Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WebAuthn/FIDOのUX徹底解説 ~実サービスへの導入イメージを添えて~ / builderscon tokyo 2019 ritou

ritou
August 30, 2019
Technology
11
6.7k

WebAuthn/FIDOのUX徹底解説 ~実サービスへの導入イメージを添えて~ / builderscon tokyo 2019 ritou

下記カンファレンスでの発表資料です。
https://builderscon.io/builderscon/tokyo/2019/session/c9da9bfb-c97c-4f93-a496-ff83b3ca61bc

ritou

August 30, 2019
Tweet

More Decks by ritou

See All by ritou
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
6.9k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
ritou
2
3.1k
C向けサービスで 使われている認証方式と安全な使い方
ritou
13
2.6k
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
ritou
2
670
GNAP超入門 ~ IW2021 C15
ritou
2
4.4k
OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3
ritou
1
1.2k
ID連携の標準化仕様紹介とセキュアな実装のためのアプローチ 2021 / Identity Federation Protocols 2021
ritou
3
7.9k
JWT Boot Camp 2020
ritou
1
6.3k
iddance2_ritou.pdf
ritou
1
3.9k

Other Decks in Technology

See All in Technology
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
240
KEDAによるイベント駆動ジョブスケール / Event-driven job scale by KEDA
kohbis
2
150
MySQL Architectures - Design the Right Solution for Your Needs
lefred
1
110
「Go Style Guide」から学んだ可読性の高いコードの書き方
andpad
5
2.1k
新リリース:microCMSテンプレート
microcms
1
640
ブロックテーマでどう変わる?新しいWordPressのWebサイト制作
tbshiki
0
140
データマイニングと機械学習-SVM
trycycle
0
140
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
370
[春のDojo祭り'23] いまからでも遅くない!データベース超入門 ハンズオン編
leekwangsoo1995
2
310
ChatGPTとこころを整理してみる
nagauta
0
360
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
4
200
Oracle Database Technology Night #67 Oracle Database High Availability concept
oracle4engineer
PRO
0
550

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
The Invisible Customer
myddelton
113
12k
Git: the NoSQL Database
bkeepers
PRO
420
60k
Become a Pro
speakerdeck
PRO
7
3.4k
How STYLIGHT went responsive
nonsquared
89
4.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540
Automating Front-end Workflow
addyosmani
1352
200k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.3k
Typedesign – Prime Four
hannesfritz
34
1.6k
Design by the Numbers
sachag
272
18k
Teambox: Starting and Learning
jrom
124
8k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k

Transcript

  1. WebAuthn/FIDOͷUXపఈղઆ
    ~࣮αʔϏε΁ͷಋೖΠϝʔδΛఴ͑ͯ~
    ͍ͱ͏Γΐ͏!SJUPV

    CVJMEFSTDPOUPLZP

    View Slide

  2. ͍ͱ͏Γΐ͏
    • (ג)ϛΫγΟ ΤϯδχΞ - Identity / Platform / Payment?
    • OpenID ϑΝ΢ϯσʔγϣϯɾδϟύϯ ΤόϯδΣϦετ
    • Blog : ritou.hatenablog.com
    • Twitter : @ritou (ळాͷೣ)
    • ˌidcon, #iddance
    !2

    View Slide

  3. WebAuthnؔ࿈ͷൃද
    !3
    https://speakerdeck.com/ritou

    View Slide

  4. ຊ୊ͷલʹ
    • ࠓ࢖ΘΕ͍ͯΔϢʔβʔೝূ
    • FIDO/WebAuthn֓ཁ
    !4

    View Slide

  5. ύεϫʔυೝূ
    • ஌ࣝ৘ใ (SYK:Something You Know) Λར༻
    • ཁ͕݅ຬͨ͞ΕΔͳΒ͹ࢸߴͷೝূํࣜ
    • Ϣʔβʔ
    • αʔϏε
    !5

    View Slide

  6. ύεϫʔυೝূʹ͓͚Δཁ݅
    • Ϣʔβʔ
    • ਪଌෆՄೳͳจࣈྻΛੜ੒
    • αʔϏεຖʹҟͳΔจࣈྻΛ؅ཧ
    • ֘౰αʔϏεʹͷΈೖྗ
    !6

