Slide 1

Passkeys and Identity Federation
ritou
~ OpenID Summit Tokyo 2024 ~

Slide 2

Contents
• Features
• Benefits of supporting passkeys for each IdP/RP of ID Federation
• Related Specifications

Slide 3

Features

Slide 4

Passkey
• Security
  • Public Key Cryptography
  • Phishing Resistance
• Usability
  • Local Authentication
  • Synced Passkey with Password Manager

Slide 5

Passkey
• Issues
  • Account Recovery
  • Cross-platform Synchronization
• Phase
  • 2023: Management, SignIn
  • 2024: SignUp, Migration from Password

Slide 6

ID Federation
• Usage
  • Authentication
  • Identity Proofing
• OpenID Connect
  • Widely Supported Environment
  • Extensions for Various Use-cases

Slide 7

ID Federation
• Issues
  • UX without Browser Mediation
  • Privacy Risk
  • IdP-induced Trouble
  • Unsupported Specifications

Slide 8

Passkey for ID Federation RP

Slide 9

Passkey Advantage as Authentication Method
• UX with Conditional Mediation
• Reduced Privacy Risk
• Controllable Authenticator-induced Trouble
• Ease of use for Re-Authentication

Slide 10

Complement ID Federation with Passkey
• Usability Improvement
• Appeal to users who avoid ID Federation
(Figure: a "Sign in with …" button)

Slide 11

Complement Passkey with ID Federation
• Strong authentication method options
• Support for Passkey unavailable environments
(Figure: authentication method options labelled Password, Password + TOTP, Passkey, ID Federation, Passkey)

Slide 12

Passkey for ID Federation IdP

Slide 13

Advantages of IdP using Passkey
• Protect multiple RPs
• Account Recovery (MFA Options, ID Proofing)
(Figure: one Passkey at the IdP protecting four RPs)

Slide 14

Related OIDC / OAuth 2.0 Specs

Slide 15

OpenID Connect Core 1.0
(Figure: RP, OP and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response)

Slide 16

OpenID Connect Core 1.0
(Figure: RP, OP and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response; Passkey used by the OP for End-User authentication)

Slide 17

OpenID Connect Core 1.0
(Figure: RP, OP and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response; Passkey at the OP; acr_values and claims on the Authentication Request; acr and amr on the Authentication Response)

Slide 18

OpenID Connect Core 1.0
(Figure: RP, OP and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response; Re-Auth w/ Passkey at the OP; acr_values, claims, max_age, login_hint and id_token_hint on the Authentication Request; acr, amr and auth_time on the Authentication Response)

Slide 19

OpenID Connect Core 1.0
• Authentication Request Parameters for End-User Authentication
  • acr_values, claims
• Claims for End-User Authentication
  • acr, amr, auth_time
• Authentication Request Parameters for Re-Authentication
  • max_age, login_hint, id_token_hint

Slide 20

OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 (draft 01)
(Figure: RP, OP and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response; Passkey at the OP; acr_values and claims on the Authentication Request; acr and amr on the Authentication Response)

Slide 21

OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 (draft 01)
• "acr"
  • "phr": Phishing-Resistant
  • "phrh": Phishing-Resistant Hardware-Protected
• "amr"
  • "pop": Proof-of-possession of a key
  • Other values are defined in RFC 8176

Slide 22

RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol
(Figure: RP, OP, Resource Server and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response, (5) Resource Access)

Slide 23

RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol
(Figure: RP, OP, Resource Server and End User; (1) Request Authentication, (2) Authentication Request, (3) User Interaction, (4) Authentication Response, (5) Resource Access; Password authentication at the OP; acr and auth_time claims carried to the RP and checked by the Resource Server)

Slide 24

RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol
(Figure: RP, OP, Resource Server and End User; (1) Request Authentication, (2), (7) Authentication Request, (3) User Interaction, (4) Authentication Response, (5) Resource Access, (6) Error with challenge; Passkey at the OP; labels acr, auth_time on the tokens, acr_values, claims, max_age on the Authentication Request, and acr, max_age on the challenge)

Slide 25

RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol
• Use-case
  • IdP: Authentication/Authorization Service
  • RP: SPA/Native App
  • RS: Payment, Healthcare, …
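Added example (Python; not from the slides or any project) tying the re-authentication parameters of slides 18 and 19 (acr_values, max_age, id_token_hint, acr, auth_time) to the RFC 9470 step-up flow of slides 22 to 25: the resource server returns the insufficient_user_authentication challenge, the RP turns it into a new authentication request, then checks the ID token it gets back. The endpoint URL, client_id and all claim values are constructed.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed sample endpoint and client values; not from the slides.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID, REDIRECT_URI = "rp-client", "https://rp.example/cb"
STEP_UP_ERROR = "insufficient_user_authentication"  # RFC 9470 error code

def rs_check(token_claims: dict, required_acr: str, max_age: int, now: int) -> Optional[str]:
    """RS side: None if the access token's acr/auth_time suffice, else the challenge."""
    acr_ok = token_claims.get("acr") == required_acr
    fresh = now - token_claims.get("auth_time", 0) <= max_age
    if acr_ok and fresh:
        return None
    return f'Bearer error="{STEP_UP_ERROR}", acr_values="{required_acr}", max_age="{max_age}"'

def parse_challenge(www_authenticate: str) -> dict:
    """Client side: parse the Bearer challenge parameters from WWW-Authenticate."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    if params.get("error") != STEP_UP_ERROR:
        raise ValueError("not a step-up challenge")
    return params

def build_auth_request(challenge: dict, id_token_hint: Optional[str] = None) -> str:
    """RP side (step 7): carry acr_values/max_age from the challenge into a new
    OIDC authentication request; id_token_hint asks to re-authenticate the same user."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": "openid"}
    for name in ("acr_values", "max_age"):
        if name in challenge:
            query[name] = challenge[name]
    if id_token_hint:
        query["id_token_hint"] = id_token_hint
    return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"

def id_token_satisfies(id_token_claims: dict, challenge: dict, now: int) -> bool:
    """RP side after re-auth: acr must be a requested value and auth_time within max_age
    (a missing auth_time is treated as too old)."""
    wanted = challenge.get("acr_values", "").split()
    if wanted and id_token_claims.get("acr") not in wanted:
        return False
    if "max_age" in challenge and now - id_token_claims.get("auth_time", 0) > int(challenge["max_age"]):
        return False
    return True
```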

Slide 26

Summary
• Passkey and ID Federation have distinct features and complement each other when combined
• There are benefits to both IdP and RP in ID Federation to support passkey
• Let's support specifications for handling authentication states

Slide 27

Fin @ritou