Upgrade to Pro — share decks privately, control downloads, hide ads and more …

パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1

ritou
February 09, 2023

パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1

下記講演の資料です。
https://event.shoeisha.jp/devsumi/20230209/session/4146/

下記記事で内容解説を行っていますのでご覧ください。
https://zenn.dev/mixi/articles/fdf9236f86ea29

ritou

February 09, 2023
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. ύεΩʔ͸ϢʔβʔೝূΛ


    Ͳ͏ม͑Δͷ͔ʁ
    ͦͷಛ௃ͱಋೖʹ͓͚Δ՝୊
    ҏ౦ ྒ(@ritou) - Developers Summit 2023ʢ2023.02.09-10ʣ

    View full-size slide

  2. ҏ౦ ྒ (@ritou)
    • גࣜձࣾ MIXI - ΤϯδχΞ


    • OpenID ϑΝ΢ϯσʔγϣϯɾδϟύϯ - ΤόϯδΣϦετ


    • Digital Identityؔ࿈ͷϒϩάɺࣥචɺษڧձ…
    2

    View full-size slide

  3. ൃදͷ಺༰
    • ͜Ε·ͰͷϢʔβʔೝূ


    • ύεΩʔͷಛ௃


    • ύεΩʔಋೖͷϙΠϯτ
    3

    View full-size slide

  4. ͜Ε·ͰͷϢʔβʔೝূ

    View full-size slide

  5. ύεϫʔυೝূ - Memorized Secrets
    • ೝূཁૉ : ஌ࣝ


    • ϢʔβʔɺαʔϏε͕ύεϫʔυΛڞ༗


    • Ϣʔβʔ͸هԱ͢Δ


    • αʔϏε͸҆શʹอଘ


    • Ϣʔβʔ͔ΒૹΒΕͨϢʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛ
    αʔϏε͕ݕূ͢Δํ๏͕Ұൠత
    5

    View full-size slide

  6. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
    • Ϣʔβʔͷཁ݅


    • ύεϫʔυΛ๨Εͳ͍


    • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍


    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍


    • αʔϏεͷཁ݅


    • ύεϫʔυΛ҆શʹ؅ཧ͢Δ


    • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
    6
    ←๨ΕΔ

    View full-size slide

  7. ΞΧ΢ϯτϦΧόϦʔ
    • ͋ΔೝূํࣜͰ “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮


    • ผͷखஈͰ౰ਓೝূ / ਎ݩ֬ೝ + ઃఆมߋ


    • ผͷೝূํࣜ : SMS͕࢖͑ͳ͍ͷͰόοΫΞοϓίʔυΛར༻


    • ొ࿥࣌ͷ਎ݩ֬ೝํ๏Λར༻ : PW࠶ઃఆ༻ͷURLΛϝʔϧૹ৴


    • CSܦ༝ͷKYC : ఏग़ࡁΈͷ਎෼ূ໌ॻΛར༻
    7

    View full-size slide

  8. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
    • Ϣʔβʔͷཁ݅


    • ύεϫʔυΛ๨Εͳ͍


    • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍


    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍


    • αʔϏεͷཁ݅


    • ύεϫʔυΛ҆શʹ؅ཧ͢Δ


    • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
    8
    ਪଌՄೳͳύεϫʔυΛ


    ෳ਺αʔϏεͰ࢖͍ճ͢
    ෮߸Մೳͳঢ়ଶͰ


    อଘ͍ͯͨ͠஋͕࿙Ӯ

    View full-size slide

  9. ύεϫʔυϦετ/ύεϫʔυεϓϨʔ ߈ܸ
    • ύεϫʔυϦετ߈ܸ : ଞαʔϏε͔Β࿙ӮɺϑΟογϯάͰऔಘ͞
    Εͨ”(ϝʔϧΞυϨεͳͲؚΉ)Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹
    Θͤ”Λར༻ͯ͠ϩάΠϯࢼߦ


