Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022

Transcript

1. Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ࢓༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022

2. ൃදͷ಺༰ • C޲͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2

3. ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @

   OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3

4. C޲͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ

5. ᶃύεϫʔυೝূ

6. ύεϫʔυೝূ 
 (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :

   ஌ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛݕূ

7. ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ࢖͍·Θ͞ͳ͍

   • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ

8. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

   • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

9. ΞΧ΢ϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ࢖͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ

   • ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷ૊Έ߹Θ͕ͤҰൠత • ϝʔϧ΁ϦϯΫ΍ೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹ͸ύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔ΋ଘࡏ͢Δ

10. ϝʔϧ/SMSʹΑΔOTP 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :

    ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ΋͜ΕΛ؆ུԽͨ͠΋ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧ΢ϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ

11. ᶄ2ஈ֊/ཁૉೝূͷීٴ

12. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

13. ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ࢖͍ճ͍ͯͨ͠ΒΞ΢τ

    • ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞ΢τ • ͜ΕΒͷ߈ܸ΁ͷରࡦͱͯ͠ɺ௥Ճೝূ͕ීٴ

14. ιϑτ΢ΣΞTOTP 
 (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ

    : ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜ੒ͨ͠OTPΛݕূ (RFC6238) • 2010೥Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google Authenticatorͱͱ΋ʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰ͸RSA/VerisignͳͲͷϋʔυ΢ΣΞτʔΫϯ͕࢖ΘΕ͍ͯ ͕ͨίετ໘ʹ՝୊͕͋ͬͨ

15. ϞόΠϧΞϓϦ΍୺຤΁ͷpush௨஌ 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :

    ॴ༗ • ϞόΠϧΞϓϦʹ௨஌ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δ୺຤΁ͷ௨஌ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผ୺຤΁ͷ௨஌ͷํ͕SMS΍EϝʔϧΑΓ҆શ? • Push௨஌ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸ΋ൃੜ

16. όοΫΞοϓίʔυ 
 (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :

    ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍͸ෳ਺ͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷ஋Λݕূ • TOTP͕࢖͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ

17. ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε΁

18. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

19. ݱ࣮  19 • ৘ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ޲͚1Ґʂ • B޲͚Ͱ͸Microsoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ

    ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 2021೥9݄Ҏ߱ɺ1ສҎ্ͷ૊৫͕ඪతʹ

20. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012

21. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:

22. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:

23. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:

24. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:

25. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:

    345'()*+,-./6789:

26. ͜Ε·Ͱͷೝূํࣜ͸ ϑΟογϯά଱ੑΛ࣋ͨͳ͍  26 • ͍ͣΕ΋ਓ͕ؒߦ͏൑அͷ෦෼͕ऑ఺ͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:

    ࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲ΁ͷPush௨஌&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨஌ͱ͍ͬͨ࢓૊Έ͸͋Δ͕ࠜຊతͳରࡦͰ͸ͳ͍

27. FIDOೝূ w/ UserPresense 
 (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27

    • ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ࢗͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ

28. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:

29. FIDOೝূ w/ UserVeri fi cation 
 (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)

     29 • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉ໨ͷೝূΛඞཁͱ͢Δ΋ͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬౰)

30. FIDOೝূͷ՝୊  30 • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊ • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨΓͳ͘ͳͬͨ Γɺަ׵ͨ͠ࡍʹ࠶ొ࿥͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?

    • ಉఔ౓ͷೝূڧ౓Λ࣋ͭೝূํࣜͱ͸??? • ෳ਺ͷAuthenticatorΛొ࿥͓ͯ͘͠ඞཁੑ͕͋Δ

31. Passkey - ”FIDO multi-device credentials”  31 • 伴৘ใ͕σόΠεͰ͸ͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •

    ͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴؅ཧͱ͸ผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔ໰୊ͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Β঺հ)

32. Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.

    Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ࿥ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞ΢τͯ͠΋ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ୒͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ

33. Passkey - ”FIDO multi-device credentials”  33 • ෳ਺ϓϥοτϑΥʔϜΛލ͙৔߹ͷUXվળ 1.

    ࣄલʹAndroidͰύεΩʔΛొ࿥ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺ͹ΕΔ઀ଓํ๏) 3. ͦͷ௚ޙʹTouchID͕ཁٻ͞Εɺࠓޙ͸͜ͷ୺຤ͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ

34. ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બ୒ࢶ

35. ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔ৘ใΛར༻͢Δ • ୅දతͳϓϩτίϧ͕OpenID Connect, OAuth

