
The world of Passkeys 🤝🏽 Ruby


Can you recall a world without having to remember passwords? If Passkeys become widely available, that world is only a few steps into our future. Instead of remembering passwords, we will use our biometrics, already available on our phones, laptops, and desktops, together with public key encryption!
To a future with no passwords!

Helio Cola

October 08, 2023


  1. The world of Passkeys


    Helio Cola



  2. Hi!
    Hi, I am Helio Cola!

    • ~22 years developing SW

    • ~12 years since I started working with RoR

    • ==> https://hac-rods.me/

    • ==> https://ruby.social/@hacrods


  3. Agenda
    • What, Who, Why

    • The Passkeys Iceberg!

    • How it works

    • Some interesting things

    • Some fluffy stuff

    • 🤝 Ruby!


  4. Before I start
    Raise your hand…

    • if you’ve heard about Passkeys before

    • if you read anything about it

    • if you set Passkeys on your GitHub account


  5. What are Passkeys
    • Are a replacement for passwords

    • It is part of a web authentication standard

    • It is a public/private key pair used for challenge based authentication

    • It uses public key cryptography (invented in the 1970s)

    • Sometimes it is protected by your device biometrics

    • Sometimes it is discoverable


  6. What are Passkeys
    A password is something that can be remembered
    and typed, and a passkey is a secret stored on
    one’s devices, unlocked with biometrics.
    Source: https://passkeys.dev/docs/intro/what-are-passkeys/


  7. Who
    • Passkeys is part of the WebAuthn standard

    • Created by W3C and FIDO

    • By folks from: Nok Nok Labs, Microsoft, PayPal, Google…

    • And others like: Mozilla, Yubico, Apple, Qualcomm, Cisco…

    • And many others…


  8. Who
    • First version of Web Authentication API was published in May 2016

    • Created by folks from: Nok Nok Labs, Microsoft, PayPal, and
    Source: https://www.w3.org/TR/2016/WD-webauthn-20160531/


  9. The Passkeys Iceberg
    (Iceberg diagram; labels from the tip down:)
    • This talk
    • UAF, U2F
    • Apple iCloud, Microsoft Hello, Google
    • CDA Cli DPK, CDA Auth
    • 1970s: Public key cryptography
    • 2016: W3C: A Web API for accessing scoped credentials


  10. To remember
    Passkey is a public and private key pair,

    protected by your device biometrics,

    used for a challenge based authentication


  11. What is Passkey
    “Passkey is a public and private key pair”

    • A private and public key, used to encrypt and decrypt data

    • A core concept of public key encryption

    “protected by your device biometrics”

    • To use it, your device will first use its biometrics

    “used for a challenge based authentication”

    • User is asked to sign with private key

    • Web app/site checks with users’ public key


  12. How it works
    • Registration

    User signs up for a new service: email, username etc…

    • Authentication

    With my email/username and my passkeys

    • Re-authentication

    In case of sensitive transactions


  13. Registration
    (& Browser & OS)
    1. I want to sign up
    2. Send me your public key
    3. Create a Passkeys for SPKeyM
    4. Face ID & create a Passkeys
    5. Sync private key (Cloud Account)
    5. Here is your public key
    6. Here is my public key and username
    7. Your sign up is completed


  14. Authentication
    (& Browser & OS)
    1. I want to sign in
    2. Please sign this data
    3. Sign this data with SPKeyM Passkeys
    4. Face ID & create signature with private key
    5. Here is my signature
    6. Here is my digital signature
    7. Signature is valid! You are authenticated


  15. Some interesting things
    • Sites don’t store “critical auth” information

    What if the DB of mysite.com gets leaked?

    • The private key is either in your device and/or synced with your Cloud
    Account (Apple, Google, Microsoft…)

    Good luck trying to break into their systems!

    • Unique per site, by design

    • Strong, by design

    • (“BUT”) Your browser, OS, and device now do “critical auth” things!
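
    The registration and authentication sequences from the two previous slides, and the "sites don't store critical auth information" point above, as an added Ruby example. This is not code from the talk or from the webauthn-ruby gem: it uses plain OpenSSL ES256 (P-256 with SHA-256, the algorithm passkeys commonly use) and leaves out the real WebAuthn encodings (CBOR, attestation objects, authenticatorData, clientDataJSON). The names `PasskeyDemo`, `Authenticator`, `RelyingParty`, the user `helio` and the look-alike domain `mysite-login.example` are constructed for the example; `mysite.com` is the site name used on the slide.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added illustration of the challenge-based flow on the Registration and Authentication
# slides. Not code from the talk or the webauthn-ruby gem: plain OpenSSL ES256 (P-256 +
# SHA-256) without the real WebAuthn encodings (CBOR, authenticatorData, clientDataJSON).
module PasskeyDemo
  # What gets signed: hash of the relying party ID plus the fresh challenge. WebAuthn
  # binds the same two things (rpIdHash, challenge); that binding is the phishing resistance.
  def self.signed_data(rp_id, challenge)
    Digest::SHA256.digest(rp_id) + challenge
  end

  # Public half of a key pair as PEM: all the site ever receives.
  def self.public_pem(key)
    return key.public_to_pem if key.respond_to?(:public_to_pem) # openssl gem >= 3.0
    pub = OpenSSL::PKey::EC.new(key.group)                        # older gems
    pub.public_key = key.public_key
    pub.to_pem
  end

  # Device side (user + browser + OS in the slides): holds the private keys.
  class Authenticator
    def initialize
      @keys = {} # rp_id => private key: a separate pair per site, by design
    end

    # Registration steps 3-4: create a passkey scoped to rp_id, return only the public key.
    def register(rp_id)
      @keys[rp_id] = OpenSSL::PKey::EC.generate('prime256v1')
      PasskeyDemo.public_pem(@keys[rp_id])
    end

    def credential?(rp_id)
      @keys.key?(rp_id)
    end

    # Authentication step 4: after the biometric unlock (assumed to have passed here),
    # sign the challenge with the key that belongs to *this* rp_id.
    def sign(rp_id, challenge)
      @keys.fetch(rp_id).sign(OpenSSL::Digest.new('SHA256'),
                              PasskeyDemo.signed_data(rp_id, challenge))
    end
  end

  # Site side: stores public keys only, so a leaked DB yields nothing that can sign.
  class RelyingParty
    attr_reader :rp_id
    def initialize(rp_id)
      @rp_id = rp_id
      @users = {}   # username => public key PEM
      @pending = {} # username => outstanding single-use challenge
    end

    def register(username, public_key_pem)
      @users[username] = public_key_pem
    end

    # Authentication step 2: hand out a fresh random challenge.
    def start_login(username)
      @pending[username] = SecureRandom.random_bytes(32)
    end

    # Step 7: verify against the stored public key. The challenge is consumed either
    # way, so a captured signature is useless a second time.
    def finish_login(username, signature)
      challenge = @pending.delete(username)
      pem = @users[username]
      return false if challenge.nil? || pem.nil?
      OpenSSL::PKey::EC.new(pem).verify(OpenSSL::Digest.new('SHA256'), signature,
                                        PasskeyDemo.signed_data(rp_id, challenge))
    rescue OpenSSL::PKey::PKeyError
      false
    end
  end

  # Walks through the scenarios from the slides and returns the outcomes.
  def self.run
    device = Authenticator.new
    site = RelyingParty.new('mysite.com') # site name taken from the slides
    site.register('helio', device.register('mysite.com'))
    challenge = site.start_login('helio')
    signature = device.sign('mysite.com', challenge)
    results = { login: site.finish_login('helio', signature) }
    # Replaying the captured signature fails: the challenge was consumed.
    results[:replay] = site.finish_login('helio', signature)
    # A look-alike domain (constructed name) is a different rp_id: the device has no
    # passkey for it, so there is nothing it could sign for a phishing page.
    results[:lookalike_has_credential] = device.credential?('mysite-login.example')
    # An attacker holding the leaked public key can only sign with a key of their own.
    attacker = OpenSSL::PKey::EC.generate('prime256v1')
    forged = attacker.sign(OpenSSL::Digest.new('SHA256'),
                           signed_data('mysite.com', site.start_login('helio')))
    results[:forged] = site.finish_login('helio', forged)
    results
  end
end
```

    Calling `PasskeyDemo.run` returns `{login: true, replay: false, lookalike_has_credential: false, forged: false}`: the genuine login verifies, the same signature is rejected on replay because the challenge was single-use, the look-alike domain has no credential to sign with, and a signature made with anything other than the registered private key fails against the stored public key. The real gem adds origin and rpId checks, counters, attestation and the CBOR/JSON encodings on top of exactly this core.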


  16. Demo time!


  17. The fluffy stuff
    Passkeys are:

    • Intuitive

    • Automatically unique per site

    • Breach resistant

    • Phishing resistant (and protected with device biometrics)


  18. And there is more
    • Discoverable vs Non-discoverable

    • Device bound passkeys

    • Autofill UI

    • Cross-Device Authentication (CDA)

    • Roaming Authenticator

    • User Presence (UP) and User Verification (UV)

    • User-Verifying Roaming Authenticator

    • And there is more…

    Source: https://passkeys.dev/docs/reference/terms


  19. Why
    • Passwords are difficult and time consuming to manage

    • The most common passwords are easy to guess
    Source: https://nordpass.com/most-common-passwords-list/



  20. Why
    And also all these other things:

    • Authenticator apps

    • SMS OTP

    • Email code

    • Magic links


  21. Hello Ruby!
    Passkeys 🤝 Ruby


  22. Hello Ruby!
    The trailblazers:

    • Gonzalo and Braulio from CedarCode: https://www.cedarcode.com

    • Petr Hlavicka: https://petr.codes

    • Thomas Cannon: https://thomascannon.me


  23. CedarCode
    • Web Agency based in Uruguay

    • Authors of webauthn-ruby gem

    Source: https://github.com/cedarcode/webauthn-ruby/blob/master/webauthn.gemspec
    Gonzalo Rodriguez, Braulio Martinez


  24. webauthn-ruby gem
    • Gonzalo released V0.0.0 on May 9th, 2018

    • And so was webauthn-rails-demo-app

    It is live: https://webauthn.cedarcode.com/

    • Latest release is v3.0.0, in February 2023


  25. Petr Hlavicka
    • Petr is a Ruby on Rails developer

    Can be found at: https://petr.codes/

    • In 2021, he wrote an article:

    “Multi-Factor Authentication for Rails With WebAuthn and Devise”

    Originally published at the HoneyBadger.io blog: https://www.honeybadger.io/blog/multi-

    Companion Rails app: https://github.com/CiTroNaK/webauthn-with-devise


  26. Thomas Cannon
    • Creator of Ruby-Passkeys GitHub Org


    Can be found at: https://thomascannon.me/

    • And the creator of gems:

    warden-webauthn (v0.3.0)

    devise-passkeys (v0.3.0)

    • And Rails template app “devise-passkeys-template”


  27. Future of Passkeys


  28. This is it folks!
    • Thank y’all for your time and your attention

    • Thank you to all organizers and sponsors of RubyConfTH

    • If you have any question ==> find me here today…

    • Or in the internet ==> https://ruby.social/@hacrods
