Slide 1
Slide 1 text
Use Cases of 'Passkey' and
the Challenges in UX
༷ʑͳϢʔεέʔεʹར༻Ͱ͖Δ "ύεΩʔ" ͷ
ಋೖࣄྫͷհͱUXͷ՝ղઆ
Ryo Ito (@ritou)
DroidKaigi 2023ʢ2023/09/15 15:00-15:40ʣ
Slide 2
Slide 2 text
Ryo Ito (@ritou)
• Engineer at MIXI, Inc.
• Evangelist at OpenID Foundation Japan
2
Slide 3
Slide 3 text
Today’s GOAL
To understand:
• The overview of Passkey
• Two typical use cases of Passkey and their required features
• UX challenges when introducing Passkey into consumer services
• The relationship between Passkey and ID Federation
3
Slide 4
Slide 4 text
Overview
Slide 5
Slide 5 text
Rough Overview of User Authentication
• Password authentication is vulnerable
• Generation of hard-to-guess strings
• Memorization of multiple passwords
• Countermeasures against phishing
• Risks of leaks from services and secondary damage
• Passkey authentication solves these challenges
5
Slide 6
Slide 6 text
The Current Status of User Authentication
• Human-managed credential management is vulnerable
• System-managed credential management is required
• Use of a password manager solves most problems, but it's dif
fi
cult
to make it mandatory
• Passkey assumes system-managed credential management and
can enforce it on users
6
Slide 7
Slide 7 text
FIDO, FIDO2, Passkey
• FIDO
• Security Using Public Key Cryptography
• Usability Using Local Authentication
7
Slide 8
Slide 8 text
FIDO, FIDO2, Passkey
• FIDO
• Security Using Public Key Cryptography
• Usability Using Local Authentication
8
Slide 9
Slide 9 text
FIDO, FIDO2, Passkey
• FIDO2
• WebAuthn API + CTAP for Web Application
• Phishing Resistance Through Browser Mediation
9
Slide 10
Slide 10 text
FIDO, FIDO2, Passkey
• Passkey : FIDO Credentials for Password-less Authentication
• Device-bounded credentials + Multi-device credentials
• Device-bounded : Security Key, Platform Authenticator without key
synchronization
• Platform Authenticator with key synchronization in Platform
Account
• External Password Manager
10
Slide 11
Slide 11 text
FIDO, FIDO2, Passkey
• Passkey : FIDO Credentials for Password-less Authentication
• Device-bounded credentials + Multi-device credentials
• Device-bounded : Security Key, Platform Authenticator without key
synchronization
• Platform Authenticator with key synchronization in Platform
Account
• External Password Manager
11
Slide 12
Slide 12 text
Passkey on 1Password
12
Slide 13
Slide 13 text
Use Cases
Slide 14
Slide 14 text
Use Cases
• SignIn: Primary or optional authentication methods
• Re-Authentication
14
Slide 15
Slide 15 text
Identi
fi
er
fi
rst SignIn @ Yahoo! JAPAN
15
Slide 16
Slide 16 text
Identi
fi
er
fi
rst SignIn
• Service
fi
rst identi
fi
es user and requires authentication if
Passkey is available
• Note that having Passkey registered does not mean that Passkey is
available
16
Slide 17
Slide 17 text
One button SignIn @ GitHub
17
Slide 18
Slide 18 text
One button SignIn
• When the user clicks the button, the service requests
authentication with an available Passkey
• In the browser dialog, the user selects a Passkey to use, or uses
another device's Passkey
18
Slide 19
Slide 19 text
Auto
fi
ll (Conditional UI) @ MIXI M
19
Slide 20
Slide 20 text
Auto
fi
ll (Conditional UI) @ Money Forward ID
20
Slide 21
Slide 21 text
Auto
fi
ll (Conditional UI)
• Browser displays the available Passkeys near the HTML input
form or when focused, and the user selects from them or uses
another device's Passkey
• Passkey available with the same UX as password suggestions by
Password Manager
21
Slide 22
Slide 22 text
Hybrid transport @ MIXI M
22
Slide 23
Slide 23 text
Hybrid transport
• If the device requesting authentication and a nearby mobile
device are connected via BLE, the mobile device's Passkey can
be used
• A UX that requires multiple Hybrid
fl
ows is too bad. It is also
important to seamlessly require Passkey registration for each device
23
Slide 24
Slide 24 text
Use Cases
• SignIn: Primary or optional authentication methods
• Re-Authentication
24
Slide 25
Slide 25 text
Re-Authentication @ MIXI M, GitHub
25
Slide 26
Slide 26 text
Re-Authentication
• To protect speci
fi
c services
• Credential Management
• Personal Information Management
• Payment services
• Fine-tuned Session Management
• Expired Session
• High-risk environment
• Credential updated in another session
• Low AAL(Authentication Assurance Level)
26
Slide 27
Slide 27 text
Related Features
• SignIn
• Passkey registration promotion after successful non-Passkey login
• SignUp
• Create Account with passkey
• Credential Management
• Promote passkey
• Create, Update(passkey’s name), Revoke
• Account Recovery
• Passkey registration promotion after recovery password
27
Slide 28
Slide 28 text
Passkey for Native App
Slide 29
Slide 29 text
Native Support or Web Application integration
• Native Support
• Utilizing functions/libraries provided for app developers from each platform