    • ύεϫʔυεϓϨʔ߈ܸ : “ϢʔβʔࣝผࢠͷϦετͱΑ͘࢖ΘΕ͍ͯ
    Δύεϫʔυ”ͷ૊Έ߹ΘͤͰϩάΠϯࢼߦ


    • ύεϫʔυҎ֎ͷೝূํࣜͱͷ૊Έ߹ΘͤʹΑΔରࡦ͕ඞཁ
    9

    View full-size slide

  10. TOTP - Single-Factor OTP Device
    • ೝূཁૉ : ॴ༗


    • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ɺ


    • ϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰੜ੒ͨ͠OTP(RFC6238)Λར༻


    • ۚ༥ػؔͳͲͰ͸ϋʔυ΢ΣΞτʔΫϯ͕ར༻͞Ε͍͕ͯͨɺ2010
    ೥୅ʹGoogle͕Google Authenticatorͱͱ΋ʹ2ஈ֊ೝূΛఏڙͯ͠
    ͔Βීٴ
    10

    View full-size slide

  11. SMS OTP - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗


    • SMSܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻


    • αʔϏε͸ొ࿥ࡁΈͷి࿩൪߸ʹOTPΛૹ৴


    • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴


    • Ϣʔβʔͷେྔొ࿥ରࡦͱͯ͠΋࢖ΘΕ͖ͯͨɻαʔϏεଆͷૹ৴ί
    ετɺ஗Ԇ΍ಧ͔ͳ͍ϦεΫͱ͍͏ϦεΫ΋ແࢹͰ͖ͳ͍ɻ
    11

    View full-size slide

  12. Email OTP - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗ (?)


    • Emailܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻


    • αʔϏε͸ొ࿥ࡁΈͷϝʔϧΞυϨεʹOTPΛૹ৴


    • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴
    12

    View full-size slide

  13. ೝূ༻ΞϓϦ - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗


    • ೝূ༻ͷ୺຤΍ϞόΠϧΞϓϦ΁ͷϓογϡ௨஌Λར༻


    • αʔϏε͸Ϣʔβʔʹඥ͚ͮΒΕͨ୺຤/ΞϓϦʹϓογϡ௨஌


    • Ϣʔβʔ͸୺຤/ΞϓϦͰϩάΠϯ͢Δ͜ͱΛڐՄ


    • MFAർ࿑߈ܸ(MFA fatigue attacks) ͕࿩୊ʹ
    13

    View full-size slide

  14. όοΫΞοϓίʔυ - Look-Up Secrets
    • ೝূཁૉ : ॴ༗


    • ͋Β͔͡ΊϢʔβʔʹ഑෍ͨ͠୯Ұ΋͘͠͸ෳ਺ͷจࣈྻΛར༻


    • SMS͕ड৴Ͱ͖ͳ͍


    • ೝূ༻ΞϓϦ͕ར༻Ͱ͖ͳ͍


    • 2ཁૉ/2ஈ֊ೝূΛઃఆ͢Δࡍʹ߹Θͤͯઃఆͤ͞Δͷ͕Ұൠత
    14

    View full-size slide

  15. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
    • Ϣʔβʔͷཁ݅


    • ύεϫʔυΛ๨Εͳ͍


    • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍


    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍


    • αʔϏεͷཁ݅


    • ύεϫʔυΛ҆શʹ؅ཧ͢Δ


    • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
    15
    ←ϑΟογϯάαΠτʹ


    ೖྗͯ͠͠·͏

    View full-size slide

  16. ϑΟογϯά߈ܸ
    • IPA ৘ใηΩϡϦςΟ10େڴҖ2023 ݸਓ޲͚1Ґ(2࿈೼த)


    • 2ஈ֊ೝূɺ2ཁૉೝূΛར༻ͯ͠΋ඃ֐ʹૺ͏Մೳੑ͕͋Δ


    • Adversary-in-the-MiddleʢAiTMʣ
    16
    ग़య : ৘ใηΩϡϦςΟ10େڴҖ 2023ɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ


    https://www.ipa.go.jp/security/vuln/10threats2023.html

    View full-size slide

  17. Adversary-in-the-
    MiddleʢAiTMʣ
    • ϑΟογϯάαΠτ͕தؒऀͱͳ
    Γਖ਼نͷαʔϏεʹϩάΠϯࢼߦ


    • ύεϫʔυ + SMS/Email OTP


    • ύεϫʔυ + ೝূΞϓϦ


    • ੒ޭ͢ΔͱϩάΠϯηογϣϯࣗ
    ମ(Cookie/Token)ΛऔಘՄೳ
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹ
    further
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-
    cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/

    View full-size slide

  18. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    18
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    example.com
    example.net

    View full-size slide

  19. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    19
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    example.com
    example.net

