様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023

Transcript

1. Use Cases of 'Passkey' and the Challenges in UX ༷ʑͳϢʔεέʔεʹར༻Ͱ͖Δ

   "ύεΩʔ" ͷ ಋೖࣄྫͷ঺հͱUXͷ՝୊ղઆ Ryo Ito (@ritou) DroidKaigi 2023ʢ2023/09/15 15:00-15:40ʣ

2. Ryo Ito (@ritou) • Engineer at MIXI, Inc. • Evangelist

   at OpenID Foundation Japan 2

3. Today’s GOAL To understand: • The overview of Passkey •

   Two typical use cases of Passkey and their required features • UX challenges when introducing Passkey into consumer services • The relationship between Passkey and ID Federation 3

4. Overview

5. Rough Overview of User Authentication • Password authentication is vulnerable

   • Generation of hard-to-guess strings • Memorization of multiple passwords • Countermeasures against phishing • Risks of leaks from services and secondary damage • Passkey authentication solves these challenges 5

6. The Current Status of User Authentication • Human-managed credential management

   is vulnerable • System-managed credential management is required • Use of a password manager solves most problems, but it's dif fi cult to make it mandatory • Passkey assumes system-managed credential management and can enforce it on users 6

7. FIDO, FIDO2, Passkey • FIDO • Security Using Public Key

   Cryptography • Usability Using Local Authentication 7

8. FIDO, FIDO2, Passkey • FIDO • Security Using Public Key

   Cryptography • Usability Using Local Authentication 8

9. FIDO, FIDO2, Passkey • FIDO2 • WebAuthn API + CTAP

   for Web Application • Phishing Resistance Through Browser Mediation 9

10. FIDO, FIDO2, Passkey • Passkey : FIDO Credentials for Password-less

    Authentication • Device-bounded credentials + Multi-device credentials • Device-bounded : Security Key, Platform Authenticator without key synchronization • Platform Authenticator with key synchronization in Platform Account • External Password Manager 10

11. FIDO, FIDO2, Passkey • Passkey : FIDO Credentials for Password-less

    Authentication • Device-bounded credentials + Multi-device credentials • Device-bounded : Security Key, Platform Authenticator without key synchronization • Platform Authenticator with key synchronization in Platform Account • External Password Manager 11

12. Passkey on 1Password 12

13. Use Cases

14. Use Cases • SignIn: Primary or optional authentication methods •

    Re-Authentication 14

15. Identi fi er fi rst SignIn @ Yahoo! JAPAN 15

16. Identi fi er fi rst SignIn • Service fi rst

    identi fi es user and requires authentication if Passkey is available • Note that having Passkey registered does not mean that Passkey is available 16

17. One button SignIn @ GitHub 17

18. One button SignIn • When the user clicks the button,

    the service requests authentication with an available Passkey • In the browser dialog, the user selects a Passkey to use, or uses another device's Passkey 18

19. Auto fi ll (Conditional UI) @ MIXI M 19

20. Auto fi ll (Conditional UI) @ Money Forward ID 20

21. Auto fi ll (Conditional UI) • Browser displays the available

    Passkeys near the HTML input form or when focused, and the user selects from them or uses another device's Passkey • Passkey available with the same UX as password suggestions by Password Manager 21

22. Hybrid transport @ MIXI M 22

23. Hybrid transport • If the device requesting authentication and a

    nearby mobile device are connected via BLE, the mobile device's Passkey can be used • A UX that requires multiple Hybrid fl ows is too bad. It is also important to seamlessly require Passkey registration for each device 23

24. Use Cases • SignIn: Primary or optional authentication methods •

    Re-Authentication 24

25. Re-Authentication @ MIXI M, GitHub 25

26. Re-Authentication • To protect speci fi c services • Credential

    Management • Personal Information Management • Payment services • Fine-tuned Session Management • Expired Session • High-risk environment • Credential updated in another session • Low AAL(Authentication Assurance Level) 26

27. Related Features • SignIn • Passkey registration promotion after successful

    non-Passkey login • SignUp • Create Account with passkey • Credential Management • Promote passkey • Create, Update(passkey’s name), Revoke • Account Recovery • Passkey registration promotion after recovery password 27