• https://developer.android.com/training/sign-in/passkeys
• Native apps can provide a similar UX using the same credentials as web apps
• https://developer.android.com/design/ui/mobile/guides/patterns/passkeys
• Web Application integration
• Requesting passkey authentication in web browser
• Dependent on browser usage patterns and support status
29
Slide 30
Slide 30 text
Android & Passkey : SignUp
30
Slide 31
Slide 31 text
Android & Passkey : SignIn
31
Slide 32
Slide 32 text
Android & Passkey : Credential Management
32
Slide 33
Slide 33 text
Android & Passkey : Account Recovery
33
Slide 34
Slide 34 text
Native Support or Web Application integration
• Native Support
• Utilizing functions/libraries provided for app developers from each platform
• Native apps can provide a similar UX using the same credentials as web
apps
• Web Application integration
• Requesting passkey authentication in web browser
• Dependent on browser usage patterns and support status
34
Slide 35
Slide 35 text
Challenges of Passkey
Slide 36
Slide 36 text
Challenges for registration
• User Veri
fi
cation at passkey registration
• More seamless Passkey registration is required (so that Google
automatically generates a passkey when you log in to your
Android device)
36
Slide 37
Slide 37 text
Challenges for Authentication
• Unfriendly error screen "No passkey available."
• It is the RP that needs this error
• One-way Hybrid Transport
• Fallback authentication method required
37
Slide 38
Slide 38 text
Challenges for Recovery
• Best practices for passkey recovery
• Two passkey registrations are dif
fi
cult
• Self-recovery through eKYC and ID Federation
38
Slide 39
Slide 39 text
Challenges for Credential Management
• Delete and update passkeys synchronized with Authenticator and
RP
• Unavailable passkey listed in Auto
fi
ll
• Username not synchronized
39
Slide 40
Slide 40 text
Passkey and ID Federation
Slide 41
Slide 41 text
Features of ID Federation
• Simpli
fi
ed new account registration
• Achieves a single sign-on-like user experience (UX) in authentication
• Shares attribute information of the IdP account with the Relying
Party (RP) under appropriate consent (such as pro
fi
le information,
email, etc.)
41
Slide 42
Slide 42 text
Weaknesses of ID Federation
• Services and users who do not want to use a speci
fi
c IdP and wish to
avoid privacy issues that could arise from consolidating identities
• Impact when the IdP account is unavailable (due to outages or
account BAN)
• Re-authentication requirements are de
fi
ned in speci
fi
cations, but are
rarely implemented in toC IdPs
42
Slide 43
Slide 43 text
Passkey without ID Federation
• Implementing secure and convenient authentication equivalent to
IdP
• Avoiding privacy issues by not integrating with IdP
43
Slide 44
Slide 44 text
Passkey @ Identity Provider
• Protecting high-value accounts
• Providing security and convenience to RP”s”
44
Slide 45
Slide 45 text
Passkey @ Relying Party
• Applying Passkeys to the weaknesses of ID Federation
• Alternative measures when Federation is unavailable
• Re-authentication
• Applying ID Federation to the weaknesses of Passkeys
• Federation w/ Platform Accounts as a recovery method for
Passkeys
45
Slide 46
Slide 46 text
Passkey @ Relying Party
• Applying Passkeys to the weaknesses of ID Federation
• Alternative measures when Federation is unavailable
• Re-authentication
• Applying ID Federation to the weaknesses of Passkeys
• Federation w/ Platform Accounts as a recovery method for
Passkeys
46
Slide 47
Slide 47 text
Conclusion
Slide 48
Slide 48 text
Overview
Passkey is a mechanism that allows users to manage their FIDO
credentials through the system. It offers the security of public key
cryptography along with the convenience of local authentication, and
it is evolving to support cross-device and cross-platform use.
48
Slide 49
Slide 49 text
Use Cases
• For the sign-in UX, the service needs to choose from several
patterns to match the existing sign-in UX.
• Passkey can be used for re-authentication to protect speci
fi
c
functions and for
fi
ne-tuned session management.
49
Slide 50
Slide 50 text
Challenges of Passkey
• For Passkey to be widely adopted, it needs to be easier and less
stressful to register.
• For users who are not familiar with Passkey, it's essential to reduce
error messages and guide them toward fallback options or recovery
methods.
• Information that might be changed, like usernames, should be
simultaneously updated in both the RP and the Authenticator, and
unnecessary Passkeys should be deleted at the same time.
50
Slide 51
Slide 51 text
Passkey and ID Federation
• IdP can increase the security and convenience of federated RPs by
using Passkey.
• RP combines ID federation and Passkey to compensate for each
other's weaknesses.
51
Slide 52
Slide 52 text
Any Questions?
Ask the Speaker
or
mention to @ritou at X
52