
The world of Passkeys 🤝🏽 Ruby


Can you recall a world without having to remember passwords? If Passkeys become widely available, that world is a few steps away in our future. Instead of remembering passwords, we will use our biometrics, already available on our phones, laptops, and desktops, together with public key cryptography!
To a future with no passwords!

Helio Cola

October 08, 2023


Transcript

  1. The world of Passkeys 🤝 Ruby
    Helio Cola
    https://hac-rods.me

  2. Hi!
    Hi, I am Helio Cola!
    • ~22 years developing SW
    • ~12 years since I started working with RoR
    • ==> https://hac-rods.me/
    • ==> https://ruby.social/@hacrods

  3. Agenda
    • What, Who, Why
    • The Passkeys Iceberg!
    • How it works
    • Some interesting things
    • Some fluffy stuff
    • 🤝 Ruby!

  4. Before I start
    Raise your hand…
    • if you’ve heard about Passkeys before
    • if you read anything about it
    • if you set Passkeys on your GitHub account

  5. What are Passkeys
    • They are a replacement for passwords
    • They are part of a web authentication standard
    • A passkey is a public/private key pair used for challenge-based authentication
    • It uses public key cryptography (invented in the 1970s)
    • Sometimes it is protected by your device biometrics
    • Sometimes it is discoverable

  6. What are Passkeys
    A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked with biometrics.
    Source: https://passkeys.dev/docs/intro/what-are-passkeys/

  7. Who
    • Passkeys are part of the WebAuthn standard
    • Created by W3C and FIDO
    • By folks from: Nok Nok Labs, Microsoft, PayPal, Google…
    • And others like: Mozilla, Yubico, Apple, Qualcomm, Cisco…
    • And many others…

  8. Who
    • First version of the Web Authentication API was published in May 2016
    • Created by folks from: Nok Nok Labs, Microsoft, PayPal, and Google
    Source: https://www.w3.org/TR/2016/WD-webauthn-20160531/

  9. The Passkeys Iceberg
    (Iceberg diagram.) Above the water line, marked “This talk”: Passkeys and WebAuthn. Below it: FIDO, W3C, FIDO2, CTAP1, CTAP2, UAF, U2F, RP, UP, UV, UVRA, CDA, CDA Auth, CDA Cli, DPK, Apple iCloud, Microsoft Hello, Google.
    Timeline on the diagram: 1970s: public key cryptography. 2016: W3C: “A Web API for accessing scoped credentials”.

  10. To remember
    Passkey is a public and private key pair,
    protected by your device biometrics,
    used for a challenge-based authentication

  11. What is Passkey
    “Passkey is a public and private key pair”
    • A private and public key, used to encrypt and decrypt data
    • A core concept of public key encryption
    “protected by your device biometrics”
    • To use it, your device will first use its biometrics
    “used for a challenge-based authentication”
    • User is asked to sign with the private key
    • Web app/site checks with the user’s public key

  12. How it works
    • Registration
    User signs up for a new service: email, username etc…
    • Authentication
    With my email/username and my passkeys
    • Re-authentication
    In case of sensitive transactions

  13. Registration
    (Sequence diagram between spkeym.com, the User (& Browser & OS), and the user’s Cloud Account.)
    1. User → spkeym.com: I want to sign up
    2. spkeym.com → User: Send me your public key
    3. Browser → OS: Create a Passkey for SPKeyM
    4. OS: Face ID & create a Passkey
    5. OS → Cloud Account: Sync private key
    5. OS → Browser: Here is your public key
    6. User → spkeym.com: Here is my public key and username
    7. spkeym.com → User: Your sign up is completed

  14. Authentication
    (Sequence diagram between spkeym.com and the User (& Browser & OS).)
    1. User → spkeym.com: I want to sign in
    2. spkeym.com → User: Please sign this data
    3. Browser → OS: Sign this data with the SPKeyM Passkey
    4. OS: Face ID & create signature with the private key
    5. OS → Browser: Here is my signature
    6. User → spkeym.com: Here is my digital signature
    7. spkeym.com → User: Signature is valid! You are authenticated
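The two ceremonies on the registration and authentication slides, written out as an added Ruby example that is not part of the talk and is not the webauthn-ruby gem: the authenticator keeps one private key per site (the `rp_id`, here the invented `spkeym.com`), the site stores only public keys, and a sign-in is a fresh random challenge signed on the device and verified by the site. Class and method names are this example's own; real WebAuthn wraps the challenge in `clientDataJSON` and `authenticatorData`, which a library such as webauthn-ruby verifies, but the key handling is the same idea.

```ruby
require "openssl"
require "securerandom"

# Toy model of the registration and authentication ceremonies (added example,
# not the talk's code). "spkeym.com" and all names here are constructed.

# The authenticator side: browser + OS + biometrics. One key pair per site
# (Relying Party id), so a credential created for spkeym.com cannot be used
# to answer a challenge from any other site.
class Authenticator
  def initialize
    @keys = {} # rp_id => private key; on a real device this never leaves the authenticator
  end

  # Registration steps 3-5: create a P-256 key pair (ES256, the algorithm
  # WebAuthn libraries default to) and hand back only the public half.
  def create_credential(rp_id)
    key = OpenSSL::PKey::EC.generate("prime256v1")
    @keys[rp_id] = key
    public_pem(key)
  end

  # Authentication steps 3-5: "Face ID" would gate this call. Sign the site's
  # challenge with that site's private key. Returns nil when no credential
  # exists for rp_id: a look-alike domain simply gets nothing to present.
  def sign(rp_id, challenge)
    key = @keys[rp_id]
    return nil unless key
    key.sign(OpenSSL::Digest.new("SHA256"), challenge)
  end

  private

  # Export just the public key as PEM. `public_to_pem` exists on Ruby's
  # openssl gem 3.0+; the fallback covers older gems.
  def public_pem(key)
    return key.public_to_pem if key.respond_to?(:public_to_pem)
    pub = OpenSSL::PKey::EC.new(key.group)
    pub.public_key = key.public_key
    pub.to_pem
  end
end

# The Relying Party side (spkeym.com): stores public keys only, so a leaked
# database contains nothing that can produce a valid signature.
class RelyingParty
  def initialize(rp_id)
    @rp_id = rp_id
    @public_keys = {} # username => public key PEM
    @pending = {}     # username => outstanding challenge
  end

  # Registration steps 6-7: remember the user's public key.
  def register(username, public_key_pem)
    @public_keys[username] = public_key_pem
    true
  end

  # Authentication step 2: a fresh random challenge for every attempt.
  def begin_auth(username)
    @pending[username] = SecureRandom.random_bytes(32)
  end

  # Authentication step 7: verify the signature against the stored public key.
  # The challenge is deleted on first use, so a captured signature cannot be
  # replayed; malformed signature bytes are treated as a failed verification.
  def finish_auth(username, signature)
    challenge = @pending.delete(username)
    pem = @public_keys[username]
    return false if challenge.nil? || pem.nil? || signature.nil?
    OpenSSL::PKey::EC.new(pem).verify(OpenSSL::Digest.new("SHA256"), signature, challenge)
  rescue OpenSSL::PKey::PKeyError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  device = Authenticator.new
  site = RelyingParty.new("spkeym.com")
  site.register("helio", device.create_credential("spkeym.com"))
  challenge = site.begin_auth("helio")
  puts site.finish_auth("helio", device.sign("spkeym.com", challenge)) # true
end
```

Running the script prints `true` for the honest flow; the same signature presented a second time fails because the challenge was consumed, and asking the authenticator to sign for a different `rp_id` yields no signature at all, which is the property the later slides call phishing resistance.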

  15. Some interesting things
    • Sites don’t store “critical auth” information
    What if the DB of mysite.com gets leaked?
    • The private key is either on your device or synced with your Cloud Account (Apple, Google, Microsoft…)
    Good luck trying to break into their systems!
    • Unique per site, by design
    • Strong, by design
    • (“BUT”) Your browser, OS, and device now do “critical auth” things!

  16. Demo time!

  17. The fluffy stuff
    Passkeys are:
    • Intuitive
    • Automatically unique per site
    • Breach resistant
    • Phishing resistant (and protected with device biometrics)

  18. And there is more
    • Discoverable vs Non-discoverable
    • Device bound passkeys
    • Autofill UI
    • Cross-Device Authentication (CDA)
    • Roaming Authenticator
    • User Presence (UP) and User Verification (UV)
    • User-Verifying Roaming Authenticator
    • And there is more…
    Source: https://passkeys.dev/docs/reference/terms

  19. Why
    • Passwords are difficult and time consuming to manage
    • The most common passwords are easy to guess
    Source: https://nordpass.com/most-common-passwords-list/
    https://s1.nordcdn.com/nord/misc/0.55.0/nordpass/200-most-common-passwords-en.pdf

  20. Why
    And also all these other things:
    • Authenticator apps
    • SMS OTP
    • Email code
    • Magic links

  21. Hello Ruby!
    Passkeys 🤝 Ruby

  22. Hello Ruby!
    The trailblazers:
    • Gonzalo and Braulio from CedarCode: https://www.cedarcode.com
    • Petr Hlavicka: https://petr.codes
    • Thomas Cannon: https://thomascannon.me

  23. CedarCode
    • Web Agency based in Uruguay
    • Authors of the webauthn-ruby gem
    Source: https://github.com/cedarcode/webauthn-ruby/blob/master/webauthn.gemspec
    (Photos: Gonzalo Rodriguez, Braulio Martinez)

  24. webauthn-ruby gem
    • Gonzalo released v0.0.0 on May 9th, 2018
    • And so was webauthn-rails-demo-app
    It is live: https://webauthn.cedarcode.com/
    • Latest release is v3.0.0, in February 2023

  25. Petr Hlavicka
    • Petr is a Ruby on Rails developer
    Can be found at: https://petr.codes/
    • In 2021, he wrote an article:
    “Multi-Factor Authentication for Rails With WebAuthn and Devise”
    Originally published on the HoneyBadger.io blog: https://www.honeybadger.io/blog/multi-factor-2fa-authentication-rails-webauthn-devise/
    Companion Rails app: https://github.com/CiTroNaK/webauthn-with-devise

  26. Thomas Cannon
    • Creator of the Ruby-Passkeys GitHub Org
    https://github.com/ruby-passkeys
    Can be found at: https://thomascannon.me/
    • And the creator of the gems:
    warden-webauthn (v0.3.0)
    devise-passkeys (v0.3.0)
    • And the Rails template app “devise-passkeys-template”

  27. Future of Passkeys

  28. This is it folks!
    • Thank y’all for your time and your attention
    • Thank you to all organizers and sponsors of RubyConfTH
    • If you have any question ==> find me here today…
    • Or on the internet ==> https://ruby.social/@hacrods