
Is the passwordless era here? A first look at the FIDO authentication standard

Marcus
October 18, 2022


Passwords have always been something people both love and hate. As the online world grows more complex, the demands on password complexity and security keep rising, and security vendors regularly publish news of password leaks. Users who reuse the same credentials for convenience have had them cracked, causing countless financial losses. Is there a better and safer way to solve this long-standing problem?
Passwordless authentication has been discussed more and more in recent years. On this year's World Password Day, Google, Microsoft and Apple issued a joint statement that they will support the FIDO (Fast Identity Online) authentication approach. Why are the tech giants choosing FIDO online identity authentication? How does it actually achieve passwordless login under the hood? How can mobile devices support it? In this session I plan to share with you:
1. What FIDO is
2. Principles and properties
3. FIDO's next step


Transcript

  1. Is the passwordless era here? A first look at the FIDO authentication standard. Marcus @ MOPCON 2022

  2. AGENDA
    The passwordless era ○ A few things about passwords ○ Authentication vs. authorization
    FIDO ○ Principles and properties ○ The authentication flow
    Take Away ○ Summary
  3. Hello! I'm Marcus ▸ an engineer focused on back-end development ▸ I like taking technical courses and attending
    conferences to pick up new knowledge ▸ I share what I learn on my Blog & Facebook fan page.
    Blog: m@rcus 學習筆記 (Marcus's study notes). Fb: fan page
  4. • Slides and reference links are provided • Any questions? Feel free to get in touch after the talk

  5. Section 1: The passwordless era (Passwordless)

  6. Problem: Password Authentication
    [chart: Number of sites deemed dangerous by Google Safe Browsing (2007 - 2019)]
  7. Is your password complex enough?
    [chart: Number of sites deemed dangerous by Google Safe Browsing (2007 - 2019)]
  8. Password complexity: 123456, 1qaz2wsx, !QAZ2wsx, 5TF-RSX- gcw-bMg@

  9. How do we authenticate?

  10. Authentication != Authorization: who you are vs. what you are allowed to do

  11. Example: "Open Sesame" (from the film A Chinese Odyssey)
    ○ Zhi Zun Bao says "open sesame" to the door (subject, target, request)
    ○ The door checks whether the passphrase is correct (logic, policy / rule)
    ○ The door opens or stays closed (verification result)
  12. Authentication: Something you know, Something you have, Something you are
  13. Common authentication methods: password, Single sign-on, Two-factor authentication, SMS OTP, TOTP,
    Push Notifications, Biometrics
  14. But is it really secure?

  15. evilginx2

  16. “Those who do not learn from history are doomed to repeat it.” That seems to be the case, as we have
    continued to see poor password practices as one of the leading causes of data breaches dating back to 2009.
    Passwords suck: 82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse.
    13% increase in Ransomware breaches—more than in the last 5 years combined. Strong Authentication?
  17. Section 2: FIDO principles and flow

  18. What's FIDO?

  19. What is FIDO? ○ FIDO Alliance ○ Fast IDentity Online ○ Simpler, stronger authentication ○ FIDO2
    ○ Standards ○ CTAP + WebAuthn ○ Online authentication using public key cryptography
  20. FIDO History

  21. Three Standards of FIDO

  22. U2F: Universal Second Factor. UAF: Universal Authentication Framework. FIDO2: Fast IDentity Online
  23. How does FIDO2 work?
    User (Device owner) --User Verification--> Device (Authenticator) --FIDO Protocol--> RP Server (Web Server)
  24. High level architecture (diagram): WebAuthn, Authenticator, RP Server, Internal Authenticator,
    External Authenticator, CTAP, RP App Server, FIDO Server, Metadata
    Authenticator types • Platform authenticator • External authenticator
    Communication • WebAuthn • CTAP
    Relying Party • Service leveraging FIDO authentication
  25. What's WebAuthn?

  26. “The Web Authentication API is a core component of the FIDO2 Project under the guidance of the FIDO
    Alliance. The goal of the project is to standardize an interface for authenticating users to web-based
    applications and services using public-key cryptography.” - Wikipedia
  27. WebAuthn ○ Specification by W3C (World Wide Web Consortium) and FIDO ○ Enables password-less authentication
    between servers and browsers ○ Creates a private/public key pair (random + credential ID)
    ○ Registers and authenticates users using the public key (public key cryptography; the credential)
  28. WebAuthn API ○ Fast IDentity Online ○ Online authentication using public key cryptography ○ Security key
    ○ CTAP + WebAuthn
  29. How does FIDO2 work?
    User --User Verification--> Device --WebAuthn--> RP Server: Registration & Authentication
  30. Client Registration (flow diagram)

  31. Client Authentication (flow diagram)

  32. Demo: WebAuthn.me

  33. What makes FIDO2 different?

  34. What makes FIDO2 different ○ Strong online authentication ○ Scoped (isolated) ○ Multi-factor authentication
    ○ Browser and platform support
  35. Strong Authentication: password-based vs. password-less (diagram: Authentication / Verification)

  36. Scoped: a credential registered for Sample.com cannot be used on evil-sample.com
    (WebAuthn + CTAP, a scoped protocol)
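Slides 30, 31 and 36 describe the registration and authentication ceremonies and the "scoped" property. The Go program below is an added example (not part of Marcus's talk and not FIDO Alliance or W3C code) that models both sides in miniature: a software authenticator that keeps one P-256 key per rpId, and a relying party that checks the challenge, the origin the browser recorded, the rpIdHash and the signature before accepting a login. The rpId sample.com, the origins, and the simplified authenticatorData layout are assumptions for the example; real WebAuthn exchanges CBOR attestation objects, COSE keys and credential IDs, which this omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the clientDataJSON fields the relying party (RP) must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// credential is what the RP stores after registration; PubKey is bound to RPID (the "scoped" property).
type credential struct {
	PubKey *ecdsa.PublicKey
	RPID   string
}

// assertion is the authenticator's answer: Signature covers AuthData || SHA-256(ClientDataJSON).
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }
// authenticator is a constructed software authenticator holding one P-256 key per rpId.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register is the registration ceremony: a fresh key pair per rpId; only the public half leaves.
func (a *authenticator) register(rpId string) (credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return credential{}, err
	}
	a.keys[rpId] = priv
	return credential{PubKey: &priv.PublicKey, RPID: rpId}, nil
}

// sign is the authenticator side of authentication; the browser, not the page, sets origin in clientDataJSON.
func (a *authenticator) sign(rpId, origin string, challenge []byte) (assertion, error) {
	priv, ok := a.keys[rpId]
	if !ok {
		return assertion{}, errors.New("no credential registered for " + rpId)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin, // plain strings: cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	rpHash := sha256.Sum256([]byte(rpId))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || signCount = 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify is the RP side: type, challenge (anti-replay), origin and rpIdHash (scoping), then the signature.
func verify(cred credential, expectedOrigin string, challenge []byte, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type " + cd.Type)
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch: " + cd.Origin)
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(cred.PubKey, msg[:], as.Signature):
		return errors.New("invalid signature")
	}
	return nil
}

// login runs one authentication ceremony end to end and reports whether the RP accepted it.
func login(auth *authenticator, cred credential, origin string, challenge []byte) bool {
	as, err := auth.sign(cred.RPID, origin, challenge)
	return err == nil && verify(cred, "https://"+cred.RPID, challenge, as) == nil
}

func main() {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	cred, err := auth.register("sample.com")
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32) // the RP issues a fresh random challenge per ceremony
	rand.Read(challenge)          // documented never to fail on Go 1.24+; check err on older toolchains
	// A real browser refuses to use a sample.com credential from evil-sample.com at all;
	// even if it did not, the origin it recorded in clientDataJSON fails the RP's check.
	fmt.Println("genuine login accepted:", login(auth, cred, "https://sample.com", challenge))
	fmt.Println("look-alike origin accepted:", login(auth, cred, "https://evil-sample.com", challenge))
}
```

The order of checks in verify matters less than their presence: the challenge check is what stops a captured assertion from being replayed, and the origin and rpIdHash checks are what make the credential "scoped", which is the property the slide contrasts with a password that works wherever it is typed.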
  37. Multi-factor Authentication: Something you have + (Something you know OR Something you are)
  38. Browser & platform support

  39. Using WebAuthn: webauthn.io

  40. Using WebAuthn by Yubico

  41. "Coding feels great for a moment; debugging is hell" by Ant

  42. Hype Driven Development

  43. Section 3: Takeaway (Summary)

  44.

  45. Thank You! { MOPCON。Everyone } Does anyone have any questions?
    Marcus 的學習筆記 (Marcus's study notes) · marcus tung · Reference link list