    View Slide

  7. ύεϫʔυೝূͷݱঢ়
    • Ϣʔβʔ
    • ਪଌෆՄೳͳจࣈྻΛੜ੒ -> ؆୯ɺਪଌՄೳ
    • αʔϏεຖʹҟͳΔจࣈྻΛ؅ཧ -> ࢖͍ճ͠
    • ֘౰αʔϏεʹͷΈೖྗ -> ॊೈͳରԠ
    !7

    View Slide

  8. ύεϫʔυೝূʹ͓͚Δཁ݅
    • αʔϏε
    • ਪଌෆՄೳͳจࣈྻΛڐ༰
    • ύεϫʔυΛ҆શʹ؅ཧ
    • ༷ʑͳڴҖ΁ͷରࡦ
    !8

    View Slide

  9. ύεϫʔυೝূͷݱঢ়
    • αʔϏε
    • ਪଌෆՄೳͳจࣈྻΛڐ༰ -> ӳ਺࠷େ8จࣈ
    • ύεϫʔυΛ҆શʹ؅ཧ -> ͦͷ··อଘ/࿙Ӯ
    • ༷ʑͳڴҖ΁ͷରࡦ -> Ϧετ߈ܸରࡦͳͲ
    !9

    View Slide

  10. ύεϫʔυೝূͷݱঢ়
    • ͲͪΒ΋ཁ݅Λຬ͍ͨͯ͠ͳ͍
    • ݪҼ͸ਓྨͷεϖοΫෆ଍(1೥ͿΓ2ճ໨)
    !10

    View Slide

  11. ύεϫʔυೝূͷݱঢ়
    • Ϣʔβʔ͸ϋʔυ/ιϑτ΢ΣΞͷαϙʔτ͕ඞཁ
    • ύεϫʔυೖྗΦϖϨʔλͱͯ͠΋༏लͰ͸ͳ͍
    • αʔϏεͷίετ΋όΧʹͳΒͳ͍
    • Ϧετ߈ܸରࡦ͸Πλνͬ͜͝ʹʁ
    • ໌Δ͍ະདྷ͕ݟ͑ͳ͍ೝূํࣜɺ΍ΊͪΌ͑͹ʁ
    !11

    View Slide

  12. ࣍ͷҰख
    • 2(ஈ֊|ཁૉ)ೝূͱݺ͹ΕΔ௥Ճೝূ
    • ϫϯλΠϜύεϫʔυ
    • खݩͷεϚϗ/σόΠεͰڐՄ
    !12

    View Slide

  13. ϫϯλΠϜύεϫʔυೝূ
    • ϫϯλΠϜύεϫʔυΛར༻
    • ϝʔϧ/SMSʹΑΓ഑ૹ
    • ιϑτ/ϋʔυ΢ΣΞͰੜ੒
    • όοΫΞοϓίʔυ͔Β
    !13

    View Slide

  14. ϫϯλΠϜύεϫʔυೝূͷΩϞ
    • ϫϯλΠϜύεϫʔυΛར༻
    • ϝʔϧ/SMSʹΑΓ഑ૹ -> ௨৴࿏ͱૹड৴
    • ιϑτ/ϋʔυ΢ΣΞͰੜ੒ -> 伴ͷ؅ཧ
    • όοΫΞοϓίʔυ͔Β -> ίʔυҰཡͷ؅ཧ
    !14

    View Slide

  15. ϫϯλΠϜύεϫʔυೝূͷΩϞ
    • ϫϯλΠϜύεϫʔυΛར༻ (※ࣗಈೖྗ΋͋Γ)
    • ϝʔϧ/SMSʹΑΓ഑ૹ -> Ϣʔβʔ͕ೖྗ
    • ιϑτ/ϋʔυ΢ΣΞͰੜ੒ -> Ϣʔβʔ͕ೖྗ
    • όοΫΞοϓίʔυ͔Β -> Ϣʔβʔ͕ೖྗ
    !15

    View Slide

  16. ϫϯλΠϜύεϫʔυͱ
    ϑΟογϯά߈ܸ
    !16
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    ϫϯλΠϜ
    ύεϫʔυ
    औಘͨ͠
    *%ύεϫʔυ

