無密碼時代來臨 ? 初探 FIDO 驗證標準

Transcript

1. 無密碼時代來臨 ? 初探 FIDO 驗證標準 Marcus @ MOPCON 2022

2. AGENDA 2 無密碼時代 ￮ Password 的那些小事 ￮ 驗證與授權 FIDO ￮

   原理與特性 ￮ 驗證流程 Take Away ￮ 總結

3. 3 I’m Marcus ▸ 專注在後端開發的工程師 ▸ 喜歡上技術課程 / 研討會吸收新知識 ▸

   分享學習技術於 Blog & fb 粉絲團 Hello! Blog : m@rcus 學習筆記 Fb : 粉絲團

4. 4 • 提供投影片、參考資料連結 • 有任何問題，歡迎會後聯繫討論

5. 無密碼時代 Passwordless 1

6. 6 Number of sites deemed dangerous by Google Safe Browsing

   (2007 - 2019) Problem Password Authentication

7. 7 Number of sites deemed dangerous by Google Safe Browsing

   (2007 - 2019) 你的密碼 複雜 嗎 ?

8. 9 123456 1qaz2wsx !QAZ2wsx 5TF-RSX- gcw-bMg@ 密碼複雜度

9. 10 我們如何 驗證 ?

10. “ != 11 你是誰 可以做什麼 Authorization Authentication

11. 舉例 : 芝麻開門 ￮ 至尊寶 對 門 說 芝麻開門 ￮

    判斷通關密語是否正確 ￮ 開啟 / 關閉 大話西遊 12 主體 對象 請求 邏輯 規範 (Policy / Rule) 驗證結果 Reference link

12. 13 Authentication Something you know Something you have Something you

    are

13. 14 常見驗證方式 password Single sign-on Two-factor authentication SMS OTP TOTP

    Push Notifications Biometrics

14. 15 真的 安全 嗎 ? Reference link

15. 16 evilginx2 Reference link

16. “those who do not learn from history are doomed to

    repeat it.” That seems to be the case, as we have continued to see poor password practices as one of the leading causes of data breaches dating back to 2009. ” . 17 Passwords suck 82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse. 13% increase in Ransomware breaches—more than in the last 5 years combined. Strong Authentication ? Reference link

17. FIDO 原理與流程 2

18. “ What’s FIDO ? 20

19. 21 What is FIDO ? ￮ FIDO alliance ￮ Fast

    IDentity Online ￮ Simpler、stronger authentication ￮ FIDO2 ￮ Standards ￮ CTAP + WebAuthN ￮ Online authentication using public key cryptography

20. 22 FIDO History Reference link

21. 23 Three Standards of FIDO

22. 24 U2FUniversal Second Factor UAF Universal Authentication Framework FIDO2 Fast

    IDentity Online Reference link

23. 25 How does FIDO2 work ? User Verification FIDO Protocol

    User (Device owner) Device (Authenticator) RP Server (Web Server)

24. 26 High level architecture WebAuthn Authenticator RP Server Internal Authenticator

    External Authenticator CTAP RP App Server FIDO Server Metadata WebAuthn Authenticator types • Platform authenticator • External authenticator Communication • WebAuthn • CTAP Relying Party • Service leveraging FIDO authentication

25. 27 What’s WebAuthN ?

26. “ ￮ The Web Authentication API is a core component

    of the FIDO2 Project under the guidance of the FIDO Alliance The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. 30 - wikipedia

27. 32 WebAuthN ￮ Specification by W3C and FIDO ￮ Enable

    password-less authentication between servers, browsers ￮ Create a private-public keypair (Random + credential ID) ￮ Register and authenticate users using public key Private/public Key Public Key Cryptography World Wide Web Consortium Credential

28. 33 WebAuthN API ￮ Fast IDentity Online ￮ Online authentication

    using public key cryptography ￮ Security key ￮ CTAP + WebAuthn Reference link

29. 34 How does fido2 work ? User Verification WebAuthn User

    Device RP Server Registration & Authentication

30. 35 Client Registration 3 4 5 Reference link Reference link

31. 36 Client Authentication 3 4 Reference link Reference link

32. 37 Demo : WebAutnN.me

33. “ What makes FIDO2 difference ? 39

34. 40 What makes FIDO2 difference ￮ Strong online Authentication ￮

    Scoped (isolated) ￮ Multi-factor authentication ￮ Browser and platform support

35. 41 Strong Authentication Password Password-less Authentication / Verification Authentication Verification

36. 42 Sample.com Sample.com evil - sample.com cannot be used WebAuthn

    CTAP Scoped Protocol

37. Multi-factor Authentication 43 Something you have Something you know Something

    you are + OR

38. 44 Browser & platform support

39. 47 Using WebAuthn webauthn.io

40. 48 Using WebAuthN by yubico Reference link

41. 49 開發一時爽，除錯火葬場 by Ant

42. 50 Hype Driven Development Reference link

43. Takeaway 總結 3

44. 53

45. 54 Thank You ! { MOPCON。Everyone } Does anyone have

    any questions? Marcus 的學習筆記 marcus tung Reference Link list