Slide 1

Is the passwordless era here? A first look at the FIDO authentication standard. Marcus @ MOPCON 2022

Slide 2

Agenda
○ The passwordless era: a few things about passwords; authentication vs. authorization
○ FIDO: principles and properties; authentication flow
○ Takeaway: summary

Slide 3

Hello! I'm Marcus
▸ An engineer focused on backend development
▸ Likes attending technical courses and conferences to pick up new knowledge
▸ Shares what he learns on his blog and Facebook fan page
Blog: m@rcus 學習筆記 (Marcus's study notes). Fb: fan page

Slide 4

• The slides and reference links will be provided
• Any questions are welcome after the talk

Slide 5

Part 1: The passwordless era (Passwordless)

Slide 6

[Chart: Number of sites deemed dangerous by Google Safe Browsing (2007 - 2019)]
Problem: password authentication

Slide 7

Is your password complex?

Slide 8

Password complexity, from weak to strong: 123456, 1qaz2wsx, !QAZ2wsx, 5TF-RSX-gcw-bMg@ (keyboard-walk patterns such as 1qaz2wsx, with or without Shift, appear in every common cracking wordlist; only the last one is genuinely random)

Slide 9

How do we authenticate?

Slide 10

Authentication (who you are) != Authorization (what you are allowed to do)

Slide 11

Example: "Open sesame" (from the film A Chinese Odyssey, 大話西遊)
○ Zhi Zun Bao (至尊寶) says "open sesame" to the door
○ The door checks whether the passphrase is correct
○ The door opens or stays closed
Mapped to the diagram: subject (至尊寶), target (the door), request ("open sesame"), logic and rule (Policy / Rule: is the passphrase correct?), verification result (open / closed)

Slide 12

Authentication factors: something you know, something you have, something you are

Slide 13

Common authentication methods: password, single sign-on, two-factor authentication (SMS OTP, TOTP, push notifications), biometrics

Slide 14

Is it really secure?

Slide 15

evilginx2 (a reverse-proxy phishing framework that relays the real login page to the victim and captures the password, the OTP code and the resulting session cookie, so SMS and TOTP second factors do not stop it)

Slide 16

Passwords suck

"Those who do not learn from history are doomed to repeat it." That seems to be the case, as we have continued to see poor password practices as one of the leading causes of data breaches dating back to 2009.

82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse.
13% increase in Ransomware breaches—more than in the last 5 years combined.

Strong authentication?

Slide 17

Part 2: FIDO principles and flow

Slide 18

What's FIDO?

Slide 19

What is FIDO?
○ FIDO Alliance
○ Fast IDentity Online
○ Simpler, stronger authentication
○ FIDO2: the current set of standards, CTAP + WebAuthn
○ Online authentication using public key cryptography

Slide 20

FIDO history (timeline)

Slide 21

The three FIDO standards

Slide 22

U2F: Universal Second Factor
UAF: Universal Authentication Framework
FIDO2: Fast IDentity Online (WebAuthn + CTAP)

Slide 23

How does FIDO2 work?
User (device owner) --[user verification]--> Device (authenticator) --[FIDO protocol]--> RP server (web server)

Slide 24

High-level architecture
• Authenticator types: platform (internal) authenticator; external (roaming) authenticator
• Communication: WebAuthn (browser/client ↔ RP server); CTAP (client ↔ external authenticator)
• Relying Party: the service leveraging FIDO authentication (RP app server, FIDO server, authenticator metadata)

Slide 25

What's WebAuthn?

Slide 26

"The Web Authentication API is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography." - Wikipedia

Slide 27

WebAuthn
○ Specification by the W3C (World Wide Web Consortium) and the FIDO Alliance
○ Enables passwordless authentication between servers and browsers
○ Creates a private/public key pair per credential (random key material plus a credential ID)
○ Registers and authenticates users with the public key (public key cryptography); the private key never leaves the authenticator

Slide 28

WebAuthn API
○ Fast IDentity Online
○ Online authentication using public key cryptography
○ Security key
○ CTAP + WebAuthn

Slide 29

How does FIDO2 work?
User --[user verification]--> Device --[WebAuthn: registration & authentication]--> RP server

Slide 30

Client registration (sequence diagram). In outline: the RP server issues a random challenge; the client (browser) passes it to the authenticator, which creates a new key pair and credential ID scoped to this RP; the authenticator returns the credential ID and public key in an attestation signed over the challenge; the RP verifies the response and stores the credential ID and public key for the user.

Slide 31

Client authentication (sequence diagram). In outline: the RP server issues a fresh challenge; the client asks the authenticator to sign the challenge, the RP ID hash and the client data (origin included) with the private key of the registered credential; the RP verifies the signature with the stored public key and checks the challenge, origin and RP ID before accepting the login.

Slide 32

Demo: webauthn.me

Slide 33

What makes FIDO2 different?

Slide 34

What makes FIDO2 different
○ Strong online authentication
○ Scoped (isolated) credentials
○ Multi-factor authentication
○ Browser and platform support

Slide 35

Strong authentication: comparison of password vs. password-less on the authentication and verification axes (diagram)

Slide 36

Scoped: a credential registered at sample.com can only be used for sample.com; evil-sample.com cannot use it. The scope is enforced by the protocol itself (WebAuthn in the browser, CTAP to the authenticator), not by the user noticing the wrong domain.

Slide 37

Multi-factor authentication: something you have + (something you know OR something you are)

Slide 38

Browser & platform support (compatibility table)

Slide 39

Using WebAuthn: webauthn.io

Slide 40

Using WebAuthn, by Yubico (developer guide)

Slide 41

"Coding is a moment of joy; debugging is the crematorium." by Ant

Slide 42

Hype Driven Development

Slide 43

Part 3: Takeaway (summary)

Slide 44

Slide 45

Thank you! { MOPCON。Everyone } Does anyone have any questions?
Marcus 的學習筆記 (Marcus's study notes) / marcus tung / reference link list