    ϫϯλΠϜ
    ύεϫʔυ

    View Slide

  17. खݩͷσόΠεͰڐՄ
    • खݩͷσόΠεʹ௨஌
    • ϩοΫղআͱ૊Έ߹Θͤ
    • σόΠε΍ઐ༻ΞϓϦ΁ͷ
    ϓογϡͳͲͰ࣮ݱ
    !17

    View Slide

  18. ௥ՃೝূͷޮՌ
    • ϫϯλΠϜύεϫʔυ
    • ϑΟογϯάαΠτ͕ಉظతʹਖ਼نͷαΠτʹΞΫ
    ηε͢ΔͱೝূΛಥഁ͞ΕΔՄೳੑ΋
    • खݩͷσόΠεͰڐՄ
    • ͳΜͰ΋͔ΜͰ΋ڐՄͨ͠ΒNG
    • ϑΟογϯάαΠτ͕ಉظతʹਖ਼نͷαΠτʹΞΫ
    ηε͢Δͱؾ෇͔ͳ͍ͰڐՄͯ͠͠·͏Մೳੑ΋
    !18

    View Slide

  19. FIDO / WebAuthn ֓ཁ

    View Slide

  20. FIDO(First IDentity Online)
    • ϩʔΧϧೝূΛར༻
    • ύεϫʔυ΍ੜମ৘ใ͕௨৴࿏ΛྲྀΕͳ͍
    • (ੜମೝূʹݶΒͣ)༷ʑͳೝূํࣜͱͷ૊Έ߹Θͤ
    ͕Մೳ
    • ެ։伴҉߸ํࣜΛ༻͍ͨ̎ͭͷػೳ
    • ొ࿥ : ॺ໊ͱެ։伴৘ใΛૹ৴
    • ೝূ : ॺ໊Λૹ৴
    !20

    View Slide

  21. FIDOͷϢʔεέʔε
    !21
    • ύεϫʔυϨεೝূͱͯ͠ (ॴ࣋+ϩʔΧϧೝূ)
    • ௥Ճೝূͱͯ͠ (ॴ࣋)
    • ࠶ೝূͷํ๏ͱͯ͠

    View Slide

  22. FIDO2 Project
    • FIDO2 : WebΞϓϦέʔγϣϯ͔Β΋FIDO
    • WebAuthn (Web Authentication API)
    • FIDOΛར༻͢ΔαʔϏε͕ݺͼग़͢
    JavaScript API
    • CTAP (Client To Authenticator Protocol)
    • ηΩϡϦςΟΩʔͱ΍ΓͱΓ͢ΔͨΊͷ࢓༷
    • ϒϥ΢β͕࣮૷
    !22

    View Slide

  23. WebAuthn(WebAuthentication API)
    • 2019/3/4 W3Cקࠂ https://www.w3.org/TR/
    webauthn/
    • ఆٛ͞Ε͍ͯΔ2ͭͷAPI
    • navigator.credentials.create() : ొ࿥
    • navigator.credentials.get() : ೝূ
    !23

    View Slide

  24. WebAuthn - ొ৔ਓ෺
    !24
    • Relying Party : WebΞϓϦ
    • Authenticator : ηΩϡϦςΟΩʔɺσόΠε
    • Client : Webϒϥ΢β

    View Slide

  25. WebAuthn - ొ৔ਓ෺
    !25
    IUUQTHJIZPKQEFWDPMVNOOFXZFBSXFCBVUIO QBHF

    View Slide

  26. WebAuthn - ొ৔ਓ෺
    !26
    IUUQTHJIZPKQEFWDPMVNOOFXZFBSXFCBVUIO QBHF

    View Slide

  27. WebAuthn - ొ࿥ϑϩʔ
    !27
    1. ొ࿥༻ύϥϝʔλ࡞੒

    (RP৘ใ,Ϣʔβʔ৘ใ,
    ϩʔΧϧೝূͷ༗ແͳͲ)
    3. Authenticator/Platform
    ͷػೳΛݺͼग़͢
    2. JS APIͷݺͼग़͠
    4.ϩʔΧϧೝূ
    伴ϖΞੜ੒
    ॺ໊࡞੒
    5. ৽͍͠ެ։伴ͱॺ໊
    6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ
    ެ։伴ͷอଘ
    Authenticator
    (SecurityKey etc…)
    Client
    (ϒϥ΢β)
    Relying Party
    (αʔϏε)

