Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022

ritou
October 06, 2022
Technology
2
3.2k

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022

DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753

ritou

October 06, 2022
Tweet

More Decks by ritou

See All by ritou
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
7k
C向けサービスで 使われている認証方式と安全な使い方
ritou
13
2.6k
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
ritou
2
680
GNAP超入門 ~ IW2021 C15
ritou
2
4.4k
OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3
ritou
1
1.2k
ID連携の標準化仕様紹介とセキュアな実装のためのアプローチ 2021 / Identity Federation Protocols 2021
ritou
3
7.9k
JWT Boot Camp 2020
ritou
1
6.3k
iddance2_ritou.pdf
ritou
1
3.9k
webauthn_study_ritou.pdf
ritou
3
910

Other Decks in Technology

See All in Technology
応用から学ぶ強化学習
nearme_tech
0
220
Head toward Java 20 and Java 21
line_developers
PRO
0
460
無理なく始めるGoでのユニットテストの並行化戦略
shohata
1
610
Romi チームの OpenSearchのコスト最適化事例

mixi_engineers
PRO
0
280
金融系子会社でレガシーシステムしか作ったことないけど、モダン開発に挑戦してみた
marikashiotsuki
1
140
Exadata Database Cloud (Exadata Cloud Service) サービス技術詳細
oracle4engineer
PRO
0
29k
人工知能学会 AI哲学マップ・総括セッション 講演資料
miyayou
3
1.4k
dx_osarai_about_connection
hatahata021
0
450
JJUG_CCC_2023_Exposed.pdf
wenas
0
100
Microsoft Startup Tech Meetup #0 : Kikuchi
hikiroku
1
130
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
550
#47-48 “NSDI 2023 recap”
cafenero_777
0
110

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
341
18k
YesSQL, Process and Tooling at Scale
rocio
158
13k
Being A Developer After 40
akosma
50
580k
Web development in the modern age
philhawksworth
197
9.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
255
12k
Design by the Numbers
sachag
272
18k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.3k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
Fireside Chat
paigeccino
18
2.1k
Three Pipe Problems
jasonvnalue
89
9.1k
Agile that works and the tools we love
rasmusluckow
322
20k

Transcript

  1. Android/ChromeͰମݧͰ͖Δ


    ೝূͷͨΊͷඪ४Խ࢓༷ͷ


    ݱࡏͱະདྷ
    @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022

    View Slide

  2. ൃදͷ಺༰
    • C޲͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ


    • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX

    2

    View Slide

  3. ˏritou
    • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance


    • ΤόϯδΣϦετ @ OIDF-J


    • ΤϯδχΞ ˏ גࣜձࣾMIXI

    3

    View Slide

  4. C޲͚αʔϏεʹ͓͚Δ


    Ϣʔβʔೝূͷมભ

    View Slide

  5. ᶃύεϫʔυೝূ

    View Slide

  6. ύεϫʔυೝূ

    (هԱγʔΫϨοτ, Memorized Secrets)

    6
    • ೝূཁૉ : ஌ࣝ


    • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗


    • Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛݕূ

    View Slide

  7. ύεϫʔυೝূͰ


    ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅

    7
    • Ϣʔβʔ


    • ύεϫʔυΛ๨Εͳ͍


    • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ࢖͍·Θ͞ͳ͍


    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍


    • αʔϏε


    • ύεϫʔυΛ҆શʹ؅ཧ͢Δ


    • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ

    View Slide

  8. ύεϫʔυೝূʹ͓͚Δ


    ϢʔβʔɺαʔϏεͷݱঢ়

    8
    • Ϣʔβʔ


    • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏


    • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ


    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏


    • αʔϏε


    • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏


    • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

    View Slide

  9. ΞΧ΢ϯτϦΧόϦʔ
    • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮


    • ಛఆͷೝূํ͕ࣜ࢖͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ


    • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ


    • ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷ૊Έ߹Θ͕ͤҰൠత


    • ϝʔϧ΁ϦϯΫ΍ೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ


    • ੈͷதʹ͸ύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔ΋ଘࡏ͢Δ

    View Slide

  10. ϝʔϧ/SMSʹΑΔOTP

    (ܦ࿏֎ೝূ, Out-of-Band Devices)

