
Is the Passwordless Era Here? A First Look at the FIDO Authentication Standard (無密碼時代來臨 ? 初探 FIDO 驗證標準)

Marcus
October 18, 2022


Passwords have always been something people love and hate. As the online world grows more complex, the demands on password complexity and security keep rising, and security vendors regularly report new credential leaks. Users who reuse the same username and password for convenience have suffered countless financial losses once those credentials are cracked. Is there a better and safer way to solve this long-standing problem?
Passwordless authentication has been discussed more and more in recent years. On this year's World Password Day, Google, Microsoft and Apple jointly announced that they will support FIDO (Fast IDentity Online) authentication. Why did the big technology companies choose FIDO for online identity verification? How does it actually achieve passwordless login? How can mobile devices support it? In this session I plan to share:
1. What FIDO is
2. Principles and characteristics
3. The next step for FIDO


Transcript

  1. [slide 2] AGENDA
     Passwordless era: ○ The little things about passwords ○ Authentication vs. authorization
     FIDO: ○ Principles and characteristics ○ Authentication flow
     Take Away: ○ Summary
  2. [slide 3] I'm Marcus
     ▸ Engineer focused on backend development
     ▸ Enjoys attending technical courses and conferences to pick up new knowledge
     ▸ Shares what he learns on his blog and Facebook fan page
     Hello! Blog: m@rcus 學習筆記  Fb: fan page
  3. [slide 6] Number of sites deemed dangerous by Google Safe Browsing (2007 - 2019)
     Problem: Password Authentication
  4. [slide 7] Number of sites deemed dangerous by Google Safe Browsing (2007 - 2019)
     Is your password complex enough?
  5. [slide 12] Example: "Open Sesame" (from the film 大話西遊, A Chinese Odyssey)
     ○ 至尊寶 says "open sesame" to the door
     ○ The door checks whether the passphrase is correct
     ○ The door opens or stays closed
     Diagram labels: Subject, Object, Request, Logic / Rule (Policy / Rule), Verification result. Reference link
  6. [slide 17] Passwords suck
     "Those who do not learn from history are doomed to repeat it." That seems to be the case, as we have continued to see poor password practices as one of the leading causes of data breaches dating back to 2009.
     82% of breaches involved the human element, including social attacks, errors and misuse. 13% increase in ransomware breaches, more than in the last 5 years combined.
     Strong Authentication? Reference link
  7. [slide 21] What is FIDO?
     ○ FIDO Alliance ○ Fast IDentity Online ○ Simpler, stronger authentication
     ○ FIDO2 ○ Standards ○ CTAP + WebAuthn ○ Online authentication using public key cryptography
  8. [slide 25] How does FIDO2 work?
     User (device owner) --User Verification--> Device (authenticator) --FIDO Protocol--> RP Server (web server)
  9. [slide 26] High level architecture
     Authenticator types: • Platform (internal) authenticator • External authenticator
     Communication: • WebAuthn (browser/platform to RP server) • CTAP (client platform to external authenticator)
     Relying Party: • Service leveraging FIDO authentication • RP App Server • FIDO Server • Metadata
  10. [slide 30] "The Web Authentication API is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography." - Wikipedia
  11. [slide 32] WebAuthn
     ○ Specification by W3C (World Wide Web Consortium) and the FIDO Alliance
     ○ Enables passwordless authentication between servers and browsers
     ○ The authenticator creates a private/public key pair per credential, identified by a random credential ID; the private key never leaves the authenticator
     ○ Users are registered and authenticated with the public key (public key cryptography)
  12. [slide 33] WebAuthn API
     ○ Fast IDentity Online ○ Online authentication using public key cryptography ○ Security key ○ CTAP + WebAuthn. Reference link
  13. [slide 34] How does FIDO2 work?
     User --User Verification--> Device --WebAuthn--> RP Server: Registration & Authentication
  14. [slide 40] What makes FIDO2 different
     ○ Strong online authentication
     ○ Scoped (isolated): a credential is bound to the relying party's domain, so it cannot be used from a phishing site
     ○ Multi-factor authentication
     ○ Browser and platform support
  15. [slide 54] Thank You! { MOPCON。Everyone } Does anyone have any questions?
      Marcus 的學習筆記 / marcus tung. Reference link list