    View Slide

  28. ొ࿥༻ύϥϝʔλͷࢦఆྫ
    !28
    • Attachment : Authenticatorͷछྨ
    • User Verification : ϩʔΧϧೝূͷཁٻ
    • Require ResidentKey : Ϣʔβʔ৘ใΛอଘ

    View Slide

  29. Attachment : Undefined
    (macOS + Google Chrome)
    !29
    Ϣʔβʔ͕ར༻͢Δ"VUIFOUJDBUJPSΛબ୒

    View Slide

  30. Platform Authenticator
    (macOS + Google Chrome)
    !30

    View Slide

  31. Cross-Platform Authenticator
    (macOS + Google Chrome)
    !31

    View Slide

  32. Attachment : Undefined
    (Windows10 + MS Edge)
    !32
    8JOEPXT)FMMP༏ઌ Ωϟϯηϧˠ$SPTT1MBUGPSN

    View Slide

  33. ొ࿥༻ύϥϝʔλͷࢦఆྫ
    !33
    • Attachment : Authenticatorͷछྨ
    • User Verification : ϩʔΧϧೝূͷཁٻ
    • Require ResidentKey : Ϣʔβʔ৘ใΛอଘ

    View Slide

  34. AuthenticatorͱϩʔΧϧೝূ
    !34
    '*%0ηΩϡϦςΟΩʔσόΠεʛ#JP1BTT'*%0cඈఱδϟύϯ

    IUUQTGUTBGFDPKQQSPEVDUTGJEP

    View Slide

  35. AuthenticatorͱϩʔΧϧೝূ
    !35
    %JTDPWFS:VCJ,FZTc4USPOH5XP'BDUPS"VUIFOUJDBUJPOGPS4FDVSF-PHJOc:VCJDP

    IUUQTXXXZVCJDPDPNQSPEVDUTZVCJLFZIBSEXBSF

    View Slide

  36. User Verification : Required
    (macOS + Google Chrome)
    !36
    ϩʔΧϧೝূͷͳ͍σόΠεͰ΋1*/ͷར༻͕Մೳ

    View Slide

  37. User Verification : Required
    (Windows10 + MS Edge)
    !37

    View Slide

  38. ొ࿥༻ύϥϝʔλͷࢦఆྫ
    !38
    • Attachment : Authenticatorͷछྨ
    • User Verification : ϩʔΧϧೝূͷཁٻ
    • Require ResidentKey : Ϣʔβʔ৘ใΛอଘ

    View Slide

  39. Require ResidentKey : True
    (macOS + Google Chrome)
    !39
    69͕มΘΔ৔߹΋

    View Slide

  40. WebAuthn - ೝূϑϩʔ
    !40
    Authenticator
    (SecurityKey etc…)
    Client
    (ϒϥ΢β)
    Relying Party
    (αʔϏε)
    1. ೝূ༻ύϥϝʔλ࡞੒

    (ެ։伴৘ใ,
    ϩʔΧϧೝূͷ༗ແͳͲ)
    3. Authenticator/Platform
    ͷػೳΛݺͼग़͢
    2. JS APIͷݺͼग़͠
    4.ϩʔΧϧೝূ
    ॺ໊࡞੒
    5. ॺ໊
    6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ
    ೝূॲཧ

    View Slide

  41. ೝূ༻ύϥϝʔλͷࢦఆྫ
    !41
    • AllowCredentials : ެ։伴ͷࢦఆ
    • ͋Γ : RP͕อ͍࣋ͯ͠Δެ։伴Λࢦఆ
    • ͳ͠(ۭ) : Authenticator ʹอଘ͞Ε͍ͯΔ
    ৘ใΛར༻

    View Slide

  42. allowCredentialsࢦఆ͋Γ
    (macOS + Google Chrome)
    !42
    ࢦఆͨ͠ެ։ݤʹඥͮ͘"VUIFOUJDBUPSΛཁٻ

    View Slide

  43. allowCredentialsࢦఆ͋Γ
    (Windows10 + MS Edge)
    !43

    View Slide

  44. ೝূ༻ύϥϝʔλͷࢦఆྫ
    !44
    • AllowCredentials : ެ։伴ͷࢦఆ
    • ͋Γ : RP͕อ͍࣋ͯ͠Δެ։伴Λࢦఆ
    • ͳ͠(ۭ) : Authenticator ʹอଘ͞Ε͍ͯΔ
    ৘ใΛར༻ -> Resident Key