    10
    • ೝূཁૉ : ॴ༗


    • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗


    • ϦϯΫૹ৴&ΫϦοΫ΋͜ΕΛ؆ུԽͨ͠΋ͷͱଊ͑ΒΕΔ


    • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜
    ͱͰɺΞΧ΢ϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ

    View Slide

  11. ᶄ2ஈ֊/ཁૉೝূͷීٴ

    View Slide

  12. ύεϫʔυೝূʹ͓͚Δ


    ϢʔβʔɺαʔϏεͷݱঢ়

    12
    • Ϣʔβʔ


    • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏


    • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ


    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏


    • αʔϏε


    • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏


    • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

    View Slide

  13. ύεϫʔυϦετ߈ܸɺ


    ύεϫʔυεϓϨʔ߈ܸ

    13
    • ύεϫʔυϦετ߈ܸ


    • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ


    • ಉ͡ύεϫʔυΛ࢖͍ճ͍ͯͨ͠ΒΞ΢τ


    • ύεϫʔυεϓϨʔ߈ܸ


    • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ


    • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞ΢τ


    • ͜ΕΒͷ߈ܸ΁ͷରࡦͱͯ͠ɺ௥Ճೝূ͕ීٴ

    View Slide

  14. ιϑτ΢ΣΞTOTP

    (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)

    14
    • ೝূཁૉ : ॴ༗


    • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ
    ੜ੒ͨ͠OTPΛݕূ (RFC6238)


    • 2010೥Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google Authenticatorͱͱ΋ʹTOTP
    ೝূΛఏڙ։࢝


    • ۚ༥ػؔͳͲͰ͸RSA/VerisignͳͲͷϋʔυ΢ΣΞτʔΫϯ͕࢖ΘΕ͍ͯ
    ͕ͨίετ໘ʹ՝୊͕͋ͬͨ

    View Slide

  15. ϞόΠϧΞϓϦ΍୺຤΁ͷpush௨஌

    (ܦ࿏֎ೝূ, Out-of-Band Devices)

    15
    • ೝূཁૉ : ॴ༗


    • ϞόΠϧΞϓϦʹ௨஌ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK


    • Ϣʔβʔ͕ར༻͍ͯ͠Δ୺຤΁ͷ௨஌ (Apple, Google)


    • ܦ࿏ͷ҆શੑ͕ΩϞ


    • ϞόΠϧΞϓϦ/ݸผ୺຤΁ͷ௨஌ͷํ͕SMS΍EϝʔϧΑΓ҆શ?


    • Push௨஌ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸ΋ൃੜ

    View Slide

  16. όοΫΞοϓίʔυ

    (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)

    16
    • ೝূཁૉ : ॴ༗


    • Ϣʔβʔʹ୯Ұ͋Δ͍͸ෳ਺ͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷ஋Λݕূ


    • TOTP͕࢖͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ
    ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ

    View Slide

  17. ᶅϑΟογϯάʹڧ͍ೝূํࣜ


    ͦͯ͠ύεϫʔυϨε΁

    View Slide

  18. ύεϫʔυೝূʹ͓͚Δ


    ϢʔβʔɺαʔϏεͷݱঢ়

    18
    • Ϣʔβʔ


    • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏


    • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ


    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏


    • αʔϏε


    • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏


    • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

    View Slide

  19. ݱ࣮

    19
    • ৘ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ޲͚1Ґʂ


    • B޲͚Ͱ͸Microsoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
    ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද


    • 2021೥9݄Ҏ߱ɺ1ສҎ্ͷ૊৫͕ඪతʹ

    View Slide

  20. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012

    View Slide

  21. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012 345'()*+,-./6789:

    View Slide

  22. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012 345'()*+,-./6789:
    ;<=>[email protected]:

    View Slide

  23. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012
    EFEGH!"#$%&'()*12


    JKLMNOL#$PQR*STU
    ;<=>[email protected]:
    345'()*+,-./6789:

    View Slide

  24. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012
    EFEGH!"#$%&'()*12


