A passwordless future!

A passwordless future for Java developers

Deepu K Sasidharan

November 09, 2023

Transcript

  1. A Passwordless Future!
    Passkeys and WebAuthn for Java developers
    Deepu K Sasidharan

  2. @oktaDev | @deepu105 | deepu.tech
    Hi, I’m Deepu K Sasidharan
    ➔ JHipster co-lead developer
    ➔ Java Champion
    ➔ Creator of KDash, JDL Studio
    ➔ Developer Advocate @ Okta
    ➔ OSS aficionado, polyglot dev, author, speaker
    @[email protected] deepu.tech
    @deepu105 deepu05

  3. Why passwordless?

  4. The password problem

  5. The Human problem
    ● Social engineerable
    ● Easy to phish/harvest/replay
    ● Shareable
    ● Reusable

  6. Knowledge based
    ● Easy to remember == easy to guess
    ● Complex passwords == not easy to remember
    ● Too many passwords to remember
    ● Password managers help, but they add overhead

  7. Password management
    ● Storing passwords in a database
    ● Data breaches
    ● Password resets/Forgotten passwords
    ● Multi-factor authentication flows

  8. What is Passwordless?

  9. © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only.
    Passwordless
    ● Biometric
    ● Magic links
    ● OTPs
    ● Push notifications

  10. Passwordless future == Passkeys
    A passkey is a unique cryptographic key pair

  11. WebAuthn == W3C specification
    WebAuthn is the specification that allows passkeys to be implemented

  12. FIDO == Authentication standard
    Based on public key cryptography.

  13. Passkeys == Passwordless FIDO credential with WebAuthn.
    It uses asymmetric public key cryptography

  14. Passkeys
    Synced
    ● Private key synced between devices in the same ecosystem and backed up to the cloud
    ● Better usability
    ● One time enrollment
    ● Can be restored on device loss or on a new device
    ● Less secure than hardware bound passkeys
    Hardware bound
    ● Private key stored only on the device
    ● Not as convenient as synced passkeys
    ● Each device needs enrollment
    ● No recovery or backups
    ● Most secure option

  15. Web Authentication
    W3C recommendation
    Works with:
    ● Credential Management Level 1
    ● FIDO 2.0 Client to Authenticator Protocol 2
    Illustration based on https://webauthn.me/introduction (figure not in the transcript; label: User interaction)

  16. Synced passkeys registration flow
    Illustration based on https://fidoalliance.org/how-fido-works/ (figure not in the transcript)

  17. Synced passkeys login flow
    Illustration based on https://fidoalliance.org/how-fido-works/ (figure not in the transcript)
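The login flow of slide 17 (using the key pair that the registration flow of slide 16 left behind, and the asymmetric cryptography of slides 10 and 13) as an added Java example that is not code from the deck or its demo repositories: both the authenticator and the relying party are simulated in one process so the checks a server library such as WebAuthn4j performs on an assertion are visible. It assumes an rpId of localhost and an origin of http://localhost:8080, and checks clientDataJSON with string matching rather than a JSON parser to stay short.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example, not code from the deck or its demo repositories: the passkey login ceremony
// of slide 17 reduced to its cryptographic core. RP_ID and ORIGIN are assumed demo values.
public class PasskeyLoginDemo {
    static final String RP_ID = "localhost", ORIGIN = "http://localhost:8080";
    record StoredCredential(PublicKey publicKey, long signCount) {} // all the relying party keeps
    record Assertion(byte[] authenticatorData, byte[] clientDataJSON, byte[] signature) {}
    static byte[] sha256(byte[] in) throws Exception { return MessageDigest.getInstance("SHA-256").digest(in); }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // Simulated authenticator: the private key never leaves this method (on a real device, never leaves hardware).
    static Assertion authenticatorSign(PrivateKey key, String challenge, long counter) throws Exception {
        byte[] clientData = utf8("{\"type\":\"webauthn.get\",\"challenge\":\"" + challenge
                + "\",\"origin\":\"" + ORIGIN + "\"}"); // built by the browser, which knows the real origin
        // authenticatorData = SHA-256(rpId) || flags (UP = 0x01) || 32-bit big-endian signature counter
        byte[] authData = ByteBuffer.allocate(37).put(sha256(utf8(RP_ID))).put((byte) 0x01).putInt((int) counter).array();
        Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(key);
        s.update(authData); s.update(sha256(clientData)); // signed bytes = authenticatorData || SHA-256(clientDataJSON)
        return new Assertion(authData, clientData, s.sign());        // DER-encoded ES256 signature, as WebAuthn specifies
    }

    // Relying-party checks from WebAuthn section 7.2 (what WebAuthn4j does for you); returns the sign count to store.
    static long verifyAssertion(StoredCredential cred, String expectedChallenge, Assertion a) throws Exception {
        String cd = new String(a.clientDataJSON(), StandardCharsets.UTF_8); // a production RP parses the JSON properly
        if (!cd.contains("\"type\":\"webauthn.get\"")) throw new SecurityException("wrong ceremony type");
        if (!cd.contains("\"challenge\":\"" + expectedChallenge + "\"")) throw new SecurityException("stale challenge: replay");
        if (!cd.contains("\"origin\":\"" + ORIGIN + "\"")) throw new SecurityException("origin mismatch: phishing page");
        ByteBuffer ad = ByteBuffer.wrap(a.authenticatorData());
        byte[] rpIdHash = new byte[32]; ad.get(rpIdHash);
        if (!MessageDigest.isEqual(rpIdHash, sha256(utf8(RP_ID)))) throw new SecurityException("credential belongs to another rpId");
        if ((ad.get() & 0x01) == 0) throw new SecurityException("user presence not proven");
        long count = Integer.toUnsignedLong(ad.getInt());
        if ((count != 0 || cred.signCount() != 0) && count <= cred.signCount()) throw new SecurityException("counter not increasing: cloned key?");
        Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(cred.publicKey());
        s.update(a.authenticatorData()); s.update(sha256(a.clientDataJSON()));
        if (!s.verify(a.signature())) throw new SecurityException("signature does not verify");
        return count;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); kpg.initialize(256); // P-256 / ES256
        KeyPair kp = kpg.generateKeyPair();
        StoredCredential cred = new StoredCredential(kp.getPublic(), 0); // what registration (slide 16) left behind
        byte[] nonce = new byte[32]; new SecureRandom().nextBytes(nonce);
        String challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce); // fresh per login attempt
        System.out.println("login ok, persist signCount=" + verifyAssertion(cred, challenge, authenticatorSign(kp.getPrivate(), challenge, 1)));
    }
}
```

Each of the thrown cases maps to one property from slide 19: the challenge check blocks replay, the origin and rpIdHash checks make the credential phishing resistant, and the server holds only a public key, so a breach of its database yields nothing reusable.
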

  18. Why passkeys?

  19. Secure
    ● Phishing resistant
    ● Remote attack resistant
    ● Breach resistant
    ● Not reusable
    ● Not shareable*
    ● Superior to password + traditional MFA
    ● Require biometric or physical keys

  20. Human experience
    ● Flexible
    ● Uniform and familiar
    ● One time registration ceremony
    ● No credential fatigue

  21. Scalable
    ● Backed up and replicated across devices in the same ecosystem
    ● Discoverable
    ● Recoverable
    ● Multi-device capable
    ● Cross-device authentication

  22. Passkeys security and usability spectrum

  23. menti.com
    Code: 4278 1170

  24. Let’s see passkeys in action
    Spring Boot web app using Auth0 by Okta as IdP

  25. a0.to/jfall-passkey
    # Create a Spring Boot web app
    $ curl -G https://start.spring.io/starter.tgz \
        -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf -
    # Add a controller for @GetMapping("/")
    # Create an Auth0 account and configure the tenant to enable passkeys
    # Log in to the tenant
    $ auth0 login
    # Create an Auth0 app
    $ auth0 apps create \
        --name "Spring Boot Passkeys" \
        --description "Spring Boot Example" \
        --type regular \
        --callbacks http://localhost:8080/login/oauth2/code/okta \
        --logout-urls http://localhost:8080 \
        --reveal-secrets
    # Update the OIDC credentials
    # Start the app
    $ ./gradlew bootRun
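The controller that the "Add a controller" step above leaves out, as an added example that is not the deck's own demo code. It assumes the okta-spring-boot-starter pulled in by dependencies=okta and an application.properties holding okta.oauth2.issuer, okta.oauth2.client-id and okta.oauth2.client-secret (the "Update the OIDC credentials" step); the class and handler names are my own.

```java
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the deck's own demo code. Note what is absent: the app contains
// no WebAuthn code at all. Auth0 runs the passkey ceremony; the app only consumes the
// OIDC ID token that okta-spring-boot-starter obtains at the callback URL registered
// with "auth0 apps create" (http://localhost:8080/login/oauth2/code/okta).
@RestController
public class HomeController {

    // The starter secures every route by default, so an unauthenticated request to "/"
    // is redirected to the Auth0 tenant, which offers the passkey prompt once enabled.
    @GetMapping("/")
    public String home(@AuthenticationPrincipal OidcUser user) {
        // Identity comes from the verified ID-token claims, never from a password the app handled.
        return "Hello, " + user.getFullName() + " <" + user.getEmail() + ">";
    }
}
```
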

  26. How does it differ from FIDO MFA?

  27. Passkeys vs FIDO MFA
    Passkeys
    ● Implemented using WebAuthn and FIDO2
    ● Can be synced or hardware-bound
    ● Discoverable by browsers
    ● Can be used for account registration as first factor
    ● Enrollment required only once for synced passkeys
    FIDO MFA
    ● Implemented using WebAuthn and FIDO2
    ● Only hardware bound
    ● Not discoverable
    ● Can only be second factor after account registration with password
    ● Enrollment required on each device

  28. Challenges

  29.
    ● W3C Recommendation
    ● OS/Browser dependency
    ● OS/Browser support
    ● Cloud vendor reliance
    ● Enterprise use cases

  30. Compatibility matrix: Platform Authenticators (TPM, TouchID, etc.)
    https://webauthn.me/browser-support

  31. Compatibility matrix: Roaming Authenticators (Yubikey, Titan, etc.)
    https://webauthn.me/browser-support

  32. WebAuthn for Java

  33. Java WebAuthn libraries
    WebAuthn4j
    ● FIDO2 conformant
    ● Supports attestation validation
    ● Supports all attestation formats
    ● Suitable for relying party server implementation
    ● Supports passkeys
    ● Used by Keycloak and Spring Security
    ● Kotlin friendly
    java-webauthn-server
    ● Not 100% FIDO2 conformant
    ● Supports attestation validation
    ● Not all attestation formats supported
    ● Suitable for relying party server implementation
    ● Supports passkeys
    ● From Yubico

  34. WebAuthn with Spring Security in action
    Spring Boot web app as a relying party using WebAuthn4j

  35. a0.to/jfall-webauthn
    WebAuthn4J Spring Security
    # Clone the repo
    $ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo
    # Start the app
    $ ./gradlew bootRun

  36. Resources
    https://passkeys.dev
    https://passkey.org/
    https://webauthn.me
    https://webauthn.io/

  37. Passkeys login challenge
    a0.to/jfall
    ● Complete the challenge and visit our booth to win some cool prizes
    ● Only for the first 30 completed submissions

  38. Thank You
    Subscribe to our newsletter: a0.to/nl-signup/java
    Try our free Spring Boot + Passkeys workshop: a0.to/spring-boot