Passkeys Authentication

Transcript

1. Braulio Martinez Software Engineer brauliomlm brauliomartinezlm [email protected]

2. Your Software Partner. Your Ally.

3. Passkeys Authentication

4. Motivation Context The Workings Adoption Take the step Future Resources

5. Authentication Factors

6. Knowledge factors ◦ Password ◦ PIN K

7. Possession factors ◦ Bank card ◦ USB physical key P

8. Inherent factors ◦ Fingerprint scan ◦ Voice recognition ◦ Face

   recognition ◦ Typing pattern I

9. ATM authentication Factors: ◦ Bank card - Possession ◦ 4-digit

   PIN - Knowledge

10. WhatsApp’s authentication Factors: ◦ Phone number ownership - Possession ▪

    Proved by typing a code received via SMS ◦ [Optional] 6-digit PIN - Knowledge

11. Passwords ◦ Prone to phishing, brute force, etc ◦ All

    users compromised if hackers access a DB or a server ◦ Repetition across systems ◦ Bad UX

12. 2B credentials leaked in 2025 https://deepstrike.io/blog/compromised-credential-statistics-2025

13. Most used second factors ◦ One Time Password (OTP) via

    SMS ◦ Time based OTP ▪ Apps (e.g. Google Authenticator) ▪ Physical

14. 64% of users use some kind of second authentication factor

    as of 2024 https://tinyurl.com/4veap5mr

15. By 2024, 90% of organizations in the world have suffered

    phishing attacks. The avg cost per breach of 4.88M https://zensec.co.uk/blog/2025-phishing-statistics-the-alarming-rise-in -attacks/

16. Phishing & Replay Attack Example (AiTM)

17. None
18. None

19. Attacks in the AI World

20. Traditional Auth Factors’ fundamental problem? Strong Reliance on Human Judgement

21. Motivation Context The Workings Adoption Take the step Future Resources

22. What is WebAuthn?

23. WebAuthn (Web Authentication) is a standard that defines a set

    of rules for APIs to enable users to strongly register and authenticate on applications using public key based cryptography.

24. Who created it?

25. +

26. None

27. What was the standardization process?

28. May, 2016 W3C First Public Working Draft

29. March, 2019 W3C Recommendation, Standard Level 1

30. April, 2021 W3C Recommendation, Standard Level 2

31. January, 2026 W3C Candidate Standard Level 3

32. Where do people collaborate on the standard?

33. https://github.com/w3c/webauthn/issues

34. Motivation Context The Workings Adoption Take the step Future Resources

35. WebAuthn

36. What does it provide?

37. Possession factor

38. USB dongle

39. Phone

40. WebAuthn Spec

41. The WebAuthn Spec ◦ WebAuthn Credential ◦ 3 entities ◦

    2 user flows

42. WebAuthn Credential

43. 1. Strong

44. 2. Scoped

45. Digital Signatures

46. The Entities ◦ Authenticator ◦ Client ◦ Relying Party

47. The Entities ◦ Authenticator => User Device ▪ Creating and

    holding credentials securely, signing ◦ Client => Web Browser (or Native APIs for mobile) ◦ Relying Party => Web App

48. The User Flows ◦ Attestation => Registration (of a credential)

    ◦ Assertion => Authentication (of a credential)

49. Behind the scenes

50. Registration

51. None
52. None
53. None
54. None
55. None

56. 🔑 🔐

57. None
58. None
59. None

60. Authentication

61. None
62. None
63. None
64. None
65. None

66. 📜

67. None
68. None

69. v(📜, 🔑) = ✅

70. v(origin) = ✅

71. None

72. The Code

73. cedarcode/webauthn-ruby

74. # Gemfile gem "webauthn" # config/initializers/webauthn.rb WebAuthn.configure do |config| config.origin

    = "https://your-app.com" end

75. Registration

76. None

77. # app/views/registrations/new.html.erb <%= form_with url: registration_path, ... do |form| %>

    <%= form.text_field :username %> <%= form.text_field :nickname %> <%= form.submit ‘Sign Up’ %> <% end %>

78. # app/controllers/credentials_controller.rb def create user = User.new(...) options = WebAuthn::Credential.options_for_create(...)