    View full-size slide

  20. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    20
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    example.com
    example.net

    View full-size slide

  21. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    21
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    50514.4051Λ
    ਖ਼نαʔϏεʹૹΔ
    example.com
    example.net

    View full-size slide

  22. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    22
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    50514.4051Λ
    ਖ਼نαʔϏεʹૹΔ
    ϩάΠϯηογϣϯΛ
    औಘՄೳ
    example.com
    example.net

    View full-size slide

  23. Ϣʔβʔ/αʔϏε͕ͱΕΔϑΟογϯάରࡦ
    • Ϣʔβʔ͕ύεϫʔυϚωʔδϟʔͷར༻ : ύεϫʔυ΍TOTPઃఆΛ
    ΦϦδϯ(υϝΠϯ)ͱඥ෇͚ͯ؅ཧ͠ɺҰக͍ͯ͠Δ΋ͷ͕ϑΥʔϜ
    ೖྗ࣌ʹબ୒Մೳ


    • αʔϏε͕WebOTPͷ࠾༻ : ૹ৴ͨ͠SMSϝοηʔδʹؚ·ΕΔΦϦ
    δϯ(υϝΠϯ)ͱOTPͷೖྗΛଅ͍ͯ͠ΔURL͕Ұக͍ͯ͠Ε͹ड৴
    ͨ͠SMSʹؚ·ΕΔOTPͷ஋͕ϑΥʔϜʹࣗಈೖྗ
    23

    View full-size slide

  24. ύεϫʔυϚωʔδϟʔʹΑΔରࡦ
    24
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ਖ਼نαʔϏεͷύεϫʔυ͕
    ϑΟογϯάαʔϏεʹ͸ఏҊ͞Εͳ͍
    example.com
    example.net

    View full-size slide

  25. WebOTPʹΑΔରࡦ
    25
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    ϑΟογϯάαʔϏεʹ͸051ࣗಈೖྗ͕ߦΘΕͳ͍
    example.com
    example.net

    View full-size slide

  26. • ೝূཁૉ : ॴ༗


    • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
    ূΛར༻


    • ηΩϡϦςΟΩʔΛࢦ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩͰར༻Մೳ


    • ύεϫʔυೝূͱ૊Έ߹Θͤͨ2ஈ֊ೝূͰͷར༻͕޿·ͬͨ
    26
    FIDO w/ User Presence


    - Single-Factor Cryptographic Device/Software

    View full-size slide

  27. FIDO w/ User Veri
    fi
    cation


    - Multi-Factor Cryptographic Software/Device
    • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ


    • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
    ূ ͱ ϩοΫղআͳͲͰ࢖ΘΕΔϩʔΧϧೝূ ͷ૊Έ߹Θͤ


    • ηΩϡϦςΟΩʔ + PIN


    • εϚʔτϑΥϯ / PC + ը໘ϩοΫղআ
    27

    View full-size slide

  28. FIDOͷϑΟογϯά଱ੑ
    • WebAuthn : WebΞϓϦέʔγϣϯͰFIDOΛར༻͢ΔͨΊͷϒϥ΢
    βAPI


    • ར༻αʔϏε͸ࣗ਎ͷΦϦδϯ(υϝΠϯ)Λࢦఆ


    • ϒϥ΢β͸ͦͷ஋Λݕূͯ͠ෆҰகͷ৔߹͸ೝূෆՄೳ


    • ϑΟογϯάαΠτͱਖ਼نαʔϏε͕γεςϜతʹ۠ผ͞ΕΔ
    28

    View full-size slide

  29. FIDOͷϑΟογϯά଱ੑ
    29
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ
    example.net example.com

    View full-size slide

  30. FIDOͷϑΟογϯά଱ੑ
    30
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog


    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ
    example.net
    ϑΟογϯάαΠτʹਖ਼نαʔϏεͷೝূ৘ใ͸ૹΒΕͳ͍
    example.com

    View full-size slide

  31. FIDOͷ՝୊
    • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊


    • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨɺແͨ͘͠ɺ
    ങ͍ସ͑ͨ৔߹ʹอଘ͞Ε͍ͯΔ҉߸伴͕ར༻Ͱ͖ͳ͘ͳΓɺશͯ
    ͷαʔϏεͰ࠶ొ࿥͕ඞཁ


