Take Your Authentication Beyond Passwords

Transcript

1. Take your authentication beyond passwords Pradheepa Pullanieswaran Developer Advocate, Okta

2. Ready???

3. None

4. Agenda 1. Problems of Passwords 2. The Journey of Passwordless

   3. Demo 4. Q&A

5. Authentication - Username and Password - Digital Identity of the

   user

6. Passwords… Are they secure?

7. None

8. 80% Passwords are the root cause of over 80% of

   data breaches. 90 Users have more than 90 online accounts. 51% Up to 51% of passwords are reused.

9. Problem of Passwords • Easily guessed and vulnerable to brute

   force attacks. ◦ E.g. “password” • Complex Passwords ◦ E.g. “tYU&56jhfl!m” ◦ Credential Stuffing ◦ Sticky Note • Multi-Factor Authentication ◦ Phishing ◦ Sim Swapping ◦ User Friction & Less adapted • Password Managers ◦ ???

10. https://xkcd.com/936/

11. Passwords Evolution

12. Passwords are like cockroaches of the internet and companies have

    been trying to kill them off for years.- Merritt Maxim, Forrester Research

13. FIDO - Fast Identity Online - Consortium of major global

    players like Apple, Microsoft, Amazon created in 2013 to solve the World's Password Problem. - Working to change the nature of authentication with open standards. - Striving to create credentials more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

14. WebAuthn

15. WebAuthn - Browser based API implementation of FIDO2 standard -

    Global authentication standard based on public key cryptography instead of a password.

16. Digitally Signed with Private Key Verified the message using the

    public key Public Key Cryptography
17. None

18. Registration using Passkeys

19. Registration using Passkeys Create an account

20. Registration - Selecting the biometric If the application supports passkey,

    it prompts the user to register with the passkey Username : Pradheepa rpId : www.webauthn.me challenge : we345yiom Conditions for creating the passkeys

21. Registration - Sending Public Key Send Public key

22. Yay!!!, You are in Registration - Process Completed

23. Sign-In using Passkeys

24. Login - Initiating Login Login request

25. Server recognizes you already have passkeys Login - Choosing the

    passkeys Username : Pradheepa rpId : www.webauthn.me challenge : we345yire Sign the challenge with your private key

26. Verifying signed challenge with the public key Login - Sending

    the signed challenge Signed Challenge

27. Yay, You are verified. Login - Process Completed

28. Why Passkeys?

29. Every passkey is bound to a domain ◦ Phishing Resistant

    ◦ By design each website has one passkey

30. No more shared credentials ◦ Attack on server is not

    interesting anymore ◦ No stolen credentials, weak passwords, complex rules for passwords

31. Passkeys are - Highly Secure

32. No transmission of personal and private data ◦ Only public

    key is shared.

33. Demo

34. None

35. Zero Index Newsletter - Auth0 by Okta https://a0.to/nl-signup

36. Wanted to try Auth0? - Free Tier is available

37. Resources • FIDO2 Developer Primer: webauthn.guide • FIDO2 Demo: webauthn.io

    webauthn.me • Python Code - https://github.com/duo-labs/webauthn.io • https://nordpass.com/most-common-passwords-list/ • https://auth0.com/docs/quickstart/backend/python/01-authorization • https://github.com/auth0/auth0-python

38. Feedback Please

39. Thank You !!!