    if user.valid? session[:current_registration] = { challenge: options.challenge, ... } respond_to do |format| format.json { render json: options } end end end

79. # app/javascript/credentials.js navigator.credentials.create({ publicKey: { … } })

80. # app/javascript/credentials.js navigator.credentials.create({ publicKey: { … } })

81. # app/javascript/credentials.js navigator.credentials.create({ publicKey: { … } }). then(function(credential) {

    registerCredentialWithServer(credential); });

82. # app/javascript/credentials.js navigator.credentials.create({ publicKey: { … } }). then(function(credential) {

    registerCredentialWithServer(credential); });

83. # app/controllers/credentials_controller.rb def register credential = WebAuthn::Credential.from_create(params[:credential]) credential.verify(…) current_user.webauthn_credentials.create!( webauthn_id:

    credential.id, public_key: credential.public_key ) # return success end

84. Authentication

85. None

86. # app/views/sessions/new.html.erb <%= form_with url: session_path, ... do |form| %>

    <%= form.text_field :username %> <%= form.submit ‘Sign In’ %> <% end %>

87. # app/controllers/sessions_controller.rb def create user = User.find_by(...) if user options

    = WebAuthn::Credential.options_for_get( allow: user.credentials.pluck(:external_id), ... ) session[:current_authentication] = { challenge: options.challenge, ... } respond_to do |format| format.json { render json: options } end end end

88. # app/javascript/credentials.js navigator.credentials.get({ publicKey: { allowedCredentials: [{ id: registeredCredId, …

    }] } })

89. # app/javascript/credentials.js navigator.credentials.get({ publicKey: { allowedCredentials: [{ id: registeredCredId, …

    }] } })

90. # app/javascript/credentials.js navigator.credentials.get({ publicKey: { allowedCredentials: [{ id: registeredCredId, …

    }] } }).then(function(credential) { authenticateCredentialWithServer(credential); });

91. # app/javascript/credentials.js navigator.credentials.get({ publicKey: { allowedCredentials: [{ id: registeredCredId, …

    }] } }).then(function(credential) { authenticateCredentialWithServer(credential); });

92. # app/controllers/credentials_controller.rb def authenticate credential = WebAuthn::Credential.from_get(params[:credential]) registered_credential = current_user

    .webauthn_credentials .find_by(webauthn_id: credential.id) credential.verify(…, public_key: registered_credential.public_key) # return success end

93. WebAuthn as a 2nd Factor 1st: Password - Knowledge 2nd:

    WebAuthn Credential - Possession

94. Optional: Local User Verification

95. Inherence

96. Knowledge

97. navigator.credentials.get({ publicKey: { …, “userVerification”: “required” }});

98. WebAuthn as a 2nd & 3rd Factor 1st: Password -

    Knowledge 2nd: WebAuthn Credential - Possession 3rd: WebAuthn User Verification - Knowledge or Inherence

99. WebAuthn as a 2nd & 3rd Factor 1st: Password -

    Knowledge 2nd: WebAuthn Credential - Possession 3rd: WebAuthn User Verification - Knowledge or Inherence

100. WebAuthn as 1st & 2nd factor 1st: WebAuthn Credential -

     Possession 2nd: WebAuthn User Verification - Knowledge or Inherence

101. Password-less 🙉

102. Can AI Agents fake the “User Gesture” ? • User

     Presence - No • Optionally: User Verification - No

103. Motivation Context The Workings Adoption Take the step Future Resources

104. Early days challenges with WebAuthn 🚧 Device loss recovery UX

     🚧 Portability across devices

105. How can we solve this for mass adoption?

106. Passkeys May, 2022 https://tinyurl.com/2m4h6yeh

107. Discoverable WebAuthn Credential

108. Multi device / Synced Passkeys

109. Passkeys Newest Features (Part 1) • Conditional/Autofill UI (Conditional Mediation)

     - Get site creds in authenticator • Credential Backup State Flags (BE/BS) - E.g enforce other factor • Cross Device Authentication - Roaming authenticators • Client Capabilities API - getClientCapabilities()

110. Passkeys Newest Features (Part 2) • Credential conditional creation -

     prompts user to create passkey on non-passkey flows • Related Origin Requests (ROR) (cedarcode.com, cedarcode.net ) - Through RP exposing .well-known/webauthn • Signals API - Remove unused credentials, among others • AAGUID - Authenticator metadata to allow device ID