    JKLMNOL#$PQR*STU
    ;<=>[email protected]:
    3VO'()*789:
    345'()*+,-./6789:

    View Slide

  25. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012
    EFEGH!"#$%&'()*12


    JKLMNOL#$PQR*STU
    WXY9Z


    [#$\%]#^.0_`
    ;<=>[email protected]:
    3VO'()*789:
    345'()*+,-./6789:

    View Slide

  26. ͜Ε·Ͱͷೝূํࣜ͸


    ϑΟογϯά଱ੑΛ࣋ͨͳ͍

    26
    • ͍ͣΕ΋ਓ͕ؒߦ͏൑அͷ෦෼͕ऑ఺ͱͳΔ


    • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP: ࠷ॳͷURLΛ֬ೝͤ
    ͣೖྗ


    • ެࣜΞϓϦͳͲ΁ͷPush௨஌&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ


    • ࣄલ֬ೝɺཤྺɺ௨஌ͱ͍ͬͨ࢓૊Έ͸͋Δ͕ࠜຊతͳରࡦͰ͸ͳ͍

    View Slide

  27. FIDOೝূ w/ UserPresense

    (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)

    27
    • ೝূཁૉ : ॴ༗


    • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛར༻


    • ηΩϡϦςΟΩʔ : PCʹ͚ࢗͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ

    View Slide

  28. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    !"#$%&'()*+,-./012
    aabcdef6gh4i


    !"#$%&'()*j4ik
    lmnFAB6opbqr5
    ;<=>[email protected]:
    345'()*+,-./6789:

    View Slide

  29. FIDOೝূ w/ UserVeri
    fi
    cation

    (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)

    29
    • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ


    • ެ։伴҉߸ + ϩʔΧϧೝূ


    • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛॴ༗͠ɺΞΫςΟ
    ϕʔτͷͨΊʹ2ཁૉ໨ͷೝূΛඞཁͱ͢Δ΋ͷ


    • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ


    • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬౰)

    View Slide

  30. FIDOೝূͷ՝୊

    30
    • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊


    • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨΓͳ͘ͳͬͨ
    Γɺަ׵ͨ͠ࡍʹ࠶ొ࿥͕ඞཁ


    • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?


    • ಉఔ౓ͷೝূڧ౓Λ࣋ͭೝূํࣜͱ͸???


    • ෳ਺ͷAuthenticatorΛొ࿥͓ͯ͘͠ඞཁੑ͕͋Δ

    View Slide

  31. Passkey - ”FIDO multi-device credentials”

    31
    • 伴৘ใ͕σόΠεͰ͸ͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ


    • ͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴؅ཧͱ͸ผ


    • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔ໰୊ͷվળ


    • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Β঺հ)

    View Slide

  32. Passkey - ”FIDO multi-device credentials”

    32
    • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ


    1. Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ࿥


    • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ


    2. ϩάΞ΢τͯ͠΋ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ)


    3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ
    બ୒͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ

    View Slide

  33. Passkey - ”FIDO multi-device credentials”

    33
    • ෳ਺ϓϥοτϑΥʔϜΛލ͙৔߹ͷUXվળ


    1. ࣄલʹAndroidͰύεΩʔΛొ࿥


    2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ
    Մೳ (caBLEͱݺ͹ΕΔ઀ଓํ๏)


