
The present and future of standardized authentication specifications you can try out on Android/Chrome @ DroidKaigi 2022

ritou
October 06, 2022


Slides from the Day 2 talk at DroidKaigi 2022.
https://droidkaigi.jp/2022/timetable/357753



Transcript

  1. The present and future of standardized authentication specifications you can try out on Android/Chrome
     @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022

  2. Contents of this talk
     • The evolution of user authentication in consumer (B2C) services
     • Login UX that can be realized on Android / Chrome

  3. @ritou
     • Writes blog posts on Digital Identity and runs study groups: #idcon #iddance
     • Evangelist @ OIDF-J (OpenID Foundation Japan)
     • Engineer @ MIXI, Inc.

  4. The evolution of user authentication in consumer services

  5. (1) Password authentication

  6. Password authentication (Memorized Secrets)
     • Authentication factor: knowledge (something you know)
     • The user and the service share the password
     • The service verifies the combination of user identifier and password

  7. What password authentication demands of users and of services
     • Users
       • Do not forget the password
       • Avoid guessable passwords and do not reuse them on other services
       • Do not disclose the password to third parties
     • Services
       • Manage passwords securely
       • Protect users from the various attacks

  8. The reality of users and services under password authentication
     • Users
       • Forget the passwords they set
       • Reuse passwords across multiple services, or use guessable strings
       • Enter passwords and other secrets into phishing sites
     • Services
       • Store passwords in a recoverable (reversible) form and eventually leak them
       • Cannot afford to invest in countermeasures against unauthorized logins

  9. Account recovery
     • Recovering from a "cannot log in" state
     • Provide a detour so the user is not stuck when a particular authentication method is unavailable
       • Authenticate the user by another method (≠ issuing a login session) + change the settings
     • The combination of password authentication and password reset via e-mail is the common pattern
       • Send a link or a verification code to the e-mail address + let the user set a new password
     • Some users never memorize their password and simply reset it every time

  10. OTP via e-mail/SMS (Out-of-Band Devices)
     • Authentication factor: possession (something you have)
     • The service sends a one-time password to the user by SMS/e-mail, sharing the secret over a second channel
     • Sending a link and having the user click it can be seen as a simplified form of the same thing
     • Offering what is nominally "password authentication only" while in practice providing two authentication methods, and using the second one for account recovery, became the standard recipe

  11. (2) The spread of two-step / two-factor authentication

  12. The reality of users and services under password authentication (recap of slide 8)

  13. Password list attacks (credential stuffing) and password spray attacks
     • Password list attack
       • Attempts logins with a list of user identifier / password pairs leaked from elsewhere
       • If you reused the same password, you lose
     • Password spray attack
       • Attempts the same password against a list of user identifiers
       • If you used a guessable password, you lose
     • Additional authentication spread as the countermeasure against these attacks

  14. Software TOTP (Single-Factor OTP Device)
     • Authentication factor: possession
     • The user and the service share a secret key, and the service verifies the time-based OTP generated by a mobile app or similar (RFC 6238)
     • From 2010, Google began offering TOTP as its 2-step verification, together with Google Authenticator
     • Financial institutions and the like had been using hardware tokens from RSA/VeriSign, but cost was an issue

  15. Push notifications to a mobile app or device (Out-of-Band Devices)
     • Authentication factor: possession
     • Send a notification to the mobile app; if the user confirms, the login is approved
     • Notifications to a device the user is already using (Apple, Google)
     • The security of the channel is the key point
       • Is a notification to a mobile app / specific device really safer than SMS or e-mail?
     • Attacks that bombard the user with push notifications until they give in ("MFA fatigue") have also appeared

  16. Backup codes (Look-Up Secrets)
     • Authentication factor: possession
     • Issue one or more strings to the user in advance and verify the value when it is presented
     • Quietly adopted as a recovery means the user can fall back on so they are not stuck when TOTP is unavailable

  17. (3) Phishing-resistant authentication methods, and on to passwordless

  18. The reality of users and services under password authentication (recap of slide 8)

  19. Reality
     • Phishing ranked #1 in the "individuals" category of IPA's "Information Security 10 Major Threats 2022"
     • On the B2B side, Microsoft published on "Adversary-in-the-Middle (AiTM)" phishing attacks that bypass multi-factor authentication
       • Since September 2021, more than 10,000 organizations have been targeted

  20.–25. Build-up slides walking step by step through the annotated AiTM phishing-flow diagram from Microsoft's post
     https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
     (the step labels drawn on the diagram did not survive extraction)

  26. The authentication methods so far are not phishing-resistant
     • In every one of them, the weak point is a judgement a human has to make
       • Password authentication, TOTP, OTP via e-mail/SMS: the user types the value in without checking the URL they first landed on
       • Push notification & approval in an official app: the user approves without checking the URL they first landed on
     • Mechanisms such as prior confirmation, login history and notifications exist, but they are not a fundamental countermeasure

  27. FIDO authentication w/ User Presence (Single-Factor Cryptographic Devices)
     • Authentication factor: possession
     • Uses a hardware device holding a protected cryptographic key
     • Security key: just plug it into the PC and touch it (a touch ≠ biometric authentication)

  28. The AiTM diagram from Microsoft's post again, with a different set of annotations
     https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
     (the annotation text did not survive extraction)

  29. FIDO authentication w/ User Verification (Multi-Factor Cryptographic Devices)
     • Authentication factor: possession + knowledge/biometric
     • Public-key cryptography + local authentication
     • The user possesses a hardware device holding a protected cryptographic key, and activating it requires a second factor
       • Security key: authentication by PIN
       • Smartphone: local authentication (equivalent to unlocking the screen)

  30. Challenges of FIDO authentication
     • The recovery problem that follows precisely from the robustness of the key management
       • When an authenticator (security key, supporting device) breaks, is lost, or is replaced, the user has to re-register
       • What if the number of supporting services grew the way password authentication did…?
       • What authentication method of comparable strength could the recovery path use???
     • Users need to register multiple authenticators in advance

  31. Passkeys - "FIDO multi-device credentials"
     • Key material becomes bound to the user rather than to a device
       • A departure from the strictly device-bound key management FIDO had pursued until now
     • Improves the recovery problem through synchronization by the platform vendor
     • UX improvements that use the smartphone in your hand (introduced later)

  32. Passkeys - "FIDO multi-device credentials"
     • Syncing passkeys with the power of a single platform
       1. Register a passkey on a Mac using Touch ID
          • Synced via iCloud Keychain -> the key is bound to the Apple user
       2. Even after logging out, you can log in with Touch ID alone (as before)
       3. When accessing from an iPhone, choose "log in with a saved passkey" and you can log in with Face ID etc.

  33. Passkeys - "FIDO multi-device credentials"
     • UX improvements when crossing platforms
       1. Register a passkey on Android beforehand
       2. Access from a Mac, scan the QR code, and you can log in using the Android device (a connection method called caBLE)
       3. Immediately afterwards Touch ID is requested, and from then on you can log in on this Mac with Touch ID alone




  34. The option of not having your own authentication method

  35. Login via identity federation
     • Use the user information held by an Identity Provider (IdP)
       • Representative protocols: OpenID Connect, OAuth 2.0 + a user-info API, etc.
     • Manage the mapping of user identifiers and use it for login
     • Use attribute information to improve UX
       • Verified e-mail address, phone number, identity-proofing information, etc.

  36. Challenges of identity federation
     • The "your fate is tied to the IdP" problem
       • When the IdP account is banned or the IdP has an outage, services that rely on it may become unusable as well
       • If the IdP account is taken over, the relying services are abused too

  37. Identity Wallet (related keywords: SSI, DID, Verifiable Credentials)
     • Rather than depending on an IdP, a style in which individuals manage their own information
     • A division of roles like the one seen around cryptocurrencies
       • Issuer: provides user information and issues credentials
       • Holder (Wallet): an app or browser feature that manages the user's information
       • Verifier: requests information from the Holder, verifies what it receives, and uses it
     • With the Open Wallet Foundation being established, the field looks set to move forward

  38. Approaches to raising both security and convenience

  39. Mechanisms that cover the challenges are needed
     • What users can do
       • Use a password manager
     • What services can do: introduce mechanisms that use the smartphone at hand to improve convenience
       • SMS OTP: WebOTP
       • WebAuthn

  40. Using a password manager
     • Delegating password generation and management = changing the authentication factor to "possession"
     • Some can also handle TOTP and store backup codes
     • Managing the master password becomes critical (it is also a single point of failure)
     • Browser/OS-bundled managers vs. independent services
       • Choose according to how you use them

  41. Login UX that can be realized on Android / Chrome

  42. The keyword for this part: "log in with the smartphone in your hand" (a.k.a. Decoupled Authentication)

  43. WebOTP https://web.dev/web-otp/
     • A mechanism for safely obtaining a one-time password sent by SMS
     • A message format for one-time passwords that includes the domain
     • JavaScript code + an input tag
     • Equivalent to Android's SMS Retriever API

  44.–45. WebOTP - Android Chrome: the OTP can be obtained with the browser still open (screenshots)

  46.–47. WebOTP - (Desktop / Android) Chrome: approve in the notification on the synced Android device -> the OTP is forwarded (screenshots)

  48. WebOTP https://web.dev/web-otp/
     • The browser verifies that the domain contained in the message matches the site the user is on
     • "When this mechanism is used", it is phishing-resistant
     • No per-environment handling is needed; all that matters is whether the browser supports WebOTP
     • Implement according to the spec and Chrome takes care of the rest

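To make the domain check of slide 48 concrete, here is an added example (not from the talk, and not web.dev's or Chrome's code) with both halves of WebOTP in JavaScript: a Node.js reconstruction of the origin-bound SMS format check that the browser performs before it offers a code to a page, and the page-side `navigator.credentials.get()` call. The format rules follow the WebOTP documentation as I read it; the host comparison (exact hostname match) and the input element id are assumptions of the example.

```javascript
// Added example (not from the slides): the origin binding that makes WebOTP phishing-resistant.

// Last line of the SMS must be "@<host> #<code>", e.g.
//   Your verification code is 123456.
//
//   @www.example.com #123456
// The browser only hands the code to a page whose origin matches <host>. This function is a
// reconstruction of that rule for testing, not Chrome's implementation.
const OTP_LINE = /^@([^\s@#]+) #(\S+)$/;

function parseOriginBoundOtp(sms) {
  const lines = sms.split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = OTP_LINE.exec(last);
  if (!m) return null;                                   // not origin-bound: never auto-filled
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether a received message may be delivered to a page at `pageOrigin`.
function otpForOrigin(sms, pageOrigin) {
  const parsed = parseOriginBoundOtp(sms);
  if (!parsed) return null;
  const pageHost = new URL(pageOrigin).hostname;         // assumption: exact hostname match
  if (parsed.host !== pageHost) return null;             // a look-alike phishing host gets nothing
  return parsed.code;
}

// Page side: ask the browser for the code and fill the input. OTPCredential and
// navigator.credentials.get({ otp: ... }) are the real Web APIs; the element id is an assumption.
// The page does not see the SMS at all, only the code the browser chose to release.
async function requestSmsOtp(inputId = 'otp', timeoutMs = 60_000) {
  if (typeof window === 'undefined' || !('OTPCredential' in window)) return null; // unsupported
  const input = document.getElementById(inputId); // <input autocomplete="one-time-code" inputmode="numeric">
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);      // stop waiting after a while
  input.form?.addEventListener('submit', () => ac.abort(), { once: true }); // user typed it manually
  try {
    const otp = await navigator.credentials.get({ otp: { transport: ['sms'] }, signal: ac.signal });
    input.value = otp.code;
    input.form?.requestSubmit();
    return otp.code;
  } catch (e) {
    return null;                                             // aborted, or the user dismissed the prompt
  } finally {
    clearTimeout(timer);
  }
}
```

The point of the first half is the "when this mechanism is used" caveat from the slide: a message for `www.example.com` is never offered to `www.example.com.evil.test`, but a user who reads the SMS and types the digits into that phishing page by hand has stepped outside the mechanism, and nothing in WebOTP can stop them.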
  49. WebAuthn https://www.w3.org/TR/webauthn-2/
     • A browser API for using FIDO authentication from web applications
     • Because the browser mediates and the key is bound to the origin, it is phishing-resistant
     • Platform authenticators (the smartphone/PC itself) and roaming authenticators (security keys) can be used as authenticators
     • There are mechanisms for registering keys / authenticating with the smartphone at hand
       • caBLE (cloud-assisted BLE): QR code + BLE
       • A device synced in Chrome: push notification + BLE

  50. WebAuthn w/ caBLE: log in with QR code + BLE (screenshots: PC, Android)

  51. WebAuthn w/ caBLE: a device that has been used once can afterwards be used via push notification (screenshots: PC, Android)

  52. WebAuthn w/ (Desktop + Android) Chrome: an already-synced device can be used via push notification from the start (screenshots: PC, Android)

  53. WebAuthn
     • Initially the strong impression was of the device itself, or of connecting a security key via USB/NFC/BLE, but there is also a mechanism for connecting to the smartphone in your hand
     • This is not simply a login via QR code + network access: by communicating over BLE with a smartphone in close proximity, it also guards against the connection being completed from a device that is not near the user
     • If the smartphone is synced in Chrome, it can be used even more easily via push notification

  54. Summary
     • Looked back at the user authentication methods used in consumer services
       • Understand the characteristics of each authentication method
     • Introduced the mechanisms for realizing "log in with the smartphone in your hand" using Android/Chrome
       • Services that provide web-app-based authentication should keep these in mind when designing login UX

  55. References
     • 認証にまつわるセキュリティの新常識 rev3 (The new common sense of authentication security, rev3)
       • https://speakerdeck.com/kthrtty/ren-zheng-nimatuwarusekiyuriteifalsexin-chang-shi
     • NIST Special Publication 800-63B Digital Identity Guidelines (Japanese translation)
       • https://openid-foundation-japan.github.io/800-63-3-final/sp800-63b.ja.html

  56. References
     • What is the "MFA fatigue" attack used in the GTA leak: over an hour of notification bombardment, aiming to wear the employee down (ITmedia)
       • https://www.itmedia.co.jp/news/articles/2209/28/news050.html
     • "2022 State of Secure Identity Report" published (Okta)
       • https://www.okta.com/jp/press-room/press-releases/okta-2022ssir/

  57. References
     • The Linux Foundation to set up an organization aiming at digital wallet interoperability (ZDNet Japan)
       • https://japan.zdnet.com/article/35193346/

  58. References
     • Our Take on Passkeys
       • https://auth0.com/blog/our-take-on-passkeys/
     • Cross-device WebOTP
       • https://docs.google.com/document/d/1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/edit#heading=h.xgjl2srtytjt

  59. The end
     Questions, opinions and impressions are welcome.
     If you are interested in our company, please do get in touch!