A fido2 credential backup and recovery method and system

By employing a three-party collaborative architecture for FIDO2 credential backup and recovery, and utilizing exponential masking and randomization techniques, the security deficiencies of FIDO2 credential backup are addressed, enabling secure and reliable credential recovery without relying on trusted hardware.

CN122247777A · Pending · Publication Date: 2026-06-19 · NANKAI UNIV

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: NANKAI UNIV
Filing Date: 2026-05-25
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing FIDO2 credential backup technology has security deficiencies. Centralized storage is vulnerable to attack, and users cannot independently recover credentials when they lose their authenticator. Existing solutions cannot resist offline brute-force attacks without relying on trusted hardware.

Method used

A three-party collaborative architecture is introduced, consisting of an authenticator, a dependent server, and an independent backup server. Credential backup and recovery are achieved through exponential masking, randomization, and password-derived exponents. The recovery process requires real-time online interaction among the three parties, and recovery authority is distributed so that no single party can independently verify a password guess or recover credentials.

Benefits of technology

It effectively resists offline brute-force attacks, allowing users to recover credentials online using only knowledge factors, protecting identity privacy, reducing the risk of single points of failure, and improving system deployability and operational flexibility.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a FIDO2 credential backup and recovery method and system, relating to the field of information security technology. It solves the technical problems of existing FIDO2 credential backup schemes, such as the vulnerability of single-third-party hosting to offline brute-force attacks and the need for pre-set backup devices in multi-authenticator schemes. This method involves collaborative execution by the user side, the dependent server, and an independent backup server, sequentially completing system initialization, credential backup, and credential recovery processes. It uses exponential masking technology to securely process the credential private key. The recovery process requires real-time online interaction among the three parties to complete the demasking calculation; if any single party is compromised, it will be impossible to independently verify the password or recover the credential. This invention does not require modification of the existing FIDO2 standard or authenticator firmware, effectively resists both offline and online password guessing attacks, protects user identity privacy, and provides users with a secure, convenient, and auditable FIDO2 credential backup and recovery path.

Description

Technical Field

[0001] This invention relates to the field of information security technology, specifically to a FIDO2 credential backup and recovery method and system.

Background Technology

[0002] The FIDO2 (Fast IDentity Online 2) protocol implements a passwordless authentication mechanism based on public-key cryptography through the WebAuthn standard and the CTAP protocol. The user device (i.e., the authenticator) generates a non-exportable private key credential for each dependent account. During authentication, the private key remains on the device, effectively resisting phishing attacks and the risk of server-side credential leakage. However, this non-exportability also introduces a significant usability flaw: when the authenticator is lost, damaged, or replaced, users cannot migrate their original credentials to the new device, potentially causing them to permanently lose access to the dependent account.

[0003] To address the aforementioned issues, existing technologies offer several credential backup and recovery solutions. Patent publication number CN117527185A discloses a high-security identity authentication method and system based on blockchain. This solution combines FIDO2 passwordless authentication technology with blockchain, utilizing the immutability of blockchain to store encrypted backup data. If a user device is lost, the backup data can be recovered using the stored encryption key. Furthermore, existing technologies propose a backup authenticator scheme based on Asynchronous Remote Key Generation (ARKG). This scheme allows the master authenticator to generate a set of public keys, and the backup authenticator can recover the corresponding private key in a subsequent stage, thereby achieving credential recoverability without exposing the master authenticator's private key. These existing technologies represent two mainstream credential backup technology paths: one relies on distributed ledgers or trusted cloud services for encrypted storage and synchronization, while the other achieves credential recovery through a key derivation mechanism between the master and backup authenticators.

[0004] The aforementioned existing technologies still have security vulnerabilities in practical deployments. Blockchain-based or cloud-synchronized solutions entrust encrypted backup data to a single third-party entity (such as a cloud service provider or blockchain network). If this entity is compromised, attackers can obtain the encrypted backup data and attempt to brute-force user passwords offline, thereby recovering the credential private key. While ARKG-based multi-authenticator solutions avoid centralized storage, they require users to hold backup authenticators in advance. If a user only has one authenticator and that device is lost, the recovery process cannot be initiated. Therefore, how to provide users with a feasible path to complete online credential recovery using only knowledge factors, while ensuring security (i.e., preventing independent credential recovery even if any single party is compromised), has become a pressing technical problem in this field.

Summary of the Invention

[0005] The purpose of this invention is to overcome the shortcomings of existing technologies and provide a FIDO2 credential backup and recovery method and system. By introducing a three-party collaborative architecture of an authenticator, a dependent server, and an independent backup server, and through cryptographic constructions such as exponential masking, randomization, and password derivation exponents, the backup records can resist offline brute-force attacks without relying on trusted hardware. The recovery process requires real-time online interaction among the three parties. If any single party is compromised, it will be impossible to independently verify password guessing or recover credentials. Thus, without changing the existing FIDO2 authentication process, it provides users with a deployable and auditable credential recovery path.

[0006] To address the aforementioned technical problems, this invention provides the following technical solution: On one hand, a FIDO2 credential backup and recovery method, which is collaboratively executed by the user side, the dependent server, and the independent backup server, including a system initialization phase, a credential backup phase, and a credential recovery phase. During the system initialization phase, the dependent server and the independent backup server are configured with long-term secret parameters for subsequent interactions, and the user side holds the knowledge factor and generates an unexportable credential private key in the authenticator. During the credential backup phase, the user side performs cryptographic masking on the credential private key based on the knowledge factor, generates a masked component, and sends it to the dependent server. The dependent server transforms the masked component using its long-term secret parameters and returns it to the user side. The user side generates a backup record based on the transformed masked component and sends the backup record to an independent backup server for persistent storage. During this process, neither the dependent server nor the independent backup server obtains the plaintext of the knowledge factor and the credential private key. During the credential recovery phase, the user initiates a recovery request by inputting candidate knowledge factors into the new authenticator; the independent backup server, the dependent server, and the user perform cryptographic demasking operations through multi-party online interaction based on the backup records and candidate knowledge factors; the user completes the recovery of the credential private key locally only when the candidate knowledge factors are verified correctly; each recovery attempt requires the real-time online participation of the dependent server and the independent backup server.

[0007] Furthermore, the system initialization phase includes: Selecting a prime-order cyclic group Among them, the prime order cyclic group The order is , It is a prime number; Define a hash function Hash function Map binary strings of arbitrary length to modulo... Integer ring ; Dependent server from model Integer ring Selecting a long-term key And based on generators Calculate and publish public key Public key Equal to generator long-term key Power of; Independent backup server from model Integer ring Selecting an independent backup server for long-term confidentiality ; and public parameters With public key The common parameters are provided to both the user side and the independent backup server. Including prime-order cyclic groups Generator Prime-order cyclic group The level and hash function .

[0008] Furthermore, the credential backup phase includes: The user-side FIDO2 authenticator generates the first random number. Second random number Third random number The first random number Second random number Third random number All belong to the category of models Integer ring ; And based on password With the first random number Calculate the password derivation index ; Based on password derivation index Private key for credentials Exponential masking is used to obtain the masking component. and challenge weight Generate auxiliary parameters ; And utilize the public key of the dependent server Generate a second random number masking value This enables the dependent server to perform recovery based on auxiliary parameters. Long-term key with dependent server Restore the second random number ; The user side will mask the components. Send to the dependent server, the dependent server processes the masking component. Perform long-term key based on dependent server The exponential transform yields the transformed masking component. And return to the user; The user sends backup record T to a separate backup server for storage. Backup record T contains a first random number. Transformed masking components Auxiliary parameters Challenge weight With the second random number masking value .

[0009] Furthermore, the second random number masking value Implemented via bitwise XOR: using the public key of the dependent server. The third random number The power is used as a one-time masking key to pair the second random number. XOR masking is performed, and the dependent server adjusts auxiliary parameters during the recovery phase. Long-term key of dependent server The exponentiation operation yields a one-time masking key to recover the second random number. .

[0010] Furthermore, the credential recovery phase includes: The independent backup server reads backup record T and generates a fourth random number. Fifth random number The fourth random number Fifth random number All belong to the category of models Integer ring ; For the transformed masking components With challenge weight The first blinding value is obtained by performing exponential blinding separately. With the second blinding value and the first random number With the second blinding value Send to the user.

[0011] Furthermore, the new FIDO2 authenticator on the user side generates a sixth random number. The sixth random number Belongs to the model Integer ring ; Based on candidate passwords With the first random number Calculate the candidate password derivation index And for the second blinding value The third blinding value is obtained by performing an exponential operation. Then it is sent to a separate backup server; Independent backup servers will blind the third value With the first blinding value and the second random number masking value Auxiliary parameters Forward to the dependent server.

[0012] Furthermore, the dependent server generates a seventh random number. The seventh random number Belongs to the model Integer ring ; Using the second random number mask value Auxiliary parameters and the long-term key of the dependent server Restore the second random number ; And calculate the combination coefficients. The combination coefficient Long-term key with dependent server The difference between minus 1 is relevant; The dependent server then blinded the third value. With the first blinding value Perform exponential transformations to eliminate the second random number. And introduce a seventh random number To obtain the first intermediate value With the second intermediate value And return to a separate backup server.

[0013] Furthermore, the independent backup server provides the first intermediate value With the second intermediate value Perform unblinding processing separately to eliminate the fifth random number generated by the independent backup server. With the fourth random number The first unblinding value is obtained. With the second unblinding value and the first unblinding value Second unblinding value With combination coefficients Send to the user; The user side uses the first unblinding value. With the second unblinding value Perform combination operations to obtain the combined value ; If and only if the candidate password is correct, the candidate password derivation index is increased. Equal to password derivation index At that time, the user side relies on the combined value Candidate password derivation index With combination coefficients Restore the original credential private key within the FIDO2 authenticator. Import the new FIDO2 authenticator; otherwise, output a termination symbol and terminate the recovery process.

[0014] Furthermore, the independent backup server configures a token bucket-based rate limiting policy for each user identifier or backup record T, limiting the maximum number of recovery attempts allowed within a preset time window, and records an audit log for each recovery request to suppress online password guessing attacks. Neither the dependent server nor the independent backup server stores user passwords. Or credentials private key ; The backup record T is computationally resistant to offline exhaustive search and introduces independent random numbers in each recovery interaction, including a fourth random number. Fifth random number The sixth random number The seventh random number This prevents independent backup servers from inferring the linkability of the same user or the same credentials based on multiple interactions.

[0015] On the other hand, a FIDO2 credential backup and recovery system, applicable to a FIDO2 credential backup and recovery method, the system comprising: a user terminal, a FIDO2 authenticator module, a dependent server, and an independent backup server; The user terminal works in conjunction with the FIDO2 authenticator module to perform password derivation, credential private key exponent masking, backup record generation, and exponent calculation and local credential private key recovery during the recovery phase. The dependent server performs the exponential transformation of the masking component, the recovery of the second random number, the calculation of the combination coefficients, and the generation of intermediate values; The independent backup server performs backup record storage, blinding and unblinding processing, and recovery request forwarding. It also configures a token bucket-based rate limiting policy for each user identifier or backup record and records audit logs for all recovery requests.

[0016] Compared with existing technologies, this FIDO2 credential backup and recovery method and system has the following advantages: First, this invention constructs a collaborative credential backup and recovery architecture involving the user side, the dependent server, and the independent backup server. It employs exponential masking technology to transform the credential private key, distributing the credential private key recovery authority among the three entities. The recovery process requires real-time online interaction among the three parties to complete the demasking operation. Neither the dependent server nor the independent backup server stores the user password or the plaintext of the credential private key. If any one party is compromised, the attacker cannot independently verify a password guess or recover the credential private key, which effectively resists offline brute-force attacks. At the same time, users do not need to hold a backup authenticator in advance; online credential recovery can be completed solely based on knowledge factors.

[0017] Second, this invention eliminates the linkability between different recovery requests by introducing independently generated random numbers in each recovery interaction for blinding processing, thus protecting user identity privacy. The independent backup server adopts a token bucket-based rate limiting strategy and records audit logs, which can effectively suppress online password guessing attacks. This solution does not require modification of the existing FIDO2 standard interface and authenticator firmware and can be deployed as an additional service. The dependent party and the backup server can be managed separately by different operating entities, further reducing the risk of single point of failure and improving the system's deployability and operational flexibility.
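The per-record token bucket and audit log described in paragraphs [0014] and [0017] can be sketched as follows. This is an added example, not code from the patent; the class name, field names, capacity and refill interval are assumptions, since the page gives no concrete values.

```python
import time


class RecoveryLimiter:
    """Token bucket per backup record, with an audit entry for every request.

    capacity and refill_seconds are illustrative values, not taken from the page.
    """

    def __init__(self, capacity=5, refill_seconds=720.0, clock=time.monotonic):
        self.capacity = capacity              # burst of attempts allowed at once
        self.refill_seconds = refill_seconds  # one new attempt earned per interval
        self.clock = clock                    # injectable so behaviour is testable
        self.buckets = {}                     # record_id -> (tokens, last_seen)
        self.audit_log = []                   # append-only list of decisions

    def allow(self, record_id, source):
        """Decide whether a recovery attempt for record_id may start."""
        now = self.clock()
        tokens, last = self.buckets.get(record_id, (float(self.capacity), now))
        # Refill in proportion to elapsed time, never beyond the capacity.
        tokens = min(float(self.capacity),
                     tokens + (now - last) / self.refill_seconds)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[record_id] = (tokens, now)
        # Every request is logged, allowed or not. Only metadata is recorded:
        # the backup server never receives the candidate password.
        self.audit_log.append({
            "ts": now,
            "record_id": record_id,
            "source": source,
            "decision": "allow" if allowed else "deny",
            "tokens_left": round(tokens, 3),
        })
        return allowed

    def worst_case_guesses(self, window_seconds):
        """Upper bound on password guesses one record can absorb in a window."""
        return self.capacity + int(window_seconds // self.refill_seconds)


if __name__ == "__main__":
    # Constructed sample: a fake clock and a documentation-range source address.
    fake_now = [0.0]
    limiter = RecoveryLimiter(capacity=3, refill_seconds=60.0,
                              clock=lambda: fake_now[0])
    for _ in range(5):
        print(limiter.allow("record-0001", "198.51.100.7"))
    print(limiter.worst_case_guesses(24 * 3600), "guesses per day at most")
```

Because each guess needs both servers online, `worst_case_guesses` is the number to compare against the expected entropy of the knowledge factor when choosing the bucket parameters.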

[0018] Other advantages, objectives and features of the invention will be set forth in part in the description which follows, and in part will be apparent to those skilled in the art from the following examination or study, or may be learned from the practice of the invention.

Attached Figure Description

[0019] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 is a flowchart of the system initialization phase of the present invention; Figure 2 is a flowchart of the credential backup stage of the present invention; Figure 3 is a flowchart of the credential recovery stage of the present invention.

Detailed Implementation

[0021] To further illustrate the technical means and effects of the present invention in achieving its intended purpose, the following detailed description of the specific implementation methods, structures, features, and effects of the present invention, in conjunction with the accompanying drawings and preferred embodiments, is provided below.

[0022] Example In this embodiment, all group operations are performed on a cyclic group of prime order. The exponential operation is performed in the modulo operation. Integer ring The operation is performed in the following way. X raised to the power of a represents raising the group element X to the power of the exponent a. Indicates that a is in the model Integer ring Multiplicative inverse on. Symbol This represents a bitwise XOR operation. (Symbol) This indicates a string concatenation operation.

[0023] The authenticator's private key credential is denoted as , Belongs to the model Integer ring And it satisfies the non-derivative attribute. The user knowledge factor is denoted as... The long-term confidentiality index of the dependent server is denoted as... The corresponding public key is denoted as The long-term confidentiality index of the backup server is denoted as... Prime-order cyclic group The generator is denoted as ,group The order is denoted as , For safe prime numbers. The hash function is denoted as... Hash function Map binary strings of arbitrary length to modulo... Integer ring .

[0024] The first random number generated by the user is denoted as . The second random number generated on the user side is denoted as... The third random number generated on the user side is denoted as... The password derivation index is denoted as... The amount of the concealed voucher is recorded as follows: The challenge weight is recorded as follows: The auxiliary public key is denoted as... The masking value of the second random number is denoted as... The transformed masking component is denoted as... The backup record is denoted as T.

[0025] The fourth random number generated by the backup server is denoted as The fifth random number generated by the backup server is denoted as... The first blinding value is denoted as The second blinding value is denoted as The sixth random number generated by the new authenticator on the user side is denoted as... The candidate password derivation index is denoted as... The third blinding value is denoted as The seventh random number generated by the dependent server is denoted as... The combination coefficient is denoted as... The first intermediate value is denoted as The second intermediate value is denoted as The first solution blind value is denoted as The second blind value is denoted as... The combined value is denoted as The terminator is denoted as... .

[0026] As shown in Figures 1 to 3, the overall process of the method of the present invention includes a system initialization stage, a credential backup stage, and a credential recovery stage. The system initialization stage prepares the necessary cryptographic parameters and key materials for the operation of the entire system.

[0027] Specifically, the dependent server first selects a prime-order cyclic group. ,group The order is , A 2048-bit safe prime number. The dependent server defines the hash function. Hash function Implemented using the SHA-256 algorithm, this method maps binary strings of arbitrary length to modulo 256. Integer ring Dependent server from model Integer ring Randomly select long-term secrecy index And based on generators Calculate the public key Public key The calculation formula is: ; in, a prime-order cyclic group generator, This refers to the long-term confidentiality index of the dependent server.

[0028] Backup server from model Integer ring Randomly select its long-term secrecy index The dependent server will provide common parameters. With public key Published to all user-side devices and backup servers via a trusted method. Public parameters Its composition includes prime-order cyclic groups Generator ,group The level and hash function .

[0029] It should be understood that the system initialization phase only needs to be executed once. The generated public parameters and public key can be used indefinitely and do not need to be regenerated when user credentials are generated or updated. The long-term confidentiality index of the dependent server and backup server must be strictly kept confidential and must not be disclosed to any third party.

[0030] As shown in Figure 2, the credential backup process is executed after the user completes FIDO2 registration and generates a non-exportable credential private key within the authenticator. The credential backup process is completed collaboratively by the user, the dependent server, and the backup server.

[0031] Step B1: The user-side FIDO2 authenticator generates the first random number. Second random number and the third random number First random number Second random number With the third random number All from the model Integer ring Randomly selected from the list. The user-side authenticator is based on the password entered by the user. With the first random number Calculate the password derivation index Password Derivation Index The calculation formula is: ; in, The hash function defined during the system initialization phase. The knowledge factor password entered by the user. The first random number generated for the user. This indicates a string concatenation operation.

[0032] Step B2: The user-side authenticator derives an index based on the password. Private key for credentials Perform exponential masking and calculate the masking credential component. With challenge weight Concealing the amount of evidence The calculation formula is: ; in, This is the private key for credentials that cannot be exported from the authenticator. The password derivation index is calculated in step B1.

[0033] Challenge weight The calculation formula is: ; in, This is the private key for credentials that cannot be exported from the authenticator. The second random number generated on the user side. The password derivation index is calculated in step B1.

[0034] The user-side authenticator calculates the auxiliary public key. Auxiliary public key The calculation formula is: ; in, a prime-order cyclic group generator, A third random number generated for the user.

[0035] The user-side authenticator utilizes the public key of the dependent server. Generate a second random number masking value The masking value of the second random number. This is achieved through bitwise XOR operations, and the calculation formula is as follows: ; in, The second random number generated on the user side. This indicates a bitwise XOR operation. For the public key of the dependent server, A third random number generated for the user.

[0036] This is understandable, given that it relies on the public key of the server. The discrete logarithm problem is computationally infeasible; no entity other than the dependent server can obtain the auxiliary public key. Calculated of Therefore, it is impossible to recover the second random number. .

[0037] Step B3: The user sends the masked credential component to the dependent server via a TLS encrypted channel. The dependent server receives the masked credential component. Subsequently, utilizing its long-term secrecy index For the portion of the concealed credentials Perform an exponential transform to obtain the transformed masking component. The masking component after transformation The calculation formula is: ; in, The masking credential component sent to the user side. This refers to the long-term confidentiality index of the dependent server.

[0038] The dependent server transmits the transformed masked component via a TLS encrypted channel. The data is returned to the user. The dependent server does not store any user data or intermediate results related to this backup.

[0039] Step B4: The user side receives the transformed masked component. Then, a complete backup record T is generated. Backup record T consists of a first random number. Transformed masking components auxiliary public key Challenge weight and the masking value of the second random number The user sends backup record T to the backup server via a TLS encrypted channel. Upon receiving backup record T, the backup server associates it with the user identifier and persists it to its location.

[0040] It should be understood that the backup record T does not contain the plaintext of the user password or the credential private key. All components in the backup record T are exponentially masked, making it computationally resistant to offline brute-force attacks. Even if the backup server is completely compromised, attackers cannot verify password guesses offline or recover the credential private key from the backup record T.

[0041] As shown in Figure 3, the credential recovery process is executed when a user loses, damages, or replaces their FIDO2 authenticator. The credential recovery process is completed collaboratively by the user-side new authenticator, the dependent server, and the backup server.

[0042] Step R1: The user initiates a credential recovery request on the new authenticator, providing their user identifier. Upon receiving the recovery request, the backup server reads the corresponding backup record T based on the user identifier. The backup server generates a fourth random number. With the fifth random number The fourth random number With the fifth random number All from the model Integer ring Randomly selected from the list.

[0043] Backup server for transformed masked components With challenge weight Perform exponential blinding separately to obtain the first blinding value. With the second blinding value First blinding value The calculation formula is: ; in, To back up the transformed masked components in record T, The fourth random number generated for the backup server.

[0044] Second blinding value The calculation formula is: ; in, To back up the challenge component in record T, The fifth random number generated for the backup server.

[0045] The backup server sends the first random number to the new authenticator on the user side via a TLS encrypted channel. With the second blinding value .

[0046] Step R2: The new authenticator on the user side receives the first random number. With the second blinding value Then, the user is prompted to enter a candidate password. The new user-side authenticator generates a sixth random number. The sixth random number From the model Integer ring Randomly selected from the list.

[0047] The new user-side authenticator is based on candidate passwords entered by the user. With the first random number Calculate the candidate password derivation index Candidate password derivation index The calculation formula is: ; in, The hash function defined during the system initialization phase. For the candidate passwords entered by the user, The first random number sent to the backup server. This indicates a string concatenation operation.

[0048] The new user-side authenticator uses the second blinding value. Perform exponential operations to obtain the third blinding value. Third blinding value The calculation formula is: ; in, The second blinding value sent to the backup server. To calculate the candidate password derivation index, The sixth random number generated for the new authenticator on the user side.

[0049] The new user-side authenticator transmits the third blinded value via a TLS encrypted channel. Send to the backup server. The backup server receives the third blinding value. Then, the third blinding value First blinding value auxiliary public key and the masking value of the second random number Forwarded to the dependent server via a TLS encrypted channel.

[0050] Step R3: After receiving the message forwarded by the backup server, the dependent server generates a seventh random number. The seventh random number From the model Integer ring Randomly selected from the list.

[0051] Dependent server uses auxiliary public key Its long-term secrecy index Calculate the one-time masking key. The formula for calculating the one-time masking key is: ; in, A secondary public key forwarded by the backup server. This refers to the long-term confidentiality index of the dependent server.

[0052] The dependent server uses a one-time masking key and a masking value of a second random number. Restore the second random number Second random number The recovery formula is: ; in, The masking value for the second random number forwarded by the backup server. This indicates a bitwise XOR operation. This is the one-time masking key obtained through calculation.

[0053] Dependent server calculates combination coefficients Combination coefficients The calculation formula is: ; in, The seventh random number generated by the dependent server. This refers to the long-term confidentiality index of the dependent server.

[0054] Dependent server blinding value for third party With the first blinding value Perform exponential transformations separately to obtain the first intermediate value. With the second intermediate value First intermediate value The calculation formula is: ; in, The third blinding value forwarded by the backup server. The seventh random number generated by the dependent server. To recover the second random number, express In the model Integer ring Multiplicative inverse of the above.

[0055] Second median value The calculation formula is: ; in, The first blinding value forwarded by the backup server. The seventh random number generated for the dependent server.

[0056] The dependent server returns the first intermediate value and the second intermediate value to the backup server via a TLS encrypted channel. The dependent server does not store any user data or intermediate results related to this recovery.
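The one-time masking key step of paragraphs [0051] and [0052], as an added example that is not code from the patent. It assumes the auxiliary public key is the generator raised to the third random number (the page's formula is missing, but this is what makes both sides derive the same key), that the key's integer value is XORed directly, and it uses a constructed toy group instead of the 2048-bit modulus.

```python
import secrets

# Constructed toy parameters: safe prime P = 2*Q + 1, far too small for real use.
P = 2039
Q = 1019
G = 4  # 4 is a square mod P, so it generates the subgroup of prime order Q


def keygen():
    """Dependent server: long-term key and the public key it publishes."""
    long_term_key = secrets.randbelow(Q - 1) + 1
    return long_term_key, pow(G, long_term_key, P)


def mask_second_random(second_random, server_public_key):
    """User side at backup time: returns (auxiliary public key, masking value)."""
    third_random = secrets.randbelow(Q - 1) + 1
    auxiliary_public_key = pow(G, third_random, P)  # assumption, see lead-in
    # Public key raised to the third random number is the one-time masking key.
    one_time_key = pow(server_public_key, third_random, P)
    return auxiliary_public_key, second_random ^ one_time_key


def unmask_second_random(auxiliary_public_key, masking_value, long_term_key):
    """Dependent server at recovery time: rebuild the key, then XOR it off."""
    one_time_key = pow(auxiliary_public_key, long_term_key, P)
    return masking_value ^ one_time_key


def demo():
    long_term_key, public_key = keygen()
    second_random = secrets.randbelow(Q)
    aux, masked = mask_second_random(second_random, public_key)
    recovered = unmask_second_random(aux, masked, long_term_key)
    # The backup server stores aux and masked but not the long-term key;
    # unmasking with any other exponent yields a different value.
    other_key = (long_term_key % (Q - 1)) + 1
    wrong = unmask_second_random(aux, masked, other_key)
    return second_random, recovered, wrong
```
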

[0057] Step R4: The backup server receives the first intermediate value. With the second intermediate value Then, deblinding is performed to eliminate the generated random numbers, resulting in the first deblinding value. With the second unblinding value. First unblinding value The calculation formula is: ; in, The first intermediate value returned by the dependent server. The fifth random number generated for the backup server. express In the model Integer ring Multiplicative inverse of the above.

[0058] Second unblinding value The calculation formula is: ; in, This is the second intermediate value returned by the dependent server. The fourth random number generated for the backup server. express In the model Integer ring Multiplicative inverse of the above.

[0059] The backup server sends the first unblinding value, the second unblinding value, and the combination coefficients to the new authenticator on the user side via a TLS encrypted channel.

[0060] Step R5: The new authenticator on the user side receives the first unblinding value. Second unblinding value and combination coefficients Then, for the first unblinding value With the second unblinding value Perform combination operations to obtain the combined value. Combined value The calculation formula is: ; in, The second unblinding value sent to the backup server. The first unblinding value sent to the backup server. express In prime-order cyclic group Multiplicative inverse of the above.

[0061] The candidate password derivation index is increased if and only if the user-entered candidate password is correct. Equal to password derivation index At that time, the new authenticator on the user side can be based on the combined value Candidate password derivation index and combination coefficients Restore original credential private key . Credentials and private keys The recovery formula is: ; in, For the calculated combined value, The candidate password derivation index is calculated in step R2. The combination coefficients sent to the backup server express The square of and The product in the modulus Integer ring Multiplicative inverse of the above.

[0062] The new authenticator on the user side imports the recovered credential private key into local secure storage and marks it as non-exportable. The credential recovery process is then complete.

[0063] If the user enters an incorrect candidate password, the candidate password derivation index is not equal to the password derivation index, so the new authenticator on the user side cannot recover a valid credential private key. It outputs the terminator symbol and terminates the recovery process.

[0064] Note that each recovery interaction introduces independent random numbers. These random numbers are generated independently by different entities and discarded immediately after the interaction is completed. Therefore, the backup server cannot infer the linkability of the same user or the same credentials based on multiple recovery interactions.

[0065] The backup server maintains a rate limit status for each user ID or backup record. The rate limit policy uses a token bucket algorithm. The initial capacity of the token bucket is set to 5, and the token replenishment rate is set to 1 token per hour. When a user initiates a recovery request, the backup server first checks if there are available tokens in the token bucket. If available tokens exist, one token is deducted and the recovery process continues. If no available tokens exist, the recovery request is rejected.

[0066] The backup server logs all recovery requests. The audit log includes the recovery request time, user ID, source IP address, and recovery result. Audit logs are retained for at least 180 days. Audit logs are used solely for post-event security auditing and risk control and may not be used for any other purpose.
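The rate limit of [0065] and the audit record of [0066] can be sketched together. This is an added example, not code from the patent: the class and field names, the injected clock, and the sample identifiers and addresses are assumptions, while the capacity of 5 and the refill of 1 token per hour come from the text.

```python
import time
from dataclasses import dataclass

CAPACITY = 5              # initial token bucket capacity, from [0065]
REFILL_INTERVAL_S = 3600  # one token replenished per hour, from [0065]


@dataclass
class Bucket:
    tokens: float
    updated: float


class RecoveryGate:
    """Per-user (or per-backup-record) token bucket with an audit trail."""

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so the policy can be tested offline
        self.buckets = {}     # user ID or backup record ID -> Bucket
        self.audit_log = []   # fields listed in [0066]

    def admit(self, user_id, source_ip):
        """Deduct one token if available; log the decision either way."""
        now = self.clock()
        bucket = self.buckets.setdefault(user_id, Bucket(CAPACITY, now))
        # Replenish for elapsed time, never above the bucket capacity.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(CAPACITY, bucket.tokens + elapsed / REFILL_INTERVAL_S)
        bucket.updated = now
        allowed = bucket.tokens >= 1.0
        if allowed:
            bucket.tokens -= 1.0
        # Rejections are logged too: they are the signal of online guessing.
        self.audit_log.append({
            "time": now,
            "user_id": user_id,
            "source_ip": source_ip,
            "result": "admitted" if allowed else "rejected_rate_limit",
        })
        return allowed


def demo():
    """Constructed scenario: seven rapid attempts, then two more an hour later."""
    t = [1_700_000_000.0]  # constructed start time
    gate = RecoveryGate(clock=lambda: t[0])
    burst = [gate.admit("record-A", "203.0.113.7") for _ in range(7)]
    t[0] += 3600
    after_hour = [gate.admit("record-A", "203.0.113.7") for _ in range(2)]
    other = gate.admit("record-B", "203.0.113.7")  # buckets are independent
    return burst, after_hour, other, gate.audit_log
```

Keying the bucket on the backup record rather than the source IP means a guesser who rotates addresses still draws from the same five tokens.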

[0067] In this embodiment, the prime-order cyclic group is constructed using a 2048-bit safe prime modulus. The hash function uses the SHA-256 algorithm. All communication between the user side, the dependent server, and the backup server is protected by the TLS 1.3 protocol.

[0068] The backup and recovery logic of this invention can be implemented as an additional service for the dependent server and the backup server. It does not require modification of the standard WebAuthn and CTAP2 interfaces. It also does not require modification of the firmware of existing FIDO2 authenticators. Backup and recovery operations on the user side can be triggered through the user account management page of the dependent website.

[0069] Dependent servers and backup servers can be deployed in different physical locations and managed by different operating entities. This can further reduce the risk of single points of failure and improve the overall security of the system.

[0070] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any way. Although the present invention has been disclosed above with reference to preferred embodiments, it is not intended to limit the present invention. Any person skilled in the art can make some modifications or alterations to the above-disclosed technical content to create equivalent embodiments without departing from the scope of the present invention. Any simple modifications, equivalent changes and alterations made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention shall still fall within the scope of the present invention.

Claims

1. A FIDO2 credential backup and recovery method, characterized in that the method is executed collaboratively by the user side, the dependent server, and the independent backup server, and includes a system initialization phase, a credential backup phase, and a credential recovery phase. During the system initialization phase, the dependent server and the independent backup server are configured with long-term secret parameters for subsequent interactions, and the user side holds the knowledge factor and generates a non-exportable credential private key in the authenticator. During the credential backup phase, the user side performs cryptographic masking on the credential private key based on the knowledge factor, generates a masking component, and sends it to the dependent server. The dependent server transforms the masking component using its long-term secret parameters and returns it to the user side; the user side generates a backup record based on the transformed masking component and sends the backup record to the independent backup server for persistent storage; during this process, neither the dependent server nor the independent backup server obtains the plaintext of the knowledge factor or the credential private key. During the credential recovery phase, the user initiates a recovery request by inputting candidate knowledge factors into the new authenticator; the independent backup server, the dependent server, and the user perform cryptographic demasking operations through multi-party online interaction based on the backup records and candidate knowledge factors; the user completes the recovery of the credential private key locally only when the candidate knowledge factors are verified correctly; each recovery attempt requires the real-time online participation of the dependent server and the independent backup server.

2. The FIDO2 credential backup and recovery method of claim 1, wherein, The system initialization phase includes: Selecting a cyclic group of prime order wherein the cyclic group of prime order has an order , is a prime number; Defining a hash function , hash function Mapping arbitrary length binary strings to a modulus Ring of integers ; The relying party server generates a long-term key from the modulus Integer ring Selecting a long-term key And based on the generator Computes and publishes a public key The public key Is equal to the long-term key Raised to the power of the generator ; The independent backup server is selected from the module Integer ring The long-term secret of the independent backup server is selected from the integer ring ; and public parameters With public key The common parameters are provided to both the user side and the independent backup server. Including prime-order cyclic groups Generator Prime-order cyclic group The level and hash function .

3. The FIDO2 credential backup and recovery method according to claim 1, characterized in that, The credential backup phase includes: The user-side FIDO2 authenticator generates the first random number. Second random number Third random number The first random number Second random number Third random number All belong to the model Integer ring ; And based on password With the first random number Calculate the password derivation index ; Based on password derivation index Private key for credentials Exponential masking is used to obtain the masking component. and challenge weight Generate auxiliary parameters ; And utilize the public key of the dependent server Generate a second random number masking value This enables the dependent server to perform recovery based on auxiliary parameters. Long-term key with dependent server Restore the second random number ; The user side will mask the components. Send to the dependent server, the dependent server processes the masking component. Perform long-term key based on dependent server The exponential transform yields the transformed masking component. And return to the user; The user sends backup record T to a separate backup server for storage. Backup record T contains a first random number. Transformed masking components Auxiliary parameters Challenge weight With the second random number masking value .

4. The FIDO2 credential backup and recovery method according to claim 3, characterized in that, Second random number masking value Implemented via bitwise XOR: using the public key of the dependent server. The third random number The power is used as a one-time masking key to pair the second random number. XOR masking is performed, and the dependent server adjusts auxiliary parameters during the recovery phase. Long-term key of dependent server The exponentiation operation yields a one-time masking key to recover the second random number. .

5. The FIDO2 credential backup and recovery method according to claim 1, characterized in that, The credential recovery phase includes: The independent backup server reads backup record T and generates a fourth random number. Fifth random number The fourth random number Fifth random number All belong to the model Integer ring ; For the transformed masking components With challenge weight The first blinding value is obtained by performing exponential blinding separately. With the second blinding value and the first random number With the second blinding value Send to the user.

6. The FIDO2 credential backup and recovery method according to claim 1, characterized in that, The user-side new FIDO2 authenticator generates a sixth random number. The sixth random number Belongs to the model Integer ring ; Based on candidate passwords With the first random number Calculate the candidate password derivation index And for the second blinding value The third blinding value is obtained by performing an exponential operation. Then it is sent to a separate backup server; Independent backup servers will blind the third value With the first blinding value and the second random number masking value Auxiliary parameters Forward to the dependent server.

7. The FIDO2 credential backup and recovery method according to claim 1, characterized in that, The dependent server generates a seventh random number. The seventh random number Belongs to the model Integer ring ; Using the second random number masking value Auxiliary parameters and the long-term key of the dependent server Restore the second random number ; And calculate the combination coefficients. The combination coefficient Long-term key with dependent server The difference between minus 1 is relevant; The dependent server then blinded the third value. With the first blinding value Perform exponential transformations to eliminate the second random number. And introduce a seventh random number To obtain the first intermediate value With the second intermediate value And return to a separate backup server.

8. The FIDO2 credential backup and recovery method according to claim 7, characterized in that, The independent backup server provides the first intermediate value. With the second intermediate value Perform unblinding processing separately to eliminate the fifth random number generated by the independent backup server. With the fourth random number The first unblinding value is obtained. With the second unblinding value and the first unblinding value Second unblinding value With combination coefficients Send to the user; The user side uses the first unblinding value. With the second unblinding value Perform combination operations to obtain the combined value ; If and only if the candidate password is correct, the candidate password derivation index is increased. Equal to password derivation index At that time, the user side relies on the combined value Candidate password derivation index With combination coefficients Restore the original credential private key within the FIDO2 authenticator. Import the new FIDO2 authenticator; otherwise, output a termination symbol and terminate the recovery process.

9. A FIDO2 credential backup and recovery method according to claim 1, characterized in that, The independent backup server configures a token bucket-based rate limiting policy for each user identifier or backup record T, limiting the maximum number of recovery attempts allowed within a preset time window, and records an audit log for each recovery request to suppress online password guessing attacks. Neither the dependent server nor the independent backup server stores user passwords. Or credentials private key ; The backup record T is computationally resistant to offline exhaustive search and introduces independent random numbers in each recovery interaction, including a fourth random number. Fifth random number The sixth random number The seventh random number This prevents independent backup servers from inferring the linkability of the same user or the same credentials based on multiple interactions.

10. A FIDO2 credential backup and recovery system, applicable to the FIDO2 credential backup and recovery method according to any one of claims 1 to 9, characterized in that the system consists of user terminals, FIDO2 authenticator modules, a dependent server, and an independent backup server. The user terminal works in conjunction with the FIDO2 authenticator module to perform password derivation, credential private key exponent masking, backup record generation, and exponent calculation and local credential private key recovery during the recovery phase. The dependent server performs the exponential transformation of the masking component, the recovery of the second random number, the calculation of the combination coefficients, and the generation of intermediate values. The independent backup server performs backup record storage, blinding and unblinding processing, and recovery request forwarding. It also configures a token bucket-based rate limiting policy for each user identifier or backup record and records audit logs for all recovery requests.