    View Slide

  45. allowCredentialsࢦఆͳ͠
    (macOS + Google Chrome)
    !45
    ϩʔΧϧೝূอଘ͞Ε͍ͯΔϢʔβʔ৘ใ͔Βબ୒

    View Slide

  46. allowCredentialsࢦఆͳ͠
    (macOS + Google Chrome)
    !46
    ηΩϡϦςΟΩʔͷ৔߹΋࠷ޙʹϢʔβʔ৘ใબ୒

    View Slide

  47. allowCredentialsࢦఆͳ͠
    (Windows10 + MS Edge)
    !47
    8JOEPXT)FMMPͰ͸Ϣʔβʔબ୒ϩʔΧϧೝূ

    View Slide

  48. allowCredentialsࢦఆͳ͠
    (Windows10 + MS Edge)
    !48
    ηΩϡϦςΟΩʔͷ৔߹͸ϩʔΧϧೝূޙϢʔβʔબ୒

    View Slide

  49. WebAuthnͷϑΟογϯά଱ੑ
    (௥Ճೝূ)
    !49
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    Ξαʔγϣϯ
    ॺ໊ͳͲ

    औಘͨ͠
    *%ύεϫʔυ

    Ξαʔγϣϯ

    View Slide

  50. WebAuthnͷϑΟογϯά଱ੑ
    (௥Ճೝূ)
    !50
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    Ξαʔγϣϯ
    ॺ໊ͳͲ

    औಘͨ͠
    *%ύεϫʔυ

    Ξαʔγϣϯ
    PSJHJO୯ҐͰ伴ϖΞΛ
    ੜ੒͍ͯ͠ΔͷͰ
    ϑΟογϯάαΠτʹ
    ϩάΠϯͰ͖ͳ͍

    View Slide

  51. WebAuthnͷϑΟογϯά଱ੑ
    (௥Ճೝূ)
    !51
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    Ξαʔγϣϯ
    ॺ໊ͳͲ

    औಘͨ͠
    *%ύεϫʔυ

    Ξαʔγϣϯ
    PSJHJO୯ҐͰ伴ϖΞΛ
    ੜ੒͍ͯ͠ΔͷͰ
    ϑΟογϯάαΠτʹ
    ϩάΠϯͰ͖ͳ͍
    ϑΟογϯάαΠτ޲͚ͷ
    ΞαʔγϣϯΛਖ਼نͷαΠτʹ
    ૹͬͯ΋ݕূࣦഊ͢Δ

    View Slide

  52. ࠷ۙ஫໨ͷFIDO/WebAuthnͷରԠঢ়گ
    !52
    • Android
    • Authenticator: Android 7.0~, Security Key
    • Client: Chrome, Firefox
    • Windows 10
    • Authenticator: Windows Hello, Security
    Key
    • Client : Microsoft Edge, Chrome, Firefox…

    View Slide

  53. WebAuthnͷ࣮૷ʹ͍ͭͯ
    !53
    • ͜͜Ͱ͸঺հ͠·ͤΜ

    View Slide

  54. ͍Α͍Αຊ୊
    FIDO / WebAuthn UX

    View Slide

  55. ঺հ͢ΔϢʔεέʔε
    • ௥Ճͷೝূํࣜͱͯ͠: ύεϫʔυೝূ + FIDO
    • ϝΠϯͷೝূํࣜͱͯ͠: ύεϫʔυೝূ or FIDO
    !55

    View Slide

  56. Dropbox

    View Slide

  57. Dropbox - ొ࿥
    !57
    ઃఆલʹύεϫʔυ֬ೝΛཁٻ

    View Slide

  58. Dropbox - ొ࿥
    !58
    σόΠε৘ใʹର͢Δ
    ΞΫηεڐՄ֬ೝΛཁٻ "UUFTUBUJPOOPOF

    View Slide

  59. Dropbox - ొ࿥
    !59
    ໊લΛ͚ͭͯ׬ྃ

    View Slide

  60. Dropbox - ೝূ
    !60
    ύεϫʔυೝূͷޙʹೝূΛཁٻ

    View Slide

  61. Dropbox - ೝূ
    !61
    ιʔγϟϧϩάΠϯޙʹ΋ೝূΛཁٻ

    View Slide

  62. Dropboxͷಋೖྫ
    • ̎ஈ֊ೝূͷ2ͭ໨Ҏ߱ͷೝূํࣜͱͯ͠ઃఆ
    • ར༻ՄೳͳAuthenticatorʹ੍ݶͳ͠
    • ొ࿥ॲཧޙʹ໊લΛઃఆ
    • ύεϫʔυೝূ͚ͩͰ͸ͳ͘ɺιʔγϟϧϩάΠϯ
    ͷޙʹ΋ཁٻ͞ΕΔ
    !62

