
WebAuthn/FIDO UX in depth, with rollout examples from real services / builderscon tokyo 2019 ritou

ritou
August 30, 2019


Transcript

  1. WebAuthn/FIDO UX in depth
    ~ with rollout examples from real services ~
    Ryo Ito (@ritou)
    builderscon tokyo 2019

  2. Ryo Ito
    • Engineer at mixi, Inc. - Identity / Platform / Payment?
    • OpenID Foundation Japan evangelist
    • Blog : ritou.hatenablog.com
    • Twitter : @ritou (the cat from Akita)
    • #idcon, #iddance

  3. Related WebAuthn talks
    https://speakerdeck.com/ritou

  4. Before the main topic
    • User authentication as it is used today
    • FIDO/WebAuthn overview

  5. Password authentication
    • Uses knowledge (SYK: Something You Know)
    • The ultimate authentication method, provided its requirements are met
      • for the user
      • for the service

  6. Requirements of password authentication
    • User
      • Generate an unguessable string
      • Keep a different string for every service
      • Enter it only on the service it belongs to

  7. Password authentication today
    • User
      • Generate an unguessable string -> simple and guessable
      • Keep a different string for every service -> reused
      • Enter it only on the service it belongs to -> "flexible" about where it is entered

  8. Requirements of password authentication
    • Service
      • Accept unguessable strings
      • Store passwords securely
      • Counter the various threats

  9. Password authentication today
    • Service
      • Accept unguessable strings -> alphanumeric, at most 8 characters
      • Store passwords securely -> stored as-is / leaked
      • Counter the various threats -> credential-stuffing (list attack) countermeasures etc.

  10. Password authentication today
    • Neither side meets the requirements
    • The root cause is humanity's spec shortfall (second time I say this, one year on)

  11. Password authentication today
    • Users need hardware/software support
    • Users are not great password-entry operators either
    • The cost to the service is not negligible either
    • Credential-stuffing countermeasures become a game of whack-a-mole?
    • An authentication method with no bright future ahead; why not just drop it?

  12. The next move
    • Additional authentication, called 2-(step|factor) authentication
      • One-time passwords
      • Approval on the smartphone/device at hand

  13. One-time password authentication
    • Uses a one-time password
      • Delivered by email/SMS
      • Generated by software/hardware
      • Taken from backup codes

  14. The crux of one-time password authentication
    • Uses a one-time password
      • Delivered by email/SMS -> the delivery channel and its two endpoints
      • Generated by software/hardware -> key management
      • Taken from backup codes -> management of the code list

  15. The crux of one-time password authentication
    • Uses a one-time password (note: auto-fill exists too)
      • Delivered by email/SMS -> the user types it in
      • Generated by software/hardware -> the user types it in
      • Taken from backup codes -> the user types it in

  16. One-time passwords and phishing attacks
    (diagram) A phishing email or message leads the user to a phishing site
    (example.info) that imitates the legitimate site (example.com). The user enters
    the ID/password and the one-time password on the phishing site; the phishing
    site forwards the captured ID/password and one-time password to the legitimate site.

  17. Approval on the device at hand
    • A notification is sent to the device at hand
    • Combined with unlocking the device
    • Implemented with a push to the device or to a dedicated app, etc.

  18. What additional authentication achieves
    • One-time password
      • If the phishing site accesses the legitimate site in real time, the authentication can still be broken
    • Approval on the device at hand
      • Approving everything that comes in is NG
      • If the phishing site accesses the legitimate site in real time, the user may approve it without noticing

  19. FIDO / WebAuthn overview

  20. FIDO (Fast IDentity Online)
    • Uses local authentication
      • Passwords and biometric data never travel over the network
      • Can be combined with various authentication methods (not only biometrics)
    • Two functions built on public-key cryptography
      • Registration : sends a signature and the public key
      • Authentication : sends a signature

  21. FIDO use cases
    • As passwordless authentication (possession + local authentication)
    • As additional authentication (possession)
    • As a re-authentication method

  22. FIDO2 Project
    • FIDO2 : FIDO from web applications as well
    • WebAuthn (Web Authentication API)
      • The JavaScript API that services using FIDO call
    • CTAP (Client To Authenticator Protocol)
      • The specification for talking to security keys
      • Implemented by the browser

  23. WebAuthn (Web Authentication API)
    • W3C Recommendation, 2019/3/4: https://www.w3.org/TR/webauthn/
    • Two APIs are defined
      • navigator.credentials.create() : registration
      • navigator.credentials.get() : authentication

  24. WebAuthn - the participants
    • Relying Party : the web application
    • Authenticator : security key, device
    • Client : the web browser

  25. WebAuthn - the participants
    (figure from a gihyo.jp dev column article on WebAuthn; the URL did not survive extraction intact)

  26. WebAuthn - the participants
    (figure from a gihyo.jp dev column article on WebAuthn; the URL did not survive extraction intact)

  27. WebAuthn - registration flow
    Participants: Authenticator (security key etc.), Client (browser), Relying Party (service)
    1. Build the registration parameters (RP info, user info, whether local authentication is required, etc.)
    2. Call the JS API
    3. Invoke the authenticator/platform functionality
    4. Local authentication, key pair generation, signature creation
    5. The new public key and the signature
    6. Return value of the JS API
    7. Various checks, then the public key is stored

  28. Examples of registration parameters
    • Attachment : the kind of authenticator
    • User Verification : whether local authentication is required
    • Require ResidentKey : store user information on the authenticator

  29. Attachment : Undefined (macOS + Google Chrome)
    The user chooses which authenticator to use

  30. Platform Authenticator (macOS + Google Chrome)

  31. Cross-Platform Authenticator (macOS + Google Chrome)

  32. Attachment : Undefined (Windows10 + MS Edge)
    Windows Hello takes priority; cancel -> cross-platform

  33. Examples of registration parameters
    • Attachment : the kind of authenticator
    • User Verification : whether local authentication is required
    • Require ResidentKey : store user information on the authenticator

  34. Authenticators and local authentication
    (image: "FIDO security key device | BioPass FIDO | Feitian Japan", from the ftsafe.co.jp FIDO products page)

  35. Authenticators and local authentication
    (image: "Discover YubiKeys | Strong Two-Factor Authentication for Secure Login | Yubico", from the yubico.com YubiKey hardware products page)

  36. User Verification : Required (macOS + Google Chrome)
    A PIN can be used even on a device without local authentication

  37. User Verification : Required (Windows10 + MS Edge)

  38. Examples of registration parameters
    • Attachment : the kind of authenticator
    • User Verification : whether local authentication is required
    • Require ResidentKey : store user information on the authenticator

  39. Require ResidentKey : True (macOS + Google Chrome)
    The UX can change in some cases

  40. WebAuthn - authentication flow
    Participants: Authenticator (security key etc.), Client (browser), Relying Party (service)
    1. Build the authentication parameters (public key information, whether local authentication is required, etc.)
    2. Call the JS API
    3. Invoke the authenticator/platform functionality
    4. Local authentication, signature creation
    5. The signature
    6. Return value of the JS API
    7. Various checks, then the authentication is processed

  41. Examples of authentication parameters
    • AllowCredentials : which public keys to accept
      • Present : specify the public keys the RP holds
      • Absent (empty) : use the information stored on the authenticator

  42. allowCredentials specified (macOS + Google Chrome)
    Requests the authenticator tied to the specified public key

  43. allowCredentials specified (Windows10 + MS Edge)

  44. Examples of authentication parameters
    • AllowCredentials : which public keys to accept
      • Present : specify the public keys the RP holds
      • Absent (empty) : use the information stored on the authenticator -> Resident Key
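
The parameters on the registration slides (attachment, user verification, resident key) and on the authentication slides (allowCredentials present or empty) are fields of the option objects handed to navigator.credentials.create() and get(). The following is an added example, not code from ritou's deck or from any of the services it discusses; the builder functions, the rp name, user, challenge and credential ids are constructed for illustration, and registerInBrowser only runs inside a browser (a real RP generates the challenge server-side and base64url-decodes credential ids rather than UTF-8-encoding strings).

```javascript
// Added example, not code from the deck or from any service it describes.
// Shows how the slide's registration knobs (attachment, user verification,
// resident key) and the allowCredentials choice map onto the WebAuthn option
// objects. All ids, names and challenges below are constructed placeholders.

const utf8 = (s) => new TextEncoder().encode(s);

// Registration: PublicKeyCredentialCreationOptions for navigator.credentials.create().
function buildCreationOptions({ rpId, rpName, user, challenge, attachment, userVerification, requireResidentKey }) {
  const authenticatorSelection = {
    // "required" forces local authentication (biometric / PIN) at the
    // authenticator; "preferred" or "discouraged" let it be skipped.
    userVerification,
  };
  // Leave attachment undefined and the browser asks the user which kind of
  // authenticator to use (the "Attachment: Undefined" slides);
  // "platform" or "cross-platform" restricts the choice.
  if (attachment) authenticatorSelection.authenticatorAttachment = attachment;
  if (requireResidentKey) {
    authenticatorSelection.requireResidentKey = true; // WebAuthn Level 1 name
    authenticatorSelection.residentKey = 'required';   // Level 2 name for the same request
  }
  return {
    rp: { id: rpId, name: rpName },
    user: { id: utf8(user.id), name: user.name, displayName: user.displayName },
    challenge: utf8(challenge), // constructed here; a real RP generates it server-side
    // ES256 first, RS256 as a fallback for authenticators without P-256.
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
    timeout: 60000,
    attestation: 'none',
    authenticatorSelection,
  };
}

// Authentication: PublicKeyCredentialRequestOptions for navigator.credentials.get().
function buildRequestOptions({ rpId, challenge, credentialIds = [], userVerification }) {
  const options = { rpId, challenge: utf8(challenge), timeout: 60000, userVerification };
  // Non-empty allowCredentials: the RP has already identified the user and
  // lists the credential ids it holds for them, so only those authenticators
  // are asked. Omitted/empty: the authenticator offers its resident
  // (discoverable) credentials and the user picks one, which is how
  // sign-in before user identification works on the later slides.
  if (credentialIds.length > 0) {
    options.allowCredentials = credentialIds.map((id) => ({ type: 'public-key', id: utf8(id) }));
  }
  return options;
}

// Browser side: ArrayBuffers in the response must be serialized before they
// go back to the RP (step 6 on the flow slides). base64url is the usual choice.
function toBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Runs only in a browser; shown so the whole client-side flow is visible.
async function registerInBrowser(options) {
  const cred = await navigator.credentials.create({ publicKey: options });
  return {
    id: cred.id,
    rawId: toBase64url(cred.rawId),
    clientDataJSON: toBase64url(cred.response.clientDataJSON),
    attestationObject: toBase64url(cred.response.attestationObject),
  };
}
```

The same builder with `attachment: 'platform'` reproduces the "Platform Authenticator" screens, with it undefined the "Attachment: Undefined" chooser, and `buildRequestOptions` without `credentialIds` is the "allowCredentials not specified" path that relies on resident keys.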

  45. allowCredentials not specified (macOS + Google Chrome)
    Local authentication, then selection from the stored user information

  46. allowCredentials not specified (macOS + Google Chrome)
    With a security key, too, the user information is selected at the end

  47. allowCredentials not specified (Windows10 + MS Edge)
    With Windows Hello: user selection, then local authentication

  48. allowCredentials not specified (Windows10 + MS Edge)
    With a security key: local authentication, then user selection

  49. WebAuthn's phishing resistance (as additional authentication)
    (diagram) A phishing email or message leads the user to a phishing site
    (example.info) that imitates the legitimate site (example.com). The user sends
    the ID/password and an assertion (signature etc.) to the phishing site; the
    phishing site forwards the captured ID/password and the assertion to the
    legitimate site.

  50. WebAuthn's phishing resistance (as additional authentication)
    (diagram, as on the previous slide) A phishing email or message leads the user
    to a phishing site (example.info) that imitates the legitimate site (example.com);
    the phishing site tries to forward the captured ID/password and assertion.
    Because key pairs are generated per origin, the user cannot log in to the
    phishing site in the first place.

  51. WebAuthn's phishing resistance (as additional authentication)
    (diagram, as on the previous slides) A phishing email or message leads the user
    to a phishing site (example.info) that imitates the legitimate site (example.com);
    the phishing site tries to forward the captured ID/password and assertion.
    Because key pairs are generated per origin, the user cannot log in to the
    phishing site, and an assertion created for the phishing site fails
    verification even if it is sent on to the legitimate site.

  52. Current FIDO/WebAuthn support on the platforms getting attention
    • Android
      • Authenticator: Android 7.0~, Security Key
      • Client: Chrome, Firefox
    • Windows 10
      • Authenticator: Windows Hello, Security Key
      • Client : Microsoft Edge, Chrome, Firefox…

  53. On implementing WebAuthn
    • Not covered here

  54. Now for the main topic
    FIDO / WebAuthn UX

  55. Use cases covered
    • As an additional authentication method: password authentication + FIDO
    • As the main authentication method: password authentication or FIDO

  56. Dropbox - registration
    Password confirmation is required before setup

  57. Dropbox - registration
    Asks the user to allow access to device information
    (annotation: "Attestation" and "none"; the symbol between the two words was lost in extraction)

  58. Dropbox - registration
    Give it a name to finish

  59. Dropbox - authentication
    Authentication is requested after password authentication

  60. Dropbox - authentication
    Authentication is also requested after social login

  61. Dropbox's rollout
    • Set up as one of the second-and-later methods of two-step verification
    • No restriction on usable authenticators
    • A name is set after the registration step
    • Requested not only after password authentication but also after social login

  62. GitHub - registration
    Has the user set a name before the registration step

  63. GitHub - registration
    Platform authenticators can be used too

  64. GitHub - authentication
    Used after password authentication

  65. GitHub - authentication
    A security key can also be used when the password is re-confirmed

  66. GitHub's rollout
    • Set up as one of the second-and-later methods of two-factor authentication
    • No restriction on usable authenticators
    • A name is set before the registration step
    • Security-key authentication is possible not only after password authentication but also at re-authentication

  67. Google - registration
    Devices running Android … or later can be set up easily (the version number was lost in extraction)

  68. Google - registration
    Cross-platform authenticators (Titan etc…) can be registered too

  69. Google - authentication
    Additional authentication is requested after password authentication

  70. Google - authentication
    Approving on the smartphone completes authentication

  71. Google - authentication
    After selecting the security key, tapping it completes authentication

  72. Google's rollout
    • Usable as one of the second-and-later methods of 2-step verification
    • Cross-platform authenticators
    • Android devices can be used too
      • Bluetooth connection without pairing (caBLE)
    • Looks likely to become usable at re-authentication soon

  73. Key points of "rolling out as additional authentication"
    • Offer several authentication methods : a setup that is "hard to get stuck in"
    • Restrictions on authenticators
    • Naming
    • When to request authentication
      • After password authentication / social login
      • As a replacement for password confirmation

  74. Use cases covered
    • As an additional authentication method: password authentication + FIDO
    • As the main authentication method: password authentication or FIDO

  75. Yahoo! JAPAN

  76. Yahoo! JAPAN - registration
    Limited to the Android + Chrome environment

  77. Yahoo! JAPAN - registration
    Can be combined with SMS/email confirmation codes and the like

  78. Yahoo! JAPAN - authentication
    After the user is identified, authentication is requested if the environment is Android + Chrome

  79. Yahoo! JAPAN's rollout
    • Limited to the Android + Chrome combination
      • In other environments, confirmation codes sent by email / SMS and the like are used
    • The authentication method is chosen after the user is identified
    • Re-authentication after registration uses the same authentication method

  80. Microsoft - registration
    In an environment where Windows Hello works, cross-platform authenticators can be used too

  81. Microsoft - registration
    User Verification: required

  82. Cross-Platform Authenticator
    Registration with Windows Hello alone is of course possible too

  83. Microsoft - authentication
    Authentication is requested before the user is identified (Resident Key)

  84. Microsoft's rollout
    • Limited to environments where Windows Hello works + MS Edge
      • Windows Hello alone
      • USB/NFC security keys can be used too
    • Requested as a sign-in option before the user is identified
      • User selection via Resident Key

  85. Nulab (Nulab Account)

  86. Nulab Account - registration
    Supports both kinds of authenticator

  87. Nulab Account - registration
    A name is set when the registration step completes

  88. Nulab Account - authentication
    After identification by email address, WebAuthn authentication is requested

  89. Nulab Account's rollout
    • Usable as the main authentication method, alongside password authentication
    • No restriction on usable authenticators
    • Multiple registrations allowed; the user names each one
    • Authentication is requested after the user is identified

  90. Key points of "rolling out as the main authentication method"
    • UserVerification is a must
    • Restrictions on the supported environment (Authenticator/Client)
      • With restrictions = maintenance is needed
      • Without restrictions = any FIDO2-capable environment just works
    • When to request authentication
      • Identify by email address, then decide from the user's settings and the environment
      • Use ResidentKey for user selection

  91. Towards passwordless

  92. The road to passwordless
    • New services: do not introduce password authentication
      • Take care of environments where WebAuthn/FIDO cannot be used
    • Existing services: remove password authentication
      1. Remove the dependencies on it
      2. Disable it (mandatorily or optionally)

  93. What depending on password authentication means
    • Sign-up flow
      • Set a password, then confirm by email/SMS
    • The "can't log in" link
      • Leads to the password reset flow
    • Important operations such as changing settings
      • Password confirmation

  94. Removing the dependencies on password authentication
    • Sign-up flow
      • Separate credential setup from email/SMS confirmation
      • Make the credential-setup part extensible
    • The "can't log in" link
      • Guide the user to another authentication method or to changing settings
    • Important operations such as changing settings
      • Accept several authentication methods

  95. Nulab Account sign-up
    • Sets a password first
    • To remove the dependency
      • Confirm the email address first?

  96. Dropbox's password confirmation
    • Requires the password before security features
    • To remove the dependency
      • Re-authenticate with the authentication methods the user has set up
      • Sort out domains/origins

  97. Yahoo! JAPAN's re-authentication
    • Where it used to confirm the password, it now requests the main authentication method
      • SMS / Email
      • WebAuthn
    • Domains are unified

  98. Disabling password authentication
    • Not using passwords means no credential stuffing
    • Yahoo! JAPAN / Nulab Account

  99. Yahoo! JAPAN's disabling of password authentication
    Passwords for mail clients and the like can be set separately

  100. Nulab Account's password deletion
    Deletion is possible if the account is only used in WebAuthn-capable environments

  101. What this talk covered
    • Introduced the UX of services that have rolled out WebAuthn
    • Organized the key points for rolling it out in a real service
      • Rolling out in a service that has password authentication
      • Migrating to passwordless

  102. • Questions and comments are welcome
    • Mentions in blog posts etc.
    • Twitter hashtag or mention
    • DM if you are shy
    Thank you for listening