Slide 1
Slide 1 text
Android/ChromeͰମݧͰ͖Δ
ೝূͷͨΊͷඪ४Խ༷ͷ
ݱࡏͱະདྷ
@ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022
Slide 2
Slide 2 text
ൃදͷ༰
• C͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ
• Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX

2
Slide 3
Slide 3 text
ˏritou
• Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance
• ΤόϯδΣϦετ @ OIDF-J
• ΤϯδχΞ ˏ גࣜձࣾMIXI

3
Slide 4
Slide 4 text
C͚αʔϏεʹ͓͚Δ
Ϣʔβʔೝূͷมભ
Slide 5
Slide 5 text
ᶃύεϫʔυೝূ
Slide 6
Slide 6 text
ύεϫʔυೝূ
(هԱγʔΫϨοτ, Memorized Secrets)

6
• ೝূཁૉ : ࣝ
• Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗
• ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ
Slide 7
Slide 7 text
ύεϫʔυೝূͰ
ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅

7
• Ϣʔβʔ
• ύεϫʔυΛΕͳ͍
• ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
• αʔϏε
• ύεϫʔυΛ҆શʹཧ͢Δ
• ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
Slide 8
Slide 8 text
ύεϫʔυೝূʹ͓͚Δ
ϢʔβʔɺαʔϏεͷݱঢ়

8
• Ϣʔβʔ
• ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏
• ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏
• αʔϏε
• ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏
• ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
Slide 9
Slide 9 text
ΞΧϯτϦΧόϦʔ
• “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮
• ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ
• ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత
• ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ
• ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
Slide 10
Slide 10 text
ϝʔϧ/SMSʹΑΔOTP
(ܦ࿏֎ೝূ, Out-of-Band Devices)

10
• ೝূཁૉ : ॴ༗
• αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗
• ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ
• “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜
ͱͰɺΞΧϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ
Slide 11
Slide 11 text
ᶄ2ஈ֊/ཁૉೝূͷීٴ
Slide 12
Slide 12 text
ύεϫʔυೝূʹ͓͚Δ
ϢʔβʔɺαʔϏεͷݱঢ়

12
• Ϣʔβʔ
• ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏
• ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏
• αʔϏε
• ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏
• ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
Slide 13
Slide 13 text
ύεϫʔυϦετ߈ܸɺ
ύεϫʔυεϓϨʔ߈ܸ

13
• ύεϫʔυϦετ߈ܸ
• Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ
• ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ
• ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ
• ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ
• ͜ΕΒͷ߈ܸͷରࡦͱͯ͠ɺՃೝূ͕ීٴ
Slide 14
Slide 14 text
ιϑτΣΞTOTP
(୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)

14
• ೝূཁૉ : ॴ༗
• Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ
ੜͨ͠OTPΛݕূ (RFC6238)
• 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google AuthenticatorͱͱʹTOTP
ೝূΛఏڙ։࢝
• ۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫϯ͕ΘΕ͍ͯ
͕ͨίετ໘ʹ՝͕͋ͬͨ
Slide 15
Slide 15 text
ϞόΠϧΞϓϦͷpush௨
(ܦ࿏֎ೝূ, Out-of-Band Devices)

15
• ೝূཁૉ : ॴ༗
• ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK
• Ϣʔβʔ͕ར༻͍ͯ͠Δͷ௨ (Apple, Google)
• ܦ࿏ͷ҆શੑ͕ΩϞ
• ϞόΠϧΞϓϦ/ݸผͷ௨ͷํ͕SMSEϝʔϧΑΓ҆શ?
• Push௨ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸൃੜ
Slide 16
Slide 16 text
όοΫΞοϓίʔυ
(ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)

16
• ೝূཁૉ : ॴ༗
• Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ
• TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ
ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ
Slide 17
Slide 17 text
ᶅϑΟογϯάʹڧ͍ೝূํࣜ
ͦͯ͠ύεϫʔυϨε
Slide 18
Slide 18 text
ύεϫʔυೝূʹ͓͚Δ
ϢʔβʔɺαʔϏεͷݱঢ়

18
• Ϣʔβʔ
• ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏
• ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏
• αʔϏε
• ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏
• ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
Slide 19
Slide 19 text
ݱ࣮