    View Slide

  63. GitHub

    View Slide

  64. GitHub - ొ࿥
    !64
    ొ࿥ॲཧͷલʹ໊લΛઃఆͤ͞Δ

    View Slide

  65. GitHub - ొ࿥
    !65
    1MBUGPSN"VUIFOUJDBUPS΋ར༻Մೳ

    View Slide

  66. GitHub - ೝূ
    !66
    ύεϫʔυೝূޙʹར༻

    View Slide

  67. GitHub - ೝূ
    !67
    ύεϫʔυ֬ೝ࣌ʹ΋ηΩϡϦςΟΩʔΛར༻Մೳ

    View Slide

  68. GitHubͷಋೖྫ
    • ̎ཁૉೝূͷ2ͭ໨Ҏ߱ͷೝূํࣜͱͯ͠ઃఆ
    • ར༻ՄೳͳAuthenticatorʹ੍ݶͳ͠
    • ొ࿥ॲཧલʹ໊લΛઃఆ
    • ύεϫʔυೝূͷޙ͚ͩͰ͸ͳ͘ɺ࠶ೝূ࣌ʹ΋η
    ΩϡϦςΟΩʔΛ༻͍ͨೝূ͕Մೳ
    !68

    View Slide

  69. Google

    View Slide

  70. Google - ొ࿥
    !70
    "OESPJEҎ߱ͷσόΠεΛ؆୯ʹઃఆͰ͖Δ

    View Slide

  71. Google - ొ࿥
    !71
    $SPTT1MBUGPSN"VUIFOUJDBUPS 5JUBOFUDʜ
    ΋ొ࿥Մೳ

    View Slide

  72. Google - ೝূ
    !72
    ύεϫʔυೝূޙʹ௥ՃೝূΛཁٻ

    View Slide

  73. Google - ೝূ
    !73
    εϚϗͰڐՄ͢Δͱೝূ͕׬ྃ

    View Slide

  74. Google - ೝূ
    !74
    ηΩϡϦςΟΩʔΛબ୒ޙɺλοϓ͢Δͱ׬ྃ

    View Slide

  75. Googleͷಋೖྫ
    • ̎ஈ֊ೝূͷ2ͭ໨Ҏ߱ͷೝূํࣜͱͯ͠ར༻Մೳ
    • Cross-platform Authenticator
    • Android୺຤΋ར༻Մೳ
    • ϖΞϦϯάͳ͠ͷBluetooth઀ଓ(caBLE)
    • ͍ۙ͏ͪʹ࠶ೝূ࣌ʹ΋ར༻ՄೳʹͳΓͦ͏
    !75

    View Slide

  76. ʮ௥Ճೝূͱͯ͠ͷಋೖʯ
    ͷϙΠϯτ
    • ෳ਺ͷೝূํࣜΛఏڙ : ʮ٧Έʹ͍͘ʯ࢓૊Έ
    • Authenticatorͷ੍ݶ
    • ໊લͷઃఆ
    • ೝূཁٻͷλΠϛϯά
    • ύεϫʔυೝূ / ιʔγϟϧϩάΠϯͷޙ
    • ύεϫʔυ֬ೝͷ୅ସͱͯ͠
    !76

    View Slide

  77. ঺հ͢ΔϢʔεέʔε
    • ௥Ճͷೝূํࣜͱͯ͠: ύεϫʔυೝূ + FIDO
    • ϝΠϯͷೝূํࣜͱͯ͠: ύεϫʔυೝূ or FIDO
    !77