    3. ͦͷ௚ޙʹTouchID͕ཁٻ͞Εɺࠓޙ͸͜ͷ୺຤ͰTouchIDͷΈͰ
    ϩάΠϯՄೳʹͳΔ

    View Slide




  34. ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બ୒ࢶ

    View Slide

  35. ID࿈ܞʹΑΔϩάΠϯ

    35
    • Identity Provider(IdP)ͷϢʔβʔ৘ใΛར༻͢Δ


    • ୅දతͳϓϩτίϧ͕OpenID Connect, OAuth 2.0 + Ϣʔβʔ৘ใ
    APIͳͲ


    • Ϣʔβʔࣝผࢠͷඥ෇͚Λ؅ཧ͢Δ͜ͱͰϩάΠϯʹར༻


    • ଐੑ৘ใΛ׆༻ͯ͠UXΛ޲্


    • ֬ೝࡁΈϝʔϧΞυϨεɺి࿩൪߸ɺຊਓ֬ೝ৘ใͳͲ

    View Slide

  36. ID࿈ܞͷ՝୊

    36
    • IdPͱ৺த໰୊


    • ΞΧ΢ϯτBAN, ো֐࣌ʹ͸ͦΕΛར༻͢ΔαʔϏε΋࢖͑ͳ͘ͳ
    ΔՄೳੑ͕͋Δ


    • IdPͷΞΧ΢ϯτ͕৐ͬऔΒΕͯ͠·ͬͨΒαʔϏε΋ѱ༻͞ΕΔ

    View Slide

  37. Identity Wallet

    (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri
    fi
    able Credentials)

    37
    • IdPʹґଘ͢ΔͷͰ͸ͳ͘ɺݸਓ͕ࣗ෼ͷ৘ใΛ؅ཧ͢ΔελΠϧ


    • Ծ૝௨՟͋ͨΓͰ໨ʹ͢Δ໾ׂ෼୲


    • Issuer : Ϣʔβʔ৘ใͷఏڙɺূ໌ॻͷൃߦ


    • Holder(Wallet) : Ϣʔβʔ৘ใΛ؅ཧ͢ΔΞϓϦ΍ϒϥ΢βػೳ


    • Veri
    fi
    er : Holder ʹ৘ใΛཁٻ͠ɺऔಘͨ͠৘ใΛݕূͯ͠ར༻


    • Open Wallet Foundation͕ઃཱ͞Εͯ࣌୅͕ਐΜͰ͍͘ؾ഑

    View Slide

  38. ҆શੑɺརศੑΛߴΊΔ


    Ξϓϩʔν

    View Slide

  39. ՝୊ΛΧόʔ͢Δ࢓૊Έ͕ඞཁ

    39
    • Ϣʔβʔ͕Ͱ͖Δ΋ͷ


    • ύεϫʔυϚωʔδϟʔͷར༻


    • αʔϏε͕Ͱ͖Δ͜ͱ : खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛
    Δ࢓૊ΈΛಋೖ


    • SMS OTP : WebOTP


    • WebAuthn

    View Slide

  40. ύεϫʔυϚωʔδϟʔͷར༻

    40
    • ύεϫʔυੜ੒ɺ؅ཧΛ೚ͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ


    • TOTPରԠ΍όοΫΞοϓίʔυΛอଘͰ͖Δ΋ͷ΋͋Δ


    • Ϛελʔύεϫʔυ؅ཧ͕ॏཁʹͳΔ(SPOFͱ΋ݴ͑Δ)


    • ϒϥ΢β / OS෇ਵͷ΋ͷ vs ಠཱͨ͠αʔϏε


    • ར༻ελΠϧʹԠͯ͡બ΂͹ྑͦ͞͏

    View Slide

  41. Android / Chrome

    Ͱ࣮ݱͰ͖ΔϩάΠϯUX

    View Slide

  42. ࠓճͷΩʔϫʔυ :


    “खݩͷεϚϗͰϩάΠϯ”


    (a.k.a Decoupled Authentication)