19
• ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ
• B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද
• 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
Slide 20
Slide 20 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012
Slide 21
Slide 21 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012 345'()*+,-./6789:
Slide 22
Slide 22 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012 345'()*+,-./6789:
;<=>?@AB6CD89:
Slide 23
Slide 23 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012
EFEGH!"#$%&'()*12
JKLMNOL#$PQR*STU
;<=>?@AB6CD89:
345'()*+,-./6789:
Slide 24
Slide 24 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012
EFEGH!"#$%&'()*12
JKLMNOL#$PQR*STU
;<=>?@AB6CD89:
3VO'()*789:
345'()*+,-./6789:
Slide 25
Slide 25 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012
EFEGH!"#$%&'()*12
JKLMNOL#$PQR*STU
WXY9Z
[#$\%]#^.0_`
;<=>?@AB6CD89:
3VO'()*789:
345'()*+,-./6789:
Slide 26
Slide 26 text
͜Ε·Ͱͷೝূํࣜ
ϑΟογϯάੑΛ࣋ͨͳ͍

26
• ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ
• ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP: ࠷ॳͷURLΛ֬ೝͤ
ͣೖྗ
• ެࣜΞϓϦͳͲͷPush௨&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ
• ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
Slide 27
Slide 27 text
FIDOೝূ w/ UserPresense
(୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)

27
• ೝূཁૉ : ॴ༗
• อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛར༻
• ηΩϡϦςΟΩʔ : PCʹ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ
Slide 28
Slide 28 text
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
!"#$%&'()*+,-./012
aabcdef6gh4i
!"#$%&'()*j4ik
lmnFAB6opbqr5
;<=>?@AB6CD89:
345'()*+,-./6789:
Slide 29
Slide 29 text
FIDOೝূ w/ UserVeri
fi
cation
(ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)

29
• ೝূཁૉ : ॴ༗ + ࣝ/ੜମ
• ެ։伴҉߸ + ϩʔΧϧೝূ
• อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ
ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ
• ηΩϡϦςΟΩʔ : PINʹΑΔೝূ
• εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
Slide 30
Slide 30 text
FIDOೝূͷ՝

30
• 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ
• Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ
Γɺަͨ͠ࡍʹ࠶ొ͕ඞཁ
• ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
• ಉఔͷೝূڧΛ࣋ͭೝূํࣜͱ???
• ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ͕͋Δ
Slide 31
Slide 31 text
Passkey - ”FIDO multi-device credentials”

31
• 伴ใ͕σόΠεͰͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ
• ͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ
• ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ
• खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Βհ)
Slide 32
Slide 32 text
Passkey - ”FIDO multi-device credentials”

32
• ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ
1. Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ
• iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ
2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ)
3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ
બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ
Slide 33
Slide 33 text
Passkey - ”FIDO multi-device credentials”

33
• ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ
1. ࣄલʹAndroidͰύεΩʔΛొ
2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ
Մೳ (caBLEͱݺΕΔଓํ๏)
3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰ
ϩάΠϯՄೳʹͳΔ
Slide 34
Slide 34 text
ᶆ
ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
Slide 35
Slide 35 text
ID࿈ܞʹΑΔϩάΠϯ

35
• Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ
• දతͳϓϩτίϧ͕OpenID Connect, OAuth 2.0 + Ϣʔβʔใ
APIͳͲ
• Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻
• ଐੑใΛ׆༻ͯ͠UXΛ্
• ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲ
Slide 36
Slide 36 text
ID࿈ܞͷ՝

36
• IdPͱ৺த
• ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ
ΔՄೳੑ͕͋Δ
• IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Slide 37
Slide 37 text
Identity Wallet
(ؔ࿈Ωʔϫʔυ: SSI, DID, Veri
fi
able Credentials)

37
• IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ
• Ծ௨՟͋ͨΓͰʹ͢Δׂ୲
• Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ
• Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ
• Veri
fi
er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻
• Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
Slide 38
Slide 38 text
҆શੑɺརศੑΛߴΊΔ
Ξϓϩʔν
Slide 39
Slide 39 text
՝ΛΧόʔ͢ΔΈ͕ඞཁ

39
• Ϣʔβʔ͕Ͱ͖Δͷ
• ύεϫʔυϚωʔδϟʔͷར༻
• αʔϏε͕Ͱ͖Δ͜ͱ : खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛
ΔΈΛಋೖ
• SMS OTP : WebOTP
• WebAuthn
Slide 40
Slide 40 text
ύεϫʔυϚωʔδϟʔͷར༻

40
• ύεϫʔυੜɺཧΛͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ
• TOTPରԠόοΫΞοϓίʔυΛอଘͰ͖Δͷ͋Δ
• Ϛελʔύεϫʔυཧ͕ॏཁʹͳΔ(SPOFͱݴ͑Δ)
• ϒϥβ / OSਵͷͷ vs ಠཱͨ͠αʔϏε
• ར༻ελΠϧʹԠͯ͡બྑͦ͞͏
Slide 41
Slide 41 text
Android / Chrome
Ͱ࣮ݱͰ͖ΔϩάΠϯUX
Slide 42
Slide 42 text
ࠓճͷΩʔϫʔυ :
“खݩͷεϚϗͰϩάΠϯ”
(a.k.a Decoupled Authentication)
Slide 43
Slide 43 text
WebOTP https://web.dev/web-otp/