    View Slide

  78. Yahoo! JAPAN

    View Slide

  79. Yahoo! JAPAN - ొ࿥
    !79
    "OESPJE$ISPNF؀ڥʹݶఆ

    View Slide

  80. Yahoo! JAPAN - ొ࿥
    !80
    4.4ϝʔϧ֬ೝίʔυ౳ͱͷซ༻΋Մೳ

    View Slide

  81. Yahoo! JAPAN - ೝূ
    !81
    Ϣʔβʔࣝผޙɺ"OESPJE$ISPNFͳΒೝূཁٻ

    View Slide

  82. Yahoo! JAPANͷಋೖྫ
    • Android + Chrome ͱݴ͏૊Έ߹Θͤʹݶఆ
    • ͦΕҎ֎ͷ؀ڥͰ͸ϝʔϧ / SMSͰͷ֬ೝίʔ
    υૹ৴౳Λར༻
    • ϢʔβʔࣝผޙʹೝূํࣜΛग़͠Θ͚
    • ొ࿥ޙͷ࠶ೝূͰ΋ಉ͡ೝূํࣜ
    !82

    View Slide

  83. Microsoft

    View Slide

  84. Microsoft - ొ࿥
    !84
    8JOEPXT)FMMP͕ಈ࡞͢Δ؀ڥͰ͋Ε͹
    $SPTT1MBUGPSN"VUIFOUJDBUPS΋ར༻Մೳ

    View Slide

  85. Microsoft - ొ࿥
    !85
    6TFS7FSJGJDBUJPOSFRVJSFE

    View Slide

  86. Cross-Platform Authenticator
    !86
    ΋ͪΖΜ8JOEPXT)FMMP୯ମͰ΋ొ࿥Մೳ

    View Slide

  87. Microsoft - ೝূ
    !87
    Ϣʔβʔࣝผલʹೝূཁٻ 3FTJEFOU,FZ

    View Slide

  88. Microsoftͷಋೖྫ
    • Windows Hello͕࢖͑Δ؀ڥ + MS Edgeݶఆ
    • Windows Hello୯ମ
    • USB/NFCͳηΩϡϦςΟΩʔ΋ར༻Մೳ
    • αΠϯΠϯΦϓγϣϯͱͯ͠Ϣʔβʔࣝผલʹཁٻ
    • Resident KeyʹΑΔϢʔβʔબ୒
    !88

    View Slide

  89. Nulab(ψʔϥϘΞΧ΢ϯτ)

    View Slide

  90. ψʔϥϘΞΧ΢ϯτ - ొ࿥
    !90
    ྆ํͷ"VUIFOUJDBUPSʹରԠ

    View Slide

  91. ψʔϥϘΞΧ΢ϯτ - ొ࿥
    !91
    ొ࿥ॲཧ׬ྃ࣌ʹ໊લΛઃఆ

    View Slide

  92. ψʔϥϘΞΧ΢ϯτ - ೝূ
    !92
    ϝΞυͰࣝผޙʹ8FC"VUIOͷೝূཁٻ

    View Slide

  93. ψʔϥϘΞΧ΢ϯτͷಋೖྫ
    • ϝΠϯͷೝূํࣜͱͯ͠ύεϫʔυೝূͱซ༻Մೳ
    • ར༻ՄೳͳAuthenticatorʹ੍ݶͳ͠
    • ෳ਺ొ࿥ՄೳɺϢʔβʔ໊͕લΛ͚ͭΔ
    • Ϣʔβʔࣝผޙʹೝূཁٻ
    !93

    View Slide

  94. ʮϝΠϯͷೝূํࣜͱͯ͠ͷಋೖʯ
    ͷϙΠϯτ
    • UserVerification͸ඞਢ
    • αϙʔτ؀ڥ(Authenticator/Client)ͷ੍ݶ
    • ੍ݶ͋Γ = ϝϯςφϯε͕ඞཁ
    • ੍ݶͳ͠ = FIDO2ରԠ؀ڥͳΒ͹উखʹରԠՄೳ
    • ೝূཁٻͷλΠϛϯά
    • ϝΞυͰࣝผޙʹઃఆͱ؀ڥͷ൑ఆ
    • ResidentKeyΛར༻ͯ͠Ϣʔβʔબ୒
    !94

