Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
認証のあれやこれや
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Toshiboumi Ohta
May 11, 2018
Technology
0
360
認証のあれやこれや
第十四回セキュリティ共有勉強会での発表
認証、FIDO
Toshiboumi Ohta
May 11, 2018
Tweet
Share
More Decks by Toshiboumi Ohta
See All by Toshiboumi Ohta
0727.pdf
bugbird
0
410
Other Decks in Technology
See All in Technology
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
coconala_engineer
2
670
Ruby版 JSXのRuxが気になる
sansantech
PRO
0
160
Red Hat OpenStack Services on OpenShift
tamemiya
0
120
SREチームをどう作り、どう育てるか ― Findy横断SREのマネジメント
rvirus0817
0
320
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
kekke_n
1
450
15 years with Rails and DDD (AI Edition)
andrzejkrzywda
0
200
CDK対応したAWS DevOps Agentを試そう_20260201
masakiokuda
1
350
StrandsとNeptuneを使ってナレッジグラフを構築する
yakumo
1
120
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
jonnojun
0
110
Amazon Bedrock Knowledge Basesチャンキング解説!
aoinoguchi
0
150
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
1
2.8k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
genda
4
1.3k
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
69
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.8k
Context Engineering - Making Every Token Count
addyosmani
9
660
Ethics towards AI in product and experience design
skipperchong
2
200
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
140
Practical Orchestrator
shlominoach
191
