Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ Droid...

ritou
October 06, 2022
Technology
2
7.2k

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022

DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753

ritou

October 06, 2022
Tweet

More Decks by ritou

See All by ritou
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
0
69
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.6k
OIDF-J EIWG 振り返り
ritou
2
37
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
420
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
520
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
760
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.2k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.8k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
13k

Other Decks in Technology

See All in Technology
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
140
Visualize, Visualize, Visualize and rclone
tomoaki0705
9
81k
「正しく」失敗できる チームの作り方 〜リアルな事例から紐解く失敗を恐れない組織とは〜 / A team that can fail correctly
i35_267
4
840
ESXi で仮想化した ARM 環境で LLM を動作させてみるぞ
unnowataru
0
160
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
590
(機械学習システムでも) SLO から始める信頼性構築 - ゆる SRE#9 2025/02/21
daigo0927
0
260
AWSを活用したIoTにおけるセキュリティ対策のご紹介
kwskyk
0
340
MIMEと文字コードの闇
hirachan
2
1.4k
Two Blades, One Journey: Engineering While Managing
ohbarye
4
1.8k
開発組織を進化させる!AWSで実践するチームトポロジー
iwamot
1
170
RayでPHPのデバッグをちょっと快適にする
muno92
PRO
0
190
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
520

Featured

See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
Rails Girls Zürich Keynote
gr2m
94
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
A designer walks into a library…
pauljervisheath
205
24k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Building Adaptive Systems
keathley
40
2.4k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Into the Great Unknown - MozCon
thekraken
35
1.6k

Transcript

  1. Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ࢓༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022

  2. ൃදͷ಺༰ • C޲͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2

  3. ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @

    OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3

  4. C޲͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ

  5. ᶃύεϫʔυೝূ

  6. ύεϫʔυೝূ 
 (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :

    ஌ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛݕূ

  7. ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ࢖͍·Θ͞ͳ͍

    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ

  8. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  9. ΞΧ΢ϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ࢖͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ

    • ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷ૊Έ߹Θ͕ͤҰൠత • ϝʔϧ΁ϦϯΫ΍ೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹ͸ύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔ΋ଘࡏ͢Δ

  10. ϝʔϧ/SMSʹΑΔOTP 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :

    ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ΋͜ΕΛ؆ུԽͨ͠΋ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧ΢ϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ

  11. ᶄ2ஈ֊/ཁૉೝূͷීٴ

  12. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  13. ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ࢖͍ճ͍ͯͨ͠ΒΞ΢τ

    • ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞ΢τ • ͜ΕΒͷ߈ܸ΁ͷରࡦͱͯ͠ɺ௥Ճೝূ͕ීٴ

  14. ιϑτ΢ΣΞTOTP 
 (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ

    : ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜ੒ͨ͠OTPΛݕূ (RFC6238) • 2010೥Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google Authenticatorͱͱ΋ʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰ͸RSA/VerisignͳͲͷϋʔυ΢ΣΞτʔΫϯ͕࢖ΘΕ͍ͯ ͕ͨίετ໘ʹ՝୊͕͋ͬͨ

  15. ϞόΠϧΞϓϦ΍୺຤΁ͷpush௨஌ 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :

    ॴ༗ • ϞόΠϧΞϓϦʹ௨஌ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δ୺຤΁ͷ௨஌ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผ୺຤΁ͷ௨஌ͷํ͕SMS΍EϝʔϧΑΓ҆શ? • Push௨஌ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸ΋ൃੜ

  16. όοΫΞοϓίʔυ 
 (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :

    ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍͸ෳ਺ͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷ஋Λݕূ • TOTP͕࢖͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ

  17. ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε΁

  18. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  19. ݱ࣮  19 • ৘ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ޲͚1Ґʂ • B޲͚Ͱ͸Microsoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ

    ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 2021೥9݄Ҏ߱ɺ1ສҎ্ͷ૊৫͕ඪతʹ

  20. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012

  21. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:

  22. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:

  23. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:

  24. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:

  25. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:

    345'()*+,-./6789:

  26. ͜Ε·Ͱͷೝূํࣜ͸ ϑΟογϯά଱ੑΛ࣋ͨͳ͍  26 • ͍ͣΕ΋ਓ͕ؒߦ͏൑அͷ෦෼͕ऑ఺ͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:

    ࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲ΁ͷPush௨஌&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨஌ͱ͍ͬͨ࢓૊Έ͸͋Δ͕ࠜຊతͳରࡦͰ͸ͳ͍

  27. FIDOೝূ w/ UserPresense 
 (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27

    • ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ࢗͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ

  28. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:

  29. FIDOೝূ w/ UserVeri fi cation 
 (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)

     29 • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉ໨ͷೝূΛඞཁͱ͢Δ΋ͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬౰)

  30. FIDOೝূͷ՝୊  30 • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊ • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨΓͳ͘ͳͬͨ Γɺަ׵ͨ͠ࡍʹ࠶ొ࿥͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?

    • ಉఔ౓ͷೝূڧ౓Λ࣋ͭೝূํࣜͱ͸??? • ෳ਺ͷAuthenticatorΛొ࿥͓ͯ͘͠ඞཁੑ͕͋Δ

  31. Passkey - ”FIDO multi-device credentials”  31 • 伴৘ใ͕σόΠεͰ͸ͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •

    ͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴؅ཧͱ͸ผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔ໰୊ͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Β঺հ)

  32. Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.

    Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ࿥ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞ΢τͯ͠΋ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ୒͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ

  33. Passkey - ”FIDO multi-device credentials”  33 • ෳ਺ϓϥοτϑΥʔϜΛލ͙৔߹ͷUXվળ 1.

    ࣄલʹAndroidͰύεΩʔΛొ࿥ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺ͹ΕΔ઀ଓํ๏) 3. ͦͷ௚ޙʹTouchID͕ཁٻ͞Εɺࠓޙ͸͜ͷ୺຤ͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ

  34. ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બ୒ࢶ

  35. ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔ৘ใΛར༻͢Δ • ୅දతͳϓϩτίϧ͕OpenID Connect, OAuth

    2.0 + Ϣʔβʔ৘ใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ෇͚Λ؅ཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑ৘ใΛ׆༻ͯ͠UXΛ޲্ • ֬ೝࡁΈϝʔϧΞυϨεɺి࿩൪߸ɺຊਓ֬ೝ৘ใͳͲ

  36. ID࿈ܞͷ՝୊  36 • IdPͱ৺த໰୊ • ΞΧ΢ϯτBAN, ো֐࣌ʹ͸ͦΕΛར༻͢ΔαʔϏε΋࢖͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •

    IdPͷΞΧ΢ϯτ͕৐ͬऔΒΕͯ͠·ͬͨΒαʔϏε΋ѱ༻͞ΕΔ

  37. Identity Wallet 
 (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)

     37 • IdPʹґଘ͢ΔͷͰ͸ͳ͘ɺݸਓ͕ࣗ෼ͷ৘ใΛ؅ཧ͢ΔελΠϧ • Ծ૝௨՟͋ͨΓͰ໨ʹ͢Δ໾ׂ෼୲ • Issuer : Ϣʔβʔ৘ใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : Ϣʔβʔ৘ใΛ؅ཧ͢ΔΞϓϦ΍ϒϥ΢βػೳ • Veri fi er : Holder ʹ৘ใΛཁٻ͠ɺऔಘͨ͠৘ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Εͯ࣌୅͕ਐΜͰ͍͘ؾ഑

  38. ҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν

  39. ՝୊ΛΧόʔ͢Δ࢓૊Έ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δ΋ͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :

    खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ Δ࢓૊ΈΛಋೖ • SMS OTP : WebOTP • WebAuthn

  40. ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜ੒ɺ؅ཧΛ೚ͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠ΍όοΫΞοϓίʔυΛอଘͰ͖Δ΋ͷ΋͋Δ •

    Ϛελʔύεϫʔυ؅ཧ͕ॏཁʹͳΔ(SPOFͱ΋ݴ͑Δ) • ϒϥ΢β / OS෇ਵͷ΋ͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બ΂͹ྑͦ͞͏

  41. Android / Chrome 
 Ͱ࣮ݱͰ͖ΔϩάΠϯUX

  42. ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)

  43. WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷ࢓૊Έ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript

    هड़ + input λά • Android ͷ SMS Retriever API ͱಉ౳

  44. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  44

  45. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  45

  46. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  46

  47. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  47

  48. WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥ΢β͕ݕূ • ”͜ͷ࢓૊ΈΛ࢖͏ͱ͖͸” ϑΟογϯά଱ੑΛ࣋ͭ •

    ؀ڥ͝ͱͷରԠ͸ෆཁɺඞཁͳͷ͸ϒϥ΢β͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ࢓༷௨Γ࣮૷͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ

  49. WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥ΢βAPI • ϒϥ΢β͕հೖ͠ɺ伴৘ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯά଱ੑΛ࣋ͭ • Platform

    Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴৘ใͷొ࿥/ೝূΛ࣮ݱ͢Δ࢓૊Έ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ୺຤ : Push௨஌ + BLE

  50. WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC

    Android

  51. WebAuthn w/ caBLE Ұ౓ར༻ͨ͠୺຤͸Push௨஌Ͱར༻Մೳ  51 PC Android

  52. WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ୺຤͸࠷ॳ͔ΒPush௨஌Ͱར༻Մೳ  52 PC

    Android

  53. WebAuthn  53 • ౰ॳ͸୺຤ͦͷ΋ͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ৅͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙࢓૊Έ΋͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰ͸ͳ͘ɺ

    BLEͰۙڑ཭ʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷ୺຤Ͱ઀ଓ͞Ε Δ͜ͱΛ๷͙ߟྀ΋͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋Ε͹Push௨஌ͰΑΓָʹར ༻Մೳ

  54. ·ͱΊ  54 • C޲͚αʔϏεͰ࢖ΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛ௃Λཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”

    Λ࣮ݱ͢ΔͨΊ ͷ࢓૊ΈΛ঺հͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏε͸ɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏

  55. ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special

    Publication 800-63B Digital Identity Guidelines (຋༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html

  56. ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹ࢖ΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱ͸ɹ1࣌ؒҎ্௨ ஌߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022೥൛Ϩϙʔτʮ2022

    State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/

  57. ࢀߟϦϯΫ  57 • σδλϧ΢ΥϨοτͷ૬ޓӡ༻ੑΛ໨ࢦ͢ஂମɺThe Linux Foundation͕ઃཱ΁ • https://japan.zdnet.com/article/35193346/

  58. ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/

    • Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt

  59. ׬ ࣭໰ɺҙݟɺײ૝Λ ͓଴͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํ΋ੋඇʂ