Key Management Based on Ownership of Multiple Authenticators in Public Key Authentication

Public key authentication (PKA) has been deployed in various services to provide stronger authentication to users. In PKA, a user manages private keys on her devices called authenticators, and registers public keys to services. To protect private keys, authenticators are usually designed not to export private keys outside. Nowadays, a user has multiple authenticators like PCs and smartphones, and struggles to manage multiple public keys in many services every time she starts to use new services and replaces some of her authenticators. To ease the burden, we propose a mechanism where users and services manage public keys based on the owner of authenticators and users can access services with PKA using any of their authenticators. We introduce a key pair called an Ownership Verification Key (OVK) consisting of the private key (OVSK) and the public key (OVPK). All authenticators owned by a user derive the same OVSK from the pre-shared secret. Services verify the ownership of the authenticators using the OVPK to decide whether binding the requested public key to her account. To protect user privacy, authenticators generate an unique OVK for each service. We implement the Proof-of-Concept, show that our proposal achieves some security goals, and discuss how to mitigate threats not completely handled.