11k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1.1k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
230
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
1.9k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
8.7k
Mobile First: as difficult as doing things right
swwweet
225
10k
Transcript
ೝূͷ͋Ε͜Ε ୈ̍̐ճηΩϡϦςΟڞ༗ษڧձ
͓͠ͳ͕͖ ೝূͬͯͳΜ͚ͩͬʁ ύεʢϑϨʔζʛϫʔυʣʹ͍ͭͯ Ϧςϥγʔʹґଘ͠ͳ͍ೝূͬͯՄೳʁ FIDOೝূʹ͍ͭͯ
ೝূͬͯͳΜ͚ͩͬʁ
ʮೝূʯͷ͓͞Β͍ ୭Կʢ͍͔͢ʣ ʮ୭͔ʁʯ ໊Γ ʮࢁ།ܧͰ͢ʯ ೝূใΛ֬ೝͯ͠ೝূ ʮ໔ڐূͳͲࣸਅೖΓͰຊਓ֬ೝͰ͖ΔͷΛݟͤͯʯ
WebΞϓϦέʔγϣϯͷ߹ ϩάΠϯϑΥʔϜͷදࣔ ϢʔβIDʢ໊Γʣ ύεʢϑϨʔζʛϫʔυʣʢೝূใʣ র߹Ͱ͖ΕϩάΠϯʢೝՄʣ
WebΞϓϦέʔγϣϯͷೝূ Basicೝূ Digestೝূ ϑΥʔϜϕʔεೝূ TLSೝূʢΫϥΠΞϯτೝূʣ ΞϓϦέʔγϣϯ࿈ܞೝূ
ೝূใͱͯ͠͏ͷ ར༻ऀݻ༗ͷࣝ ύεʢϑϨʔζʛϫʔυʣͳͲ ར༻ऀͷॴ༗ ཚදɺϋʔυΣΞτʔΫϯͳͲ ར༻ऀͷಛੑ ੜମใʢࢦɺɺ੩຺ύλʔϯɺ࠼ etc…ʣ
ͦΕͧΕͷ ύεʢϑϨʔζʛϫʔυʣ ΕͨΒΞτ ॴ༗ ౪·ΕͨΓฆࣦͨ͠ΒΞτ ੜମใ ݸਓใͰ͋Γʮ͓ΘΓʯ͕Ͱ͖ͳ͍
ύεʢϑϨʔζʛϫʔυʣ ʹ͍ͭͯ͘ޠΖ͏
ύεʢϑϨʔζʛϫʔυʣ σόΠεΛඞཁͱ͠ͳ͍ ߈ܸੑϦςϥγʔґଘ ϢʔβͷϦςϥγʔ γεςϜӡ༻ऀͷϦςϥγʔ
ύεϫʔυͷఆظతߋ৽ ʮ૯ͨΓ߈ܸʯʹ༗ޮͩͬͨ…͔ʁ ଟ༷Խ͢Δύεϫʔυ߈ܸ ύεϫʔυɾεϓϨʔ߈ܸ ࣙॻ߈ܸ ϦετܕΞΧϯτ߈ܸ
ύεϫʔυɾεϓϨʔ߈ܸ a.k.a. ϦόʔεɾϒϧʔτϑΥʔε߈ܸ JAL / ANA ͷαΠτʢ2014ʣ ձһ൪߸͕7ܻʙ9ܻ ύεϫʔυ͕4ܻʙ6ܻ ϢʔβID͕؆୯ʹਪଌͰ͖Δ߹༗ޮ
ࣙॻ߈ܸ ଟ༻͞Ε͍ͯΔՄೳੑ͕͋Δ୯ޠΛࣙॻొ ਓͷߟ͑Δ͜ͱେମಉ͡ Dragon, letmein, qazwsx, etc… ʮ࣮ʯʹج͍ͮͯʑڧԽ͞Ε͍ͯΔ
ϦετܕΞΧϯτ߈ܸ ϢʔβIDͱύεϫʔυͷΈ߹ΘͤΛ͏ Ͳ͔͜ͷʮ΅͍ʯαʔϏε͕ʮ͓࿙Β͠ʯ WebΞϓϦέʔγϣϯͷ૿Ճ Ͳ͏͍ͯ͠·Θͨ͘͠ͳΔ ͔ͳΓʮώοτʯ͕ߴ͍w
ΞΧϯτϩοΫ༗ޮʁ ී௨༗ޮͰ͕͢… େنαΠτͩͱ͍͜ͱ͋Δ ී௨ϩʔυόϥϯα͍·͢Α…Ͷʁ ฒྻ߈ܸͰΞΧϯτϩοΫ͕ൃಈ͢Δલ ʹ200݅Ҏ্ͷࢼߦΛڐͯ͠ɺ৵ೖ͞ΕΔ
ڧ͍ύεʢϑϨʔζʛϫʔυʣ จࣈछΛ૿͢ ಉ͡จࣈͳΒจࣈछΛ૿͢ͷਖ਼ٛ ͨͩ͠US / JIS ΩʔϘʔυʹቕΔ https://xkcd.com/936/
ڧ͍ύεϑϨʔζ
ύεʢϑϨʔζʛϫʔυʣͷ ʮ֮͑ΒΕͳ͍ύεϫʔυʯʹҙຯ͕ͳ͍ Ϧςϥγʔ͕ඞཁ ֶతͳܮ ύεϫʔυΛ͍֮͑ͯΒΕΔهԱྗ ݁ہʮ͋ͳͨ·͔ͤʯͰ৴༻͢Δ͔͠ͳ͍
গ͠ͰϚγʹ͢Δ ύεϫʔυڧͷνΣοΧʔ จࣈ จࣈछͷࠞ߹Λཁٻ ΞΧϯτID ͱͷൺֱɹetc… ͰϢʔβϏϦςΟ͕ѱԽ͠·͢ΑͶʁ
͍ճ͠͞ΕΔͳΒ ͍ճͤΔΑ͏ʹ͢Εʁ