111. Are multi device (synced) Passkeys as secure as device bound

     Passkeys? https://thehackernews.com/2025/10/how-attackers-bypass-synced-passkeys.html

112. credits to https://thehackernews.com/2025/10/how-attackers-bypass-synced-passkeys.html Synced vs Device-Bound

113. Passkeys In Action

114. Registration

115. None

116. Authentication

117. None

118. WebAuthn Platform/Browser Support (Oct 2019)

119. WebAuthn Platform/Browser Support (since April 2023) iOS Android Windows macOS

     Linux Chrome Edge Safari - - - Firefox Brave

120. Passkeys Support *credits to https://passkeys.dev/device-support/

121. Passkeys Support *credits to https://passkeys.dev/device-support/

122. Some Apps & Companies - Passkey Adoption

123. Passkey Adoption - eCommerce Jornada Sem Redirecionamento (JSR) No-Redirection Journey

124. Motivation Context The Workings Adoption Take the step Future Resources

125. How can we Passkeys to our app?

126. https://github.com/cedarcode/devise-webauthn Devise Authentication? ◦ devise-webauthn - Devise extension ◦ rubygems.org/gems/devise-webauthn

     ◦ Uses webauthn-ruby under the hood ◦ Passkeys as 2nd factor and passwordless logins

127. $ gem install devise-webauthn $ bin/rails generate devise:webauthn:install $ bin/rails

     db:migrate

128. # app/models/user.rb class User < ApplicationRecord devise :database_authenticatable, . .

     . :passkey_authenticatable, :webauthn_two_factor_authenticatable end # config/initializers/webauthn.rb - Generated by install generator WebAuthn.configure do |config| config.allowed_origins = ["https://yourapp.com"] config.rp_name = "Your App Name" end

129. <%= login_with_passkey_form_for(:user) do |form| %> <%= form.submit "Log in with

     passkeys" %> <% end %> <%= login_with_security_key_form_for(@resource) do |form| %> <%= form.submit "Use security key" %> <% end %> <%= passkey_creation_form_for(:user) do |form| %> <%= form.label :name, 'Passkey name' %> <%= form.text_field :name, required: true %> <%= form.submit 'Create Passkey' %> <% end %> Passkey Authentication 1st & only Factor Passkey Authentication 2st Factor Passkey Registration

130. https://devise-webauthn.cedarcode.com

131. medium.com/cedarcode/passkey-authentication -in-rails-8-with-webauthn-rails-c58333abae26 Rails 8+ authentication? ◦ webauthn-rails - dev dependency

     ▪ rubygems.org/gems/webaut hn-rails ▪ webauthn-ruby ▪ 1st and 2nd factor

132. https://github.com/cedarcode/webauthn-rails-demo-app webauthn.cedarcode.com ◦ Blank sheet app ◦ Rails & Stimulus.js

     ◦ Fully passwordless - WebAuthn only

133. https://github.com/cedarcode/webauthn-2fa-rails-demo webauthn-2fa.cedarcode.com ◦ Blank sheet app ◦ Rails & Stimulus.js

     ◦ WebAuthn as 2nd factor

134. https://github.com/mastodon/mastodon/pull/14466 Mastodon ◦ Real life application that uses Devise ◦

     Since Aug. 2020 - Only 2FA

135. Motivation Context The Workings Adoption Take the step Future Resources

136. ◦ webauthn-ruby v3.4.3 ▪ Maintenance and staying on edge on

     dependencies ▪ Evolving as well as the standard keeps changing ◦ passkeys + Digital Credentials ◦ passkeys for checkouts (SPC)

137. Motivation Context The Workings Adoption Take the step Future Resources

138. ◦ https://webauthn.io ◦ https://github.com/cedarcode/webauthn-ruby ◦ https://github.com/cedarcode/devise-webauthn ◦ https://github.com/cedarcode/webauthn-rails ◦ https://fidoalliance.org/passkeys/

     ◦ https://www.corbado.com/blog/ai-agents-passkeys ◦ https://www.w3.org/TR/webauthn

139. Thanks!

140. Braulio Martinez Software Engineer brauliomlm brauliomartinezlm [email protected] WebAuthn Demo