Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WebAuthn Explained

Pradheepa P
November 06, 2023
Programming
0
61

WebAuthn Explained

Web Authentication is a new standard by FIDO enabling the creation and use of strong, attested, scoped, credentials using public key cryptography. By using the authenticators like YubiKey, web applications can create a digital identity without any password and hence could prevent the risk of phishing, and stolen passwords. In this talk, we will discuss about what, why, and how of WebAuthn.

Pradheepa P

November 06, 2023
Tweet

More Decks by Pradheepa P

See All by Pradheepa P
Securing Amazon API Gateway using Auth0
pradheepa
0
16
Securing Amazon HTTP APIs with JWT authorizers
pradheepa
0
14
Fostering Inclusivity and Equality
pradheepa
0
27
Take Your Authentication Beyond Passwords
pradheepa
0
59
Building Modern GraphQL APIs
pradheepa
0
22

Other Decks in Programming

See All in Programming
Quine, Polyglot, 良いコード
qnighy
4
640
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
910
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
Jakarta EE meets AI
ivargrimstad
0
520
Macとオーディオ再生 2024/11/02
yusukeito
0
370
Ethereum_.pdf
nekomatu
0
460
C++でシェーダを書く
fadis
6
4.1k
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
580
イベント駆動で成長して委員会
happymana
1
320
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.1k
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
GraphQLとの向き合い方2022年版
quramy
43
13k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Agile that works and the tools we love
rasmusluckow
327
21k
Become a Pro
speakerdeck
PRO
25
5k
GitHub's CSS Performance
jonrohan
1030
460k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
A Tale of Four Properties
chriscoyier
156
23k
Thoughts on Productivity
jonyablonski
67
4.3k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M

Transcript

  1. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. WebAuthn Explained Pradheepa Pullanieswaran Staff Developer Advocate, Okta Twitter : @pradheepa www.pradheepap.com

  2. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Agenda 01 Why WebAuthn 02 What is WebAuthn 03 How to WebAuthn 04 Demo 05 Q&A

  3. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Why WebAuthn

  4. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. - Username and Password - Digital Identity of the user Authentication

  5. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Passwords… Are they secure?

  6. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only.

  7. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. 80% Passwords are the root cause of over 80% of data breaches. 90 Users have more than 90 online accounts. 51% Up to 51% of passwords are reused.

  8. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Password, qwerty are the most common passwords. Easily guessed and vulnerable to brute force attacks Password rules with • Special Characters • Symbols • Minimum length • Upper Case • Lower Case etc Easy to guess Problem Solution

  9. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. A1Password!, vh64Zw#yrJRcM^ Credential Stuffing Up to 51% of passwords are reused. Use MFA Complex passwords Problem Solution

  10. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Any MFAs better than no MFA. But is this enough?

  11. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. SMS Coverage Issues Delay Cost Sim Swap User Experience Usability Adaptability Phishable Vulnerability Authenticator Phone Security App Security Multi-Factor Authentication

  12. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. What about passwordless?

  13. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. What is WebAuthn

  14. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. WebAuthentication (WebAuthn) - Global authentication standard based on public key cryptography. - A better alternative for securing our sensitive information online. - Allows servers to register and authenticate users using public key cryptography instead of a password. - Browser based API implementation of FIDO2 standard

  15. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Public Key Cryptography K Private K Public Digitally Signed with Private Key Verified the message using the public key

  16. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Signed Message Signature

  17. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Signer Signs Message Signature Signer Verifier

  18. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Signer Signs Message Signature Signer Verifier Hashing Function #######

  19. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Signer Signs Message Signature Signer Verifier K Private Hashing Function ####### Encrypt

  20. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Verifier Verifies Message Signature Signer Verifier K Private Hashing Function ####### Encrypt Hashing Function #######

  21. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Verifier Verifies Message Signature Signer Verifier K Private Hashing Function ####### Encrypt Hashing Function ####### Decrypt K Public #######

  22. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Verifier Verifies Message Signature Signer Verifier Hashing Function ####### Encrypt Hashing Function ####### Decrypt K Public ####### Equals?

