


Thinktecture Webinar about FIDO2/WebAuthn

Boris Wilhelms

June 08, 2022



  1. Who am I?
     - Boris Wilhelms
     - Consultant and Architect at Thinktecture AG
     - Focus on
       - Identity & Access Management solutions
       - Web-based, cloud-native application architectures
       - .NET Core
     - Email: [email protected]
     - Twitter: @boriswilhelms
  2. Why passwords suck
     - We need to remember passwords, so
       - we tend to reuse them
       - we choose simple ones
       - we “write” them down
     - We don’t know how securely they are stored
       - > 1300 data breaches in 2021
       - Have I Been Pwned database contains around breached accounts
     - They are phishable
     - Password rules usually make things worse
  3. But we have MFA with…
     - SMS/Call
       - Don’t use it. SIM swap is real
       - Cell phone traffic can be easily intercepted
       - We don’t know how securely the codes are generated
     - Authenticator Apps
       - Heavily depends on the phone and app security
     - And both are still phishable and “brute forceable”…
  4. FIDO2
     - FIDO2 is a set of specifications provided by the FIDO Alliance and the World Wide Web Consortium (W3C)
       - CTAP
       - WebAuthn
     - The goal is to provide strong authentication without a password
     - FIDO2 can be used
       - as an additional factor for authentication
       - to replace the password (passwordless)
       - to replace username & password (usernameless / discoverable credentials)
     - FIDO2 uses public key cryptography to ensure strong authentication without passwords
     - WebAuthn is phishing safe
  5. FIDO2 - Authenticators: Platform authenticators
     - Authenticator built into your operating system
     - Usually needs a TPM
     - Is bound to your device - not portable!
     - User verification depends on operating system and hardware
  6. FIDO2 - Authenticators: Cross-platform authenticators
     - Additional piece of hardware
     - Different transports: BLE, USB-A, USB-C, NFC, etc.
     - Can be used on multiple devices; is portable!
     - Usually has a little bit of memory to store discoverable credentials
     - User verification depends on the authenticator
       - Usually a PIN is supported
  7. WebAuthn - Register
     - Call navigator.credentials.create()
     - Relying Party (RP) passes
       - a challenge (random data)
       - data describing the RP: display name & id (domain of the RP)
       - data describing the user: id, name, display name
       - data about which public keys are acceptable to the RP
       - data about which authenticator can be used: (cross-)platform authenticator, discoverable credentials, user verification needed
       - data about which attestation is needed
  8. WebAuthn - Register
     - navigator.credentials.create() returns
       - credential id (needed for later authentication)
       - a public key (needed for later authentication)
       - ClientDataJSON: data created by the client and RP and passed to the authenticator (challenge, origin, etc.)
       - AuthenticatorData: data about the authenticator
       - attestation data, if requested
         - Format of attestation data varies by authenticator
         - The Metadata Blob provided by the FIDO Alliance is needed to validate attestation data
  9. WebAuthn - Authentication without discoverable credentials
     - Call navigator.credentials.get()
     - Relying Party (RP) passes
       - domain of the RP
       - a challenge (random data)
       - one or more credential ids (received via the registration process)
     - navigator.credentials.get() returns
       - ClientDataJSON: data created by the client and RP and passed to the authenticator (challenge, origin, etc.)
       - AuthenticatorData: data about the authenticator
       - the signature over AuthenticatorData and ClientDataJSON, generated with the authenticator’s private key
  10. WebAuthn - Discoverable credentials (username- and passwordless)
     - User id is stored on the authenticator device
       - Authenticators have limited space!
     - On navigator.credentials.create() set
       - authenticatorSelection.residentKey: required
       - authenticatorSelection.requireResidentKey: true
     - navigator.credentials.get() additionally returns the user id
  11. WebAuthn - Why is it not phishable?
     - Browser validates the RP id (domain of the RP passed to create() and get())
     - Browser creates ClientDataJSON and passes it to the authenticator
       - Contains challenge and actual origin
     - Authenticator signs ClientDataJSON
     - RP rebuilds ClientDataJSON with its stored data and validates the signature
     - RP id is usually used by the authenticator to derive the private key
  12. WebAuthn - Issues
     - UX depends on browser and operating system
       - On Windows: everything is passed to Windows Hello
       - On Linux: browsers have their own dialogs
       - Firefox on non-Windows: does not work with PIN-secured keys
     - There is no way to “backup” a key
       - There is no defined recovery process if a key is lost
       - Fallback to “insecure” ways like reset via email
     - If a key is lost it must be revocable by the user
       - Therefore it cannot be the only way to log in
     - If a key is lost and not PIN protected, someone might have free access to your system
     - Platform authenticators are currently bound to the machine
  13. WebAuthn - Issues
     - Very complex specification (around 160 pages)
     - Signature validation and attestation parsing and validation are complex and might be hard. Use libraries on the server side!!!
  14. WebAuthn - Future
     - All major vendors are committed to implementing and extending WebAuthn
       - Microsoft, Apple, Google
     - Synchronization of platform authenticators is coming
       - WebAuthn credentials will be tied to your Microsoft, iCloud or Google account
     - Mobile devices will be cross-platform authenticators via BLE in the future
       - Already possible with Chrome and Android
     - Already usable on a lot of “big” websites
       - Microsoft Account, Google Account, GitHub, eBay, Facebook, etc.