The world of Passkeys 🤝🏽 Ruby

Transcript

1. The world of Passkeys 🤝 Ruby Helio Cola https://hac-rods.me

2. Hi! Hi, I am Helio Cola! • ~22 years developing

   SW • ~12 years since I started working with RoR • ==> https://hac-rods.me/ • ==> https://ruby.social/@hacrods _______________

3. Agenda • What, Who, Why • The Passkeys Iceberg! •

   How it works • Some interesting things • Some f lu ff y stu ff • 🤝 Ruby! _______________

4. Before I start Raise your hand… • if you’ve heard

   about Passkeys before • if you read anything about it • if you set Passkeys on your GitHub account _______________

5. What are Passkeys • Are a replacement for passwords •

   It is part of a web authentication standard • It is a public/private key pair used for challenge based authentication • It is uses public key cryptography (invented in the 1970s) • Sometimes it is protected by your device biometrics • Sometimes it is discoverable _______________

6. What are Passkeys A password is something that can be

   remembered and typed, and a passkey is a secret stored on one’s devices, unlocked with biometrics. _______________ Source: https://passkeys.dev/docs/intro/what-are-passkeys/

7. Who • Passkeys is part of the WebAuthn standard •

   Created by W3C and FIDO • By folks from: Nok Nok Labs, Microsoft, PayPal, Google… • And others like: Mozilla, Yubico, Apple, Qualcomm, Cisco… • And many others… _______________

8. Who • First version of Web Authentication API was published

   in May 2016 • Created by folks from: Nok Nok Labs, Microsoft, PayPal, and Google Source: https://www.w3.org/TR/2016/WD-webauthn-20160531/ _______________

9. The Passkeys Iceberg This talk CTAP1 UAF U2F FIDO2 Apple

   iCloud Microsoft Hello Google CDA Cli DPK WebAuthn Passkeys RP UV UP UVRA CDA Auth FIDO W3C CTAP2 1970s Public key cryptography 2016: W3C: A Web API for accessing scoped credentials _______________

10. To remember Passkey is a public and private key pair,

    protected by your device biometrics, used for a challenge based authentication _______________

11. What is Passkey _______________ “Passkey is a public and private

    key pair” • A private and public key, used to encrypt and decrepit data • A core concept of public key encryption “protected by your device biometrics” • To use it, your device will f irst use its biometrics “used for a challenge based authentication” • User is asked to sign with private key • Web app/site checks with users’ public key

12. How it works _______________ • Registration User sign up for

    a new service: email, username etc… • Authentication With my email/username and my passkeys • Re-authentication In case of sensitive transactions

13. Registration _______________ spkeym.com User (& Browser & OS) 1. I

    want to sign up 2. Send me your public key 3. Create a Passkeys for SPKeyM Cloud Acc 4. Face ID & create a Passkeys 5. Sync private key 5. Here is your public key 6. Here is my public key and username 7. Your sign up is completed

14. Authentication _______________ spkeym.com User (& Browser & OS) 1. I

    want to sign in 2. Please sign this data 3. Sign this data with SPKeyM Passkeys 4. Face ID & create signature with private key 5. Here is my signature 6. Here is my digital signature 7. Signature is valid! You are authenticated

15. Some interesting things _______________ • Sites don’t store “critical auth”

    information What if the DB of mysite.com gets leaked? • The private key is either in your device and/or synced with your Cloud Account (Apple, Google, Microsoft…) Good luck trying to break into their systems! • Unique per site, by design • Strong, by design • (“BUT”) Your browser, OS, and device now do “critical auth” things!

16. Demo time! _______________

17. The fl uffy stuff Passkeys are: • Intuitive • Automatically

    unique per site • Breach resistant • Phishing resistant (and protected with device biometrics) _______________

18. And there is more • Discoverable vs Non-discoverable • Device

    bound passkeys • Auto f ill UI • Cross-Device Authentication (CDA) • Roaming Authenticator • User Presence (UP) and User Veri f ication (UV) • User-Verifying Roaming Authenticator • And there is more… Source: https://passkeys.dev/docs/reference/terms _______________

19. Why • Passwords are di ff icult and time consuming

    to manage • The most common password are easy to guess Source: https://nordpass.com/most-common-passwords-list/ https://s1.nordcdn.com/nord/misc/0.55.0/nordpass/200-most-common-passwords-en.pdf _______________

20. Why And also all this other things: • Authenticator apps

    • SMS OTP • Email code • Magic links _______________

21. Hello Ruby! Passkeys 🤝 Ruby

22. Hello Ruby! The trailblazers: • Gonzalo and Braulio from CedarCode:

    https://www.cedarcode.com • Petr Hlavicka: https://petr.codes • Thomas Cannon: https://thomascannon.me _______________

23. CedarCode • Web Agency based in Uruguay • Authors of

    webauthn-ruby gem Source: https://github.com/cedarcode/webauthn-ruby/blob/master/webauthn.gemspec Gonzalo Rodriguez Braulio Martinez _______________

24. webauthn-ruby gem • Gonzalo released V0.0.0 on May, 9th 2018

    • And so was webauthn-rails-demo-app It is live: https://webauthn.cedarcode.com/ • Latest release is v3.0.0, in February, 2023 _______________

25. Petr Hlavicka • Petr is a Ruby on Rails developer

    Can be found at: https://petr.codes/ • In 2021, he wrote an article: “Multi-Factor Authentication for Rails With WebAuthn and Devise” Originally published at HoneyBagder.io blog: https://www.honeybadger.io/blog/multi- factor-2fa-authentication-rails-webauthn-devise/ Companion Rails app: https://github.com/CiTroNaK/webauthn-with-devise _______________

26. Thomas Cannon • Creator of Ruby-Passkeys GitHub Org https://github.com/ruby-passkeys Can

    be found at: https://thomascannon.me/ • And the creator of gems: warden-webauthn (v0.3.0) devise-passkeys (v0.3.0) • And Rails template app “devise-passkeys-template” _______________

27. Future of Passkeys _______________

28. This is it folks! _______________ • Thank y’all for your

    time and your attention • Thank you to all organizers and sponsors of RubyConfTH • If you have any question ==> f ind me here today… • Or in the internet ==> https://ruby.social/@hacrods