Slide 1

A Passwordless Future! Passkeys and WebAuthn for Java developers
Deepu K Sasidharan

Slide 2

@oktaDev | @deepu105 | deepu.tech
Hi, I’m Deepu K Sasidharan
➔ JHipster co-lead developer
➔ Java Champion
➔ Creator of KDash, JDL Studio
➔ Developer Advocate @ Okta
➔ OSS aficionado, polyglot dev, author, speaker
@deepu105@mastodon.social | deepu.tech | @deepu105 | deepu05

Slide 3

Why passwordless?

Slide 4

The password problem

Slide 5

The human problem
● Social engineerable
● Easy to phish/harvest/replay
● Shareable
● Reusable

Slide 6

Knowledge based
● Easy to remember == easy to guess
● Complex passwords == not easy to remember
● Too many passwords to remember
● Password managers help, but they are an overhead

Slide 7

Password management
● Storing passwords in a database
● Data breaches
● Password resets/forgotten passwords
● Multi-factor authentication flows

Slide 8

What is Passwordless?

Slide 9

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only.
Passwordless
● Biometric
● Magic links
● OTPs
● Push notifications

Slide 10

Passwordless future == Passkeys
A passkey is a unique cryptographic key pair

Slide 11

WebAuthn == W3C specification
WebAuthn is the specification that makes passkey implementations possible

Slide 12

FIDO == Authentication standard
Based on public key cryptography.

Slide 13

Passkeys == Passwordless FIDO credential with WebAuthn
A passkey uses asymmetric (public key) cryptography

Slide 14

Passkeys
Synced
● Private key synced between devices in the same ecosystem and backed up to the cloud
● Better usability
● One-time enrollment
● Can be restored on device loss or on a new device
● Less secure than hardware-bound passkeys
Hardware bound
● Private key stored only on the device
● Not as convenient as synced passkeys
● Each device needs enrollment
● No recovery or backups
● Most secure option

Slide 15

Web Authentication
W3C recommendation
Works with:
● Credential Management Level 1
● FIDO 2.0 Client to Authenticator Protocol 2
[Illustration of the WebAuthn flow and its user interaction, based on https://webauthn.me/introduction]

Slide 16

Synced passkeys registration flow
[Illustration based on https://fidoalliance.org/how-fido-works/]

Slide 17

Synced passkeys login flow
[Illustration based on https://fidoalliance.org/how-fido-works/]

Slide 18

Why passkeys?

Slide 19

Secure
● Phishing resistant
● Remote attack resistant
● Breach resistant
● Not reusable
● Not shareable*
● Superior to password + traditional MFA
● Require biometrics or physical keys
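The registration and login flows illustrated in the earlier slides, and the phishing and replay resistance claimed here, can be seen in code. The following is an added example, not the deck's demo code and not WebAuthn4j: a JDK-only model of the two ceremonies in which the authenticator signs the server's challenge together with the RP ID hash and the origin the browser reports, and the relying party checks origin, RP ID, user presence and single use of the challenge before verifying the signature. All class and method names (PasskeyCeremonyDemo, Authenticator, RelyingParty, Assertion) and the example.com origins are hypothetical; it needs Java 17 or later for the record type.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added example, not WebAuthn4j and not the deck's demo app: a JDK-only model of the passkey
// registration and login ceremonies. All class and method names here are hypothetical.
public class PasskeyCeremonyDemo {

    // What the authenticator returns after signing a login challenge.
    record Assertion(String challenge, String origin, byte[] authenticatorData, byte[] signature) {}

    // The user's device: generates the key pair and never releases the private key.
    static final class Authenticator {
        private final KeyPair keyPair;
        private int signCount = 0;
        Authenticator() throws GeneralSecurityException {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);                       // P-256, i.e. WebAuthn's default ES256
            keyPair = kpg.generateKeyPair();
        }
        PublicKey publicKey() { return keyPair.getPublic(); }

        // The browser supplies the RP ID and the origin it actually loaded; both end up under
        // the signature, so an assertion is tied to the site the user is really on.
        Assertion sign(String rpId, String origin, String challenge) throws GeneralSecurityException {
            byte[] authData = authenticatorData(rpId, ++signCount);
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initSign(keyPair.getPrivate());
            sig.update(authData);
            sig.update(sha256(clientDataJson(challenge, origin)));
            return new Assertion(challenge, origin, authData, sig.sign());
        }
    }

    // The relying party (server): stores only public keys and outstanding challenges.
    static final class RelyingParty {
        private final String rpId, expectedOrigin;
        private final Set<String> pendingChallenges = new HashSet<>();
        private final SecureRandom random = new SecureRandom();
        private PublicKey registeredKey;
        RelyingParty(String rpId, String expectedOrigin) {
            this.rpId = rpId;
            this.expectedOrigin = expectedOrigin;
        }

        // Registration ceremony reduced to its essence: remember the credential public key.
        void register(PublicKey credentialPublicKey) { registeredKey = credentialPublicKey; }

        // Login, step 1: a fresh random challenge that is valid exactly once.
        String newChallenge() {
            byte[] buf = new byte[32];
            random.nextBytes(buf);
            String challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            pendingChallenges.add(challenge);
            return challenge;
        }

        // Login, step 2: the checks a WebAuthn RP must make before trusting the signature.
        boolean verifyAssertion(Assertion a) throws GeneralSecurityException {
            if (!expectedOrigin.equals(a.origin())) return false;                     // wrong origin
            if (!pendingChallenges.remove(a.challenge())) return false;                 // unknown or replayed
            byte[] authData = a.authenticatorData();
            if (authData.length < 37 || (authData[32] & 0x01) == 0) return false;       // user-present flag
            if (!Arrays.equals(authData, 0, 32, sha256(utf8(rpId)), 0, 32)) return false; // rpIdHash mismatch
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initVerify(registeredKey);
            sig.update(authData);
            sig.update(sha256(clientDataJson(a.challenge(), a.origin())));
            return sig.verify(a.signature());
        }
    }

    // authenticatorData as WebAuthn lays it out: rpIdHash(32) || flags(1) || signCount(4).
    // Flags 0x05 = user present + user verified; the counter is carried but not checked here.
    static byte[] authenticatorData(String rpId, int signCount) throws GeneralSecurityException {
        return ByteBuffer.allocate(37).put(sha256(utf8(rpId))).put((byte) 0x05).putInt(signCount).array();
    }

    // Simplified clientDataJSON; in a browser it is the client, not the authenticator, that
    // fills in the origin, so a look-alike site cannot claim to be the genuine one.
    static byte[] clientDataJson(String challenge, String origin) {
        return utf8("{\"type\":\"webauthn.get\",\"challenge\":\"" + challenge
                + "\",\"origin\":\"" + origin + "\"}");
    }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    static byte[] sha256(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static void main(String[] args) throws Exception {
        RelyingParty rp = new RelyingParty("example.com", "https://example.com");
        Authenticator device = new Authenticator();
        rp.register(device.publicKey());                                   // registration ceremony

        Assertion genuine = device.sign("example.com", "https://example.com", rp.newChallenge());
        System.out.println("genuine login accepted:    " + rp.verifyAssertion(genuine));
        // Submitting the same assertion again must fail: its challenge has been consumed.
        System.out.println("replayed login accepted:   " + rp.verifyAssertion(genuine));
        // From a look-alike origin the signed origin no longer matches (a real browser would
        // not even offer the credential, since the RP ID must match the page's domain).
        Assertion lookAlike = device.sign("example.com", "https://examp1e.com", rp.newChallenge());
        System.out.println("look-alike login accepted: " + rp.verifyAssertion(lookAlike));
    }
}
```

Run it with `java PasskeyCeremonyDemo.java` (single-file launch). The first verification passes, the replay is rejected because the challenge was removed when it was first consumed, and the look-alike origin is rejected because the origin sits inside the signed clientDataJSON. A production relying party additionally validates the attestation at registration, looks the stored key up by credential ID, checks the user-verified flag where it requires it, and tracks the sign counter; that is the work WebAuthn4j and similar libraries do for you.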

Slide 20

Human experience
● Flexible
● Uniform and familiar
● One-time registration ceremony
● No credential fatigue

Slide 21

Scalable
● Backed up and replicated across devices in the same ecosystem
● Discoverable
● Recoverable
● Multi-device capable
● Cross-device authentication

Slide 22

Passkeys security and usability spectrum

Slide 23

menti.com
Code: 4278 1170

Slide 24

Let’s see passkeys in action
Spring Boot web app using Auth0 by Okta as IdP

Slide 25

a0.to/jfall-passkey

# Create a Spring Boot web app
$ curl -G https://start.spring.io/starter.tgz \
    -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf -

# Add a controller for @GetMapping("/")

# Create an Auth0 account and configure the tenant to enable passkeys

# Log in to the tenant
$ auth0 login

# Create an Auth0 app
$ auth0 apps create \
    --name "Spring Boot Passkeys" \
    --description "Spring Boot Example" \
    --type regular \
    --callbacks http://localhost:8080/login/oauth2/code/okta \
    --logout-urls http://localhost:8080 \
    --reveal-secrets

# Update the OIDC credentials

# Start the app
$ ./gradlew bootRun
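The two steps the command list leaves implicit, the controller behind @GetMapping("/") and the OIDC credentials, look like this. This is an added example, not the code behind a0.to/jfall-passkey; it assumes the okta-spring-boot-starter that dependencies=web,okta pulls in, whose okta.oauth2.* properties are shown in the comment with placeholder values, and the class name HomeController is hypothetical.

```java
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example for the "Add a controller" step; not the deck's demo code. It assumes the
// okta-spring-boot-starter, configured in src/main/resources/application.properties with the
// values printed by `auth0 apps create --reveal-secrets` (placeholders below):
//
//   okta.oauth2.issuer=https://YOUR_TENANT.REGION.auth0.com/
//   okta.oauth2.client-id=YOUR_CLIENT_ID
//   okta.oauth2.client-secret=YOUR_CLIENT_SECRET
//
// With the starter on the classpath every route requires login: a request to "/" redirects
// to Auth0, the passkey-enabled tenant authenticates the user, and the browser returns
// through /login/oauth2/code/okta, the callback registered with the CLI above.
@RestController
public class HomeController {

    @GetMapping("/")
    public String home(@AuthenticationPrincipal OidcUser user) {
        // The ID token claims are what the IdP asserted after the passkey ceremony; this
        // application never handles a password or a private key.
        return "Hello, " + user.getFullName() + " (" + user.getEmail()
                + "), signed in via " + user.getIssuer();
    }
}
```

Because the identity provider runs the WebAuthn ceremony, the Spring Boot app is an ordinary OIDC client: enabling passkeys is a tenant setting, not an application code change.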

Slide 26

How does it differ from FIDO MFA?

Slide 27

Passkeys vs FIDO MFA
Passkeys
● Implemented using WebAuthn and FIDO2
● Can be synced or hardware-bound
● Discoverable by browsers
● Can be used for account registration as first factor
● Enrollment required only once for synced passkeys
FIDO MFA
● Implemented using WebAuthn and FIDO2
● Only hardware-bound
● Not discoverable
● Can only be a second factor after account registration with a password
● Enrollment required on each device

Slide 28

Challenges

Slide 29

● W3C Recommendation
● OS/browser dependency
● OS/browser support
● Cloud vendor reliance
● Enterprise use cases

Slide 30

Compatibility matrix: Platform Authenticators (TPM, TouchID, etc.)
https://webauthn.me/browser-support

Slide 31

Compatibility matrix: Roaming Authenticators (YubiKey, Titan, etc.)
https://webauthn.me/browser-support

Slide 32

WebAuthn for Java

Slide 33

Java WebAuthn libraries
WebAuthn4j
● FIDO2 conformant
● Supports attestation validation
● Supports all attestation formats
● Suitable for relying party server implementation
● Supports passkeys
● Used by Keycloak and Spring Security
● Kotlin friendly
java-webauthn-server
● From Yubico
● Not 100% FIDO2 conformant
● Supports attestation validation
● Not all attestation formats supported
● Suitable for relying party server implementation
● Supports passkeys

Slide 34

WebAuthn with Spring Security in action
Spring Boot web app as a relying party using WebAuthn4j

Slide 35

a0.to/jfall-webauthn
WebAuthn4J Spring Security

# Clone the repo
$ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo

# Start the app
$ ./gradlew bootRun

Slide 36

Resources
https://passkeys.dev
https://passkey.org/
https://webauthn.me
https://webauthn.io/

Slide 37

Passkeys login challenge
a0.to/jfall
● Complete the challenge and visit our booth to win some cool prizes
● Only for the first 30 completed submissions

Slide 38

Thank You
Subscribe to our newsletter: a0.to/nl-signup/java
Try our free Spring Boot + Passkeys workshop: a0.to/spring-boot