Slide 1

Slide 1 text

Use Cases of 'Passkey' and the Challenges in UX
(Japanese title: Introducing deployment examples of "passkeys" that can be used across various use cases, and explaining the UX challenges)
Ryo Ito (@ritou)
DroidKaigi 2023 (2023/09/15 15:00-15:40)

Slide 2

Slide 2 text

Ryo Ito (@ritou)
• Engineer at MIXI, Inc.
• Evangelist at OpenID Foundation Japan

Slide 3

Slide 3 text

Today's GOAL: to understand
• The overview of Passkey
• Two typical use cases of Passkey and their required features
• UX challenges when introducing Passkey into consumer services
• The relationship between Passkey and ID Federation

Slide 4

Slide 4 text

Overview

Slide 5

Slide 5 text

Rough Overview of User Authentication
• Password authentication is vulnerable
  • Generation of hard-to-guess strings
  • Memorization of multiple passwords
  • Countermeasures against phishing
  • Risks of leaks from services and secondary damage
• Passkey authentication solves these challenges

Slide 6

Slide 6 text

The Current Status of User Authentication
• Human-managed credential management is vulnerable
• System-managed credential management is required
• Use of a password manager solves most problems, but it's difficult to make it mandatory
• Passkey assumes system-managed credential management and can enforce it on users

Slide 7

Slide 7 text

FIDO, FIDO2, Passkey
• FIDO
  • Security using public key cryptography
  • Usability using local authentication

Slide 9

Slide 9 text

FIDO, FIDO2, Passkey
• FIDO2
  • WebAuthn API + CTAP for web applications
  • Phishing resistance through browser mediation

Slide 10

Slide 10 text

FIDO, FIDO2, Passkey
• Passkey: FIDO credentials for password-less authentication
  • Device-bound credentials + multi-device credentials
    • Device-bound: security key, platform authenticator without key synchronization
    • Platform authenticator with key synchronization in a platform account
    • External password manager

Slide 12

Slide 12 text

Passkey on 1Password

Slide 13

Slide 13 text

Use Cases

Slide 14

Slide 14 text

Use Cases
• SignIn: primary or optional authentication method
• Re-Authentication

Slide 15

Slide 15 text

Identifier-first SignIn @ Yahoo! JAPAN

Slide 16

Slide 16 text

Identifier-first SignIn
• The service first identifies the user, then requests Passkey authentication if a Passkey is available for that user
• Note that having a Passkey registered does not mean that the Passkey is available on the current device

Slide 17

Slide 17 text

One-button SignIn @ GitHub

Slide 18

Slide 18 text

One-button SignIn
• When the user clicks the button, the service requests authentication with an available Passkey
• In the browser dialog, the user selects a Passkey to use, or uses another device's Passkey

Slide 19

Slide 19 text

Autofill (Conditional UI) @ MIXI M

Slide 20

Slide 20 text

Autofill (Conditional UI) @ Money Forward ID

Slide 21

Slide 21 text

Autofill (Conditional UI)
• The browser displays the available Passkeys near the HTML input form (or when the input is focused), and the user selects one of them or uses another device's Passkey
• The Passkey is offered with the same UX as password suggestions from a password manager
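The three sign-in patterns on the preceding slides (identifier-first, one-button, and Conditional UI) differ only in how the RP builds the WebAuthn request. The builder below is an added example, not code from the talk or from any of the services shown; the pattern names, the 120-second timeout and the `transports` hint are assumptions of this example.

```javascript
// Added example (not from the talk): one builder for the three sign-in
// patterns on the slides. The result is what the RP's page passes to
// navigator.credentials.get(); the builder is pure, so it also runs in Node.

// base64url (as the RP stores credential ids) -> bytes the WebAuthn API expects.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// pattern: 'identifier-first' | 'one-button' | 'conditional-ui'
// challenge: fresh random bytes from the server, one per ceremony
// credentialIds: the identified user's registered passkey ids (identifier-first only)
function buildSignInRequest(pattern, { challenge, rpId, credentialIds = [] }) {
  const publicKey = {
    challenge,
    rpId,
    userVerification: 'required', // passkey = possession + local authentication
    timeout: 120000,
    allowCredentials: [],
  };
  switch (pattern) {
    case 'identifier-first':
      // The RP already knows the user, so it restricts the ceremony to that
      // user's registered keys. Registered is not the same as available on
      // this device (slide 16), so the UI still needs a fallback path.
      publicKey.allowCredentials = credentialIds.map((id) => ({
        type: 'public-key',
        id: base64urlToBytes(id),
        transports: ['internal', 'hybrid'], // platform authenticator or nearby phone
      }));
      return { publicKey };
    case 'one-button':
      // Empty allowCredentials: the browser's modal lists every discoverable
      // passkey for this rpId, plus the "use another device" option.
      return { publicKey };
    case 'conditional-ui':
      // Same discoverable request, but non-modal: the browser offers passkeys
      // in the autofill dropdown of <input autocomplete="username webauthn">.
      return { publicKey, mediation: 'conditional' };
    default:
      throw new Error(`unknown sign-in pattern: ${pattern}`);
  }
}

// Feature check the RP runs before choosing Conditional UI over the button.
async function conditionalUiAvailable(PKC = globalThis.PublicKeyCredential) {
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== 'function') return false;
  return PKC.isConditionalMediationAvailable();
}
```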

Slide 22

Slide 22 text

Hybrid transport @ MIXI M

Slide 23

Slide 23 text

Hybrid transport
• If the device requesting authentication and a nearby mobile device are connected via BLE, the mobile device's Passkey can be used
• A UX that requires repeated hybrid flows is a poor experience. It is also important to seamlessly prompt for Passkey registration on each device

Slide 25

Slide 25 text

Re-Authentication @ MIXI M, GitHub

Slide 26

Slide 26 text

Re-Authentication
• To protect specific services
  • Credential management
  • Personal information management
  • Payment services
• Fine-tuned session management
  • Expired session
  • High-risk environment
  • Credential updated in another session
  • Low AAL (Authentication Assurance Level)
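The triggers on the slide can be encoded as an RP-side session policy: a request is allowed, or it names the reason a fresh Passkey assertion is required. This is an added example, not code from the talk; the session/account shape, the 0.8 risk threshold, the 5-minute freshness window, the one-hour extension and treating a user-verified passkey assertion as AAL2 are assumptions of this example.

```javascript
// Added example (not from the talk): an RP session policy that encodes the
// re-authentication triggers on the slide. Field names and thresholds are
// assumptions; plug in your own session store and risk engine.

const PROTECTED_ACTIONS = new Set(['credential.manage', 'profile.edit', 'payment']);
const FRESHNESS_MS = 5 * 60 * 1000;  // how recent an authentication must be for a protected action
const HIGH_RISK = 0.8;               // risk engine score at or above which we re-verify

// Returns null when the session may proceed, otherwise the reason to re-authenticate.
// session: { authenticatedAtMs, expiresAtMs, aal, credentialVersion }
// account: { credentialVersion }  env: { riskScore }
function reauthReason({ session, account, env, action, nowMs }) {
  if (nowMs >= session.expiresAtMs) return 'expired-session';
  if (env.riskScore >= HIGH_RISK) return 'high-risk-environment';
  // A credential change elsewhere (passkey revoked, password reset, ...) bumps
  // account.credentialVersion; sessions created before it must prove themselves again.
  if (session.credentialVersion !== account.credentialVersion) return 'credential-updated-elsewhere';
  if (PROTECTED_ACTIONS.has(action)) {
    if (session.aal < 2) return 'low-aal';
    if (nowMs - session.authenticatedAtMs > FRESHNESS_MS) return 'stale-authentication';
  }
  return null;
}

// Apply a successful passkey assertion. uvFlag is the user-verified bit from
// the authenticator data the RP verified server-side; without UV the assertion
// only proved possession, so it does not raise the session to AAL2 here.
function applyPasskeyReauth(session, account, nowMs, uvFlag) {
  return {
    ...session,
    authenticatedAtMs: nowMs,
    aal: uvFlag ? 2 : Math.max(session.aal, 1),
    credentialVersion: account.credentialVersion,
    expiresAtMs: Math.max(session.expiresAtMs, nowMs + 60 * 60 * 1000), // extend by one hour (assumption)
  };
}
```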

Slide 27

Slide 27 text

Related Features
• SignIn
  • Passkey registration promotion after a successful non-Passkey login
• SignUp
  • Create account with Passkey
• Credential Management
  • Promote Passkey
  • Create, Update (Passkey's name), Revoke
• Account Recovery
  • Passkey registration promotion after recovery via password

Slide 28

Slide 28 text

Passkey for Native App

Slide 29

Slide 29 text

Native Support or Web Application integration
• Native Support
  • Utilizing functions/libraries provided for app developers by each platform
    • https://developer.android.com/training/sign-in/passkeys
  • Native apps can provide a similar UX using the same credentials as web apps
    • https://developer.android.com/design/ui/mobile/guides/patterns/passkeys
• Web Application integration
  • Requesting Passkey authentication in the web browser
  • Dependent on browser usage patterns and support status

Slide 30

Slide 30 text

Android & Passkey: SignUp

Slide 31

Slide 31 text

Android & Passkey: SignIn

Slide 32

Slide 32 text

Android & Passkey: Credential Management

Slide 33

Slide 33 text

Android & Passkey: Account Recovery

Slide 35

Slide 35 text

Challenges of Passkey

Slide 36

Slide 36 text

Challenges for registration
• User verification at Passkey registration
• More seamless Passkey registration is required (for example, Google automatically generates a passkey when you log in to your Android device)

Slide 37

Slide 37 text

Challenges for Authentication
• Unfriendly error screen: "No passkey available."
  • It is the RP, not the user, that needs this error
• One-way hybrid transport
• A fallback authentication method is required
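The "No passkey available" problem comes from surfacing the WebAuthn error to the user as-is. The wrapper below is an added example, not code from the talk: it classifies the failure of `navigator.credentials.get()` into a UI decision with a fallback, and aborts a background Conditional UI request before the one-button modal starts. `credentials` stands for `navigator.credentials` and `buildRequest` for the RP's request builder, both injected so the logic can be run without a browser; the messages and action names are assumptions.

```javascript
// Added example (not from the talk): RP-side handling of a failed
// navigator.credentials.get(), so the user is guided to a fallback instead of
// a dead-end "No passkey available" screen.

// Turn the DOMException into a UI decision. The browser deliberately does not
// tell the RP whether the user cancelled, timed out, or simply had no matching
// passkey: all three surface as NotAllowedError, so the RP must offer a way on.
function classifyGetFailure(err) {
  switch (err && err.name) {
    case 'NotAllowedError':
      return { action: 'offer-fallback', message: 'Use a password, a code, or a passkey on another device.' };
    case 'AbortError':
      // Cancelled by our own AbortController (see below): nothing to show.
      return { action: 'ignore' };
    case 'SecurityError':
      // rpId does not match the origin: a deployment bug to report, not a user problem.
      return { action: 'report-config-error' };
    default:
      return { action: 'offer-fallback', message: 'Passkey sign-in failed. Try another method.' };
  }
}

// Resolve to the assertion on success, or to a classified failure (never reject).
async function requestAssertion(credentials, request, signal) {
  try {
    return { ok: true, credential: await credentials.get({ ...request, signal }) };
  } catch (err) {
    return { ok: false, ...classifyGetFailure(err) };
  }
}

// Conditional UI runs in the background from page load; pressing the passkey
// button must abort it first, because only one WebAuthn request can be pending.
function createSignInController(credentials, buildRequest) {
  let pending = null;
  const start = (pattern) => {
    if (pending) pending.abort();
    pending = new AbortController();
    return requestAssertion(credentials, buildRequest(pattern), pending.signal);
  };
  return {
    startConditional: () => start('conditional-ui'),
    clickPasskeyButton: () => start('one-button'),
  };
}
```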

Slide 38

Slide 38 text

Challenges for Recovery
• Best practices for Passkey recovery
• Registering two Passkeys is difficult
• Self-recovery through eKYC and ID Federation

Slide 39

Slide 39 text

Challenges for Credential Management
• Deleting and updating Passkeys in sync between the authenticator and the RP
• Unavailable Passkeys listed in autofill
• Username not synchronized

Slide 40

Slide 40 text

Passkey and ID Federation

Slide 41

Slide 41 text

Features of ID Federation
• Simplified new account registration
• Achieves a single-sign-on-like user experience (UX) in authentication
• Shares attribute information of the IdP account (such as profile information, email, etc.) with the Relying Party (RP) under appropriate consent

Slide 42

Slide 42 text

Weaknesses of ID Federation
• Services and users who do not want to use a specific IdP, and who wish to avoid the privacy issues that could arise from consolidating identities
• Impact when the IdP account is unavailable (due to outages or an account ban)
• Re-authentication requirements are defined in the specifications, but are rarely implemented by consumer-facing (toC) IdPs

Slide 43

Slide 43 text

Passkey without ID Federation
• Implementing secure and convenient authentication equivalent to an IdP's
• Avoiding privacy issues by not integrating with an IdP

Slide 44

Slide 44 text

Passkey @ Identity Provider
• Protecting high-value accounts
• Providing security and convenience to RPs (plural: every federated RP benefits)

Slide 45

Slide 45 text

Passkey @ Relying Party
• Applying Passkeys to the weaknesses of ID Federation
  • Alternative measures when Federation is unavailable
  • Re-authentication
• Applying ID Federation to the weaknesses of Passkeys
  • Federation with platform accounts as a recovery method for Passkeys

Slide 47

Slide 47 text

Conclusion

Slide 48

Slide 48 text

Overview
Passkey is a mechanism that allows users to manage their FIDO credentials through the system. It offers the security of public key cryptography along with the convenience of local authentication, and it is evolving to support cross-device and cross-platform use.

Slide 49

Slide 49 text

Use Cases
• For the sign-in UX, the service needs to choose from several patterns to match its existing sign-in UX.
• Passkey can be used for re-authentication to protect specific functions and for fine-tuned session management.

Slide 50

Slide 50 text

Challenges of Passkey
• For Passkey to be widely adopted, it needs to be easier and less stressful to register.
• For users who are not familiar with Passkey, it's essential to reduce error messages and guide them toward fallback options or recovery methods.
• Information that might change, like usernames, should be updated simultaneously in both the RP and the authenticator, and unnecessary Passkeys should be deleted at the same time.

Slide 51

Slide 51 text

Passkey and ID Federation
• An IdP can increase the security and convenience of federated RPs by using Passkey.
• An RP combines ID Federation and Passkey to compensate for each other's weaknesses.

Slide 52

Slide 52 text

Any Questions? Ask the speaker or mention @ritou on X