    2.0 + Ϣʔβʔ৘ใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ෇͚Λ؅ཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑ৘ใΛ׆༻ͯ͠UXΛ޲্ • ֬ೝࡁΈϝʔϧΞυϨεɺి࿩൪߸ɺຊਓ֬ೝ৘ใͳͲ

36. ID࿈ܞͷ՝୊  36 • IdPͱ৺த໰୊ • ΞΧ΢ϯτBAN, ো֐࣌ʹ͸ͦΕΛར༻͢ΔαʔϏε΋࢖͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •

    IdPͷΞΧ΢ϯτ͕৐ͬऔΒΕͯ͠·ͬͨΒαʔϏε΋ѱ༻͞ΕΔ

37. Identity Wallet 
 (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)

     37 • IdPʹґଘ͢ΔͷͰ͸ͳ͘ɺݸਓ͕ࣗ෼ͷ৘ใΛ؅ཧ͢ΔελΠϧ • Ծ૝௨՟͋ͨΓͰ໨ʹ͢Δ໾ׂ෼୲ • Issuer : Ϣʔβʔ৘ใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : Ϣʔβʔ৘ใΛ؅ཧ͢ΔΞϓϦ΍ϒϥ΢βػೳ • Veri fi er : Holder ʹ৘ใΛཁٻ͠ɺऔಘͨ͠৘ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Εͯ࣌୅͕ਐΜͰ͍͘ؾ഑

38. ҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν

39. ՝୊ΛΧόʔ͢Δ࢓૊Έ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δ΋ͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :

    खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ Δ࢓૊ΈΛಋೖ • SMS OTP : WebOTP • WebAuthn

40. ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜ੒ɺ؅ཧΛ೚ͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠ΍όοΫΞοϓίʔυΛอଘͰ͖Δ΋ͷ΋͋Δ •

    Ϛελʔύεϫʔυ؅ཧ͕ॏཁʹͳΔ(SPOFͱ΋ݴ͑Δ) • ϒϥ΢β / OS෇ਵͷ΋ͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બ΂͹ྑͦ͞͏

41. Android / Chrome 
 Ͱ࣮ݱͰ͖ΔϩάΠϯUX

42. ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)

43. WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷ࢓૊Έ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript

    هड़ + input λά • Android ͷ SMS Retriever API ͱಉ౳

44. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  44

45. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  45

46. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  46

47. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  47

48. WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥ΢β͕ݕূ • ”͜ͷ࢓૊ΈΛ࢖͏ͱ͖͸” ϑΟογϯά଱ੑΛ࣋ͭ •

    ؀ڥ͝ͱͷରԠ͸ෆཁɺඞཁͳͷ͸ϒϥ΢β͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ࢓༷௨Γ࣮૷͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ

49. WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥ΢βAPI • ϒϥ΢β͕հೖ͠ɺ伴৘ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯά଱ੑΛ࣋ͭ • Platform

    Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴৘ใͷొ࿥/ೝূΛ࣮ݱ͢Δ࢓૊Έ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ୺຤ : Push௨஌ + BLE

50. WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC

    Android

51. WebAuthn w/ caBLE Ұ౓ར༻ͨ͠୺຤͸Push௨஌Ͱར༻Մೳ  51 PC Android

52. WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ୺຤͸࠷ॳ͔ΒPush௨஌Ͱར༻Մೳ  52 PC

    Android

53. WebAuthn  53 • ౰ॳ͸୺຤ͦͷ΋ͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ৅͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙࢓૊Έ΋͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰ͸ͳ͘ɺ

    BLEͰۙڑ཭ʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷ୺຤Ͱ઀ଓ͞Ε Δ͜ͱΛ๷͙ߟྀ΋͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋Ε͹Push௨஌ͰΑΓָʹར ༻Մೳ

54. ·ͱΊ  54 • C޲͚αʔϏεͰ࢖ΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛ௃Λཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”

    Λ࣮ݱ͢ΔͨΊ ͷ࢓૊ΈΛ঺հͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏε͸ɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏

55. ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special

    Publication 800-63B Digital Identity Guidelines (຋༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html

56. ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹ࢖ΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱ͸ɹ1࣌ؒҎ্௨ ஌߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022೥൛Ϩϙʔτʮ2022

    State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/

57. ࢀߟϦϯΫ  57 • σδλϧ΢ΥϨοτͷ૬ޓӡ༻ੑΛ໨ࢦ͢ஂମɺThe Linux Foundation͕ઃཱ΁ • https://japan.zdnet.com/article/35193346/

58. ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/

    • Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt

59. ׬ ࣭໰ɺҙݟɺײ૝Λ ͓଴͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํ΋ੋඇʂ