
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless authentication by Cody Salas, Yubico

Passkeys: Developing APIs to enable passwordless authentication
Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)


Check out our conferences at https://www.apidays.global/



May 14, 2024



  1. © 2024 Yubico
     Passkeys: Developing APIs to enable passwordless authentication
     Cody Salas, Sr. Developer Advocate | Solutions Architect @ Yubico
     Apidays New York 2024
  2. © 2024 Yubico
     Passkeys at a glance
     • They are: a replacement for passwords; phishing-resistant
     • Identified with: a discoverable FIDO2 credential
     • Supported by: the FIDO2 standard (WebAuthn and CTAP2 specifications)
     • Available from: ubiquitous FIDO2-capable devices
  3. © 2024 Yubico
     Passwords vs Passkeys
     Password
     • String of characters
     • Single factor: something you know
     • Can be reused across multiple services
     Passkey
     • Cryptographic key pair
     • Multiple factors: something you have (device) + something you know (PIN) or something you are (biometric)
     • Origin-bound and unique to each service
  4. © 2024 Yubico
     Cryptographic key pairs (Alice and Bob)
     • Bob generates a key pair and holds the private key
     • Bob sends the public key to Alice
     • Alice encrypts a message with the public key
     • Alice sends the encrypted message to Bob
     • Bob decrypts the message with the private key
  5. © 2024 Yubico
     Cryptographic key pairs (Authenticator and Application)
     • The authenticator generates a passkey and holds the private key
     • The authenticator sends the public key to the application
     • The application issues an authentication challenge and sends it to the authenticator
     • The authenticator signs the challenge with the private key
     • The application verifies the challenge response
  6. © 2024 Yubico
     How it works
     Application (authenticating service) <-- WebAuthn --> Client (browser/platform) <-- CTAP2 --> External authenticator (security key / hardware token)
     FIDO2 Standard: WebAuthn and CTAP2 specification
     • Authentication standard
     • Hosted by the FIDO Alliance
     • Combination of: WebAuthn API + CTAP2 protocol
     • WebAuthn API – Browser API used to perform credential registration and authentication
     • CTAP2 – Protocol used by platforms to communicate with external authenticators
     The open FIDO2 standard allows all FIDO2-capable devices to be usable across every major browser, platform, and ecosystem
  7. © 2024 Yubico
     What is a relying party?
     • Responsible for issuing and validating registration and authentication challenges*
     • The RP sends reg/auth challenges to a client, which executes them against the WebAuthn API
     • The client returns the result of the WebAuthn call to the RP for processing
     • Can enforce policy-based rules against reg/auth requests
     • The purpose of the RP is to manage passkeys, not user information (that is the responsibility of the identity provider)
     *Unlike consuming a password, passkeys require a multi-step process
  8. © 2024 Yubico
     API endpoints: API method categories
     Registration (attestation)
     • POST /attestation/options – send the registration challenge (PublicKeyCredentialCreationOptions)
     • POST /attestation/result – receive the public key of the newly created passkey
     Authentication (assertion)
     • POST /assertion/options – send the authentication challenge (PublicKeyCredentialRequestOptions)
     • POST /assertion/result – receive the challenge signed by the passkey's private key
     Credential management
     • GET /user/credentials – allows a user to see the credentials associated with their account
     • DELETE /user/credentials/{id} – allows a user to remove a credential from their account
     • PUT /user/credentials/{id} – allows a user to change metadata for a specific credential (never the credential itself)
  9. © 2024 Yubico
     Registration flow: create a new passkey and register it to the RP
     Participants: Authenticator, Client, Relying party
     • Client: initialize the reg ceremony
     • Relying party: issue a reg challenge (/attestation/options)
     • Client: call WebAuthn API – attempt to create passkey
     • Authenticator: passkey created – return credential
     • Client: return response to relying party (/attestation/result)
     • Relying party: return registration result
  10. © 2024 Yubico
     Registration options
     Defined as PublicKeyCredentialCreationOptions in the WebAuthn spec
     Some fields are defined as an ArrayBuffer, but can be translated to b64 and b64url encoding:
     • challenge
     • user.id
     authenticatorSelection is used to define characteristics such as:
     • Should the credential be discoverable?
     • Should the user input a PIN/biometric when created?
     • Should only a specific modality be used?
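The client-side half of the registration flow from slides 8 to 10, as an added example that is not code from the deck or from the passkey-workshop project: it translates the base64url-encoded binary fields the RP returns from /attestation/options into the ArrayBuffers WebAuthn expects, and encodes the created credential back for /attestation/result. The endpoint paths are assumed to match slide 8 and the JSON field names to match the WebAuthn spec.

```javascript
// base64url string -> bytes (atob/btoa exist in browsers and Node 16+)
function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// ArrayBuffer or typed array -> base64url string (no padding)
function bytesToBase64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// JSON body from POST /attestation/options -> argument for navigator.credentials.create().
// Only the binary fields change; rp, pubKeyCredParams and authenticatorSelection pass through.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    user: { ...json.user, id: base64urlToBytes(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// PublicKeyCredential returned by create() -> JSON body for POST /attestation/result.
function toRegistrationResult(cred) {
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
      attestationObject: bytesToBase64url(cred.response.attestationObject),
    },
  };
}

// Browser entry point: the two round trips of the registration flow (assumes same-origin fetch).
async function registerPasskey() {
  const res = await fetch("/attestation/options", { method: "POST" });
  const options = toCreationOptions(await res.json());
  const cred = await navigator.credentials.create({ publicKey: options });
  return fetch("/attestation/result", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(toRegistrationResult(cred)),
  });
}
```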
  11. © 2024 Yubico
     Authentication flow: find a passkey and attempt to respond to the challenge from the RP
     Participants: Authenticator, Client, Relying party
     • Client: initialize the auth ceremony
     • Relying party: issue an auth challenge (/assertion/options)
     • Client: call WebAuthn API – attempt to find passkey
     • Authenticator: passkey found – return challenge response
     • Client: return response to relying party (/assertion/result)
     • Relying party: return authentication result
  12. © 2024 Yubico
     Authentication options
     Defined as PublicKeyCredentialRequestOptions in the WebAuthn spec
     • The rpId field is what helps ensure that the request is origin-bound
     • userVerification is used to denote whether a user should present a PIN or biometric during auth
     • timeout is primarily used by the RP to reject stale requests
  13. © 2024 Yubico
     SDKs and libraries
     • Don't attempt to build the WebAuthn RP logic and components on your own
     • There are numerous server-side libraries that can be used
     • Our example was built using Yubico's java-webauthn-server library: https://github.com/Yubico/java-webauthn-server
     • Other libraries can be found on community resources: https://passkeys.dev/docs/tools-libraries/libraries/
  14. © 2024 Yubico
     Resource summary
     Sample project
     • https://github.com/YubicoLabs/passkey-workshop
     Community resources
     • https://passkeys.dev
     • https://github.com/herrjemand/awesome-webauthn
     Don't forget to check out Yubico's Developer Program
     • https://developers.yubico.com
     • https://github.com/YubicoLabs