Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless authentication by Cody Salas, Yubico

Transcript

1. © 2024 Yubico © 2024 Yubico Passkeys Developing APIs to

   enable passwordless authentication Cody Salas Sr. Developer Advocate | Solutions Architect @ Yubico Apidays New York 2024
2. None

3. © 2024 Yubico What are passkeys?

4. © 2024 Yubico Passkeys at a glance Replacement for passwords

   Phishing-resistant Discoverable FIDO2 credential FIDO2 Standard WebAuthn and CTAP2 specification Ubiquitous FIDO2 capable devices They are Supported by Available from Identified with

5. © 2024 Yubico Passwords vs Passkeys Password • String of

   characters • Single factor Something you know • Can be reused across multiple services Passkey Cryptographic key pair Multiple factors Something you have (device) + Something you know (PIN) or Something you are (biometric) Origin-bound and unique to each service

6. © 2024 Yubico Cryptographic key pairs Encrypts message w/ public

   key Alice Bob Generates key pair Holds private key Decrypts message w/ private key Send public key Send encrypted message

7. © 2024 Yubico Cryptographic key pairs Issues authentication challenge Authenticator

   Application Generates passkey Holds private key Signs challenge w/ private key Send public key Send authentication challenge Verifies challenge response

8. © 2024 Yubico How it works Application (Authenticating service) Client

   (Browser/platform) External authenticator (Security key / Hardware token) FIDO2 Standard WebAuthn and CTAP2 specification • Authentication standard • Hosted by the FIDO Alliance • Combination of: WebAuthn API + CTAP2 protocol • WebAuthn API – Browser API used to perform credential registration and authentication • CTAP2 – Protocol used by platforms to communicate with external authenticators WebAuthn CTAP2 The open FIDO2 standard allows for all FIDO2 capable devices to be usable across every major browser, platform, and ecosystem

9. © 2024 Yubico Architecture of a passkey application

10. © 2024 Yubico

11. © 2024 Yubico Relying party server and API

12. © 2024 Yubico Responsible for issuing and validating registration and

    authentication challenges *Unlike consuming a password, passkeys require a multi-step process RP sends reg/auth challenges to a client who will execute them against the WebAuthn API The client will return the result of the WebAuthn call to the RP for processing Can enforce policy-based rules against reg/auth requests The purpose of the RP is to manage passkeys not user information *this is the responsibility of the identity provider What is a relying party?

13. © 2024 Yubico API endpoints API method categories Registration (attestation)

    • POST /attestation/options – send the registration challenge (PublicKeyCredentialCreateOptions) • POST /attestation/result – receive the public key of the newly created passkey Authentication (assertion) • POST /assertion/options – send the authentication challenge (PublicKeyCredentialRequestOptions) • POST /assertion/result – receive the challenge signed by the passkey’s private key Credential management • GET /user/credentials – allows a user to see the credentials associated to their account • DELETE /user/credentials/{id} – allows a user to remove a credential from their account • PUT /user/credentials/{id} – allows a user to change metadata for a specific credential (never the credential itself)

14. © 2024 Yubico Registration flow Create a new passkey, and

    register it to the RP Authenticator Client Relying party Initialize the reg ceremony Issue a reg Challenge /attestation/options Call WebAuthn API – Attempt to create passkey Passkey created - Return credential Return response to relying party /attestation/options Return registration result

15. © 2024 Yubico Defined as PublicKeyCredentialCreationOptions in the WebAuthn spec

    Some fields are defined as a BufferArray, but can be translated to b64 and b64url encoding • challenge • user.id authenticatorSelection is used to define characteristics such as • Should the credential be discoverable? • Should the user input a PIN/biometric when created? • Should only a specific modality be used? Registration Options

16. © 2024 Yubico

17. © 2024 Yubico Authentication flow Find a passkey, and attempt

    to respond to the challenge from the RP Authenticator Client Relying party Initialize the auth ceremony Issue an auth Challenge /assertion/options Call WebAuthn API – Attempt to find passkey Passkey found - Return challenge response Return response to relying party /assertion/result Return authentication result

18. © 2024 Yubico Defined as PublicKeyCredentialRequestOptions in the WebAuthn spec

    The rpId field is what helps to ensure that the request is origin-bound userVerification is used to denote is a user should present a PIN or biometric during auth timeout is primarily used by the RP to reject stale requests Authentication Options

19. © 2024 Yubico

20. © 2024 Yubico SDKs and libraries Don’t attempt to build

    the WebAuthn RP logic and components on your own There are numerous server-side libraries that can be used Our example was built using Yubico’s java-webauthn-server library https://github.com/Yubico/java-webauthn-server Other libraries can be found on community resources https://passkeys.dev/docs/tools-libraries/libraries/

21. © 2024 Yubico This presentation The world of passkeys

22. © 2024 Yubico Resource summary Sample project • https://github.com/YubicoLabs/passkey-workshop Community

    resources • https://passkeys.dev • https://github.com/herrjemand/awesome-webauthn Don’t forget to checkout Yubico’s Developer Program • https://developers.yubico.com • https://github.com/YubicoLabs

23. © 2024 Yubico © 2024 Yubico Questions???

24. © 2024 Yubico © 2022 Yubico