Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing user accounts with WebAuthn

Arnelle Balane
February 27, 2021
Technology
0
31

Securing user accounts with WebAuthn

The Web Authentication API (also called WebAuthn) uses public-key cryptography instead of passwords or SMS for two-factor authentication in websites. In this talk, we will learn how to use the Web Authentication API, both in the browser-side as well as setting up the server-side to support WebAuthn.

Arnelle Balane

February 27, 2021
Tweet

More Decks by Arnelle Balane

See All by Arnelle Balane
Introduction to building Chrome Extensions
arnellebalane
0
80
Color Palettes Of The Most Colorful Birds
arnellebalane
0
95
Let's build a video streaming app using Web technologies
arnellebalane
0
110
Let's build a video calling app with Web technologies and Firebase!
arnellebalane
0
120
Ridiculous Scientific Names
arnellebalane
0
150
Fishes With Terrestrial-Animal Names
arnellebalane
0
130
Making the Web more capable with Project Fugu
arnellebalane
0
94
Frontend Web Development in 2021+
arnellebalane
0
140
Extending CSS using Houdini
arnellebalane
0
91

Other Decks in Technology

See All in Technology
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
480
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
170
TypeScript、上達の瞬間
sadnessojisan
46
13k
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Teambox: Starting and Learning
jrom
133
8.8k
Site-Speed That Sticks
csswizardry
0
26
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Bash Introduction
62gerente
608
210k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
96
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k

Transcript

  1. Securing user accounts with WebAuthn Arnelle Balane @arnellebalane

  2. Arnelle Balane Tech Lead @ Newlogic Google Developers Expert for

    Web Technologies @arnellebalane UncaughtException @uncaughtxcptn Subscribe to our channel! /UncaughtException

  3. bit.ly/cds-cebu-webauthn

  4. Passwords aren’t enough

  5. username: arnelle password: password

  6. Threat: Guessed Passwords username: arnelle password: password

  7. Top 200 Most Common Passwords (source: NordPass)

  8. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol

  9. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol U5XmcaJD>X(,"?qa

  10. Passwords must: • have 12 or more characters • contain

    at least 1 number • contain at least 1 uppercase letter • contain at least 1 lowercase letter • contain at least 1 special symbol Password+1!? 🙄

  11. Password Reuse Password+1!?

  12. Threat: Credential Stuffing username: arnelle password: Password+1!?

  13. username: arnelle password: Password+1!? username: arnelle password: Password+1!? another very

    important service Threat: Credential Stuffing

  14. One Time Passwords (OTP) username: arnelle password: Password+1!? OTP: 123456

    SMS

  15. Threat: Phishing username: arnelle password: Password+1!? OTP: 123456 username: arnelle

    password: Password+1!? OTP: 123456

  16. Password Managers • no need to memorize passwords • stronger

    passwords

  17. • use existing social media accounts Social Login

  18. WebAuthn (Web Authentication API)

  19. Public Key Cryptography public key private key

  20. Public Key Cryptography + + = =

  21. None
  22. None

  23. username: arnelle password: Password+1!?

  24. challenge-message

  25. challenge-message

  26. None

  27. Terminologies Relying Party (RP) Client Authenticator

  28. Terminologies WebAuthn CTAP2

  29. Terminologies WebAuthn CTAP2 FIDO2

  30. Authenticators Roaming Authenticators (Yubikey, Titan Key, etc.) Platform Authenticators (Face

    ID, Touch ID, etc.)

  31. Demo time! ✨ webauthn-api.arnelle.me

  32. Registration

  33. PublicKeyCredentialCreationOptions Registration

  34. { "challenge": "Xr0koZvdaxrhJJ...", "rp": { "id": "webauthn-api.arnelle.me", "name": "WebAuthn Demo"

    }, "user": { "id": "[email protected]", "name": "[email protected]", "displayName": "Arnelle Balane" }, "pubKeyCredParams": [ { "alg": -7, "type": "public-key" } ] }

  35. Registration Call WebAuthn API

  36. navigator.credentials.create({ publicKey: { challenge: toArrayBuffer('Xr0koZvdaxrhJJ...'), rp: { id: 'webauthn-api.arnelle.me', name:

    'WebAuthn Demo' }, user: { id: toArrayBuffer('[email protected]'), name: '[email protected]', displayName: 'Arnelle Balane', }, pubKeyCredParams: [ { alg: -7, type: 'public-key' } ] } });
  37. None

  38. Registration PublicKeyCredential

  39. PublicKeyCredential { id: 'UG2APqfTRoyK3SAILd2n8ANsitRK...', rawId: ArrayBuffer(), type: 'public-key', response: {

    clientDataJSON: ArrayBuffer(), attestationObject: ArrayBuffer() } }

  40. Registration PublicKeyCredential

  41. Authentication

  42. PublicKeyCredentialRequestOptions Authentication

  43. { "challenge": "Xr0koZvdaxrhJJ...", "rpId": "webauthn-api.arnelle.me", "allowCredentials": [ { "id": "UG2APqfTRoyK3SAILd2n8ANsitRK...",

    "type": "public-key" } ] }

  44. Authentication Call WebAuthn API

  45. navigator.credentials.get({ publicKey: { challenge: toArrayBuffer('Xr0koZvdaxrhJJ...'), rpId: 'webauthn-api.arnelle.me', allowCredentials: [ {

    id: toArrayBuffer('UG2APqfTRoyK3SAI...'), type: 'public-key' } ] } })
  46. None

  47. Authentication PublicKeyCredential

  48. PublicKeyCredential { id: 'UG2APqfTRoyK3SAILd2n8ANsitRK...', rawId: ArrayBuffer(), type: 'public-key', response: {

    clientDataJSON: ArrayBuffer(), authenticatorData: ArrayBuffer(), signature: ArrayBuffer(), userHandle: ArrayBuffer() } }

  49. Authentication PublicKeyCredential

  50. webauthn.io

  51. webauthn.me

  52. dongleauth.info

  53. • MDN: PublicKeyCredentialCreationOptions • MDN: PublicKeyCredentialRequestOptions • w3.org/TR/webauthn-2 Other Resources

  54. Thank you! Securing user accounts with WebAuthn Arnelle Balane @arnellebalane