Passkeys, FIDO2, WebAuthn… What does it all mean?

Transcript

1. Dan Jenkins, TADSummit, Oct 2023 Passkeys, FIDO2, WebAuthn… What does

   it all mean?

2. First, a Little About Me

3. • Founder of Everycast Labs, Nimble Ape • Creator of

   CommCon • Was the fi rst "Google Developer Expert" in WebRTC • Loves LEGO • Loves Real-Time Media • Loves developing for "the web" • @dan_jenkins / @[email protected] Dan Jenkins

4. • Real-Time Communication consultancy • Based in the UK •

   Work with Open Source Real-Time Comms • VoIP, WebRTC, Broadcast • Got a problem you want help with? Let us know • [email protected] Nimble Ape

5. • Creators of Broadcast Bridge • A Platform as a

   Service for bringing in remote talent into production AV work fl ows • We work with WebRTC / SRT / NDI / Decklink & AJA cards. • Bridging Real-Time Comms with the "Broadcast" industry is fun! • [email protected] Everycast Labs

6. • Residential Event in the UK for "Open Media" -

   Real-Time or not • Everyone stays in the same hotel • Top quality production values • 5 Years worth of content on our YouTube Channel • commcon.xyz • (currently looking for sponsorship to make 2024 happen, let us know if you're interested) CommCon

7. Passkeys, FIDO2, WebAuthn… What does it all mean?

8. Firstly...

9. Who here knows someone that writes their passwords in a

   book?

10. Or re-uses passwords across websites?

11. Even though you've tried to help them do better multiple

    times?

12. Everyone.

13. Everyone Knows Someone.

14. I Want You To Think About That Throughout This Talk.

15. Secondly...

16. What is 2FA?

17. Typically It's a Username/ Password Plus Something Else.

18. Something You Know: This Could Be a Personal Identification Number

    (PIN), a Password, Answers to “Secret Questions” or a Specific Keystroke Pattern Something You Have: Typically, a User Would Have Something in Their Possession, Like a Credit Card, a Smartphone, or a Small Hardware Token Something You Are: This Category Is a Little More Advanced, and Might Include Biometric Pattern of a Fingerprint, an Iris Scan, or a Voice Print https://authy.com/what-is-2fa/

19. 2FA Is Amazing

20. But 2FA Is a Pain Too

21. Ranging From Downright Terrible

22. A real attempt yesterday

23. To Absolutely Fantastic

24. Yubikey USB-C Bio

25. But It's Not Necessarily 100% Accessible

26. 2FA Is a Necessity

27. We Have So Many Ways To Protect Ourselves

28. Anything Is Better Than Nothing

29. Except SMS...

30. Never Use SMS.

31. 2FA Options • SMS (Please... don't) • TOTP (codes in

    an app) • WebAuthn / FIDO (security keys) • App based Push Noti fi cations • Voice based codes

32. And Now Passkeys

33. But Dan...

34. What's FIDO2?

35. What's WebAuthn?

36. In Short... FIDO2 Is a Specifiction on "How" To Do

    the Security With Devices WebAuthn Enables the Web Browsers To Use Those Standards

37. So What Are Passkeys?

38. And Are They our Saviour?

39. None

40. What if I Said That We've Actually Had Passkeys for

    Many Years?

41. A Passkey Is a FIDO2 Private Key

42. None

43. That's Right...

44. We've Been Using Passkeys for Years!

45. Passkeys Are Just FIDO Credentials.

46. Let's Take a Look at What Goes Into Making One...

47. https://www.passkeys.io/

48. Ultimately a Public & Private Key Combo Is Made.

49. That Public Key Is Stored on the Server Instead of

    a Password.

50. Passkeys Are Passwordless

51. The Key Thing About Passkeys Is...

52. They Replace Passwords.

53. So if They Replace Passwords...

54. Are They Really 2FA?

55. NO!

56. Or... I Don't Believe They Are.

57. Something You Know: This Could Be a Personal Identification Number

    (PIN), a Password, Answers to “Secret Questions” or a Specific Keystroke Pattern Something You Have: Typically, a User Would Have Something in Their Possession, Like a Credit Card, a Smartphone, or a Small Hardware Token Something You Are: This Category Is a Little More Advanced, and Might Include Biometric Pattern of a Fingerprint, an Iris Scan, or a Voice Print 2FA =

58. The "Thing" Can't Be the First Thing.

59. You Used To Know Your Password...

60. You Don't Know What Your Public Key Is.

61. What's So Exciting About Passkeys Then?

62. Quite Simply...

63. Passkeys Are More Secure Than Passwords.

64. If a Server Doesn't Have any Passwords Stored...

65. There's Nothing to "Hack".

66. There's no Password To Go and Use Elsewhere

67. There's No- One to Social Engineer.

68. This Is Where I Realised...

69. We Aren't the Target Audience for Passkeys

70. None

71. Its Aimed at our Parents.

72. Our Grandparents

73. Our Co-Workers That Hate 2FA

74. You Know the Ones That Write Passwords on Bits of

    Paper...

75. We all Know Someone...

76. Because a Unique Public Key Is More Secure Than a

    Password Used Across *N Websites.

77. But Who Is Building With Passkeys?

78. Everyone.

79. passkeys.directory

80. Just This Week We Now Have GitHub & WhatsApp

81. None
82. None

83. Passkeys Have Really Picked Up Pace.

84. They're User Friendly...

85. They Sync With Your Other Devices Password managers are slowly

    getting there so you don't have to rely on Google or Apple

86. They're Simple.

87. They're Secure.

88. Even my Mum Could Use a Passkey.

89. Which Would Mean Throwing Away the Book of Passwords I

    Know She Has.

90. How on Earth Can We in Telecoms Make Use of

    Them?

91. I Don't Have the Answer.

92. But We Need To Figure Out if We Can.

93. October Is Cyber Security Awareness Month. https://www.gov.uk/government/publications/dsit-cyber-security-newsletter- october-2023/dsit-cyber-security-newsletter-october-2023

94. So Go Help Someone Become More Secure!

95. Or Go Add Passkey Support to Your "App"

96. For More Info Watch Chris Sherwood's Video on Passkeys! https://www.youtube.com/watch?v=FTweNDAc9Fs

97. There's Never a Better Time To Support Passkeys/ WebAuthn/FIDO!

98. Thanks!

99. Thanks! nimblea.pe everycastlabs.uk broadcastbridge.app commcon.xyz @dan_jenkins @[email protected]