Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing user accounts with WebAuthn

Arnelle Balane
February 27, 2021
Technology
0
31

Securing user accounts with WebAuthn

The Web Authentication API (also called WebAuthn) uses public-key cryptography instead of passwords or SMS for two-factor authentication in websites. In this talk, we will learn how to use the Web Authentication API, both in the browser-side as well as setting up the server-side to support WebAuthn.

Arnelle Balane

February 27, 2021
Tweet

More Decks by Arnelle Balane

See All by Arnelle Balane
Introduction to building Chrome Extensions
arnellebalane
0
79
Color Palettes Of The Most Colorful Birds
arnellebalane
0
94
Let's build a video streaming app using Web technologies
arnellebalane
0
110
Let's build a video calling app with Web technologies and Firebase!
arnellebalane
0
120
Ridiculous Scientific Names
arnellebalane
0
150
Fishes With Terrestrial-Animal Names
arnellebalane
0
130
Making the Web more capable with Project Fugu
arnellebalane
0
93
Frontend Web Development in 2021+
arnellebalane
0
140
Extending CSS using Houdini
arnellebalane
0
90

Other Decks in Technology

See All in Technology
コンテナのトラブルシューティング目線から AWS SAW についてしゃべってみる
kazzpapa3
1
120
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
第23回Ques_タイミーにおけるQAチームの在り方 / QA Team in Timee
takeyaqa
0
140
エンジニア候補者向け資料2024.11.07.pdf
macloud
0
4.5k
データ活用促進のためのデータ分析基盤の進化
takumakouno
2
110
Platform Engineering ことはじめ
oracle4engineer
PRO
8
760
Deno+JSRでパッケージを作って公開する
askua
0
100
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
140
Microsoft Fabric OneLake の実体について
ryomaru0825
0
180
Spring Frameworkの新標準!? ~ RestClientとHTTPインターフェース入門 ~
ogiwarat
2
240
ドメイン名の終活について - JPAAWG 7th -
mikit
13
5.1k
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k

Featured

See All Featured
The Cult of Friendly URLs
andyhume
78
6k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Teambox: Starting and Learning
jrom
133
8.8k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9k
Writing Fast Ruby
sferik
627
61k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Rails Girls Zürich Keynote
gr2m
93
13k
Producing Creativity
orderedlist
PRO
341
39k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k

Transcript

  1. Securing user accounts with WebAuthn Arnelle Balane @arnellebalane

  2. Arnelle Balane Tech Lead @ Newlogic Google Developers Expert for

    Web Technologies @arnellebalane UncaughtException @uncaughtxcptn Subscribe to our channel! /UncaughtException

  3. bit.ly/cds-cebu-webauthn

  4. Passwords aren’t enough

  5. username: arnelle password: password

  6. Threat: Guessed Passwords username: arnelle password: password

  7. Top 200 Most Common Passwords (source: NordPass)

  8. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol

  9. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol U5XmcaJD>X(,"?qa

  10. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol Password+1!? 🙄

  11. Password Reuse Password+1!?

  12. Threat: Credential Stuffing username: arnelle password: Password+1!?

  13. username: arnelle password: Password+1!? username: arnelle password: Password+1!? another very

    important service Threat: Credential Stuffing

  14. One Time Passwords (OTP) username: arnelle password: Password+1!? OTP: 123456

    SMS

  15. Threat: Phishing username: arnelle password: Password+1!? OTP: 123456 username: arnelle

    password: Password+1!? OTP: 123456

  16. Password Managers • no need to memorize passwords • stronger

    passwords

  17. • use existing social media accounts Social Login

  18. WebAuthn (Web Authentication API)

  19. Public Key Cryptography public key private key

  20. Public Key Cryptography + + = =

  21. None
  22. None

  23. username: arnelle password: Password+1!?

  24. challenge-message

  25. challenge-message

  26. None

  27. Terminologies Relying Party (RP) Client Authenticator

  28. Terminologies WebAuthn CTAP2

  29. Terminologies WebAuthn CTAP2 FIDO2

  30. Authenticators Roaming Authenticators (Yubikey, Titan Key, etc.) Platform Authenticators (Face

    ID, Touch ID, etc.)

  31. Demo time! ✨ webauthn-api.arnelle.me

  32. Registration

  33. PublicKeyCredentialCreationOptions Registration

  34. { "challenge": "Xr0koZvdaxrhJJ...", "rp": { "id": "webauthn-api.arnelle.me", "name": "WebAuthn Demo"

    }, "user": { "id": "[email protected]", "name": "[email protected]", "displayName": "Arnelle Balane" }, "pubKeyCredParams": [ { "alg": -7, "type": "public-key" } ] }

  35. Registration Call WebAuthn API

  36. navigator.credentials.create({ publicKey: { challenge: toArrayBuffer('Xr0koZvdaxrhJJ...'), rp: { id: 'webauthn-api.arnelle.me', name:

    'WebAuthn Demo' }, user: { id: toArrayBuffer('[email protected]'), name: '[email protected]', displayName: 'Arnelle Balane', }, pubKeyCredParams: [ { alg: -7, type: 'public-key' } ] } });
  37. None

  38. Registration PublicKeyCredential

  39. PublicKeyCredential { id: 'UG2APqfTRoyK3SAILd2n8ANsitRK...', rawId: ArrayBuffer(), type: 'public-key', response: {

    clientDataJSON: ArrayBuffer(), attestationObject: ArrayBuffer() } }

  40. Registration PublicKeyCredential

  41. Authentication

  42. PublicKeyCredentialRequestOptions Authentication

  43. { "challenge": "Xr0koZvdaxrhJJ...", "rpId": "webauthn-api.arnelle.me", "allowCredentials": [ { "id": "UG2APqfTRoyK3SAILd2n8ANsitRK...",

    "type": "public-key" } ] }

  44. Authentication Call WebAuthn API

  45. navigator.credentials.get({ publicKey: { challenge: toArrayBuffer('Xr0koZvdaxrhJJ...'), rpId: 'webauthn-api.arnelle.me', allowCredentials: [ {

    id: toArrayBuffer('UG2APqfTRoyK3SAI...'), type: 'public-key' } ] } })
  46. None

  47. Authentication PublicKeyCredential

  48. PublicKeyCredential { id: 'UG2APqfTRoyK3SAILd2n8ANsitRK...', rawId: ArrayBuffer(), type: 'public-key', response: {

    clientDataJSON: ArrayBuffer(), authenticatorData: ArrayBuffer(), signature: ArrayBuffer(), userHandle: ArrayBuffer() } }

  49. Authentication PublicKeyCredential

  50. webauthn.io

  51. webauthn.me

  52. dongleauth.info

  53. • MDN: PublicKeyCredentialCreationOptions • MDN: PublicKeyCredentialRequestOptions • w3.org/TR/webauthn-2 Other Resources

  54. Thank you! Securing user accounts with WebAuthn Arnelle Balane @arnellebalane