The advent of end-to-end encrypted (E2EE) messaging and backup services has brought new challenges for usable authentication. Compared to regular web services, the nature of E2EE implies that the provider cannot recover data for users who have forgotten passwords or lost devices. Therefore, new forms of robustness and recoverability are required, leading to a plethora of solutions ranging from randomly generated recovery codes to threshold-based social verification. These implications also spread to new forms of authentication and to legacy web services: passwordless authentication ("passkeys") has become a promising candidate to replace passwords altogether, but passkeys are inherently device-bound. However, users expect that they can log in from multiple devices and recover their passwords in case of device loss, prompting providers to sync credentials to cloud storage using E2EE, which results in the very same authentication challenges as regular E2EE services. Hence, E2EE authentication quickly becomes relevant not only for a niche group of dedicated E2EE enthusiasts but for the general public using the passwordless authentication techniques promoted by their device vendors. In this paper we systematize existing research literature and industry practice relating to the security, privacy, usability, and recoverability of E2EE authentication. We investigate authentication and recovery schemes in all widely used E2EE web services and survey passwordless authentication deployment in the top-200 most popular websites. Finally, we present concrete research directions based on observed gaps between industry deployment and academic literature.