43
• SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷΈ
• υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ
• JavaScript هड़ + input λά
• Android ͷ SMS Retriever API ͱಉ
Slide 44
Slide 44 text
WebOTP - Android Chrome
ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ

44
Slide 45
Slide 45 text
WebOTP - Android Chrome
ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ

45
Slide 46
Slide 46 text
WebOTP - (Desktop / Android) Chrome
ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ

46
Slide 47
Slide 47 text
WebOTP - (Desktop / Android) Chrome
ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ

47
Slide 48
Slide 48 text
WebOTP https://web.dev/web-otp/

48
• ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥβ͕ݕূ
• ”͜ͷΈΛ͏ͱ͖” ϑΟογϯάੑΛ࣋ͭ
• ڥ͝ͱͷରԠෆཁɺඞཁͳͷϒϥβ͕WebOTPʹରԠ͍ͯ͠
Δ͔Ͳ͏͔͚ͩ
• ༷௨Γ࣮͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ
Slide 49
Slide 49 text
WebAuthn https://www.w3.org/TR/webauthn-2/

49
• WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥβAPI
• ϒϥβ͕հೖ͠ɺ伴ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯάੑΛ࣋ͭ
• Platform Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ)
͕ೝূثͱͯ͠ར༻Մೳ
• खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴ใͷొ/ೝূΛ࣮ݱ͢ΔΈ͕͋Δ
• caBLE (cloud-assisted BLE) : QRίʔυ + BLE
• ChromeͰಉظ͞Ε͍ͯΔ : Push௨ + BLE
Slide 50
Slide 50 text
WebAuthn w/ caBLE
QRίʔυ + BLE ͰϩάΠϯ

50
PC Android
Slide 51
Slide 51 text
WebAuthn w/ caBLE
Ұར༻ͨ͠Push௨Ͱར༻Մೳ

51
PC Android
Slide 52
Slide 52 text
WebAuthn w/ (Desktop + Android) Chrome
ಉظࡁΈͷ࠷ॳ͔ΒPush௨Ͱར༻Մೳ

52
PC Android
Slide 53
Slide 53 text
WebAuthn

53
• ॳͦͷͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ
͙ͱ͍͏ҹ͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙Έ͋Δ
• ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰͳ͘ɺ
BLEͰۙڑʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷͰଓ͞Ε
Δ͜ͱΛ͙ߟྀ͞Ε͍ͯΔ
• ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋ΕPush௨ͰΑΓָʹར
༻Մೳ
Slide 54
Slide 54 text
·ͱΊ

54
• C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ
• ͦΕͧΕͷೝূํࣜͰͷಛΛཧղ͠Α͏
• Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ” Λ࣮ݱ͢ΔͨΊ
ͷΈΛհͨ͠
• WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏεɺϩάΠϯ
ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏
Slide 55
Slide 55 text
ࢀߟϦϯΫ
• ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3
• https://speakerdeck.com/kthrtty/ren-zheng-
nimatuwarusekiyuriteifalsexin-chang-shi
• NIST Special Publication 800-63B Digital Identity Guidelines (༁൛)
• https://openid-foundation-japan.github.io/800-63-3-
fi
nal/
sp800-63b.ja.html
Slide 56
Slide 56 text
ࢀߟϦϯΫ

56
• GTA৽࡞ϦʔΫʹΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱɹ1࣌ؒҎ্௨
߈Ίɺैۀһͷࠜෛ͚ૂ͏
• https://www.itmedia.co.jp/news/articles/2209/28/news050.html
• 2022൛Ϩϙʔτʮ2022 State of Secure Identity ReportʯΛެ։
• https://www.okta.com/jp/press-room/press-releases/
okta-2022ssir/
Slide 57
Slide 57 text
ࢀߟϦϯΫ

57
• σδλϧΥϨοτͷ૬ޓӡ༻ੑΛࢦ͢ஂମɺThe Linux
Foundation͕ઃཱ
• https://japan.zdnet.com/article/35193346/
Slide 58
Slide 58 text
ࢀߟϦϯΫ

58
• Our Take on Passkeys
• https://auth0.com/blog/our-take-on-passkeys/
• Cross-device WebOTP
• https://docs.google.com/document/d/
1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/
edit#heading=h.xgjl2srtytjt
Slide 59
Slide 59 text
࣭ɺҙݟɺײΛ
͓͍ͪͯ͠·͢ɻ
ฐࣾʹڵຯ͕͋Δํੋඇʂ