ΞϓϦέʔγϣϯ࿈ܞೝূ OAuth, OpenID, YConnect, SAML APIΛͬͯೝূʢೝՄʣΛ֎෦Ͱߦ͏ ೝূใͷཧ͕ෆཁʹͳΔ ೝূͱೝՄΛࠞಉ͍͚ͯ͠ͳ͍ http://d.hatena.ne.jp/ritou/20120206/1328484575
Ϧςϥγʔʢʹґଘʛظʣ ͠ͳ͍ೝূͬͯͰ͖Δͷʁ
Ϧςϥγʹґଘ͠ͳ͍ೝূ ཚදɺτʔΫϯ ίετ͕ൃੜ ౪ɾฆࣦͷϦεΫ ੜମใೝূ ସ͕ޮ͔ͳ͍ ࿙Ӯ͕ى͖ͨΒΞτʢݸਓใʣ
ଟཁૉೝূ ֤छͷೝূΛΈ߹ΘͤΔ ύεʢϑϨʔζʛϫʔυʣͷґଘੑݮΔ ೝূͳͲΈ߹Θͤͷର CAPTCHA ϢʔβϏϦςΟམͪΔ
facebook ͷଟཁૉೝূ ύεϫʔυೝূ IP / Cookie ʹΑΔೝূ ίʔυδΣωϨʔλʢܞଳݶఆʣ ϝʔϧSMSʹΑΔ௨Λซ༻
WebαʔϏεͷೝূର Ϣʔβʔೝূ αʔόʔೝূʢvia TLSʣ αʔόʔূ໌ॻ ΫϥΠΞϯτೝূʢvia TLSʣ ΫϥΠΞϯτূ໌ॻ ΘΕ͍ͯͳ͔ͬͨ ͱ͍͏Մೳੑ͋Δʁ
ܞଳͷೝূͬͯ Ͳ͏ͳ͍͚ͬͯͨͬʁ
ܞଳͷಛ ෳࡶͳσʔλͷೖྗ͕໘ ը໘͕খ͍͞ʢใྔ͕গͳ͍ʣ ϑϦοΫೖྗͱ͔ͯ͠·͚͢Ͳ ϢʔβೝূͰͳ͘ೝূ
ܞଳͷೝূ UUIDʢUniversally Unique IDentifier) ຊདྷࢄॲཧͳͲͰͷ ID িಥճආ ʮதԝొॲཧʯ͕ෆཁ ࣌ؒใͳͲݻ༗ͷใ͔Βੜ͢Δ
ܞଳͷϢʔβೝূ ౪ɾฆࣦʹରԠ͢Δඞཁ͕͋Δ PINʢPersonal Identification Numberʣ εϫΠϓύλϯ ੜମใ ࢦɺإ etc…
ͦΕɺ͏গ͠ ͳΜͱ͔ͳΓ·ͤΜ͔ʁ
ʹґଘ͠ͳ͍ೝূ ʮϦςϥγʯʹґଘ͠ͳ͍ ৬ɺҠಈதɺࣗ Edge, Firefox, Chrome, Vivaldi PC, Tablet, Smart
phone etc…
FIDOೝূ Fast IDentity Online ೝূใΛ௨৴͠ͳ͍ ެ։伴҉߸ํࣜͷԠ༻ ϞδϡʔϧԽ͞ΕͯϕϯμʔϩοΫɾϑϦʔ ܧଓతೝূɺ҉తೝূɺίϯςΩετೝূ
FIDOೝূͷ֓ཁ ൿີ伴 ެ։伴 νϟϨϯδ ೝূ ൿີ伴Ͱॺ໊ͨ͠νϟϨϯδ ެ։伴Ͱ ॺ໊ͷଥੑ νΣοΫ ൿີͷڞ༗͕ඞཁͳ͍ʂ
ೝূͷํࣜʹґଘ͠ͳ͍ʂ ೝূث FIDOΫϥΠΞϯτ FIDOαʔόʔ
FIDO 2.0 FIDO 1.0 ͷೋͭͷೝূثΛ౷߹ UAFʢUniversal Authentication Frameworkʣ U2FʢUniversal Second
Factorʣ CTAP ͷಋೖ
WebAuthn ͱ CTAP WebAuthn FIDO ೝূثͷͻͱͭ ύεϫʔυʢa.k.a. εΩϧʣʹґଘ͍ͯ͠ͳ͍ ݱࡏ W3C
ͷ CRʢCandidate Recommendationʣ CTAPʢClient To Authenticator Protocolʣ
ͬͱৄ͘͠ʁ FIDOʹ͍ͭͯͷղઆʢຊޠʣ https://www.slideshare.net/FIDOAlliance/fido-83445442 https://fidoalliance.org/wp-content/uploads/FIDOTokyo- gomi-120816-ja.pdf W3Cͷใ https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.ja
Q&A?