
WebAuthn Explained

Web Authentication is a new standard by FIDO enabling the creation and use of strong, attested, scoped credentials based on public key cryptography. By using authenticators such as a YubiKey, web applications can establish a digital identity without any password, and so can mitigate the risk of phishing and stolen passwords. In this talk we discuss the what, why, and how of WebAuthn.

Pradheepa P

November 06, 2023
Transcript

  1. © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only. WebAuthn Explained. Pradheepa Pullanieswaran, Staff Developer Advocate, Okta. Twitter: @pradheepa, www.pradheepap.com
  2. Agenda: 01 Why WebAuthn, 02 What is WebAuthn, 03 How to WebAuthn, 04 Demo, 05 Q&A
  3. Why WebAuthn
  4. Authentication
     - Username and Password
     - Digital Identity of the user
  5. Passwords… Are they secure?
  6. 80%: Passwords are the root cause of over 80% of data breaches. 90: Users have more than 90 online accounts. 51%: Up to 51% of passwords are reused.
  7. Problem: Easy to guess. "Password" and "qwerty" are the most common passwords; they are easily guessed and vulnerable to brute force attacks. Solution: Password rules requiring special characters, symbols, minimum length, upper case, lower case, etc.
  8. Problem: Complex passwords (A1Password!, vh64Zw#yrJRcM^) are still exposed to credential stuffing, since up to 51% of passwords are reused. Solution: Use MFA.
  9. Any MFA is better than no MFA. But is this enough?
  10. Multi-Factor Authentication: SMS vs Authenticator app, compared on usability (coverage issues, delay, cost, user experience, adaptability) and vulnerability (SIM swap, phishable, phone security, app security).
  11. What about passwordless?
  12. What is WebAuthn
  13. Web Authentication (WebAuthn)
     - Global authentication standard based on public key cryptography.
     - A better alternative for securing our sensitive information online.
     - Allows servers to register and authenticate users using public key cryptography instead of a password.
     - Browser-based API implementation of the FIDO2 standard.
  14. Public Key Cryptography: K_Private and K_Public. The message is digitally signed with the private key and verified using the public key.
  15. Signed Message = Message + Signature
  16. Signer signs the message: Signer → Message + Signature → Verifier
  17. Signer signs: the message is run through a hashing function, producing a digest (#######).
  18. Signer signs: the digest is encrypted with K_Private, producing the signature.
  19. Verifier verifies: the verifier runs the received message through the same hashing function, producing its own digest (#######).
  20. Verifier verifies: the signature is decrypted with K_Public, recovering the signer's digest (#######).
  21. Verifier verifies: Equals? The two digests are compared.
  22. Verifier verifies, and if the digests are equal: 1. Message is not tampered 2. The Signer has the private key
  23. WebAuthn Registration
  24. User → www.webauthn.me (Relying Party): Hey, I am Meenu. I want to create a new account.
  25. Relying Party → User: Sure, give me your public key.
  26. User: hmm.. creating the key pair
  27. User → Relying Party: Here it is!
  28. Relying Party → User: Thanks, registration is complete.
  29. WebAuthn Authentication
  30. User → www.webauthn.me (Relying Party): Hey, I am Meenu. I want to sign in to my account.
  31. Relying Party → User: Please sign this challenge to identify you: 6vRQpCdg
  32. User → Relying Party: Signing now with the private key… Here is my signed message (6vRQpCdg).
  33. Application Server (Relying Party): Verifying the signature with the public key. Great!!! You are in.
  34. Who creates the public & private key?
  35. Roaming Authenticators: Bluetooth, NFC, USB. (pc: https://hwsecurity.dev/img/security-keys-fido-passwordless.png)
  36. Platform Authenticators: a Secure Enclave accessed via Windows Hello, fingerprint, Face ID.
  37. Protocols
  38. CTAP - Client-to-Authenticator Protocol
     - CTAP1/U2F Protocol and CTAP2
     - Describes how an application (i.e. browser) and operating system establish communications with a compliant authentication device.
     - FIDO CTAP1 enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform.
  39. CTAP - Client-to-Authenticator Protocol
     - CTAP2 is backward compatible and specifies both platform and roaming authenticators.
     - Handled by the device; developers don't have to worry about the implementation part.
  40. WebAuthn
     - Specifies the communication between the browser and the application (Relying Party).
     - Implementation of the WebAuthn API is handled by the application developer.
  41. https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/
  42. Registration Ceremony
  43. (pc: https://mvallim.github.io/kubernetes-under-the-hood/)
  44. Players: User, Authenticator, WebAuthn API, Relying Party (www.webauthn.me)
  45. Registration: Create an account. Username: Meenu
  46. Create credential. Username: Meenu, rpId: www.webauthn.me, challenge: we345yiom
  47. WebAuthn API: 1. Validate that the origin matches the RP ID. 2. Create the key pair using navigator.credentials.create. Username: Meenu, rpId: www.webauthn.me, clientData: challenge + rpId
  48. Authenticator → User: Please provide consent to prove user presence.
  49. User touches the authenticator to provide consent.
  50. Authenticator: creating the key pair, creating the Credential Id, creating the attestation object to prove the integrity of the authenticator. Returns: Public Key, Credential Id, Attestation, Signed Challenge
  51. Relying Party (receives Public Key, Credential Id, Attestation, Signed Challenge): Verify Origin, Verify Challenge, Verify Attestation Signature; store userId, Credential Id, Public Key.
  52. Stored: UserId, Credential Id, Public Key, Attestation. OK, Registration Complete
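The origin-versus-RP-ID check in step 47 is done by the browser before it creates or uses a credential: the RP ID must be the origin's host or a parent domain of it, which is what keeps a credential scoped to www.webauthn.me and useless on a lookalike site. The function below is an added example, not code from the talk; it uses the slide's www.webauthn.me values and treats localhost as the usual development exception.

```javascript
// Added example (not from the talk): the scoping rule a WebAuthn client applies
// before creating or using a credential. Simplification: a real client also rejects
// RP IDs that are a public suffix such as "co.uk", which needs the Public Suffix List.
function originMatchesRpId(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; }  // malformed origin
  const host = url.hostname.toLowerCase();
  const id = String(rpId || '').toLowerCase();
  if (!id) return false;
  const isLocal = host === 'localhost' || host.endsWith('.localhost');
  // WebAuthn is only exposed in a secure context; plain http is tolerated for localhost only.
  if (url.protocol !== 'https:' && !isLocal) return false;
  // A bare TLD such as "me" would scope one credential across every ".me" site.
  if (!isLocal && !id.includes('.')) return false;
  // Exact host, or the RP ID is a parent domain: "login.webauthn.me" may use
  // "webauthn.me", but "webauthn.me.evil.example" and "evilwebauthn.me" may not.
  return host === id || host.endsWith('.' + id);
}

// Constructed cases showing what the check accepts and rejects.
const SCOPE_CASES = [
  ['https://www.webauthn.me', 'www.webauthn.me', true],
  ['https://login.webauthn.me', 'webauthn.me', true],
  ['https://webauthn.me.evil.example', 'webauthn.me', false], // lookalike suffix
  ['https://evilwebauthn.me', 'webauthn.me', false],          // lookalike prefix
  ['http://www.webauthn.me', 'www.webauthn.me', false],       // not a secure context
  ['http://localhost:8080', 'localhost', true],
  ['https://www.webauthn.me', 'me', false],                   // public suffix as RP ID
];
for (const [origin, rpId, expected] of SCOPE_CASES) {
  console.log(originMatchesRpId(origin, rpId) === expected ? 'ok  ' : 'FAIL', origin, rpId);
}
```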
  53. Authentication Ceremony
  54. Players: User, Authenticator, WebAuthn API, Relying Party (www.webauthn.me)
  55. Authentication: Sign in. Username: Meenu
  56. Server Challenge - Get Credentials: rpId: www.webauthn.me, credential Id: [ xyersdfs ], Challenge: ewertjk347sd
  57. Authenticator: rpId: www.webauthn.me, credential Id: xyersdfs, client data: challenge + origin
  58. Please provide consent: User Presence / Verification
  59. Authenticator: 1. Retrieves the private key. 2. Builds and signs the response using the private key. Creating the signed assertion: Authenticator data, client data hash (challenge + origin), Signature
  60. Challenge Response: Authenticator data, client data hash (challenge + origin), Signature
  61. Relying Party: ➔ Validates the signature with the public key ➔ Validates the challenge ➔ Validates the assertion. OK, Sign in Complete
  62. References: https://www.webauthn.me, https://webauthn.guide, https://www.okta.com/blog/2019/05/the-ultimate-guide-to-webauthn-registration-and-auth-flows/, https://developers.yubico.com/WebAuthn, "FIDO2 – Creating a passwordless future" by John Craddock
  63. YubiKeys available at the booth.
  64. Questions?
  65. Thank You