Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ Droid...
Search
ritou
October 06, 2022
Technology
2
7.2k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753
ritou
October 06, 2022
Tweet
Share
More Decks by ritou
See All by ritou
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
0
68
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.6k
OIDF-J EIWG 振り返り
ritou
2
36
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
420
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
520
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
750
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.2k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.8k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
13k
Other Decks in Technology
See All in Technology
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
460
短縮URLをお手軽に導入しよう
nakasho
0
140
プロダクトエンジニア構想を立ち上げ、プロダクト志向な組織への成長を続けている話 / grow into a product-oriented organization
hiro_torii
1
350
OPENLOGI Company Profile for engineer
hr01
1
20k
CDKでカスタムランタイムを作成して、Lambdaをnode.js23+TypeScriptで動かしてみた
smt7174
2
110
Apache Iceberg Case Study in LY Corporation
lycorptech_jp
PRO
0
300
Share my, our lessons from the road to re:Invent
naospon
0
140
Raycast AI APIを使ってちょっと便利な拡張機能を作ってみた / created-a-handy-extension-using-the-raycast-ai-api
kawamataryo
0
210
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
220
Two Blades, One Journey: Engineering While Managing
ohbarye
4
1.8k
クラウドサービス事業者におけるOSS
tagomoris
4
1k
Snowflakeの開発・運用コストをApache Icebergで効率化しよう!~機能と活用例のご紹介~
sagara
1
410
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Optimizing for Happiness
mojombo
376
70k
Making Projects Easy
brettharned
116
6k
4 Signs Your Business is Dying
shpigford
182
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
GraphQLとの向き合い方2022年版
quramy
44
14k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
250
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Transcript
Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022
ൃදͷ༰ • C͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2
ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @
OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3
C͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ
ᶃύεϫʔυೝূ
ύεϫʔυೝূ (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :
ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ
ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛΕͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ΞΧϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత • ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
ϝʔϧ/SMSʹΑΔOTP (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :
ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ
ᶄ2ஈ֊/ཁૉೝূͷීٴ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ • ͜ΕΒͷ߈ܸͷରࡦͱͯ͠ɺՃೝূ͕ීٴ
ιϑτΣΞTOTP (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ
: ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜͨ͠OTPΛݕূ (RFC6238) • 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google AuthenticatorͱͱʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫϯ͕ΘΕ͍ͯ ͕ͨίετ໘ʹ՝͕͋ͬͨ
ϞόΠϧΞϓϦͷpush௨ (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :
ॴ༗ • ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δͷ௨ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผͷ௨ͷํ͕SMSEϝʔϧΑΓ҆શ? • Push௨ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸൃੜ
όοΫΞοϓίʔυ (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :
ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ • TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ
ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ݱ࣮  19 • ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ • B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:
345'()*+,-./6789:
͜Ε·Ͱͷೝূํࣜ ϑΟογϯάੑΛ࣋ͨͳ͍  26 • ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:
࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲͷPush௨&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
FIDOೝূ w/ UserPresense (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27
• ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:
FIDOೝূ w/ UserVeri fi cation (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)
 29 • ೝূཁૉ : ॴ༗ + ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
FIDOೝূͷ՝  30 • 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ • Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ Γɺަͨ͠ࡍʹ࠶ొ͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
• ಉఔͷೝূڧΛ࣋ͭೝূํࣜͱ??? • ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ͕͋Δ
Passkey - ”FIDO multi-device credentials”  31 • 伴ใ͕σόΠεͰͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •
͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Βհ)
Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.
Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ
Passkey - ”FIDO multi-device credentials”  33 • ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ 1.
ࣄલʹAndroidͰύεΩʔΛొ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺΕΔଓํ๏) 3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ
ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ • දతͳϓϩτίϧ͕OpenID Connect, OAuth
2.0 + Ϣʔβʔใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑใΛ׆༻ͯ͠UXΛ্ • ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲ
ID࿈ܞͷ՝  36 • IdPͱ৺த • ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •
IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Identity Wallet (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)
 37 • IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ • Ծ௨՟͋ͨΓͰʹ͢Δׂ୲ • Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ • Veri fi er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν
՝ΛΧόʔ͢ΔΈ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :
खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ ΔΈΛಋೖ • SMS OTP : WebOTP • WebAuthn
ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜɺཧΛͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠόοΫΞοϓίʔυΛอଘͰ͖Δͷ͋Δ •
Ϛελʔύεϫʔυཧ͕ॏཁʹͳΔ(SPOFͱݴ͑Δ) • ϒϥβ / OSਵͷͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બྑͦ͞͏
Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX
ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)
WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷΈ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript
هड़ + input λά • Android ͷ SMS Retriever API ͱಉ
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  44
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  45
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  46
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  47
WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥβ͕ݕূ • ”͜ͷΈΛ͏ͱ͖” ϑΟογϯάੑΛ࣋ͭ •
ڥ͝ͱͷରԠෆཁɺඞཁͳͷϒϥβ͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ༷௨Γ࣮͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ
WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥβAPI • ϒϥβ͕հೖ͠ɺ伴ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯάੑΛ࣋ͭ • Platform
Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴ใͷొ/ೝূΛ࣮ݱ͢ΔΈ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ : Push௨ + BLE
WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC
Android
WebAuthn w/ caBLE Ұར༻ͨ͠Push௨Ͱར༻Մೳ  51 PC Android
WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ࠷ॳ͔ΒPush௨Ͱར༻Մೳ  52 PC
Android
WebAuthn  53 • ॳͦͷͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙Έ͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰͳ͘ɺ
BLEͰۙڑʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷͰଓ͞Ε Δ͜ͱΛ͙ߟྀ͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋ΕPush௨ͰΑΓָʹར ༻Մೳ
·ͱΊ  54 • C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛΛཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”
Λ࣮ݱ͢ΔͨΊ ͷΈΛհͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏεɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏
ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special
Publication 800-63B Digital Identity Guidelines (༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html
ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱɹ1࣌ؒҎ্௨ ߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022൛Ϩϙʔτʮ2022
State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/
ࢀߟϦϯΫ  57 • σδλϧΥϨοτͷ૬ޓӡ༻ੑΛࢦ͢ஂମɺThe Linux Foundation͕ઃཱ • https://japan.zdnet.com/article/35193346/
ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/
• Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt
࣭ɺҙݟɺײΛ ͓͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํੋඇʂ
ritou
ak1210
nakasho
.jpg){kind=avatar}
hiro_torii
hr01
smt7174
lycorptech_jp
naospon
kawamataryo
hatena
ohbarye
tagomoris
sagara
marcelosomers
pedronauck
mojombo
brettharned
shpigford
morganepeng
quramy
bluesmoon
dougneiner
mraible
erikaheidi
eileencodes
![https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:](https://files.speakerdeck.com/presentations/ed588929c13441e2b1b0d025cdf8c5a6/slide_24.jpg){kind=link}