  23. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Verifier Verifies Message Signature Signer Verifier 1. Message is not tampered 2. The Signer has the private key

  24. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. WebAuthn Registration

  25. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Hey, I am Meenu. I want to create a new account. User www.webauthn.me (Relying Party)

  26. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Sure, Give me your public key. User www.webauthn.me (Relying Party)

  27. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. User hmm.. Creating the keypairs www.webauthn.me (Relying Party)

  28. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. User Here it is! www.webauthn.me (Relying Party)

  29. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Thanks, Registration is complete User www.webauthn.me (Relying Party)

  30. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. WebAuthn Authentication

  31. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Hey, I am Meenu. I want to sign in to my account. User www.webauthn.me (Relying Party)

  32. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. User Please sign this challenge to identify you 6vRQpCdg 6vRQpCdg www.webauthn.me (Relying Party)

  33. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. User www.webauthn.me (Relying Party) Signing now with the private key… Here is my signed message 6vRQpCdg 6vRQpCdg

  34. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. User Application Server (Relying Party) Verifying the signature with the public key Great !!! You are in. 6vRQpCdg 6vRQpCdg

  35. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Who creates public & private key?

  36. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Roaming Authenticators - Bluetooth - NFC - USB pc: https://hwsecurity.dev/img/security-keys-fido-passwordless.png

  37. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Platform Authenticators Secured Enclave accessed via - Windows Hello - Finger Print - Face ID

  38. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Protocols

  39. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. - CTAP1/U2F Protocol and CTAP2 - Describes how an application (i.e. browser) and operating system establish communications with a compliant authentication device. - FIDO CTAP1 enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform CTAP - Client-to-Authenticator Protocol

  40. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. - CTAP2 is backward compatible and describes specification both Platform and Roaming authenticators - Handled by the device. Developers don’t have to worry about the implementation part. CTAP - Client-to-Authenticator Protocol

  41. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. - Specifies the communication between the browser and the application (Relying Party) - Implementation of webauthn api is handled by the application developer. WebAuthn

  42. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/

  43. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Registration Ceremony

  44. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. pc: https://mvallim.github.io/kubernetes-under-the-hood/

  45. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Players Authenticator WebAuthn API Relying Party www.webauthn.me User

  46. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Create an account Registration Username : Meenu

  47. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Create credential Username : Meenu rpId : www.webauthn.me challenge : we345yiom

  48. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. 1. Validate if origin matches RP ID 2. Create key pairs using navigator.credentials.create Username : Meenu rpId : www.webauthn.me clientData : challenge + rpId

  49. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Please provide the consent to prove user presence

  50. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Touches the authenticator to provide consent

  51. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Creating keypair Creating CredentialId Creating attestation object to prove the integrity of the authenticator Public Key Credential Id Attestation Signed Challenge

  52. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Verify Origin Verify Challenge Verify Attestation Signature Store userid, Credential Id, Public Key Public Key Credential Id Attestation Signed Challenge

  53. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. UserId Credential Id Public Key Attestation OK Registration Complete

  54. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Authentication Ceremony

  55. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Players authenticator WebAuthn API Relying Party www.webauthn.me User

  56. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Sign in Username : Meenu Authentication

  57. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. rpId : www.webauthn.me credential Id: [ xyersdfs ] Challenge: ewertjk347sd Server Challenge - Get Credentials

  58. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. rpId : www.webauthn.me credential Id: xyersdfs client data: challenge+ origin Authenticator

  59. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Please provide the consent User Presence / Verification

  60. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. 1. Retrieves Private Key 2. Builds and sign the response using the private key Creating Signed assertion Authenticator data client data hash: challenge+ origin Signature

  61. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Challenge Response Authenticator data client data hash: challenge+ origin Signature

  62. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. ➔ Validates Signature with public key ➔ Validates Challenge ➔ Validates the assertion OK Sign in Complete

  63. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. https://www.webauthn.me https://webauthn.guide https://www.okta.com/blog/2019/05/the-ultimate-guide-to-webauthn- registration-and-auth-flows/ https://developers.yubico.com/WebAuthn FIDO2 – Creating a passwordless future By John Craddock References

  64. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Yubikeys available at the booth.

  65. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only.

  66. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Questions?

  67. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Thank You