FIDO2/WebAuthn

Thinktecture Webinar about FIDO2/WebAuthn

Boris Wilhelms

June 08, 2022

Transcript

  1. FIDO2 / WebAuthn
    Boris Wilhelms
    @boriswilhelms
    Consultant

  2. Who am I?
    Boris Wilhelms
    • Consultant and Architect at Thinktecture AG
    • Focus on
      • Identity & Access Management solutions
      • Web-based, cloud-native application architectures
      • .NET Core
    • Email: [email protected]
    • Twitter: @boriswilhelms
    FIDO2 / WebAuthn

  3. Passwords suck

  4. Why passwords suck
    - We need to remember passwords, so
      - we tend to reuse them
      - we choose simple ones
      - we "write" them down
    - We don't know how securely they are stored
      - > 1300 data breaches in 2021
      - The Have I Been Pwned database contains around 12 billion breached accounts
    - They are phishable
    - Password rules usually make things worse

  5. But we have MFA? Don't we?

  6. But we have MFA with…
    SMS/Call
    - Don't use it. SIM swap is real
    - Cell phone traffic can be easily intercepted
    - We don't know how securely the codes are generated
    Authenticator Apps
    - Security heavily depends on the phone and app security
    And both are still phishable and "brute-forceable"…

  7. So, what is the alternative?

  8. FIDO2
    - FIDO2 is a set of specifications provided by the FIDO Alliance and the World Wide Web Consortium (W3C)
      - CTAP (Client to Authenticator Protocol, FIDO Alliance)
      - WebAuthn (W3C)
    - The goal is to provide strong authentication without a password
    - FIDO2 can be used
      - as an additional factor for authentication
      - to replace the password (passwordless)
      - to replace username & password (usernameless / discoverable credentials)
    - FIDO2 uses public key cryptography to ensure strong authentication without passwords
    - WebAuthn is phishing-resistant

  9. FIDO2
    [Diagram] Relying Party <-- WebAuthn --> Client/Browser <-- CTAP --> Cross-Platform Authenticator
              Client/Browser --> Platform Authenticator

  10. FIDO2 - Authenticators: Platform authenticators
    - Authenticator built into your operating system
    - Usually needs a TPM (or comparable secure hardware)
    - Is bound to your device
    - Not portable!
    - User verification depends on operating system and hardware

  11. FIDO2 - Authenticators: Cross-platform authenticators
    - Additional piece of hardware (security key)
    - Different transports
      - BLE, USB-A, USB-C, NFC, etc.
    - Can be used on multiple devices; is portable!
    - Usually has a little bit of memory to store discoverable credentials
    - User verification depends on the authenticator
      - Usually a PIN is supported

  12. Register an authenticator

  13. WebAuthn - Register
    - Call navigator.credentials.create()
    - The Relying Party (RP) passes
      - a challenge (random data, generated fresh per ceremony)
      - data describing the RP: display name & id (domain of the RP)
      - data describing the user: id, name, display name
      - data about which public key algorithms are acceptable to the RP
      - data about which authenticators can be used
        - (cross-)platform authenticator, discoverable credentials, user verification needed
      - data about which attestation is needed

  14. WebAuthn - Register
    - navigator.credentials.create() returns
      - credential id (needed for later authentication)
      - a public key (needed for later authentication)
      - ClientDataJSON: data created by the client from the RP's input (challenge, origin, etc.); its hash is passed to the authenticator
      - AuthenticatorData: data about the authenticator (RP id hash, flags, signature counter, credential id and public key)
      - attestation data if requested
        - Format of attestation data varies by authenticator
        - The Metadata BLOB provided by the FIDO Alliance is needed to validate attestation data

  15. Authentication

  16. WebAuthn - Authentication without discoverable credentials
    - Call navigator.credentials.get()
    - The Relying Party (RP) passes
      - the domain of the RP (rpId)
      - a challenge (random data)
      - one or more credential ids (received during the registration process)
    - navigator.credentials.get() returns
      - ClientDataJSON: data created by the client from the RP's input (challenge, origin, etc.); its hash is passed to the authenticator
      - AuthenticatorData: data about the authenticator (RP id hash, flags, signature counter)
      - the signature over AuthenticatorData and the hash of ClientDataJSON, made with the authenticator's private key

  17. WebAuthn - Discoverable credentials (username- and passwordless)
    - The user id is stored on the authenticator device
      - Authenticators have limited space!
    - On navigator.credentials.create() set
      - authenticatorSelection.residentKey: "required"
      - authenticatorSelection.requireResidentKey: true
    - navigator.credentials.get() additionally returns
      - the user id (userHandle)

  18. WebAuthn - Why is it not phishable?
    - The browser validates the RP id (domain of the RP passed to create() and get()) against the page's origin
    - The browser creates ClientDataJSON and passes its hash to the authenticator
      - Contains the challenge and the actual origin
    - The authenticator signs AuthenticatorData together with the hash of ClientDataJSON
    - The RP checks the received ClientDataJSON against its stored data (challenge, expected origin) and validates the signature
    - The RP id is usually used by the authenticator to derive (or scope) the private key

  19. So, everything good now?

  20. WebAuthn - Issues
    - UX depends on browser and operating system
      - On Windows: everything is passed to Windows Hello
      - On Linux: browsers have their own dialogs
      - Firefox on non-Windows: does not work with PIN-secured keys
    - There is no way to "back up" a key
    - There is no defined recovery process if a key is lost
      - Fallback to "insecure" ways like reset via email
    - If a key is lost it must be revocable by the user
      - Therefore it cannot be the only way to log in
    - If a key is lost and not PIN protected, someone might have free access to your system
    - Platform authenticators are currently bound to the machine

  21. WebAuthn - Issues
    - Very complex specification (around 160 pages)
    - Signature validation and attestation parsing and validation are complex and might be hard. Use libraries on the server side!!!

  22. So, everything will be good?

  23. WebAuthn - Future
    - All major vendors are committed to implementing and extending WebAuthn
      - Microsoft, Apple, Google
    - Synchronization of platform authenticators is coming
      - WebAuthn credentials will be tied to your Microsoft, iCloud or Google account
    - Mobile devices will act as cross-platform authenticators via BLE in the future
      - Already possible with Chrome and Android
    - Already usable on a lot of "big" websites
      - Microsoft Account, Google Account, GitHub, eBay, Facebook, etc.

  24. Thank you!
    Boris Wilhelms
    [email protected]
    @boriswilhelms
