Passkeys. The Why, The What, The How

Transcript

1. Passkeys Tim Condon @0xTim The Why, The What, The How

2. Passkeys @0xTim - brokenhands.io Introduction • Founder of Broken Hands

   • Vapor Core Team • SSWG and SWWG Member • Organise ServerSide.swift, NSManchester, Vapor London • @0xTim

3. Why

4. Authentication

5. I’d like to borrow this book please Sure, who are

   you? My name is Tim Can you prove who you are? Here is my ID

6. Authentication != Authorisation

7. I’d like to borrow this book please Let me check

   you are allowed to I’m from the iOS course Sorry, this book is only for law students

8. I’d like to borrow this book please Sure, who are

   you? My name is Tim Can you prove who you are? Here is my ID
9. None

10. Passkeys @0xTim - brokenhands.io Tim Condon @0xTim +447700 900234 [email protected]

    93.241.27.131

11. Proving Identity

12. Passkeys @0xTim - brokenhands.io Tim Condon

13. Passkeys @0xTim - brokenhands.io

14. Why Passwords?

15. None
16. None
17. None
18. None

19. However

20. password qwerty password123 123456 password1 123456789 00000 iloveyou qwerty123 admin

21. None
22. None
23. None
24. None
25. None
26. None
27. None

28. Securing Accounts

29. Passkeys @0xTim - brokenhands.io bcrypt Argon2 PBKDF2

30. None

31. 2FA

32. Passkeys @0xTim - brokenhands.io Something you know Password Security question

    PIN number Memorable Word Something you have RSA Token Authenticator App SMS App Approval Email account Security Key Something you are FaceID TouchID Iris scanner Heartbeat analysis

33. Passkeys @0xTim - brokenhands.io

34. None
35. None
36. None

37. www.google.com www.goog1e.com Credentials 2FA Code Access Token Phishing Attack

38. None
39. None

40. Passkeys

41. What

42. None

43. FIDO Alliance “Passkeys are a replacement for passwords that provide

    faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing- resistant.”
44. None
45. None
46. None
47. None

48. Crypto (The Useful One)

49. Asymmetric Cryptography Symmetric Cryptography

50. Passkeys @0xTim - brokenhands.io Private Key Public Key 13*17 221

    Asymmetric Cryptography

51. Passkeys @0xTim - brokenhands.io Private Key Public Key 35742549198872617291353508656626642567 *

    27644437 9.8808264955×10⁴⁴ ✅ ❌ 🔑 🔒

52. Passkeys @0xTim - brokenhands.io Plaintext Cipher Text Plaintext 🔒 🔑

    Encryption

53. Passkeys @0xTim - brokenhands.io Message 🔑 Signature Veri fi cation

    ✅ Signature Message Signature Message 🔒

54. Passkeys

55. Registration

56. I’d like to register please! Sure send me a public

    key! Let me create a key pair OK, here’s the public key 🔒 Ok let me verify that Ok, all looks good 👍, I’ll save that with your username Great, I’ll save the private key with the domain

57. Logging In

58. I’d like to sign in please! Ok here’s a challenge

    for you to sign Let me create a signature using my private key OK, here’s the signature ✍ Ok let me verify that with
 the public key I have Ok, all looks good 👍,
 you’re signed in Let me ask the user to
 authorise and I’ll check the
 domain

59. Advantages

60. None
61. None
62. None
63. None

64. Public Key === Public

65. 5DB443D39783C16EBEF04 E0DED27BAEFBF054BD196 57E6E4FF1ED21010205A6E My Public Key For Google

66. How

67. None

68. Server

69. https://webauthn.guide/

70. https://github.com/swift-server/webauthn-swift

71. import AuthenticationServices

72. class AccountManager: NSObject, ASAuthorizationControllerPresentationContextProviding, ASAuthorizationControllerDelegate { // … }

73. func authorizationController( controller: ASAuthorizationController, didCompleteWithError error: Error) { // Handle

    the error case }

74. iOS Registration

75. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: domain) let challenge = try

    await getChallengeFromServer() let platformKeyRequest = publicKeyCredentialProvider .createCredentialRegistrationRequest( challenge: challenge, name: "Tim Condon", userID: userID)