    View Slide

  95. ύεϫʔυϨεʹ޲͚ͯ

    View Slide

  96. ύεϫʔυϨε΁ͷಓ
    • ৽نαʔϏεͰ͸ύεϫʔυೝূΛಋೖ͠ͳ͍
    • WebAuthn/FIDO͕࢖͑ͳ͍؀ڥͷέΞ
    • طଘͷαʔϏε͔ΒύεϫʔυೝূΛऔΓআ͘
    1. ґଘΛͳ͘͢
    2. (ڧ੍΋͘͠͸೚ҙͰ)ແޮԽ
    !96

    View Slide

  97. ύεϫʔυೝূ΁ͷґଘͱ͸
    • ৽نొ࿥ϑϩʔ
    • ύεϫʔυΛઃఆ͔ͯ͠Βϝʔϧ/SMS֬ೝ
    • ϩάΠϯͰ͖ͳ͍ϦϯΫ
    • ύεϫʔυϦηοτϑϩʔ΁
    • ઃఆมߋͳͲॏཁͳॲཧ
    • ύεϫʔυ֬ೝ
    !97

    View Slide

  98. ύεϫʔυೝূ΁ͷґଘΛऔΓআ͘
    • ৽نొ࿥ϑϩʔ
    • ΫϨσϯγϟϧઃఆͱϝʔϧ/SMS֬ೝͷ෼཭
    • ΫϨσϯγϟϧઃఆ෦෼Λ֦ுՄೳʹ͢Δ
    • ϩάΠϯͰ͖ͳ͍ϦϯΫ
    • ผͷೝূํࣜ΍ઃఆมߋ΁ͷ༠ಋ
    • ઃఆมߋͳͲॏཁͳॲཧ
    • ෳ਺ͷೝূํࣜΛڐ༰
    !98

    View Slide

  99. ψʔϥϘΞΧ΢ϯτͷ৽نొ࿥
    • ࠷ॳʹύεϫʔυઃఆ
    • ґଘΛऔΓআͨ͘Ίʹ
    • ϝΞυ֬ೝΛઌʹʁ
    !99

    View Slide

  100. Dropboxͷύεϫʔυ֬ೝ
    • ηΩϡϦςΟػೳͷલ
    ʹύεϫʔυཁٻ
    • ґଘΛऔΓআͨ͘Ίʹ
    • ઃఆࡁΈͷೝূํࣜ
    ʹ߹Θͤͨ࠶ೝূ
    • υϝΠϯ/origin੔ཧ
    !100

    View Slide

  101. Yahoo! JAPANͷ࠶ೝূ
    • ύεϫʔυΛ֬ೝ͍ͯ͠
    ͨͱ͜ΖͰϝΠϯͷೝ
    ূํࣜΛཁٻ
    • SMS / Email
    • WebAutnn
    • υϝΠϯ͕౷Ұ
    !101

    View Slide

  102. ύεϫʔυೝূͷແޮԽ
    • ύεϫʔυΛ࢖Θͳ͍ʹϦετ߈ܸΛड͚ͳ͍
    • Yahoo! JAPAN / ψʔϥϘΞΧ΢ϯτ
    !102

    View Slide

  103. Yahoo! JAPANͷ
    ύεϫʔυೝূແޮԽ
    !103
    ϝʔϧιϑτͳͲͷύεϫʔυ͸ผ్ઃఆՄೳ

    View Slide

  104. ψʔϥϘΞΧ΢ϯτͷ
    ύεϫʔυ࡟আ
    !104
    8FC"VUIOରԠ؀ڥͰ͔͠࢖Θͳ͍ͳΒ࡟আՄೳ

    View Slide

  105. ·ͱΊ

    View Slide

  106. ࠓճͷ಺༰
    • WebAuthnΛಋೖͨ͠αʔϏεͷUXΛ঺հͨ͠
    • ࣮αʔϏε΁ͷಋೖ࣌ͷϙΠϯτΛ੔ཧͨ͠
    • ύεϫʔυೝূ͕͋ΔαʔϏε΁ͷಋೖ
    • ύεϫʔυϨε΁ͷҠߦ
    !106

    View Slide

  107. • ࣭͝໰ɺײ૝ͳͲ͓଴͓ͪͯ͠Γ·͢
    • ϒϩάͰͷݴٴͳͲ
    • Twitter ͷϋογϡλά or ϝϯγϣϯ
    • ஏ͔͚ͣ͠Ε͹DMͰ΋
    !107
    ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠

    View Slide