Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ Droid...
Search
ritou
October 06, 2022
Technology
2
7.4k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753
ritou
October 06, 2022
Tweet
Share
More Decks by ritou
See All by ritou
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
1
640
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
8
1.5k
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
0
82
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.6k
OIDF-J EIWG 振り返り
ritou
2
43
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
470
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
590
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
790
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.3k
Other Decks in Technology
See All in Technology
OpenLane-V2ベンチマークと代表的な手法
kzykmyzw
0
110
Рекомендации с нуля: как мы в Lamoda превратили главную страницу в ключевую точку входа для персонализированного шоппинга. Данил Комаров, Data Scientist, Lamoda Tech
lamodatech
0
820
C++26アップデート 2025-03
faithandbrave
0
1.1k
新卒エンジニアがCICDをモダナイズしてみた話
akashi_sn
2
260
2025-04-14 Data & Analytics 井戸端会議 Multi tenant log platform with Iceberg
kamijin_fanta
0
110
3D生成AIのための画像生成
kosukeito
2
340
ビジネスとデザインとエンジニアリングを繋ぐために 一人のエンジニアは何ができるか / What can a single engineer do to connect business, design, and engineering?
kaminashi
2
680
エンジニアリングで組織のアウトカムを最速で最大化する!
ham0215
1
220
OPENLOGI Company Profile for engineer
hr01
1
24k
Oracle Cloud Infrastructure:2025年4月度サービス・アップデート
oracle4engineer
PRO
0
170
watsonx.data上のベクトル・データベース Milvusを見てみよう/20250418-milvus-dojo
mayumihirano
0
130
SREからゼロイチプロダクト開発へ ー越境する打席の立ち方と期待への応え方ー / Product Engineering Night #8
itkq
2
1k
Featured
See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
34
2.2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k
Optimising Largest Contentful Paint
csswizardry
37
3.2k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
23
2.7k
Done Done
chrislema
184
16k
GraphQLとの向き合い方2022年版
quramy
46
14k
GraphQLの誤解/rethinking-graphql
sonatard
71
10k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
800
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Speed Design
sergeychernyshev
29
910
Making the Leap to Tech Lead
cromwellryan
133
9.2k
Transcript
Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022
ൃදͷ༰ • C͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2
ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @
OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3
C͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ
ᶃύεϫʔυೝূ
ύεϫʔυೝূ (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :
ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ
ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛΕͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ΞΧϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత • ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
ϝʔϧ/SMSʹΑΔOTP (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :
ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ
ᶄ2ஈ֊/ཁૉೝূͷීٴ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ • ͜ΕΒͷ߈ܸͷରࡦͱͯ͠ɺՃೝূ͕ීٴ
ιϑτΣΞTOTP (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ
: ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜͨ͠OTPΛݕূ (RFC6238) • 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google AuthenticatorͱͱʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫϯ͕ΘΕ͍ͯ ͕ͨίετ໘ʹ՝͕͋ͬͨ
ϞόΠϧΞϓϦͷpush௨ (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :
ॴ༗ • ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δͷ௨ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผͷ௨ͷํ͕SMSEϝʔϧΑΓ҆શ? • Push௨ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸൃੜ
όοΫΞοϓίʔυ (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :
ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ • TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ
ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ݱ࣮  19 • ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ • B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:
345'()*+,-./6789:
͜Ε·Ͱͷೝূํࣜ ϑΟογϯάੑΛ࣋ͨͳ͍  26 • ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:
࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲͷPush௨&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
FIDOೝূ w/ UserPresense (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27
• ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:
FIDOೝূ w/ UserVeri fi cation (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)
 29 • ೝূཁૉ : ॴ༗ + ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
FIDOೝূͷ՝  30 • 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ • Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ Γɺަͨ͠ࡍʹ࠶ొ͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
• ಉఔͷೝূڧΛ࣋ͭೝূํࣜͱ??? • ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ͕͋Δ
Passkey - ”FIDO multi-device credentials”  31 • 伴ใ͕σόΠεͰͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •
͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Βհ)
Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.
Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ
Passkey - ”FIDO multi-device credentials”  33 • ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ 1.
ࣄલʹAndroidͰύεΩʔΛొ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺΕΔଓํ๏) 3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ
ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ • දతͳϓϩτίϧ͕OpenID Connect, OAuth
2.0 + Ϣʔβʔใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑใΛ׆༻ͯ͠UXΛ্ • ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲ
ID࿈ܞͷ՝  36 • IdPͱ৺த • ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •
IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Identity Wallet (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)
 37 • IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ • Ծ௨՟͋ͨΓͰʹ͢Δׂ୲ • Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ • Veri fi er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν
՝ΛΧόʔ͢ΔΈ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :
खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ ΔΈΛಋೖ • SMS OTP : WebOTP • WebAuthn
ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜɺཧΛͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠόοΫΞοϓίʔυΛอଘͰ͖Δͷ͋Δ •
Ϛελʔύεϫʔυཧ͕ॏཁʹͳΔ(SPOFͱݴ͑Δ) • ϒϥβ / OSਵͷͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બྑͦ͞͏
Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX
ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)
WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷΈ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript
هड़ + input λά • Android ͷ SMS Retriever API ͱಉ
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  44
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  45
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  46
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  47
WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥβ͕ݕূ • ”͜ͷΈΛ͏ͱ͖” ϑΟογϯάੑΛ࣋ͭ •
ڥ͝ͱͷରԠෆཁɺඞཁͳͷϒϥβ͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ༷௨Γ࣮͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ
WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥβAPI • ϒϥβ͕հೖ͠ɺ伴ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯάੑΛ࣋ͭ • Platform
Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴ใͷొ/ೝূΛ࣮ݱ͢ΔΈ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ : Push௨ + BLE
WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC
Android
WebAuthn w/ caBLE Ұར༻ͨ͠Push௨Ͱར༻Մೳ  51 PC Android
WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ࠷ॳ͔ΒPush௨Ͱར༻Մೳ  52 PC
Android
WebAuthn  53 • ॳͦͷͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙Έ͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰͳ͘ɺ
BLEͰۙڑʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷͰଓ͞Ε Δ͜ͱΛ͙ߟྀ͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋ΕPush௨ͰΑΓָʹར ༻Մೳ
·ͱΊ  54 • C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛΛཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”
Λ࣮ݱ͢ΔͨΊ ͷΈΛհͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏεɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏
ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special
Publication 800-63B Digital Identity Guidelines (༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html
ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱɹ1࣌ؒҎ্௨ ߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022൛Ϩϙʔτʮ2022
State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/
ࢀߟϦϯΫ  57 • σδλϧΥϨοτͷ૬ޓӡ༻ੑΛࢦ͢ஂମɺThe Linux Foundation͕ઃཱ • https://japan.zdnet.com/article/35193346/
ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/
• Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt
࣭ɺҙݟɺײΛ ͓͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํੋඇʂ
ritou
kzykmyzw
lamodatech
faithandbrave
akashi_sn
kamijin_fanta
kosukeito
kaminashi
ham0215
hr01
oracle4engineer
mayumihirano
itkq
eileencodes
csswizardry
chrislema
quramy
sonatard
geoffreycrofte
sergeychernyshev
lauravandoore
cromwellryan
![https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:](https://files.speakerdeck.com/presentations/ed588929c13441e2b1b0d025cdf8c5a6/slide_24.jpg){kind=link}