76. let authController = ASAuthorizationController( authorizationRequests: [ platformKeyRequest ] ) authController.delegate

    = self authController.presentationContextProvider = self authController.performRequests()

77. func authorizationController( controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) { switch authorization.credential

    { case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration: // Send public key to the server try completeRegistration( data: credentialRegistration.rawAttestationObject) // User has been registered didFinishSignIn() case let credentialAssertion as ASAuthorizationPlatformPublicKeyCredentialAssertion: // Log in default: // Handle } }

78. Server Registration

79. // step 1 for registration authSessionRoutes.get("makeCredential") { req -> PublicKeyCredentialCreationOptions

    in let options = req.webAuthn.beginRegistration(user: userObject) // Store challenge req.session.data["registrationChallenge"] = Data(options.challenge).base64EncodedString() return options }

80. // step 2 for registration authSessionRoutes.post("makeCredential") { req -> HTTPStatus

    in // Get the user to register and challenge let (user, challenge) = try req.retrieveRegistrationDataFromSession() // Verify the credential the client sent us let credential = try await req.webAuthn.finishRegistration( challenge: challenge, credentialCreationData: req.content.decode(RegistrationCredential.self), confirmCredentialIDNotRegisteredYet: { credentialID in let existingCredential = try await WebAuthnCredential .query(on: req.db).filter(\.$id == credentialID).first() return existingCredential == nil } ) try await WebAuthnCredential( from: credential, userID: user.requireID()).save(on: req.db) return .ok }

81. iOS Login

82. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: domain) let challenge = try

    await getChallengeFromServer() let platformKeyRequest = publicKeyCredentialProvider .createCredentialAssertionRequest( challenge: challenge)

83. let authController = ASAuthorizationController( authorizationRequests: [ platformKeyRequest ] ) authController.delegate

    = self authController.presentationContextProvider = self authController.performRequests()

84. func authorizationController( controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) { switch authorization.credential

    { case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration: // Registration case let credentialAssertion as ASAuthorizationPlatformPublicKeyCredentialAssertion: try completeLogIn( signature: credentialAssertion.signature, userID: credentialAssertion.userID, data: credentialAssertion.rawClientDataJSON) default: // Handle } }

85. Server Login

86. // step 1 for authentication authSessionRoutes.get("authenticate") { req -> PublicKeyCredentialRequestOptions

    in let options = try req.webAuthn.beginAuthentication() req.session.data["authChallenge"] = Data(options.challenge).base64EncodedString() return options }

87. // step 2 for authentication authSessionRoutes.post("authenticate") { req -> HTTPStatus

    in // Obtain the challenge we stored on the server for this session let challenge = try req.getAuthChallenge() // Decode the credential the client sent us let authenticationCredential = try req.content.decode(AuthenticationCredential.self) // find the credential the stranger claims to possess guard let credential = try await WebAuthnCredential .query(on: req.db) .filter(\.$id == authenticationCredential.id.urlDecoded.asString()) .with(\.$user).first() else { throw Abort(.unauthorized) } // … }

88. // step 2 for authentication continued authSessionRoutes.post("authenticate") { req ->

    HTTPStatus in // ... let verifiedAuthentication = try req.webAuthn.finishAuthentication( credential: authenticationCredential, expectedChallenge: [UInt8](challenge), credentialPublicKey: [UInt8](URLEncodedBase64(credential.publicKey) .urlDecoded.decoded!), credentialCurrentSignCount: credential.currentSignCount ) // if we successfully verified the user, update the sign count credential.currentSignCount = verifiedAuthentication.newSignCount try await credential.save(on: req.db) // finally authenticate the user req.auth.login(credential.user) return .ok }

89. Resources

90. https://demo.passkeys.brokenhands.io/

91. https://www.passkeycentral.org

92. https://developer.apple.com/videos/play/wwdc2022/10092/

93. https://developers.google.com/identity/passkeys

94. Thank you! @0xTim

95. Questions? @0xTim