    View Slide

  43. WebOTP https://web.dev/web-otp/

    43
    • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷ࢓૊Έ


    • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ


    • JavaScript هड़ + input λά


    • Android ͷ SMS Retriever API ͱಉ౳

    View Slide

  44. WebOTP - Android Chrome


    ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ

    44

    View Slide

  45. WebOTP - Android Chrome


    ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ

    45

    View Slide

  46. WebOTP - (Desktop / Android) Chrome


    ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ

    46

    View Slide

  47. WebOTP - (Desktop / Android) Chrome


    ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ

    47

    View Slide

  48. WebOTP https://web.dev/web-otp/

    48
    • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥ΢β͕ݕূ


    • ”͜ͷ࢓૊ΈΛ࢖͏ͱ͖͸” ϑΟογϯά଱ੑΛ࣋ͭ


    • ؀ڥ͝ͱͷରԠ͸ෆཁɺඞཁͳͷ͸ϒϥ΢β͕WebOTPʹରԠ͍ͯ͠
    Δ͔Ͳ͏͔͚ͩ


    • ࢓༷௨Γ࣮૷͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ

    View Slide

  49. WebAuthn https://www.w3.org/TR/webauthn-2/

    49
    • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥ΢βAPI


    • ϒϥ΢β͕հೖ͠ɺ伴৘ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯά଱ੑΛ࣋ͭ


    • Platform Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ)
    ͕ೝূثͱͯ͠ར༻Մೳ


    • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴৘ใͷొ࿥/ೝূΛ࣮ݱ͢Δ࢓૊Έ͕͋Δ


    • caBLE (cloud-assisted BLE) : QRίʔυ + BLE


    • ChromeͰಉظ͞Ε͍ͯΔ୺຤ : Push௨஌ + BLE

    View Slide

  50. WebAuthn w/ caBLE


    QRίʔυ + BLE ͰϩάΠϯ

    50
    PC Android

    View Slide

  51. WebAuthn w/ caBLE


    Ұ౓ར༻ͨ͠୺຤͸Push௨஌Ͱར༻Մೳ

    51
    PC Android

    View Slide

  52. WebAuthn w/ (Desktop + Android) Chrome


    ಉظࡁΈͷ୺຤͸࠷ॳ͔ΒPush௨஌Ͱར༻Մೳ

    52
    PC Android

    View Slide

  53. WebAuthn

    53
    • ౰ॳ͸୺຤ͦͷ΋ͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ
    ͙ͱ͍͏ҹ৅͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙࢓૊Έ΋͋Δ


    • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰ͸ͳ͘ɺ
    BLEͰۙڑ཭ʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷ୺຤Ͱ઀ଓ͞Ε
    Δ͜ͱΛ๷͙ߟྀ΋͞Ε͍ͯΔ


    • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋Ε͹Push௨஌ͰΑΓָʹར
    ༻Մೳ

    View Slide

  54. ·ͱΊ

    54
    • C޲͚αʔϏεͰ࢖ΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ


    • ͦΕͧΕͷೝূํࣜͰͷಛ௃Λཧղ͠Α͏


    • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ” Λ࣮ݱ͢ΔͨΊ
    ͷ࢓૊ΈΛ঺հͨ͠


    • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏε͸ɺϩάΠϯ
    ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏

    View Slide

  55. ࢀߟϦϯΫ
    • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3


    • https://speakerdeck.com/kthrtty/ren-zheng-
    nimatuwarusekiyuriteifalsexin-chang-shi


    • NIST Special Publication 800-63B Digital Identity Guidelines (຋༁൛)


    • https://openid-foundation-japan.github.io/800-63-3-
    fi
    nal/
    sp800-63b.ja.html

    View Slide

  56. ࢀߟϦϯΫ

    56
    • GTA৽࡞ϦʔΫʹ࢖ΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱ͸ɹ1࣌ؒҎ্௨
    ஌߈Ίɺैۀһͷࠜෛ͚ૂ͏


    • https://www.itmedia.co.jp/news/articles/2209/28/news050.html


    • 2022೥൛Ϩϙʔτʮ2022 State of Secure Identity ReportʯΛެ։


    • https://www.okta.com/jp/press-room/press-releases/
    okta-2022ssir/

    View Slide

  57. ࢀߟϦϯΫ

    57
    • σδλϧ΢ΥϨοτͷ૬ޓӡ༻ੑΛ໨ࢦ͢ஂମɺThe Linux
    Foundation͕ઃཱ΁


    • https://japan.zdnet.com/article/35193346/

    View Slide

  58. ࢀߟϦϯΫ

    58
    • Our Take on Passkeys


    • https://auth0.com/blog/our-take-on-passkeys/


    • Cross-device WebOTP


    • https://docs.google.com/document/d/
    1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/
    edit#heading=h.xgjl2srtytjt

    View Slide

  59. ׬


    ࣭໰ɺҙݟɺײ૝Λ


    ͓଴͍ͪͯ͠·͢ɻ


    ฐࣾʹڵຯ͕͋Δํ΋ੋඇʂ

    View Slide