    • όοΫΞοϓ


    • ೝূڧ౓Λམͱͣ͞ɺϑΟογϯά଱ੑΛอͭʹ͸ෳ਺ͷ
    Authenticatorͷొ࿥͕ඞཁ
    31

    View full-size slide

  32. ύεΩʔͷಛ௃

    View full-size slide

  33. ύεΩʔ : FIDO multi-device credentials
    • 伴؅ཧΛσόΠε͔ΒϢʔβʔʹ


    • ϓϥοτϑΥʔϜϢʔβʔͱඥ෇͚ : Apple, Google, MS Account


    • ύεϫʔυϚωʔδϟʔ : 1Password(༧ఆ)


    • ͜Ε·ͰͷFIDOʹ͋ͬͨ伴؅ཧͷݎ࿚ੑ͸ࣦΘΕΔ͕ɺόοΫΞο
    ϓΛՄೳʹ͢Δ͜ͱͰ “ϑΟογϯά଱ੑΛ࣋ͪརศੑͷߴ͍ೝূํ
    ࣜ” ͱͯ͠ීٴΛૂ͏
    33

    View full-size slide

  34. ύεΩʔͷڍಈ : https://webauthn.io
    34
    • ύεΩʔͷొ࿥(ੜ੒) : ֬ೝը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ

    View full-size slide

  35. ύεΩʔͷڍಈ : https://webauthn.io
    35
    • ύεΩʔͰϩάΠϯ : ύεΩʔબ୒ը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ

