Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Passkeys and Identity Federation @ OpenID Summi...

ritou
January 19, 2024
Technology
2
670

Passkeys and Identity Federation @ OpenID Summit Tokyo 2024

下記イベントの発表資料です。
https://www.openid.or.jp/summit/2024/#event-outline

ritou

January 19, 2024
Tweet

More Decks by ritou

See All by ritou
OIDF-J EIWG 振り返り
ritou
2
17
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
340
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
2
430
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.5k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
12k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
ritou
2
6.8k
C向けサービスで 使われている認証方式と安全な使い方
ritou
12
2.9k
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
ritou
2
1k

Other Decks in Technology

See All in Technology
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
960
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
590
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
580
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
Terraform Stacks入門 #HashiTalks
msato
0
350

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
A designer walks into a library…
pauljervisheath
203
24k
Facilitating Awesome Meetings
lara
50
6.1k
Navigating Team Friction
lara
183
14k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Building Applications with DynamoDB
mza
90
6.1k
A better future with KSS
kneath
238
17k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720

Transcript

  1. Passkeys and Identity Federation ritou ~ OpenID Summit Tokyo 2024

    ~

  2. Contents • Features • Bene fi ts of supporting passkeys

    for each IdP/RP of ID Federation • Related Speci fi cations 2

  3. Features

  4. Passkey • Security • Public Key Cryptography • Phishing Resistance

    • Usability • Local Authentication • Synced Passkey with Password Manager 4

  5. Passkey • Issues • Account Recovery • Cross-platform Synchronization •

    Phase • 2023: Management, SignIn • 2024: SignUp, Migration from Password 5

  6. ID Federation • Usage • Authentication • Identity Proo fi

    ng • OpenID Connect • Widely Supported Environment • Extensions for Various Use-cases 6

  7. ID Federation • Issues • UX without Browser Mediation •

    Privacy Risk • IdP-induced Trouble • Unsupported Speci fi cations 7

  8. Passkey for ID Federation RP

  9. Passkey Advantage as Authentication Method • UX with Conditional Mediation

    • Reduced Privacy Risk • Controllable Authenticator-induced Trouble • Ease of use for Re-Authentication 9

  10. Complement ID Federation with Passkey • Usability Improvement • Appeal

    to users who avoid ID Federation 10 4JHO*OXJUIʜ

  11. Complement Passkey with ID Federation • Strong authentication method options

    • Support for Passkey unavailable environments 11 w 1BTTXPSE w 1BTTXPSE 5051 w 1BTTLFZ w *%'FEFSBUJPO w 1BTTLFZ

  12. Passkey for ID Federation IdP

  13. Advantages of IdP using Passkey • Protect multiple RPs •

    Account Recovery(MFA Options, ID Proo fi ng) 13 1BTTLFZ *E1 31 31 31 31

  14. Related OIDC / OAuth 2.0 Specs

  15. OpenID Connect Core 1.0 15 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response

  16. OpenID Connect Core 1.0 16 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ

  17. OpenID Connect Core 1.0 17 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ BDS@WBMVFTDMBJNT BDSBNS

  18. OpenID Connect Core 1.0 18 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3F"VUIX 1BTTLFZ BDS@WBMVFTDMBJNT  NBY@BHF  MPHJO@IJOU JE@UPLFO@IJOU BDSBNS  BVUI@UJNF

  19. OpenID Connect Core 1.0 • Authentication Request Parameters for End-User

    Authentication • acr_values, claims • Claims for End-User Authentication • acr, amr, auth_time • Authentication Request Parameters for Re-Authentication • max_age, login_hint, id_token_hint 19

  20. OpenID Connect Extended Authentication Pro fi le (EAP) ACR Values

    1.0 (draft 01) 20 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ BDSBNS BDS@WBMVFTDMBJNT

  21. OpenID Connect Extended Authentication Pro fi le (EAP) ACR Values

    1.0 (draft 01) • “acr” • “phr”: Phishing-Resistant • “phrh”: Phishing-Resistant Hardware-Protected • “amr” • “pop”: Proof-of-possession of a key • Other value is de fi ned in RFC8176 21

  22. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    22 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access

  23. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    23 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access BDS BVUI@UJNF BDS BVUI@UJNF 1BTTXPSE

  24. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    24 31 01 End User (1) Request Authentication (2), (7) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access BDS BVUI@UJNF BDS BVUI@UJNF (6) Error with challenge 1BTTLFZ BDS@WBMVFTDMBJNT  NBY@BHF BDS NBY@BHF

  25. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    • Use-case • IdP: Authentication/Authorization Service • RP: SPA/Native App • RS: Payment, Healthcare, … 25

  26. Summary • Passkey and ID Federation have distinct features and

    complement each other when combined • There are bene fi ts to both IdP and RP in ID Federation to support passkey • Let's support speci fi cations for handling authentication states 26

  27. Fin @ritou