$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
ritou
October 06, 2022
Technology
1
690
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753
ritou
October 06, 2022
Tweet
Share
More Decks by ritou
See All by ritou
C向けサービスで 使われている認証方式と安全な使い方
ritou
13
2.4k
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
ritou
2
590
GNAP超入門 ~ IW2021 C15
ritou
1
3.4k
OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3
ritou
1
890
ID連携の標準化仕様紹介とセキュアな実装のためのアプローチ 2021 / Identity Federation Protocols 2021
ritou
3
7.4k
JWT Boot Camp 2020
ritou
1
5.9k
iddance2_ritou.pdf
ritou
1
3.7k
webauthn_study_ritou.pdf
ritou
3
870
WebAuthn/FIDOのUX徹底解説 ~実サービスへの導入イメージを添えて~ / builderscon tokyo 2019 ritou
ritou
11
6k
Other Decks in Technology
See All in Technology
Oracle Funtions ご紹介 / oracle-functions-overview
oracle4engineer
PRO
0
450
[re:Invent 2022][Fin-JAWS #29]現地参加のみなさんがキラキラアップデートに目がくらんでいるスキに渋いアップデートをキャッチアップ!!
ykimi
1
230
システム開発の基礎〜システム開発の全体像を捉えるV字モデル
haru860
5
1.2k
221203 Power 界隈ではない立場からPower Automate の強さについてライトに語ってみる_株式会社コミュカル Mitz
comucal
PRO
0
110
APN AWS Top Engineersが語るAWSの最新セキュリティ
cmusudakeisuke
0
890
Redshift ServerlessとProvisioned Cluster のちょっとした違い
mashiike
0
160
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
22k
AIの言う通りにやったら Webアプリが作れるのか試してみた (ChatGPT)
t_pori418
0
160
ユーザー理解は、自組織理解から!インナーリサーチのススメ / SDC_okusa
recruitengineers
PRO
0
300
Treasure Data TechTalk 2022 - TD CDP in 30 minutes
aamine
0
530
Reading "Interpretable Personalized Experimentation"
tatsuyashirakawa
0
140
Advice for Ruby beginners
sinsoku
2
200
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
1
310
Art, The Web, and Tiny UX
lynnandtonic
282
18k
Mobile First: as difficult as doing things right
swwweet
213
7.7k
StorybookのUI Testing Handbookを読んだ
zakiyama
7
3k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
20
6.7k
Building Applications with DynamoDB
mza
84
4.9k
Designing the Hi-DPI Web
ddemaree
273
32k
The Power of CSS Pseudo Elements
geoffreycrofte
51
4.2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
770
Reflections from 52 weeks, 52 projects
jeffersonlam
337
18k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
15
1.1k
Designing with Data
zakiwarfel
91
4.1k
Transcript
Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022
ൃදͷ༰ • C͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2
ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @
OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3
C͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ
ᶃύεϫʔυೝূ
ύεϫʔυೝূ (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :
ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ
ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛΕͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ΞΧϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత • ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
ϝʔϧ/SMSʹΑΔOTP (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :
ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ
ᶄ2ஈ֊/ཁૉೝূͷීٴ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ • ͜ΕΒͷ߈ܸͷରࡦͱͯ͠ɺՃೝূ͕ීٴ
ιϑτΣΞTOTP (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ
: ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜͨ͠OTPΛݕূ (RFC6238) • 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google AuthenticatorͱͱʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫϯ͕ΘΕ͍ͯ ͕ͨίετ໘ʹ՝͕͋ͬͨ
ϞόΠϧΞϓϦͷpush௨ (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :
ॴ༗ • ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δͷ௨ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผͷ௨ͷํ͕SMSEϝʔϧΑΓ҆શ? • Push௨ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸൃੜ
όοΫΞοϓίʔυ (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :
ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ • TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ
ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ݱ࣮  19 • ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ • B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:
345'()*+,-./6789:
͜Ε·Ͱͷೝূํࣜ ϑΟογϯάੑΛ࣋ͨͳ͍  26 • ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:
࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲͷPush௨&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
FIDOೝূ w/ UserPresense (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27
• ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:
FIDOೝূ w/ UserVeri fi cation (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)
 29 • ೝূཁૉ : ॴ༗ + ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
FIDOೝূͷ՝  30 • 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ • Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ Γɺަͨ͠ࡍʹ࠶ొ͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
• ಉఔͷೝূڧΛ࣋ͭೝূํࣜͱ??? • ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ͕͋Δ
Passkey - ”FIDO multi-device credentials”  31 • 伴ใ͕σόΠεͰͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •
͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Βհ)
Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.
Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ
Passkey - ”FIDO multi-device credentials”  33 • ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ 1.
ࣄલʹAndroidͰύεΩʔΛొ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺΕΔଓํ๏) 3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ
ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ • දతͳϓϩτίϧ͕OpenID Connect, OAuth
2.0 + Ϣʔβʔใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑใΛ׆༻ͯ͠UXΛ্ • ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲ
ID࿈ܞͷ՝  36 • IdPͱ৺த • ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •
IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Identity Wallet (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)
 37 • IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ • Ծ௨՟͋ͨΓͰʹ͢Δׂ୲ • Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ • Veri fi er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν
՝ΛΧόʔ͢ΔΈ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :
खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ ΔΈΛಋೖ • SMS OTP : WebOTP • WebAuthn
ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜɺཧΛͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠόοΫΞοϓίʔυΛอଘͰ͖Δͷ͋Δ •
Ϛελʔύεϫʔυཧ͕ॏཁʹͳΔ(SPOFͱݴ͑Δ) • ϒϥβ / OSਵͷͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બྑͦ͞͏
Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX
ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)
WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷΈ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript
هड़ + input λά • Android ͷ SMS Retriever API ͱಉ
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  44
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  45
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  46
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  47
WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥβ͕ݕূ • ”͜ͷΈΛ͏ͱ͖” ϑΟογϯάੑΛ࣋ͭ •
ڥ͝ͱͷରԠෆཁɺඞཁͳͷϒϥβ͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ༷௨Γ࣮͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ
WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥβAPI • ϒϥβ͕հೖ͠ɺ伴ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯάੑΛ࣋ͭ • Platform
Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴ใͷొ/ೝূΛ࣮ݱ͢ΔΈ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ : Push௨ + BLE
WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC
Android
WebAuthn w/ caBLE Ұར༻ͨ͠Push௨Ͱར༻Մೳ  51 PC Android
WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ࠷ॳ͔ΒPush௨Ͱར༻Մೳ  52 PC
Android
WebAuthn  53 • ॳͦͷͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙Έ͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰͳ͘ɺ
BLEͰۙڑʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷͰଓ͞Ε Δ͜ͱΛ͙ߟྀ͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋ΕPush௨ͰΑΓָʹར ༻Մೳ
·ͱΊ  54 • C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛΛཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”
Λ࣮ݱ͢ΔͨΊ ͷΈΛհͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏεɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏
ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special
Publication 800-63B Digital Identity Guidelines (༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html
ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱɹ1࣌ؒҎ্௨ ߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022൛Ϩϙʔτʮ2022
State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/
ࢀߟϦϯΫ  57 • σδλϧΥϨοτͷ૬ޓӡ༻ੑΛࢦ͢ஂମɺThe Linux Foundation͕ઃཱ • https://japan.zdnet.com/article/35193346/
ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/
• Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt
࣭ɺҙݟɺײΛ ͓͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํੋඇʂ
ritou
oracle4engineer
ykimi
haru860
comucal
cmusudakeisuke
mashiike
t_pori418
recruitengineers
aamine
tatsuyashirakawa
sinsoku
bluesmoon
lynnandtonic
swwweet
zakiyama
panda_program
mza
ddemaree
geoffreycrofte
marcduiker
jeffersonlam
marktimemedia
zakiwarfel
![https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:](https://files.speakerdeck.com/presentations/ed588929c13441e2b1b0d025cdf8c5a6/slide_24.jpg){kind=link}
