Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PassKeys and WebAuthN: What you want to know

Jeroen Leenarts (AppForce1)
June 15, 2022
Programming
0
480

PassKeys and WebAuthN: What you want to know

PassKeys are pitched by Apple as the next best thing for account security. But did you know it has been in essence been around for a couple years? And is in fact an implementation of WebAuthN.

In my talk I show you some basics about WebAuthN and PassKeys to help you get started.

More info here
https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn
https://webauthn.io/
https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/

Jeroen Leenarts (AppForce1)

June 15, 2022
Tweet

More Decks by Jeroen Leenarts (AppForce1)

See All by Jeroen Leenarts (AppForce1)
Building a Vapor Swift backend integration with authentication and authorization
jeroenleenarts
0
460
The developer’s manual: working with and managing software developers
jeroenleenarts
0
30
Being a Lead Software Developer
jeroenleenarts
1
280
SECONDARY SKILLS AS A DEVELOPER
jeroenleenarts
0
820
Try Swift intro
jeroenleenarts
0
12
Micro Frameworks: What, why and how?
jeroenleenarts
0
19
mDevcon 2015: See the time on your wrist
jeroenleenarts
0
120
A inspirational presentation at a company's hackathon
jeroenleenarts
0
92
Secure Coding practices
jeroenleenarts
0
690

Other Decks in Programming

See All in Programming
How to send distibuted traces to Datadog using build own OpenTelemetry-Lambda distribution
aereal
3
120
エンジニアが開発生産性を上げるためにやる最初の一歩
ktchiroyah
0
130
開発生産性の観点から考える自動テスト(2024/06版) / Automated Test Knowledge from Savanna 202406 Findy dev-prod-con edition
twada
PRO
14
6.3k
自分好みの TS バンドラを Rust で作れる!Deno の内部ライブラリの活用 – Denoで変わるランタイムの景色 実践事例 Lunch LT
pizzacat83
4
540
5分でわかるExplicitly Built Modules
giginet
PRO
0
170
アプリケーションをリプレイスしたら チームとサービス運用に向き合えた
kazatohiei
1
320
過去や未来を扱うのは難しい? 過去と未来に立ち向かうための勘所
shinpeim
2
430
iOS 開発で便利なツールたち
mitsuharu
0
140
30分でわかるつくって、壊して、直して学ぶ Kubernetes入門
aoi1
6
780
Secure Development with PHP
dbrumann
2
180
デプロイ・QA・Four keys を自動化×見える化する freee の統合デリバリー基盤
akito0922
1
360
Breaking the Ceiling: Scaling Your Impact at the Staff-Plus Level (InfoQ-DevSummit-Boston)
thiagoghisi
0
130

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
119
18k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
The Cult of Friendly URLs
andyhume
74
5.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
399
65k
Building an army of robots
kneath
300
42k
StorybookのUI Testing Handbookを読んだ
zakiyama
14
4.8k
A designer walks into a library…
pauljervisheath
201
24k
Docker and Python
trallard
36
2.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
42
4.7k
jQuery: Nuts, Bolts and Bling
dougneiner
60
7.3k
Designing with Data
zakiwarfel
96
4.9k

Transcript

  1. G E T S T R E A M .

    I O PassKeys and WebAuthN What you want to know

  2. G E T S T R E A M .

    I O Jeroen Leenarts • iOS Developer Relations Lead • Podcast: AppForce1 • Book: Being a Lead Developer • Over 20 years of experience

  3. G E T S T R E A M .

    I O Why talk about PassKeys and WebAuthN?

  4. G E T S T R E A M .

    I O Stream Chat • The #1 Chat API for Custom Messaging Apps. • Add fast, real-time messaging to your application in days • Free trial available, no credit card required .N ET SD K too

  5. G E T S T R E A M .

    I O Trusted by many companies

  6. G E T S T R E A M .

    I O What you want to know about WebAuthN and Passkeys

  7. G E T S T R E A M .

    I O •Based on industry standards for account authentication •Passkeys are easier to use than passwords and far more secure. •Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required. PassKeys, Apple’s pitch

  8. G E T S T R E A M .

    I O •Based on FIDO Alliance and W3C standards ◦ WebAuthN •With Apple sauce to streamline usage Sounds great, but what is it?

  9. G E T S T R E A M .

    I O •Since iOS 15 ◦ Passkeys sync through iCloud Keychain •With iOS 16 ◦ Sharable through Apple handoff ◦ QR-code based local handshake for off device authentication What Apple adds to WebAuthN

  10. G E T S T R E A M .

    I O •The relying party ◦ Service provider that wants to authenticate users •The authenticator ◦ A PassKey in the KeyChain or other a secure token •The web browser or app ◦ acts as the channel between the relying party and authenticator •The user ◦ Has to affirmatively interact with the authenticator to prove physical presence. WebAuthN requires 4 parties

  11. G E T S T R E A M .

    I O •Enrollment ◦ Basically the registration of the user and secure element with your service ◦ Allows for attestation of the secure element •Assertion ◦ Login by proving a user has access to the secure element Two phases

  12. G E T S T R E A M .

    I O •Roaming Authenticators ◦ Discrete device ▪ Yubikey or a Google Titan key. ▪ USB, Bluetooth or RFID link, enabling a web browser to communicate with the device. •Virtual Authenticators ◦ Pure software ▪ Private keys in a database that likely doesn’t reside in secure hardware. ▪ Often have some security drawbacks •Platform Authenticators ◦ Built into a device. ▪ Apple’s Secure Enclave ▪ Convenient, but bound to a particular device • Device loss or reset will destroy the keys • PassKeys turns the Secure Enclave into a Secure Virtual Authenticator WebAuthN Authenticator flavours

  13. G E T S T R E A M .

    I O •I do not have the QR code bits working yet ◦ Apple is very sparse on their server side example ▪ ( There is none) •Tim Condon did create a quick Vapor based implementation ◦ Unvetted, unreviewed, only for play right now •Other parties online have amazing login examples ◦ Auth0, WebAuthN, Yubico, etc My current knowledge on the topic

  14. G E T S T R E A M .

    I O A quick demo https://webauthn.io/

  15. G E T S T R E A M .

    I O •Vapor is working on a Swift based implementation •Once available I will add it to Stream’s Vapor integration project Great, now show me some Swift

  16. G E T S T R E A M .

    I O I can show you something already though https://webauthn.io/

  17. G E T S T R E A M .

    I O Work in progress, still need to get to the iOS bits

  18. G E T S T R E A M .

    I O •Too early to tell •Signs are good •It is all based on industry standards •Google, Apple, Microsoft and many others are onboard Are WebAuthN and PassKeys a thing or not?

  19. G E T S T R E A M .

    I O •Beyond Swift many integrations are already available ◦ Go, Python, PHP, etc, etc… •DUO Security and Yubico have been a big drivers of FIDO and WebAuthN adoption Are WebAuthN and PassKeys a thing or not?

  20. G E T S T R E A M .

    I O •How to transition your logins between iOS and Android? ◦ We don’t really want a lockin on our credentials right? ◦ FIDO has something in the works for this Still some questions remain

  21. G E T S T R E A M .

    I O Questions?

  22. G E T S T R E A M .

    I O Thank You.

  23. G E T S T R E A M .

    I O https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn https://webauthn.io/ https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/ More info here