Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
C向けサービスで 使われている認証方式と安全な使い方
Search
ritou
September 21, 2022
Technology
12
3k
C向けサービスで 使われている認証方式と安全な使い方
どこかでこっそりやった勉強会の資料を公開します。
ritou
September 21, 2022
Tweet
Share
More Decks by ritou
See All by ritou
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
0
67
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.6k
OIDF-J EIWG 振り返り
ritou
2
36
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
420
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
520
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
750
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.2k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.8k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
13k
Other Decks in Technology
See All in Technology
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
120
Oracle Database Technology Night #87-1 : Exadata Database Service on Exascale Infrastructure(ExaDB-XS)サービス詳細
oracle4engineer
PRO
1
160
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
110
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
180
手を動かしてレベルアップしよう!
maruto
0
200
システム・ML活用を広げるdbtのデータモデリング / Expanding System & ML Use with dbt Modeling
i125
1
320
プロダクトエンジニア 360°フィードバックを実施した話
hacomono
PRO
0
140
Autonomous Database Serverless 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
17
45k
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
120
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
580
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
18k
短縮URLをお手軽に導入しよう
nakasho
0
140
Featured
See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
RailsConf 2023
tenderlove
29
1k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
A better future with KSS
kneath
238
17k
Become a Pro
speakerdeck
PRO
26
5.2k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7.1k
Code Reviewing Like a Champion
maltzj
521
39k
We Have a Design System, Now What?
morganepeng
51
7.4k
Automating Front-end Workflow
addyosmani
1368
200k
Transcript
C͚αʔϏεͰ ΘΕ͍ͯΔೝূํࣜͱ ҆શͳ͍ํ ritou @ Ͳ͔͜Ͱߦͳͬͨษڧձ
ൃදͷ༰ • C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূํࣜͷհ • ͦΕͧΕͷಛͱͳͥΘΕ࢝Ί͔ͨ • ੈͷத͕ΑΓ҆શͰศརʹͳΔͨΊʹϢʔβʔ։ൃऀ͕ҙ͖ࣝ͢ ͜ͱ  2
ೝূํࣜʹ͍ͭͯҰ൪ࢀߟʹͳΔࢿྉ NIST SP 800-63γϦʔζ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng-
nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special Publication 800-63B Digital Identity Guidelines (༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html
C͚Ϣʔβʔೝূͷྺ࢙
ᶃ ύεϫʔυೝূ
ύεϫʔυೝূ (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :
ࣝ • ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ • ಛఆσόΠεෆཁͷࢸߴͷೝূํࣜ
ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛΕͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ΞΧϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత • ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
ϝʔϧ/SMSʹΑΔOTP (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :
ॴ༗ • SMSϝʔϧͰड͚औͬͨೝূίʔυΛݕূ • ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳ͍ͬͯͨ
ᶄ 2ஈ֊/ཁૉೝূͷීٴ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ • ͍ΘΏΔϩοΫΧϯλʹ͔͔Βͳ͍Α͏ʹ͏·͍͜ͱ߈ܸͯ͘͠Δ
ιϑτΣΞTOTP (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ
: ॴ༗ • ϞόΠϧΞϓϦͰੜͨ͠TOTP(RFC6238)Λݕূ • 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google Authenticatorͱͱ ʹTOTPೝূΛఏڙ։࢝ • ͦΕ·Ͱۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫ ϯ͕ΘΕ͍ͯͨ
ϞόΠϧΞϓϦͷpush௨ (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :
ॴ༗ • ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • MS Authenticator, GitHub, Okta Verify… • ܦ࿏ͷ҆શੑ͕ΩϞʹͳΔͷͰɺϞόΠϧΞϓϦͷ௨ͷΈͷ ํ͕SMSEϝʔϧΑΓ҆શͱ·ͰݴΘΕΔ
όοΫΞοϓίʔυ (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :
ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ • TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷ࠷ޙͷखஈͱͯ͠͠ Εͬͱ࠾༻͞Ε͍ͯΔ
ᶅ ϑΟογϯάʹڧ͍ ೝূํࣜ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ݱ࣮  19 • ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ • B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
ʮTOTPઃఆΛͯͨ͠Β ҆શͰͳ͍ͷͰ͔͢ʁʯ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 34356!"#$%&'()*12 89:;<=:#$>?@*ABC
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 34356!"#$%&'()*12 89:;<=:#$>?@*ABC DEFGH I#$J%K#L.0MN
͜Ε·Ͱͷೝূํࣜ ϑΟογϯάੑΛ࣋ͨͳ͍  25 • ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:
URLΛ֬ೝͤͣೖྗ • ެࣜΞϓϦͳͲͷPush௨&ಉҙ : URLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
(͓·͚)͋ΔϝʔϧΞυϨε/ి൪߸͕αʔϏεʹରͯ͠ ొࡁΈ͔Ͳ͏͔ΛΒΕ͍͚ͯͳ͍ཧ༝  26 • ొࡁΈͷͷ͚ͩΛͬͯύεϫʔυϦετ/εϓϨʔ߈ܸɺඪత ܕ߈ܸ + ϑΟογϯά
• ແବܸͪΛݮΒͤͯޮՌత • ϦετࣗମͷՁ্ • ෳαʔϏεͰར༻͍ͯ͠ΔϝʔϧΞυϨε/ి൪߸Ձ͕ߴ͍
FIDOೝূ w/ UserVeri fi cation (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)
 27 • ೝূཁૉ : ॴ༗ + ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ OPQ4RSTUVWXYZ[\]^ _`abcdefg*hijk lm='()n !"#$%&'()] ocp*qk rrcstuqv
FIDOೝূͷ՝  29 • 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ • Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ Β࠶ొ͕ඞཁ • ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ?
