Introduction of adoption cases of "passkeys", usable in a variety of use cases, and explanation of UX challenges @ DroidKaigi 2023

ritou
September 15, 2023

Presentation materials for the event below.
https://2023.droidkaigi.jp/timetable/493289/

Transcript

  1. Use Cases of 'Passkey' and the Challenges in UX
    (Japanese title: Introduction of adoption cases of "passkeys", usable in a variety of use cases, and explanation of UX challenges)
    Ryo Ito (@ritou)
    DroidKaigi 2023 (2023/09/15 15:00-15:40)

  2. Ryo Ito (@ritou)
    • Engineer at MIXI, Inc.
    • Evangelist at OpenID Foundation Japan

  3. Today’s GOAL
    To understand:
    • The overview of Passkey
    • Two typical use cases of Passkey and their required features
    • UX challenges when introducing Passkey into consumer services
    • The relationship between Passkey and ID Federation

  4. Overview

  5. Rough Overview of User Authentication
    • Password authentication is vulnerable
      • Generation of hard-to-guess strings
      • Memorization of multiple passwords
      • Countermeasures against phishing
      • Risks of leaks from services and secondary damage
    • Passkey authentication solves these challenges

  6. The Current Status of User Authentication
    • Human-managed credential management is vulnerable
    • System-managed credential management is required
      • Use of a password manager solves most problems, but it's difficult to make it mandatory
      • Passkey assumes system-managed credential management and can enforce it on users

  7. FIDO, FIDO2, Passkey
    • FIDO
      • Security Using Public Key Cryptography
      • Usability Using Local Authentication

  9. FIDO, FIDO2, Passkey
    • FIDO2
      • WebAuthn API + CTAP for Web Applications
      • Phishing Resistance Through Browser Mediation

  10. FIDO, FIDO2, Passkey
    • Passkey: FIDO Credentials for Password-less Authentication
    • Device-bound credentials + Multi-device credentials
      • Device-bound: Security Key, Platform Authenticator without key synchronization
      • Platform Authenticator with key synchronization in a Platform Account
      • External Password Manager

  12. Passkey on 1Password

  13. Use Cases

  14. Use Cases
    • SignIn: Primary or optional authentication method
    • Re-Authentication

  15. Identifier-first SignIn @ Yahoo! JAPAN

  16. Identifier-first SignIn
    • The service first identifies the user and requires authentication if Passkey is available
    • Note that having a Passkey registered does not mean that the Passkey is available

  17. One button SignIn @ GitHub

  18. One button SignIn
    • When the user clicks the button, the service requests authentication with an available Passkey
    • In the browser dialog, the user selects a Passkey to use, or uses another device's Passkey

  19. Autofill (Conditional UI) @ MIXI M

  20. Autofill (Conditional UI) @ Money Forward ID

  21. Autofill (Conditional UI)
    • The browser displays the available Passkeys near the HTML input form or when it is focused, and the user selects from them or uses another device's Passkey
    • Passkey is available with the same UX as password suggestions by a Password Manager
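
The three sign-in patterns on slides 16, 18 and 21 share one browser-side WebAuthn request. The following added example (not code from the talk or from any of the services shown) builds that request for each pattern and shows the hand-over from the autofill (conditional) request to a modal one; buildGetOptions, PasskeySignIn and the sample challenge and rpId are assumptions.

```javascript
// Added example, not from the deck. Names are assumptions, not a library API.
const toBytes = (s) => new TextEncoder().encode(s);

// pattern: "autofill" (conditional UI next to <input autocomplete="username webauthn">),
// "button" (modal dialog, user not yet known) or "identifier-first" (user already
// identified, so allowCredentials lists the passkeys the RP has on file for them).
// A registered passkey may still be unavailable on this device (slide 16), so the
// caller must keep a fallback path in every pattern.
function buildGetOptions(pattern, { challenge, rpId, userCredentials = [] }) {
  const discoverable = pattern !== "identifier-first";
  const publicKey = {
    challenge: toBytes(challenge),      // fresh, server-generated per request
    rpId,
    userVerification: "required",       // local authentication (PIN / biometric)
    allowCredentials: discoverable ? [] : userCredentials.map((c) => ({
      type: "public-key", id: c.id, transports: c.transports,
    })),
  };
  return pattern === "autofill" ? { publicKey, mediation: "conditional" } : { publicKey };
}

// Only one WebAuthn request may be pending per page: the conditional request
// started on page load must be aborted before a modal (button / identifier-first)
// request is issued, otherwise the modal request fails.
class PasskeySignIn {
  constructor(credentials = globalThis.navigator?.credentials) {
    this.credentials = credentials;   // undefined outside a browser
    this.pending = null;              // AbortController of the in-flight request
  }
  async start(pattern, params) {
    if (this.pending) this.pending.abort();
    const controller = new AbortController();
    this.pending = controller;
    const options = { ...buildGetOptions(pattern, params), signal: controller.signal };
    if (!this.credentials) return { options, assertion: null, fallback: true };
    try {
      return { options, assertion: await this.credentials.get(options), fallback: false };
    } catch (e) {
      // NotAllowedError covers user cancel and "no passkey available" (slide 37);
      // AbortError means we superseded the request. Both mean: offer the
      // fallback method instead of a dead-end error screen.
      if (e.name === "NotAllowedError" || e.name === "AbortError") {
        return { options, assertion: null, fallback: true };
      }
      throw e;
    } finally {
      if (this.pending === controller) this.pending = null;
    }
  }
}
```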

  22. Hybrid transport @ MIXI M

  23. Hybrid transport
    • If the device requesting authentication and a nearby mobile device are connected via BLE, the mobile device's Passkey can be used
    • A UX that requires repeated hybrid flows is poor. It is also important to seamlessly require Passkey registration for each device

  24. Use Cases
    • SignIn: Primary or optional authentication method
    • Re-Authentication

  25. Re-Authentication @ MIXI M, GitHub

  26. Re-Authentication
    • To protect specific services
      • Credential Management
      • Personal Information Management
      • Payment services
    • Fine-tuned Session Management
      • Expired Session
      • High-risk environment
      • Credential updated in another session
      • Low AAL (Authentication Assurance Level)
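
An added example (not from the deck) of an RP-side policy covering the four session-management triggers listed above; reauthReason, applyPasskeyReauth, the session field names and the thresholds are assumptions, and treating a user-verified passkey assertion as AAL2 is an assumed mapping.

```javascript
// Added example, not from the deck. Field names and thresholds are assumptions.
const SESSION_MAX_AGE_SEC = 12 * 60 * 60;   // whole-session lifetime
const PROTECTED_FRESHNESS_SEC = 5 * 60;     // recent auth needed for protected functions
const PROTECTED_PATHS = new Set(["/settings/credentials", "/settings/profile", "/payment"]);
const PASSKEY_AAL = 2;   // assumed: passkey assertion with user verification counts as AAL2

// session: { authenticatedAt (epoch s), aal (1..3), credentialVersion }
// account: { credentialVersion } - bumped whenever a credential is created or
//          revoked, so sessions issued before the change can be detected
// request: { path, now (epoch s), riskScore (0..1 from device/network signals) }
// Returns the reason re-authentication is needed, or null.
function reauthReason(session, account, request) {
  const age = request.now - session.authenticatedAt;
  if (age > SESSION_MAX_AGE_SEC) return "expired_session";
  if (session.credentialVersion !== account.credentialVersion) return "credential_updated";
  if (request.riskScore >= 0.8) return "high_risk_environment";
  if (PROTECTED_PATHS.has(request.path)) {
    if (session.aal < PASSKEY_AAL) return "low_aal";   // e.g. password-only session
    if (age > PROTECTED_FRESHNESS_SEC) return "stale_for_protected_function";
  }
  return null;
}

// After a successful passkey assertion, refresh the session so the checks above
// pass again. The assertion must carry the user-verified flag; a UV-less
// assertion does not raise the AAL.
function applyPasskeyReauth(session, account, now, userVerified) {
  if (!userVerified) throw new Error("re-authentication requires user verification");
  return {
    ...session,
    authenticatedAt: now,
    aal: Math.max(session.aal, PASSKEY_AAL),
    credentialVersion: account.credentialVersion,
  };
}
```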

  27. Related Features
    • SignIn
      • Passkey registration promotion after successful non-Passkey login
    • SignUp
      • Create account with passkey
    • Credential Management
      • Promote passkey
      • Create, Update (passkey’s name), Revoke
    • Account Recovery
      • Passkey registration promotion after recovery by password

  28. Passkey for Native App

  29. Native Support or Web Application integration
    • Native Support
      • Using the functions/libraries each platform provides for app developers
        • https://developer.android.com/training/sign-in/passkeys
      • Native apps can provide a similar UX using the same credentials as web apps
        • https://developer.android.com/design/ui/mobile/guides/patterns/passkeys
    • Web Application integration
      • Requesting passkey authentication in a web browser
      • Dependent on browser usage patterns and support status

  30. Android & Passkey : SignUp

  31. Android & Passkey : SignIn

  32. Android & Passkey : Credential Management

  33. Android & Passkey : Account Recovery

  35. Challenges of Passkey

  36. Challenges for registration
    • User Verification at passkey registration
    • More seamless Passkey registration is required (as when Google automatically generates a passkey when you sign in to your Android device)

  37. Challenges for Authentication
    • Unfriendly error screen "No passkey available."
      • It is the RP that needs this error
    • One-way Hybrid Transport
    • Fallback authentication method required

  38. Challenges for Recovery
    • Best practices for passkey recovery
      • Two passkey registrations are difficult
      • Self-recovery through eKYC and ID Federation

  39. Challenges for Credential Management
    • Deleting and updating passkeys in sync between the Authenticator and the RP
      • Unavailable passkey listed in Autofill
      • Username not synchronized
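
One way to close the three synchronization gaps above, as an added example that is not from the deck: the WebAuthn Signal API (PublicKeyCredential.signalUnknownCredential, signalAllAcceptedCredentials and signalCurrentUserDetails), which browsers shipped after this talk was given; planCredentialSignals, sendCredentialSignals and the user record shape are assumptions, and credential and user IDs are assumed to be stored as base64url strings.

```javascript
// Added example, not from the deck. Helper names and the record shape are assumptions.
// user: { id, name, displayName, credentials: [{ id }] }   (ids are base64url strings)
// Returns [methodName, payload] pairs for the RP to send after a sign-in attempt
// or a change in credential management:
//  - the presented credential is unknown to the RP (deleted on the RP side)
//    -> signalUnknownCredential, so the authenticator can drop it from autofill
//  - otherwise -> signalAllAcceptedCredentials with the RP's current list, so
//    passkeys revoked on the RP are removed on the authenticator as well
//  - the username changed on the RP -> signalCurrentUserDetails
function planCredentialSignals({ rpId, user, presentedCredentialId = null, nameChanged = false }) {
  const knownIds = user.credentials.map((c) => c.id);
  if (presentedCredentialId && !knownIds.includes(presentedCredentialId)) {
    // No user context for an unknown credential: signal only that one id.
    return [["signalUnknownCredential", { rpId, credentialId: presentedCredentialId }]];
  }
  const signals = [["signalAllAcceptedCredentials",
    { rpId, userId: user.id, allAcceptedCredentialIds: knownIds }]];
  if (nameChanged) {
    signals.push(["signalCurrentUserDetails",
      { rpId, userId: user.id, name: user.name, displayName: user.displayName }]);
  }
  return signals;
}

// Sends the planned signals in the browser; rpId must match the page's origin.
// Resolves to the number of signals actually sent (0 where the API is missing,
// so the RP keeps working in browsers that predate the Signal API).
async function sendCredentialSignals(plan, api = globalThis.PublicKeyCredential) {
  let sent = 0;
  for (const [method, payload] of plan) {
    if (typeof api?.[method] !== "function") continue;
    await api[method](payload);
    sent += 1;
  }
  return sent;
}
```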

  40. Passkey and ID Federation

  41. Features of ID Federation
    • Simplified new account registration
    • Achieves a single sign-on-like user experience (UX) in authentication
    • Shares attribute information of the IdP account with the Relying Party (RP) under appropriate consent (such as profile information, email, etc.)

  42. Weaknesses of ID Federation
    • Services and users who do not want to use a specific IdP and wish to avoid privacy issues that could arise from consolidating identities
    • Impact when the IdP account is unavailable (due to outages or account BAN)
    • Re-authentication requirements are defined in specifications, but are rarely implemented in toC IdPs

  43. Passkey without ID Federation
    • Implementing secure and convenient authentication equivalent to an IdP
    • Avoiding privacy issues by not integrating with an IdP

  44. Passkey @ Identity Provider
    • Protecting high-value accounts
    • Providing security and convenience to RPs

  45. Passkey @ Relying Party
    • Applying Passkeys to the weaknesses of ID Federation
      • Alternative measures when Federation is unavailable
      • Re-authentication
    • Applying ID Federation to the weaknesses of Passkeys
      • Federation w/ Platform Accounts as a recovery method for Passkeys

  47. Conclusion

  48. Overview
    Passkey is a mechanism that allows users to manage their FIDO credentials through the system. It offers the security of public key cryptography along with the convenience of local authentication, and it is evolving to support cross-device and cross-platform use.

  49. Use Cases
    • For the sign-in UX, the service needs to choose from several patterns to match the existing sign-in UX.
    • Passkey can be used for re-authentication to protect specific functions and for fine-tuned session management.

  50. Challenges of Passkey
    • For Passkey to be widely adopted, it needs to be easier and less stressful to register.
    • For users who are not familiar with Passkey, it's essential to reduce error messages and guide them toward fallback options or recovery methods.
    • Information that might be changed, like usernames, should be simultaneously updated in both the RP and the Authenticator, and unnecessary Passkeys should be deleted at the same time.

  51. Passkey and ID Federation
    • An IdP can increase the security and convenience of federated RPs by using Passkey.
    • An RP combines ID federation and Passkey to compensate for each other's weaknesses.

  52. Any Questions?
    Ask the Speaker
    or
    mention @ritou on X