Slide 1

A Passwordless Future! Passkeys and WebAuthn for Java developers
Deepu K Sasidharan

Slide 2

@oktaDev | @deepu105 | deepu.tech

Hi, I'm Deepu K Sasidharan
➔ JHipster co-chair
➔ Java Champion
➔ Creator of KDash, JDL Studio, JWT UI
➔ OSS aficionado, polyglot dev, author, speaker
➔ Developer Advocate @ Okta
@[email protected] | deepu.tech | @deepu105 | deepu05

Slide 3

Why passwordless?

Slide 4

The password problem

Slide 5

The human problem

Slide 6

Phishing
Knowledge-based
Remote replay
Data breach
Reuse & share
Password management

Slide 7

Passwordless
Biometric
Magic links
OTPs
Push notifications

Slide 8

Passwordless future == Passkeys

Slide 9

Public-key cryptography: a pair of mathematically linked keys

Slide 10

Slide 11

Slide 12

Authenticator: can create and store public-private key pairs

Slide 13

Roaming authenticators: removable device via USB, NFC, Bluetooth
• Yubikey
• Google Titan
• Smartphones

Platform authenticators: built into the device
• TouchID
• FaceID
• Smartphone authenticators
• Windows Hello

Slide 14

FIDO == Authentication standard
Based on public key cryptography.

Slide 15

FIDO2
WebAuthentication (WebAuthn)
Client to Authenticator Protocol (CTAP)

Slide 16

WebAuthn == W3C standard
WebAuthn is the standard that allows for passkeys implementation.

Slide 17

Illustration based on https://webauthn.me/introduction

Slide 18

Client to Authenticator Protocol: communicate with authenticators over USB, NFC, and Bluetooth

Slide 19

Slide 20

Passkeys == Discoverable passwordless FIDO credentials
It uses asymmetric public key cryptography.

Slide 21

Passkeys

Synced
● Private key synced between devices in same ecosystem and backed up to cloud
● Better usability
● One time enrollment
● Can be restored on device loss or on new device
● Less secure than device-bound passkeys

Device-bound
● Private key stored only on the device
● Not as convenient as synced passkeys
● Each device needs enrollment
● No recovery or backups
● Most secure option

Slide 22

How does the magic happen?

Slide 23

Registration flow

Slide 24

Authentication flow
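The registration and authentication flows of slides 23 and 24, built on the key pair of slide 9, as an added example that is not the talk's code: a JDK-only model of what the relying party stores and checks. It goes a little beyond the slides by showing why the origin check gives the phishing resistance claimed later; example.com, the flags byte and the credential-id length are assumptions, and the JSON substring match stands in for a real parser.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;
// JDK-only model of the passkey registration and authentication flows (added example, not the talk's code).
public class PasskeyFlowDemo {
    static final String RP_ID = "example.com", ORIGIN = "https://example.com"; // assumed relying party
    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, PublicKey> credentials = new HashMap<>(); // RP store: credential id -> public key
    static byte[] pendingChallenge;                                     // RP: challenge issued for this login
    record Assertion(String credentialId, String clientDataJson, byte[] authenticatorData, byte[] signature) {}
    static byte[] sha256(String s) throws Exception { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
    static String b64(byte[] in) { return Base64.getUrlEncoder().withoutPadding().encodeToString(in); }
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    // Registration: the authenticator created a key pair; the RP stores only the public key under a credential id.
    static String register(PublicKey pk) { String id = b64(random(16)); credentials.put(id, pk); return id; }
    // Authentication step 1 (RP): a fresh random challenge, so a captured assertion cannot be replayed later.
    static byte[] issueChallenge() { pendingChallenge = random(32); return pendingChallenge; }
    // Step 2 (browser + authenticator): the browser records the origin it is really on in clientDataJSON,
    // and the authenticator signs authenticatorData || SHA-256(clientDataJSON) with the private key.
    static Assertion sign(String credentialId, PrivateKey key, byte[] challenge, String browserOrigin) throws Exception {
        String clientDataJson = "{\"type\":\"webauthn.get\",\"challenge\":\"" + b64(challenge)
                + "\",\"origin\":\"" + browserOrigin + "\"}";
        byte[] authData = ByteBuffer.allocate(37).put(sha256(RP_ID)).put((byte) 0x05).putInt(1).array(); // rpIdHash, flags UP|UV, counter
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key); s.update(authData); s.update(sha256(clientDataJson));
        return new Assertion(credentialId, clientDataJson, authData, s.sign());
    }
    // Step 3 (RP): bind the assertion to our origin, our one-time challenge and our rpId, then check the signature
    // with the stored public key. (A real RP parses the JSON; the substring match only keeps this demo short.)
    static boolean verify(Assertion a) throws Exception {
        PublicKey pk = credentials.get(a.credentialId());
        byte[] challenge = pendingChallenge; pendingChallenge = null;   // challenge is consumed, valid or not
        if (pk == null || challenge == null) return false;
        if (!a.clientDataJson().contains("\"origin\":\"" + ORIGIN + "\"")) return false;        // phishing site
        if (!a.clientDataJson().contains("\"challenge\":\"" + b64(challenge) + "\"")) return false; // replay
        if (!Arrays.equals(Arrays.copyOf(a.authenticatorData(), 32), sha256(RP_ID))) return false; // wrong rpId
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(pk); v.update(a.authenticatorData()); v.update(sha256(a.clientDataJson()));
        return v.verify(a.signature());
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair keys = kpg.generateKeyPair(); // lives inside the authenticator; the RP never sees the private key
        String id = register(keys.getPublic());
        System.out.println("real site:     " + verify(sign(id, keys.getPrivate(), issueChallenge(), ORIGIN)));
        System.out.println("phishing site: " + verify(sign(id, keys.getPrivate(), issueChallenge(), "https://phishing.example")));
    }
}
```

The second call fails even though the signature itself is valid: the browser wrote the phishing origin into clientDataJSON, and that is what the relying party refuses before it ever checks the signature.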

Slide 25

Why passkeys?

Slide 26

Phishing
Knowledge-based
Remote replay
Data breach
Reuse & share
Password management

Slide 27

Easier to maintain
Not reusable & shareable*
Breach resistant
Remote attack resistant
Phishing resistant
Discoverable

Slide 28

Passkeys security and usability spectrum

Slide 29

menti.com Code: 7175 4535

Slide 30

Challenges

Slide 31

● OS/Browser support
● Cloud vendor reliance
● Enterprise use cases
● Reset & recovery

Slide 32

Passkeys in Spring Boot web app using an IdP
Auth0 by Okta as IdP

Slide 33

    # Create a Spring Boot web app
    $ curl -G https://start.spring.io/starter.tgz \
        -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf -

    # Add controller for @GetMapping("/")

    # Create an Auth0 account and configure tenant to enable passkeys

    # Login to the tenant
    $ auth0 login

    # Create an Auth0 app
    $ auth0 apps create \
        --name "Spring Boot Passkeys" \
        --description "Spring Boot Example" \
        --type regular \
        --callbacks http://localhost:8080/login/oauth2/code/okta \
        --logout-urls http://localhost:8080 \
        --reveal-secrets

    # Update OIDC credentials

    # Start the app
    $ ./gradlew bootRun

a0.to/spring-passkey
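The "/" controller that the steps above ask for, as an added example rather than the code in the talk's repository, for the app generated with the web and okta starters. The package name is assumed; the property names are the Okta starter's, and the values in the comment are placeholders for the output of `auth0 apps create ... --reveal-secrets`.

```java
// Added example (not the talk's demo code). Configuration, with placeholder values, goes in
// src/main/resources/application.properties:
//   okta.oauth2.issuer=https://YOUR_TENANT.auth0.com/
//   okta.oauth2.client-id=YOUR_CLIENT_ID
//   okta.oauth2.client-secret=YOUR_CLIENT_SECRET
package com.example.passkeydemo; // assumed package name

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {
    // The starter secures every route and registers the OIDC client under the id "okta", which is
    // why the callback URL created above ends in /login/oauth2/code/okta. Reaching "/" therefore
    // means the user completed Universal Login on the tenant (with a passkey once the tenant allows
    // it); the app never handles a password or a private key, only the ID token claims.
    @GetMapping("/")
    public String home(@AuthenticationPrincipal OidcUser user) {
        return "Hello, " + user.getFullName() + "! Signed in as " + user.getEmail()
                + " via " + user.getIssuer();
    }
}
```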

Slide 34

Passkeys in Java apps

Slide 35

WebAuthn4j
● FIDO2 conformant
● Supports attestation validation
● Supports all attestation formats
● Suitable for relying party server implementation
● Supports passkeys
● Used by Keycloak
● Has Spring Security support
● Kotlin friendly

java-webauthn-server
● Not 100% FIDO2 conformant
● Supports attestation validation
● All attestation formats not supported
● Suitable for relying party server implementation
● Supports passkeys
● From Yubico

Slide 36

Passkeys with Spring Security and WebAuthn4j
Spring Boot web app as a relying party server using WebAuthn4j

Slide 37

WebAuthn4J Spring Security

    # Clone the repo
    $ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo

    # Start the app
    $ ./gradlew bootRun

a0.to/spring-webauthn

Slide 38

Passkeys with Spring Security

Slide 39

spring-security-webauthn
● Provides default registration and login pages
● Will become a Spring Security core option
● Based on WebAuthn4j
● At experimental stage now
● Expected in Spring Security 6.4 (November, hopefully)

Slide 40

How does it differ from WebAuthn MFA?

Slide 41

Passkeys
● Implemented using WebAuthn and FIDO2
● Can be synced or device-bound
● Discoverable credentials (Resident keys)
● Can be used for account registration as first factor
● Enrollment required only once for synced passkeys

WebAuthn MFA
● Implemented using WebAuthn and FIDO2
● Only device-bound
● Non-Discoverable credentials
● Can only be second factor after account registration with password
● Enrollment required on each device

Slide 42

Resources
https://learnpasskeys.io
https://webauthn.me/passkeys
https://passkeys.dev
https://passkey.org
https://fidoalliance.org/passkeys

Slide 43

Passkeys login challenge
● Complete the challenge and visit our booth to win some cool prizes
● Only for first 15 completed submissions
a0.to/passkey-challenge

Slide 44

How we can help:
Authorization | Authentication | Security
Single Sign-On | Adaptive Multi-Factor Authentication | Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA
Try Free Today: Free Plan (forever) $0. Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required.
Special Plans for Startups & Nonprofits
Plans for Everyone: B2C: your users are consumers. B2B: your users are businesses or a mix of businesses and consumers. Enterprise: Best for production applications that need to scale - Contact Us
Make login our problem. Not yours. a0.to/plg_signup

Slide 45

Thank You
Subscribe to our newsletter: a0.to/nl-signup/java
Try our free Spring Boot microservices workshop: a0.to/spring-boot

Slide 46

menti results