Fast IDentity Online with Anonymous Credentials (FIDO-AC)


Wei-Zhu Yeoh, CISPA Helmholtz Center for Information Security; Michal Kepkowski, Macquarie University; Gunnar Heide, CISPA Helmholtz Center for Information Security; Dali Kaafar, Macquarie University; Lucjan Hanzlik, CISPA Helmholtz Center for Information Security


Web authentication is a critical component of today's Internet and the digital world we interact with. The FIDO2 protocol enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments, following the passwordless authentication approach based on cryptography and biometric verification. However, there is little to no connection between the authentication process and users' attributes. More specifically, the FIDO protocol does not specify methods that could be used to combine trusted attributes with the FIDO authentication process generically and allow users to disclose them to the relying party arbitrarily. In essence, applications requiring attributes verification (e.g., age or expiry date of a driver's license, etc.) still rely on ad-hoc approaches that do not satisfy the data minimization principle and do not allow the user to check the disclosed data. A primary recent example is the data breach on Singtel Optus, one of the major telecommunications providers in Australia, where very personal and sensitive data (e.g., passport numbers) were leaked. This paper introduces FIDO-AC, a novel framework that combines the FIDO2 authentication process with the user's digital and non-shareable identity. We show how to instantiate this framework using off-the-shelf FIDO tokens and any electronic identity document, e.g., the ICAO biometric passport (ePassport). We demonstrate the practicality of our approach by evaluating a prototype implementation of the FIDO-AC system.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {291124,
author = {Wei-Zhu Yeoh and Michal Kepkowski and Gunnar Heide and Dali Kaafar and Lucjan Hanzlik},
title = {Fast {IDentity} Online with Anonymous Credentials ({{{{{FIDO-AC}}}}})},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {3029--3046},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video