Designing Passwordless Authentication with the Tillitis TKey for Secure Web Login - A user-friendly authentication method using cryptographic hardware
Type: Bachelor Thesis (Examensarbete på kandidatnivå)
Abstract
The growing frequency of cyber threats, coupled with increasing regulatory demands,
has intensified the need for secure, user-friendly alternatives to traditional
password-based authentication. This thesis presents a proof-of-concept implementation
of a passwordless authentication solution using the Tillitis TKey, a cryptographic
USB device designed for secure identity verification. The proposed solution uses
hardware-based challenge-response authentication, implemented on a modern web stack
with a Svelte frontend and the Web Serial API for browser-based communication with
the device. To further increase security, and as an option for future hardware
development, optional biometric authentication using facial recognition was
introduced as a second factor. The project involved translating the TKey Go libraries
written by Tillitis into TypeScript so that they could run in the browser, which also
simplified development. Although the system has limitations, such as restricted
compatibility with some browsers and operating systems, it demonstrates the
feasibility and advantages of hardware-based passwordless authentication on the web.
The thesis also discusses technical trade-offs and the ethical considerations that
were made, and outlines future work, including OAuth integration, secure key
life-cycle management and improved usability. A further limitation is the lack of a
formal security audit, which was deemed outside the scope of the project. The Tillitis
TKey is treated as a trusted component from the manufacturer, and the web application
is a proof of concept rather than a production-ready authentication service equipped
to handle real-world user data and account protection. Overall, the project provides
a foundation for developing secure and privacy-conscious authentication systems as
alternatives to traditional password-based authentication services.
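The challenge-response flow the abstract describes, as an added example that is not code from the thesis or from Tillitis. The USB device is simulated in software with a Node.js Ed25519 key pair (the signature scheme, the `tkey-web-login-v1` message label, the origin `https://login.example.test` and the user name are assumptions made for this example); the TKey wire protocol and the Web Serial transport are not modelled. What the example shows beyond the abstract is the server-side checks a practitioner needs around the signature: a fresh random nonce per login, single-use challenges (replay is rejected), a time-to-live, and domain separation by binding the signed message to the relying-party origin so a signature obtained by another site cannot be reused.

```typescript
import {
  createPublicKey,
  generateKeyPairSync,
  randomBytes,
  sign,
  verify,
  KeyObject,
} from "node:crypto";

// Assumed relying-party origin and challenge lifetime; both are example values.
const ORIGIN = "https://login.example.test";
const CHALLENGE_TTL_MS = 60_000;

// Domain-separated message: label || len(origin) || origin || nonce. Binding the
// origin means a signature produced for one site cannot be replayed against another.
// The label is a hypothetical one for this example, not a TKey message format.
export function buildSignedMessage(origin: string, nonce: Buffer): Buffer {
  const label = Buffer.from("tkey-web-login-v1\0", "utf8");
  const originBytes = Buffer.from(origin, "utf8");
  const len = Buffer.alloc(2);
  len.writeUInt16BE(originBytes.length);
  return Buffer.concat([label, len, originBytes, nonce]);
}

// Software stand-in for the hardware token: the private key never leaves this object;
// the only operation exposed is signing a challenge.
export class SimulatedTKey {
  private readonly priv: KeyObject;
  readonly publicKeyDer: Buffer;
  constructor() {
    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
    this.priv = privateKey;
    this.publicKeyDer = publicKey.export({ type: "spki", format: "der" }) as Buffer;
  }
  signChallenge(origin: string, nonce: Buffer): Buffer {
    return sign(null, buildSignedMessage(origin, nonce), this.priv);
  }
}

interface PendingChallenge { user: string; nonce: Buffer; expiresAt: number }

// Relying-party side: stores one public key per user, issues fresh challenges and
// verifies responses. The clock is injectable so expiry can be exercised deterministically.
export class ChallengeResponseServer {
  private readonly users = new Map<string, KeyObject>();
  private readonly pending = new Map<string, PendingChallenge>();
  constructor(private readonly origin: string, private readonly now: () => number = Date.now) {}

  register(user: string, publicKeyDer: Buffer): void {
    this.users.set(user, createPublicKey({ key: publicKeyDer, format: "der", type: "spki" }));
  }

  issueChallenge(user: string): { id: string; nonce: Buffer } {
    if (!this.users.has(user)) throw new Error("unknown user");
    const id = randomBytes(16).toString("hex");
    const nonce = randomBytes(32); // fresh per login attempt
    this.pending.set(id, { user, nonce, expiresAt: this.now() + CHALLENGE_TTL_MS });
    return { id, nonce };
  }

  verifyResponse(user: string, id: string, signature: Buffer): boolean {
    const c = this.pending.get(id);
    this.pending.delete(id); // single use: consumed whether or not verification succeeds
    if (!c || c.user !== user) return false;
    if (this.now() > c.expiresAt) return false;
    const pub = this.users.get(user);
    if (!pub) return false;
    return verify(null, buildSignedMessage(this.origin, c.nonce), pub, signature);
  }
}

// Walks through a successful login and three failure modes; returns the outcomes.
export function demo(): { ok: boolean; replay: boolean; wrongOrigin: boolean; expired: boolean } {
  const device = new SimulatedTKey();
  let clock = 1_700_000_000_000; // constructed clock value
  const server = new ChallengeResponseServer(ORIGIN, () => clock);
  server.register("alice", device.publicKeyDer); // "alice" is a constructed user

  const c1 = server.issueChallenge("alice");
  const sig1 = device.signChallenge(ORIGIN, c1.nonce);
  const ok = server.verifyResponse("alice", c1.id, sig1);
  const replay = server.verifyResponse("alice", c1.id, sig1); // same challenge again

  const c2 = server.issueChallenge("alice");
  const phished = device.signChallenge("https://evil.example.test", c2.nonce);
  const wrongOrigin = server.verifyResponse("alice", c2.id, phished);

  const c3 = server.issueChallenge("alice");
  const sig3 = device.signChallenge(ORIGIN, c3.nonce);
  clock += CHALLENGE_TTL_MS + 1;
  const expired = server.verifyResponse("alice", c3.id, sig3);

  return { ok, replay, wrongOrigin, expired };
}
```

In the thesis' setting the `SimulatedTKey` role is played by the real device behind the Web Serial API, and the registration step would store the public key the device exposes. Deleting the pending challenge before any check runs is deliberate: a failed or malformed response must not leave the nonce available for a second attempt.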