28. Passkey for Native App

29. Native Support or Web Application integration • Native Support •

    Utilizing functions/libraries provided for app developers from each platform • https://developer.android.com/training/sign-in/passkeys • Native apps can provide a similar UX using the same credentials as web apps • https://developer.android.com/design/ui/mobile/guides/patterns/passkeys • Web Application integration • Requesting passkey authentication in web browser • Dependent on browser usage patterns and support status 29

30. Android & Passkey : SignUp 30

31. Android & Passkey : SignIn 31

32. Android & Passkey : Credential Management 32

33. Android & Passkey : Account Recovery 33

34. Native Support or Web Application integration • Native Support •

    Utilizing functions/libraries provided for app developers from each platform • Native apps can provide a similar UX using the same credentials as web apps • Web Application integration • Requesting passkey authentication in web browser • Dependent on browser usage patterns and support status 34

35. Challenges of Passkey

36. Challenges for registration • User Veri fi cation at passkey

    registration • More seamless Passkey registration is required (so that Google automatically generates a passkey when you log in to your Android device) 36

37. Challenges for Authentication • Unfriendly error screen "No passkey available."

    • It is the RP that needs this error • One-way Hybrid Transport • Fallback authentication method required 37

38. Challenges for Recovery • Best practices for passkey recovery •

    Two passkey registrations are dif fi cult • Self-recovery through eKYC and ID Federation 38

39. Challenges for Credential Management • Delete and update passkeys synchronized

    with Authenticator and RP • Unavailable passkey listed in Auto fi ll • Username not synchronized 39

40. Passkey and ID Federation

41. Features of ID Federation • Simpli fi ed new account

    registration • Achieves a single sign-on-like user experience (UX) in authentication • Shares attribute information of the IdP account with the Relying Party (RP) under appropriate consent (such as pro fi le information, email, etc.) 41

42. Weaknesses of ID Federation • Services and users who do

    not want to use a speci fi c IdP and wish to avoid privacy issues that could arise from consolidating identities • Impact when the IdP account is unavailable (due to outages or account BAN) • Re-authentication requirements are de fi ned in speci fi cations, but are rarely implemented in toC IdPs 42

43. Passkey without ID Federation • Implementing secure and convenient authentication

    equivalent to IdP • Avoiding privacy issues by not integrating with IdP 43

44. Passkey @ Identity Provider • Protecting high-value accounts • Providing

    security and convenience to RP”s” 44

45. Passkey @ Relying Party • Applying Passkeys to the weaknesses

    of ID Federation • Alternative measures when Federation is unavailable • Re-authentication • Applying ID Federation to the weaknesses of Passkeys • Federation w/ Platform Accounts as a recovery method for Passkeys 45

46. Passkey @ Relying Party • Applying Passkeys to the weaknesses

    of ID Federation • Alternative measures when Federation is unavailable • Re-authentication • Applying ID Federation to the weaknesses of Passkeys • Federation w/ Platform Accounts as a recovery method for Passkeys 46

47. Conclusion

48. Overview Passkey is a mechanism that allows users to manage

    their FIDO credentials through the system. It offers the security of public key cryptography along with the convenience of local authentication, and it is evolving to support cross-device and cross-platform use. 48

49. Use Cases • For the sign-in UX, the service needs

    to choose from several patterns to match the existing sign-in UX. • Passkey can be used for re-authentication to protect speci fi c functions and for fi ne-tuned session management. 49

50. Challenges of Passkey • For Passkey to be widely adopted,

    it needs to be easier and less stressful to register. • For users who are not familiar with Passkey, it's essential to reduce error messages and guide them toward fallback options or recovery methods. • Information that might be changed, like usernames, should be simultaneously updated in both the RP and the Authenticator, and unnecessary Passkeys should be deleted at the same time. 50

51. Passkey and ID Federation • IdP can increase the security

    and convenience of federated RPs by using Passkey. • RP combines ID federation and Passkey to compensate for each other's weaknesses. 51

52. Any Questions? Ask the Speaker or mention to @ritou at

    X 52