• ػछมߋ/ަͨ͠ΒαʔϏε୯Ґʹ࠶ొ͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
Passkey  30 • ύεϫʔυ vs ύεΩʔ • σόΠεΑΓϢʔβʔʹඥ͚ͮΒΕΔ伴ใ •
͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ࿏ઢ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ
Passkey - ”FIDO multi-device credentials”  31 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.
Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ 2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ • iCloud KeychainʹΑΔಉظ
Passkey - ”FIDO multi-device credentials”  32 • ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ 1.
ࣄલʹAndroidͰύεΩʔΛొ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺΕΔଓํ๏) 3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰϩ άΠϯՄೳʹͳΔ
ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
ID࿈ܞ  34 • Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ • දతͳϓϩτίϧ͕OpenID Connect, SAMLͳͲ
• Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻͢Δ • ଐੑใΛ׆༻ͯ͠UXΛ্ͤ͞Δ • ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲΛ৴༻͢Δ
ID࿈ܞͷ՝  35 • IdPͱ৺த • ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •
IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Identity Wallet (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)
 36 • IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ • Ծ௨՟͋ͨΓͰʹ͢Δׂ୲ • Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ • Veri fi er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
҆શ&ศརʹར༻͢ΔͨΊʹ Ϣʔβʔ/αʔϏε͕Ͱ͖Δ͜ͱ
՝  38 • ೝূํࣜࣗମͷऑΈΛͲ͏ΧόʔͰ͖Δ͔ • ϑΟογϯάੑ : FIDOҎ֎ͷطଘͷೝূํࣜ •
རศੑ • εϚʔτϑΥϯҎ֎Λ͏ͷ͠ΜͲ͍ • εϚʔτϑΥϯͷѻ͍ • “εϚʔτϑΥϯ͚ͩͰͰ͖Δ”ʹدͤͭͭɺ”མͱͨ͠ΒऴΘΓ”ΛέΞ͢Δ ඞཁ͕͋Δ
(Ϣʔβʔ) ύεϫʔυϚωʔδϟʔͷར༻  39 • ύεϫʔυؚΊͨΫϨσϯγϟϧΛ”શ෦ॴ༗”͢Δײ֮ • ύεϫʔυ, TOTPͷγʔΫϨοτཧ&TOTPੜ, όοΫΞοϓ
ίʔυཧ • υϝΠϯఆΛͤΔ͜ͱͰϑΟογϯάੑΛ࣋ͭ • Ϛελʔύεϫʔυͷཧʹ໋Λ͙ελΠϧ
(αʔϏε) ʮεϚʔτϑΥϯ͕͋ΕʯελΠϧͷීٴ  40 • खݩͷεϚʔτϑΥϯΛར༻͢ΔUX • Cross-device WebOTP :
AndroidͰड͚औͬͨೝূίʔυΛPCͷ Chromeͷը໘ʹసૹՄೳ • ެࣜΞϓϦͷϓογϡ௨ • Passkey • εϚϗ͕ͳ͘ͳͬͨ߹ͷϦΧόϦʔʹ͔͔͍ͬͯΔελΠϧ
·ͱΊ  41 • ೝূํࣜཧ • ύεϫʔυೝূ -> 2ஈ֊ೝূ •
FIDO -> Passkey • ID࿈ܞ -> Identity Wallet? • ҆શͰศརͳ͍ํ
ऴΘΓ
ritou
oracle4engineer
nrinetcom
tomzoh
maruto
i125
hacomono
unblee
pohdccoe
safie_recruit
nakasho
keithpitt
addyosmani
tenderlove
tanoku
chriscoyier
jlugia
kneath
speakerdeck
aleyda
maltzj
morganepeng
![https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ OPQ4RSTUVWXYZ[\]^ _`abcdefg*hijk lm='()n !"#$%&'()] ocp*qk rrcstuqv](https://files.speakerdeck.com/presentations/4681beb2a7714244b9128ea8c3803bab/slide_27.jpg){kind=link}
