Achievement Award

International standardization, development, and commercialization of passwordless authentication

Hidehito GOMI
Shuji YAMAGUCHI
Yuya ITO

Passwords have been the most common form of authentication for Internet services. However, they are known to be vulnerable to threats such as password-list attacks, which allow unauthorized access to user accounts. In addition, passwords are difficult to remember, and long ones are tedious to input on user devices. The awardees developed and commercialized request-and-response personal authentication using public-key cryptography, which is free from the above-mentioned security and usability problems.

In request-and-response authentication using public-key cryptography, users rely on an authenticator in a user device, such as a smartphone equipped with biometric (e.g., fingerprint and face) authentication capabilities (Fig. 1). At authentication time, the authentication server issues a request by sending a string of random characters to the user device. The authenticator in the user device verifies the user by his/her biometrics, signs the received string with that user's private key, and returns the signed string to the authentication server. The server can thus confirm that the signed string it received corresponds to the one-time string it issued for that request, which yields authentication that is both usable and secure. This is one of the core technologies in the technical specification WebAuthn (Web Authentication)(1), which was originally developed by the FIDO (Fast Identity Online) Alliance, a standardization body for a new authentication specification to replace the password, and is published as a Recommendation by the W3C (World Wide Web Consortium), the world's largest body for Internet-related standards. The Yahoo! JAPAN authentication server developed by the awardees was certified as conforming to the FIDO specifications and interoperable with authenticators manufactured by others in 2015, followed by certification against the FIDO2 specification, again with interoperability with authenticators manufactured by others, in 2018; both were world firsts. The awardees also took the lead in coordinating FIDO Alliance members on a method for recovering account access when a user device is lost, and published the detailed recovery procedure as a co-editor of a FIDO white paper(2). In addition to these efforts, the awardees published tutorial papers(3, 4, 5) and web articles and delivered invited lectures on passwordless authentication, thereby contributing to its dissemination.

The awardees introduced FIDO2-compliant passwordless authentication to the Yahoo! JAPAN service, which has the largest number of users in Japan (Nielsen, 2021): for Android devices in 2018, the first such deployment in the world, and for iOS devices in 2020, again a world first. They also completed the commercialization of FIDO2-compliant passwordless authentication for Windows and macOS devices (2021). As of September 2022, a total of 17.5 million people had used it on the Yahoo! JAPAN service. The awardees compared the usability of FIDO-based, password (PWD)-based, and SMS (short message service)-based authentication in the Yahoo! JAPAN service (Fig. 2) by subjective and objective evaluation(6, 7). The results demonstrate that, compared to PWD-based authentication, FIDO-based authentication scored 2 points higher on the subjective usability score (SUS) and took 13 seconds less time to authenticate, both with a statistically significant difference. The paper(8) reporting these results received the 2021 CSS (Computer Security Symposium) Paper Award and the 2022 IPSJ (Information Processing Society of Japan) Yamashita SIG Research Award, reflecting its academic acclaim.

The passwordless authentication technology developed by the awardees has been widely used in a variety of applications, such as banking apps and QR-code payment, through the WebAuthn deployment in the commercial service. These achievements have received the 69th Electrical Science and Engineering Award and the 2021 IPSJ Industrial Achievement Award. The accomplishments of the awardees are outstanding and deserve the IEICE Achievement Award.

Fig. 1: Request-and-response personal authentication using public-key cryptography
Fig. 2: Subjective and objective evaluation of deployed services

References

  1. W3C. “Web Authentication: An API for Accessing Public Key Credentials – Level 1,” W3C Recommendation, 2019.
  2. H. Gomi, B. Leddy, and D. H. Saxe. “Recommended Account Recovery Practices for FIDO Relying Parties,” FIDO Alliance white paper, Feb. 2019.
  3. H. Gomi. “FIDO: Next Generation Authentication Standardization,” Activity Notes on Standardization, The Journal of the Institute of Image Information and Television Engineers, vol. 70, no. 3, pp. 481-484, Jan. 2016 (in Japanese).
  4. H. Gomi and W. Oogami. “FIDO Authentication and Its Technology: Technical Specifications and Standardization Activities,” IEICE Fundamentals Review, vol. 12, no. 2, pp. 115-125, Oct. 2018 (in Japanese).
  5. H. Izawa and H. Gomi. “What Financial Institutions Should Consider When Deploying Next-Generation Authentication Technologies: Focusing on FIDO,” Monetary and Economic Studies, vol. 35, no. 4, Institute for Monetary and Economic Studies, Bank of Japan, pp. 21-54, Feb. 2016 (in Japanese).
  6. W. Oogami, H. Gomi, S. Yamaguchi, S. Yamanaka, and H. Higurashi. “Observation Study on Usability Challenges for Fingerprint Authentication,” Proc. USENIX Conference on Usable Privacy and Security (SOUPS), Aug. 2020.
  7. S. Yamaguchi, H. Gomi, W. Oogami, and T. Higurashi. “Usability Analysis and Evaluation of WebAuthn-based Passwordless Biometric Authentication,” IPSJ Journal, vol. 64, no. 4, pp. 1-14, Apr. 2023 (in Japanese, to appear).
  8. S. Yamaguchi, H. Gomi, W. Oogami, and T. Higurashi. “Usability Study of WebAuthn-based Passwordless Biometric Authentication Using Crowdsourcing,” Proc. Computer Security Symposium (CSS), pp. 207-214, Oct. 2021 (in Japanese).