent collaboration between the FIDO Alliance and NIST to produce PQC-friendly specifications includes adding PQC algorithms to the CBOR Object Signing and Encryption (COSE) codelist.
Implementation Issues and Technical Feasibility
PQC algorithms take longer to compute and have larger key and signature sizes than classical algorithms, which makes implementation difficult. These newer algorithms are also more exposed to side-channel attacks that exploit physical leakage such as power consumption. Security studies help identify points of compromise and develop effective software and hardware protections for authenticator private keys.
Research has shown that quantum-resilient FIDO2 authentication processes can be built using the CRYSTALS-Dilithium signature scheme and CRYSTALS-Kyber key exchange.
Practical PQC Authentication Prototype: Qey
Using a physical prototype security key called “The Qey”, Aditya Mitra and Sibi Chakkaravarthy Sethuraman tested the Module Lattice-based Digital Signature Algorithm (ML-DSA), which is based on CRYSTALS-Dilithium.
Hardware and Software Configuration: The Qey prototype used a USB 2.0-connected microcontroller board with an ARM Cortex-A53 processor. Because PQC is computationally demanding and hardware accelerators for it are scarce, the system runs a trimmed-down Debian. The device presents itself to the host computer as a USB Human Interface Device (HID) and functions as a FIDO key.
The PQC operations use the ML-DSA functions from the Open Quantum Safe (OQS) project, which implement the NIST standard. A custom Python implementation of CTAP allowed communication with popular FIDO2 services. The key supports ML-DSA-44 and ML-DSA-65 and falls back to ES256.
Even though its keys and signatures are larger than those of ECDSA, ML-DSA adds little computational overhead. Compared with current methods, the average added latency was 10 milliseconds (10,000 microseconds), well within authentication limits. For instance, ML-DSA-44 authentication averaged 17,800.6 microseconds versus 3,192.7 microseconds for ES256.
Future Development and Resilience
Because it implements the FIDO2 standards, the Qey resists Man-in-the-Middle (MITM) attacks and phishing (through Relying Party identity verification), and PQC strengthens its HNDL defences.
The prototype is limited by storing its cryptographic secrets on a MicroSD card, a decision forced by the lack of PQC-capable secure storage such as Secure Elements (SE) and Trusted Platform Modules (TPM). As a result, the current Qey is vulnerable to physical attacks if an attacker obtains the key. In future iterations, the researchers may address this with biometric authentication approaches and hybrid cryptography. Online authentication systems facing powerful quantum computers will benefit from this study.