
PassKeys and WebAuthN: What you want to know

PassKeys are pitched by Apple as the next best thing for account security. But did you know it has in essence been around for a couple of years, and is in fact an implementation of WebAuthN?

In my talk I show you some basics about WebAuthN and PassKeys to help you get started.

More info here
https://developer.apple.com/passkeys/
https://developer.apple.com/videos/play/wwdc2022/10092/
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
https://support.apple.com/en-us/HT213305
https://en.wikipedia.org/wiki/WebAuthn
https://webauthn.io/
https://webauthn.me/
https://www.yubico.com/authentication-standards/webauthn/
https://oauth.net/webauthn/


Transcript

  1. GETSTREAM.IO
    PassKeys and WebAuthN
    What you want to know

  2. Jeroen Leenarts
    ● iOS Developer Relations Lead
    ● Podcast: AppForce1
    ● Book: Being a Lead Developer
    ● Over 20 years of experience

  3. Why talk about PassKeys and WebAuthN?

  4. Stream Chat
    ● The #1 Chat API for Custom Messaging Apps.
    ● Add fast, real-time messaging to your application in days
    ● Free trial available, no credit card required
    (.NET SDK too)

  5. Trusted by many companies

  6. What you want to know about WebAuthN and Passkeys

  7. PassKeys, Apple's pitch
    ● Based on industry standards for account authentication
    ● Passkeys are easier to use than passwords and far more secure.
    ● Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required.

  8. Sounds great, but what is it?
    ● Based on FIDO Alliance and W3C standards
    ○ WebAuthN
    ● With Apple sauce to streamline usage

  9. What Apple adds to WebAuthN
    ● Since iOS 15
    ○ Passkeys sync through iCloud Keychain
    ● With iOS 16
    ○ Sharable through Apple handoff
    ○ QR-code based local handshake for signing in on a device that does not hold the passkey (cross-device authentication)

  10. WebAuthN requires 4 parties
    ● The relying party
    ○ The service provider that wants to authenticate users, identified by its RP ID (normally the site's domain)
    ● The authenticator
    ○ A PassKey in the Keychain or another secure token; it holds the private key and signs the challenges it is given
    ● The web browser or app
    ○ Acts as the channel between the relying party and the authenticator, and records the origin it is actually talking to, which is what makes the scheme phishing-resistant
    ● The user
    ○ Has to affirmatively interact with the authenticator (touch, Touch ID/Face ID, PIN) to prove physical presence, and optionally to verify their identity

  11. Two phases
    ● Enrollment (registration)
    ○ Basically the registration of the user and secure element with your service: the authenticator creates a fresh key pair for this relying party, and the service stores the public key and credential ID against the user
    ○ Allows for attestation of the secure element, so the service can check what kind of authenticator produced the key
    ● Assertion
    ○ Login: the service sends a random challenge, the authenticator signs it together with the client data, and the service verifies the signature with the stored public key, proving the user has access to the secure element

  12. WebAuthN Authenticator flavours
    ● Roaming Authenticators
    ○ Discrete device
    ■ Yubikey or a Google Titan key
    ■ USB, Bluetooth or NFC link, enabling a web browser to communicate with the device
    ● Virtual Authenticators
    ○ Pure software
    ■ Private keys in a database that likely doesn't reside in secure hardware
    ■ Often have some security drawbacks: the key material can be copied, so it is only as safe as the software protecting it
    ● Platform Authenticators
    ○ Built into a device
    ■ Apple's Secure Enclave
    ■ Convenient, but bound to a particular device
    ● Device loss or reset will destroy the keys
    ● PassKeys turn the platform authenticator into a secure virtual authenticator: the credential syncs through iCloud Keychain, so it survives device loss, while using it still requires the device's biometric or passcode

  13. My current knowledge on the topic
    ● I do not have the QR code bits working yet
    ○ Apple is very sparse on their server side example (there is none)
    ● Tim Condon did create a quick Vapor based implementation
    ○ Unvetted, unreviewed, only for play right now
    ● Other parties online have amazing login examples
    ○ Auth0, WebAuthN, Yubico, etc.

  14. A quick demo
    https://webauthn.io/

  15. Great, now show me some Swift
    ● Vapor is working on a Swift-based implementation
    ● Once available I will add it to Stream's Vapor integration project

  16. I can show you something already though
    https://webauthn.io/

  17. Work in progress, still need to get to the iOS bits

  18. Are WebAuthN and PassKeys a thing or not?
    ● Too early to tell
    ● Signs are good
    ● It is all based on industry standards
    ● Google, Apple, Microsoft and many others are onboard

  19. Are WebAuthN and PassKeys a thing or not?
    ● Beyond Swift many integrations are already available
    ○ Go, Python, PHP, etc.
    ● DUO Security and Yubico have been big drivers of FIDO and WebAuthN adoption

  20. Still some questions remain
    ● How to transition your logins between iOS and Android?
    ○ We don't really want lock-in on our credentials, right?
    ○ FIDO has something in the works for this

  21. Questions?

  22. Thank You.

  23. More info here (the links listed in the description above)