
A passwordless future!


A passwordless future for Java developers

Deepu K Sasidharan

November 09, 2023


Transcript

  1. @oktaDev | @deepu105 | deepu.tech
     Hi, I'm Deepu K Sasidharan
     ➔ JHipster co-lead developer
     ➔ Java Champion
     ➔ Creator of KDash, JDL Studio
     ➔ Developer Advocate @ Okta
     ➔ OSS aficionado, polyglot dev, author, speaker
     deepu.tech | @deepu105 | deepu05
  2. The Human problem
     • Social engineerable
     • Easy to phish/harvest/replay
     • Shareable
     • Reusable
  3. Knowledge based
     • Easy to remember == easy to guess
     • Complex passwords == not easy to remember
     • Too many passwords to remember
     • Password managers help but it is an overhead
  4. Password management
     • Storing passwords in database
     • Data breaches
     • Password resets/Forgotten passwords
     • Multi-factor authentication flows
  5. © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient's Internal Use Only.
     Passwordless
     • Biometric
     • Magic links
     • OTPs
     • Push notifications
  6. Passwordless future == Passkeys
     It is a unique cryptographic key pair.
  7. WebAuthn == W3C specification
     WebAuthn is the specification that allows for passkeys implementation.
  8. FIDO == Authentication standard
     Based on public key cryptography.
  9. Passkeys == Passwordless FIDO credential with WebAuthn
     It uses asymmetric public key cryptography.
  10. Passkeys
      Synced
      • Private key synced between devices in same ecosystem and backed up to cloud
      • Better usability
      • One time enrollment
      • Can be restored on device loss or on new device
      • Less secure than hardware bound passkeys
      Hardware bound
      • Private key stored only on the device
      • Not as convenient as synced passkeys
      • Each device needs enrollment
      • No recovery or backups
      • Most secure option
  11. Web Authentication
      W3C recommendation. Works with:
      • Credential Management Level 1
      • FIDO 2.0 Client to Authenticator Protocol 2
      Illustration based on https://webauthn.me/introduction (figure label: User interaction)
  12. Synced passkeys registration flow
      Illustration based on https://fidoalliance.org/how-fido-works/
  13. Synced passkeys login flow
      Illustration based on https://fidoalliance.org/how-fido-works/
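To make the login flow of the last two slides concrete, here is an added example (not from the deck, and not the Auth0 or WebAuthn4j code it refers to) that simulates one WebAuthn assertion ceremony with nothing but the JDK: the authenticator signs authenticatorData || SHA-256(clientDataJSON) with the passkey's private key, and the relying party (RP) checks challenge, origin, RP ID hash, user-presence flag, signature counter and the ES256 signature before accepting the login. The RP ID example.com, the origin and the counter values are assumptions, and clientDataJSON is constructed inline and checked by substring rather than parsed as JSON.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;

public class PasskeyLoginDemo {
    static final String RP_ID = "example.com";           // assumed relying party ID
    static final String ORIGIN = "https://example.com";  // assumed expected web origin
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static byte[] sha256(byte[] in) throws Exception { return MessageDigest.getInstance("SHA-256").digest(in); }
    // authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian), no extensions
    static byte[] authenticatorData(int signCount) throws Exception {
        return ByteBuffer.allocate(37).put(sha256(RP_ID.getBytes(StandardCharsets.UTF_8)))
                .put((byte) 0x05).putInt(signCount).array();   // 0x05 = UP (user present) | UV (user verified)
    }
    // Client + authenticator side: clientDataJSON binds the challenge to the origin, then both parts are signed
    static byte[] sign(PrivateKey key, byte[] authData, byte[] clientDataJson) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");   // ES256, the usual passkey algorithm
        s.initSign(key); s.update(authData); s.update(sha256(clientDataJson));
        return s.sign();
    }
    // RP side: every check must pass before the assertion counts as a login
    static boolean verify(PublicKey pub, byte[] challenge, int lastCount,
                          byte[] authData, byte[] clientDataJson, byte[] sig) throws Exception {
        String cd = new String(clientDataJson, StandardCharsets.UTF_8);  // constructed JSON, so substring checks suffice
        if (!cd.contains("\"type\":\"webauthn.get\"")) return false;
        if (!cd.contains("\"challenge\":\"" + B64.encodeToString(challenge) + "\"")) return false; // replay protection
        if (!cd.contains("\"origin\":\"" + ORIGIN + "\"")) return false;  // phishing resistance lives here
        if (!Arrays.equals(Arrays.copyOfRange(authData, 0, 32), sha256(RP_ID.getBytes(StandardCharsets.UTF_8)))) return false;
        if ((authData[32] & 0x01) == 0) return false;                    // user presence flag required
        int count = ByteBuffer.wrap(authData, 33, 4).getInt();
        if (count != 0 && count <= lastCount) return false;              // non-increasing counter: possible clone
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub); s.update(authData); s.update(sha256(clientDataJson));
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC"); g.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair passkey = g.generateKeyPair();               // registration: the RP stores passkey.getPublic()
        byte[] challenge = new byte[32]; new SecureRandom().nextBytes(challenge);  // fresh per login attempt
        byte[] clientData = ("{\"type\":\"webauthn.get\",\"challenge\":\"" + B64.encodeToString(challenge)
                + "\",\"origin\":\"" + ORIGIN + "\"}").getBytes(StandardCharsets.UTF_8);
        byte[] authData = authenticatorData(7);              // stored counter from the previous login was 6
        byte[] sig = sign(passkey.getPrivate(), authData, clientData);
        System.out.println("login accepted: " + verify(passkey.getPublic(), challenge, 6, authData, clientData, sig));
    }
}
```

Calling verify with the same assertion but a stored counter of 7 (or with an origin other than the configured one in clientDataJSON) returns false, which is the check that makes a passkey login resistant to replay and to lookalike sites.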
  14. Secure
      • Phishing resistant
      • Remote attack resistant
      • Breach resistant
      • Not reusable
      • Not shareable*
      • Superior to password + traditional MFA
      • Require biometric or physical keys
  15. Human experience
      • Flexible
      • Uniform and familiar
      • One time registration ceremony
      • No credential fatigue
  16. Scalable
      • Backed up and replicated across devices in the same ecosystem
      • Discoverable
      • Recoverable
      • Multi-device capable
      • Cross-device authentication
  17. Let's see passkeys in action
      Spring Boot web app using Auth0 by Okta as IdP
  18. a0.to/jfall-passkey
      # Create a Spring Boot web app
      $ curl -G https://start.spring.io/starter.tgz \
          -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf -
      # Add controller for @GetMapping("/")
      # Create an Auth0 account and configure tenant to enable passkeys
      # Login to the tenant
      $ auth0 login
      # Create an Auth0 app
      $ auth0 apps create \
          --name "Spring Boot Passkeys" \
          --description "Spring Boot Example" \
          --type regular \
          --callbacks http://localhost:8080/login/oauth2/code/okta \
          --logout-urls http://localhost:8080 \
          --reveal-secrets
      # Update OIDC credentials
      # Start the app
      $ ./gradlew bootRun
  19. Passkeys vs FIDO MFA
      Passkeys
      • Implemented using WebAuthn and FIDO2
      • Can be synced or hardware-bound
      • Discoverable by browsers
      • Can be used for account registration as first factor
      • Enrollment required only once for synced passkeys
      FIDO MFA
      • Implemented using WebAuthn and FIDO2
      • Only hardware bound
      • Not discoverable
      • Can only be second factor after account registration with password
      • Enrollment required on each device
  20. • W3C Recommendation
      • OS/Browser dependency
      • OS/Browser support
      • Cloud vendor reliance
      • Enterprise use cases
  21. Java WebAuthn libraries
      WebAuthn4j
      • FIDO2 conformant
      • Supports attestation validation
      • Supports all attestation formats
      • Suitable for relying party server implementation
      • Supports passkeys
      • Used by Keycloak and Spring Security
      • Kotlin friendly
      java-webauthn-server
      • Not 100% FIDO2 conformant
      • Supports attestation validation
      • All attestation formats not supported
      • Suitable for relying party server implementation
      • Supports passkeys
      • From Yubico
  22. WebAuthn with Spring Security in action
      Spring Boot web app as a relying party using WebAuthn4j
  23. a0.to/jfall-webauthn
      WebAuthn4J Spring Security
      # Clone the repo
      $ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo
      # Start the app
      $ ./gradlew bootRun
  24. Passkeys login challenge a0.to/jfall
      • Complete the challenge and visit our booth to win some cool prizes
      • Only for first 30 completed submissions
  25. Thank You
      Subscribe to our newsletter a0.to/nl-signup/java
      Try our free Spring Boot + Passkeys workshop a0.to/spring-boot