
The world of Passkeys 🤝🏽 Ruby

Helio Cola
October 08, 2023


Can you recall a world without having to remember passwords? If Passkeys becomes widely available, that world is a few steps away in our future. Instead of remembering passwords, we will use our biometrics, already available in our phones, laptops, and desktops, and public key encryption!
To a future with no passwords!



Transcript

  1. Hi!
     Hi, I am Helio Cola!
     • ~22 years developing SW
     • ~12 years since I started working with RoR
     • ==> https://hac-rods.me/
     • ==> https://ruby.social/@hacrods

  2. Agenda
     • What, Who, Why
     • The Passkeys Iceberg!
     • How it works
     • Some interesting things
     • Some fluffy stuff
     • 🤝 Ruby!

  3. Before I start
     Raise your hand…
     • if you’ve heard about Passkeys before
     • if you read anything about it
     • if you set Passkeys on your GitHub account
  4. What are Passkeys
     • Are a replacement for passwords
     • It is part of a web authentication standard
     • It is a public/private key pair used for challenge based authentication
     • It uses public key cryptography (invented in the 1970s)
     • Sometimes it is protected by your device biometrics
     • Sometimes it is discoverable

  5. What are Passkeys
     A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked with biometrics.
     Source: https://passkeys.dev/docs/intro/what-are-passkeys/

  6. Who
     • Passkeys is part of the WebAuthn standard
     • Created by W3C and FIDO
     • By folks from: Nok Nok Labs, Microsoft, PayPal, Google…
     • And others like: Mozilla, Yubico, Apple, Qualcomm, Cisco…
     • And many others…

  7. Who
     • First version of Web Authentication API was published in May 2016
     • Created by folks from: Nok Nok Labs, Microsoft, PayPal, and Google
     Source: https://www.w3.org/TR/2016/WD-webauthn-20160531/

  8. The Passkeys Iceberg
     (Slide shows an iceberg diagram with “This talk” at the tip, surrounded by these terms:)
     CTAP1, UAF, U2F, FIDO2, Apple iCloud, Microsoft Hello, Google, CDA, Cli, DPK, WebAuthn, Passkeys, RP, UV, UP, UVRA, CDA Auth, FIDO, W3C, CTAP2
     • 1970s: Public key cryptography
     • 2016: W3C: A Web API for accessing scoped credentials
  9. To remember
     Passkey is a public and private key pair, protected by your device biometrics, used for a challenge based authentication

  10. What is Passkey
     “Passkey is a public and private key pair”
     • A private and public key, used to encrypt and decrypt data
     • A core concept of public key encryption
     “protected by your device biometrics”
     • To use it, your device will first use its biometrics
     “used for a challenge based authentication”
     • User is asked to sign with private key
     • Web app/site checks with user’s public key

  11. How it works
     • Registration: User signs up for a new service: email, username etc…
     • Authentication: With my email/username and my passkeys
     • Re-authentication: In case of sensitive transactions
  12. Registration
     Parties: spkeym.com, User (& Browser & OS), Cloud Acc
     1. I want to sign up
     2. Send me your public key
     3. Create a Passkeys for SPKeyM
     4. Face ID & create a Passkeys
     5. Sync private key
     5. Here is your public key
     6. Here is my public key and username
     7. Your sign up is completed

  13. Authentication
     Parties: spkeym.com, User (& Browser & OS)
     1. I want to sign in
     2. Please sign this data
     3. Sign this data with SPKeyM Passkeys
     4. Face ID & create signature with private key
     5. Here is my signature
     6. Here is my digital signature
     7. Signature is valid! You are authenticated
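The two sequence diagrams above (registration, then challenge-based authentication) can be walked through in plain Ruby. The following is an added example, not code from the talk or from the webauthn-ruby gem; it uses only the standard library’s OpenSSL to model the site (the relying party, spkeym.com from the slides) and the user’s device (the authenticator). The username “helio”, the look-alike domain spkeyrn.com, and the class and method names are assumptions made for illustration. Real WebAuthn also carries client data JSON, an origin check, attestation and CBOR encoding; those are left out to keep the three security properties visible: the site stores only a public key, every challenge is single-use, and a key pair is bound to the site it was created for.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Both sides sign/verify the same byte string: SHA-256 of the site's RP ID
# followed by the site's one-time challenge. Binding the RP ID into the signed
# data is what makes a signature for one site worthless on another.
def signed_data(rp_id, challenge)
  Digest::SHA256.digest(rp_id) + challenge
end

# The site (spkeym.com in the slides). It stores only public keys, so a leaked
# database yields nothing that can produce a valid signature.
class RelyingParty
  attr_reader :rp_id

  def initialize(rp_id)
    @rp_id = rp_id
    @users = {}    # username => { credential_id:, public_key_pem:, sign_count: }
    @pending = {}  # username => outstanding challenge (consumed on first use)
  end

  # Slide 13 step 2: "Please sign this data". Fresh random bytes every time.
  def new_challenge(username)
    @pending[username] = SecureRandom.random_bytes(32)
  end

  # Slide 12 steps 6-7: remember the public key and credential id for this user.
  def register(username, credential_id, public_key_pem)
    @users[username] = { credential_id: credential_id,
                         public_key_pem: public_key_pem, sign_count: 0 }
    :registered
  end

  # Slide 13 step 7: check the signature against the stored public key.
  # Returns a symbol naming the first check that failed, or :authenticated.
  def authenticate(username, assertion)
    challenge = @pending.delete(username)   # one-shot: a replayed assertion finds none
    return :no_challenge unless challenge
    user = @users[username]
    return :unknown_user unless user
    return :wrong_credential unless assertion[:credential_id] == user[:credential_id]
    return :wrong_rp unless assertion[:rp_id] == rp_id
    public_key = OpenSSL::PKey.read(user[:public_key_pem])
    signed = signed_data(assertion[:rp_id], challenge)
    return :bad_signature unless public_key.verify('SHA256', assertion[:signature], signed)
    # A counter that does not increase suggests a cloned private key.
    return :counter_rollback unless assertion[:sign_count] > user[:sign_count]
    user[:sign_count] = assertion[:sign_count]
    :authenticated
  end
end

# The user's device (browser/OS/authenticator). Keys are scoped to the RP ID
# they were created for, and the private half never leaves this object.
class Authenticator
  def initialize
    @credentials = {} # [rp_id, username] => { id:, key:, count: }
  end

  # Slide 12 steps 3-5: create a P-256 key pair for this site (the "Face ID"
  # step is where user verification would happen; omitted here) and hand back
  # only the public half.
  def create(rp_id, username)
    key = OpenSSL::PKey::EC.generate('prime256v1')
    credential_id = SecureRandom.hex(16)
    @credentials[[rp_id, username]] = { id: credential_id, key: key, count: 0 }
    { credential_id: credential_id, public_key_pem: key.public_to_pem }
  end

  # Slide 13 steps 3-5: sign the site's challenge with the key made for that
  # site. A look-alike domain has no credential here and gets nil.
  def get(rp_id, username, challenge)
    cred = @credentials[[rp_id, username]]
    return nil unless cred
    cred[:count] += 1
    { credential_id: cred[:id], rp_id: rp_id, sign_count: cred[:count],
      signature: cred[:key].sign('SHA256', signed_data(rp_id, challenge)) }
  end
end

# Runs registration, a login, two replay attempts and a look-alike-site
# request, returning each outcome so the results can be inspected.
def run_flows
  site = RelyingParty.new('spkeym.com')
  device = Authenticator.new
  results = {}

  # Registration (slide 12)
  cred = device.create(site.rp_id, 'helio')
  results[:register] = site.register('helio', cred[:credential_id], cred[:public_key_pem])

  # Authentication (slide 13)
  challenge = site.new_challenge('helio')
  assertion = device.get(site.rp_id, 'helio', challenge)
  results[:login] = site.authenticate('helio', assertion)

  # Replaying the captured assertion: the challenge was already consumed...
  results[:replay] = site.authenticate('helio', assertion)
  # ...and it does not match a newly issued one either.
  site.new_challenge('helio')
  results[:replay_new_challenge] = site.authenticate('helio', assertion)

  # A look-alike domain (constructed) asks the device to sign: no credential exists for it.
  results[:lookalike] = device.get('spkeyrn.com', 'helio', site.new_challenge('helio'))
  results
end

puts run_flows.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the outcome of each step: the first login succeeds, both replays are rejected, and the look-alike domain gets no signature at all. A Rails application would not hand-roll this; it would use the webauthn-ruby gem the talk introduces later, which performs these checks plus the origin, attestation and encoding handling omitted here.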
  14. Some interesting things
     • Sites don’t store “critical auth” information
       What if the DB of mysite.com gets leaked?
     • The private key is either in your device and/or synced with your Cloud Account (Apple, Google, Microsoft…)
       Good luck trying to break into their systems!
     • Unique per site, by design
     • Strong, by design
     • (“BUT”) Your browser, OS, and device now do “critical auth” things!

  15. The fluffy stuff
     Passkeys are:
     • Intuitive
     • Automatically unique per site
     • Breach resistant
     • Phishing resistant (and protected with device biometrics)

  16. And there is more
     • Discoverable vs Non-discoverable
     • Device bound passkeys
     • Autofill UI
     • Cross-Device Authentication (CDA)
     • Roaming Authenticator
     • User Presence (UP) and User Verification (UV)
     • User-Verifying Roaming Authenticator
     • And there is more…
     Source: https://passkeys.dev/docs/reference/terms
  17. Why
     • Passwords are difficult and time consuming to manage
     • The most common passwords are easy to guess
     Source: https://nordpass.com/most-common-passwords-list/
     https://s1.nordcdn.com/nord/misc/0.55.0/nordpass/200-most-common-passwords-en.pdf

  18. Why
     And also all these other things:
     • Authenticator apps
     • SMS OTP
     • Email code
     • Magic links
  19. Hello Ruby!
     The trailblazers:
     • Gonzalo and Braulio from CedarCode: https://www.cedarcode.com
     • Petr Hlavicka: https://petr.codes
     • Thomas Cannon: https://thomascannon.me

  20. CedarCode
     • Web Agency based in Uruguay
     • Authors of webauthn-ruby gem
     Source: https://github.com/cedarcode/webauthn-ruby/blob/master/webauthn.gemspec
     Gonzalo Rodriguez, Braulio Martinez

  21. webauthn-ruby gem
     • Gonzalo released V0.0.0 on May 9th, 2018
     • And so was webauthn-rails-demo-app. It is live: https://webauthn.cedarcode.com/
     • Latest release is v3.0.0, in February 2023

  22. Petr Hlavicka
     • Petr is a Ruby on Rails developer. Can be found at: https://petr.codes/
     • In 2021, he wrote an article: “Multi-Factor Authentication for Rails With WebAuthn and Devise”
       Originally published at the HoneyBadger.io blog: https://www.honeybadger.io/blog/multi-factor-2fa-authentication-rails-webauthn-devise/
       Companion Rails app: https://github.com/CiTroNaK/webauthn-with-devise

  23. Thomas Cannon
     • Creator of Ruby-Passkeys GitHub Org https://github.com/ruby-passkeys
     • Can be found at: https://thomascannon.me/
     • And the creator of gems: warden-webauthn (v0.3.0), devise-passkeys (v0.3.0)
     • And Rails template app “devise-passkeys-template”
  24. This is it folks!
     • Thank y’all for your time and your attention
     • Thank you to all organizers and sponsors of RubyConfTH
     • If you have any question ==> find me here today…
     • Or in the internet ==> https://ruby.social/@hacrods