    ผ୺຤͔Β΋
    ಉ༷ʹར༻Մೳ

    View full-size slide

  36. ରԠ؀ڥ
    • “ύεΩʔରԠ؀ڥ” ≠ “FIDO multi-device credentials” ʹ஫ҙ͕ඞཁ


    • ϓϥοτϑΥʔϜɺ୺຤ɺϒϥ΢βͷ૊Έ߹ΘͤͰڍಈ͕ܾ·Δ


    • ύεΩʔ͕ಉظ͞ΕΔ΋ͷ : Safari on MacOS/iOS/iPadOS,
    Android + Chrome/Firefox


    • ύεΩʔ͕ಉظ͞Εͳ͍΋ͷ : Chrome on MacOS…
    36

    View full-size slide

  37. “hybrid” transport
    • “ผ୺຤ͷύεΩʔΛར༻ͯ͠ϩάΠϯ” ͕ՄೳʹͳΔ࢓૊Έ


    • QRίʔυ + BLE Ͱ઀ଓͨ͠୺຤ͷύεΩʔΛར༻Մೳ
    37

    View full-size slide

  38. Conditional UI / Auto
    fi
    ll
    • Ϣʔβʔ໊/ϝʔϧΞυϨεೖྗϑΥʔϜʹར༻ՄೳͳύεΩʔ͕දࣔ
    ͞Εɺબ୒͢ΔͱύεΩʔͷೝূ͕࢝·Δ


    • طଘͷೝূํࣜͷUI͔Βͷ ”γϣʔτΧοτ” ͕Մೳ
    38

    View full-size slide

  39. ύεΩʔಋೖͷϙΠϯτ

    View full-size slide

  40. ύεΩʔಋೖʹΑΓ࣮ݱ͍ͨ͜͠ͱ
    • શମ/ಛఆϢʔβʔͷ҆શੑ޲্ʁ


    • ඞཁͳೝূڧ౓ɺରԠ؀ڥΛࡉ͔͘ҙࣝ͢Δඞཁ͋Γ


    • ೚ҙͰͷϑΟογϯά଱ੑͱརศੑ޲্ʁ


    • γϯϓϧʹೝূํࣜΛ”૿΍͢”ײ֮
    40

    View full-size slide

  41. ID࿈ܞͱͷؔ܎
    • ID࿈ܞΛఏڙ/ར༻͢ΔଆͦΕͧΕʹύεΩʔରԠͷϝϦοτ͕͋Δ


    • Identity Provider(IdP) : ύεΩʔʹରԠ͢Δ͜ͱͰ࿈ܞ͢ΔRP΋ͦ
    ͷԸܙΛड͚ΒΕΔ


    • Relying Party(RP) : IdPʹґଘ͠ͳ͍҆શੑͱརศੑͷߴ͍ೝূํࣜ
    Λར༻Մೳ
    41

    View full-size slide

  42. ಋೖύλʔϯ
    • ϝΠϯͷೝূํࣜͱͯ͠ಋೖɺಛఆػೳΛར༻͢ΔࡍʹඞਢԽ


    • Φϓγϣφϧͳೝূํࣜͱͯ͠ಋೖ


    • ௚઀ಋೖ͸͠ͳ͍͕ɺಋೖ͍ͯ͠ΔIdPͱID࿈ܞ


    • OpenID ConnectͰ͸IdPͰ࣮ࢪͨ͠ೝূํࣜͷछྨɺಛ௃Λ఻ୡ
    ͢Δύϥϝʔλ͕͋Δ
    42

    View full-size slide

  43. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ύεΩʔͷొ࿥
    • ͍ͭొ࿥ΛٻΊΔ͔


    • Ϣʔβʔͷ৽نొ࿥ͷࡍʹཁٻʁಛఆػೳΛ࢖͏࣌ʁ೚ҙʁ


    • ొ࿥࣌ͷೝূڧ౓


    • ॳճ͸ݱঢ়औΓ͏ΔೝূํࣜΛཁٻ͔ͯ͠Βʁ


    • 2ͭ໨Ҏ߱͸طʹొ࿥ࡁΈͷύεΩʔͰͷೝূΛٻΊΔʁ


    • ೝূڧ౓ʹറΓ͕ͳ͍ͳΒͦͷ··ʁ
    43

    View full-size slide

  44. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϩάΠϯ
    • ύεΩʔ͕ಉظ͞Ε͍ͯͳ͍؀ڥ


    • ผ୺຤ͰͷύεΩʔΛར༻ʁ : “hybrid transport”


    • ೝূڧ౓Λམͱͤͳ͍ͷͰͦͷ؀ڥͰ͸ར༻ෆՄೳʁ


    • ೚ҙͷಋೖͳͷͰผͷೝূํࣜΛར༻ʁ
    44

    View full-size slide

  45. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ࠶ೝূ
    • ༗ޮظݶ੾Εɺॏཁͳॲཧͷલʹ࠶ೝূΛඞཁͱ͢Δ͔


    • ࠷ऴϩάΠϯ͔ΒҰఆظؒܦͬͨΒύεΩʔʹΑΔ࠶ೝূΛཁٻʁ


    • ॏཁͳॲཧͷલʹ͸ຖճɺύεΩʔʹΑΔ࠶ೝূΛཁٻʁ


    • ύεΩʔͰ࠶ೝূͨ͠ΒҰఆظؒ͸࠶ೝূ͕লུʁ


    • ࠶ೝূ͕ඞཁͱͳΔΑ͏ͳॲཧ͸ଘࡏ͠ͳ͍͠ɺ༗ޮظݶ੾Εͷ৔
    ߹͸ϩάΞ΢τঢ়ଶͱͯ͠ѻ͏ʁ
    45

    View full-size slide

  46. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϦΧόϦʔ
    • ύεΩʔ͕࢖͑ͳ͍ঢ়گʹ͓͍ͯɺϢʔβʔʹԿΛཁٻ͠ɺԿΛ෮چ
    ͢Δ͔


    • ໰͍߹Θ͔ͤΒͷKYCͳͲͰϢʔβʔΛ֬ೝ͠ɺ࠶౓ύεΩʔΛొ
    ࿥ͤ͞Δʁ


    • ผͷೝূํࣜΛ࢖͍ɺύεΩʔΛ࠶౓ొ࿥ʁ
    46

    View full-size slide

  47. ·ͱΊ
    • ݱঢ়࢖ΘΕ͍ͯΔϢʔβʔೝূํࣜͰ͸ϑΟογϯά଱ੑ͕՝୊


    • ύεΩʔ͸FIDO(WebAuthn)ͷϑΟογϯά଱ੑɺϩʔΧϧೝূͷར
    ศੑΛอͪͭͭɺϦΧόϦʔͷ՝୊Λվળͨ͠࢓૊Έ


    • ύεΩʔͷಋೖύλʔϯɺಋೖʹ͋ͨΓߟྀ͢΂͖ϙΠϯτ͕͋Δ
    48

    View full-size slide

  48. ׬


    ҙݟɺײ૝ɺ࣭໰


    ͓଴͓ͪͯ͠Γ·͢ɻ

    View full-size slide