Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A passwordless future! Passkeys for Java Develo...

A passwordless future! Passkeys for Java Developers

Software technology has seen leaps and bounds, but we are still relying on passwords when it comes to authentication and security. Weak passwords remain one of the major causes of breaches and security incidents. WebAuthn, the Web Authentication standard, provides a robust framework for passwordless authentication on the web. By leveraging public key cryptography and a variety of authentication factors, including biometrics and hardware tokens, WebAuthn offers enhanced security while eliminating the vulnerabilities associated with traditional password-based systems.

In this talk, we will dive into the core concepts of WebAuthn, its architecture, key components, and underlying cryptographic principles. We will explore how Java developers can leverage WebAuthn's API to implement secure and user-friendly authentication mechanisms within their applications. We will also learn to use WebAuthn with Spring Security and external Identity providers. We will see practical examples and code snippets, demonstrating step-by-step integration of WebAuthn into Java-based web applications.

Deepu K Sasidharan

February 07, 2024
Tweet

More Decks by Deepu K Sasidharan

Other Decks in Programming

Transcript

  1. @oktaDev | @deepu105 | deepu.tech ➔ JHipster co-lead developer ➔

    Java Champion ➔ Creator of KDash, JDL Studio, JWT UI ➔ Developer Advocate @ Okta ➔ OSS aficionado, polyglot dev, author, speaker Hi, I’m Deepu K Sasidharan @[email protected] deepu.tech @deepu105 deepu05
  2. @oktaDev | @deepu105 | deepu.tech Roaming authenticators Removable device via

    USB, NFC, Bluetooth • Yubikey • Google Titan • Smartphones Platform authenticators Built into the device • TouchID • FaceID • Smartphone authenticators • Windows Hello
  3. @oktaDev | @deepu105 | deepu.tech == W3C standard WebAuthn is

    the standard that allows for passkeys implementation WebAuthn
  4. @oktaDev | @deepu105 | deepu.tech == Discoverable passwordless FIDO credentials

    It uses asymmetric public key cryptography Passkeys
  5. @oktaDev | @deepu105 | deepu.tech Passkeys Synced Device-bound • Private

    key synced between devices in same ecosystem and backed up to cloud • Better usability • One time enrollment • Can be restored on device loss or on new device • Less secure than device-bound passkeys • Private key stored only on the device • Not as convenient as synced passkeys • Each device needs enrollment • No recovery or backups • Most secure option
  6. @oktaDev | @deepu105 | deepu.tech Easier to maintain Not reusable

    & shareable* Breach resistant Remote attack resistant Phishing resistant Discoverable
  7. @oktaDev | @deepu105 | deepu.tech • OS/Browser support • Cloud

    vendor reliance • Enterprise use cases • Reset & recovery
  8. @oktaDev | @deepu105 | deepu.tech WebAuthn4j • FIDO2 conformant •

    Supports attestation validation • Supports all attestation formats • Suitable for relying party server implementation • Supports passkeys • Used by Keycloak and Spring Security • Kotlin friendly java-webauthn-server • Not 100% FIDO2 conformant • Supports attestation validation • All attestation formats not supported • Suitable for relying party server implementation • Supports passkeys • From Yubico
  9. @oktaDev | @deepu105 | deepu.tech Let’s see passkeys in action

    Spring Boot web app using Auth0 by Okta as IdP
  10. @oktaDev | @deepu105 | deepu.tech # Create a Spring Boot

    web app $ curl -G https://start.spring.io/starter.tgz \ -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf - # Add controller for @GetMapping("/") # Create an Auth0 account and configure tenant to enable passkeys # Login to the tenant $ auth0 login # Create an Auth0 app $ auth0 apps create \ /-name "Spring Boot Passkeys" \ /-description "Spring Boot Example" \ /-type regular \ /-callbacks http://localhost:8080/login/oauth2/code/okta \ /-logout-urls http://localhost:8080 \ /-reveal-secrets # Update OIDC credentials # Start the app $ ./gradlew bootRun a0.to/spring-passkey
  11. @oktaDev | @deepu105 | deepu.tech WebAuthn with Spring Security in

    action Spring Boot web app as a relying party server using WebAuthn4j
  12. @oktaDev | @deepu105 | deepu.tech WebAuthn4J Spring Security # Clone

    the repo $ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo # Start the app $ ./gradlew bootRun a0.to/spring-webauthn
  13. @oktaDev | @deepu105 | deepu.tech Passkeys • Implemented using WebAuthn

    and FIDO2 • Can be synced or device-bound • Discoverable credentials (Resident keys) • Can be used for account registration as first factor • Enrollment required only once for synced passkeys WebAuthn MFA • Implemented using WebAuthn and FIDO2 • Only device-bound • Non-Discoverable credentials • Can only be second factor after account registration with password • Enrollment required on each device
  14. @oktaDev | @deepu105 | deepu.tech Passkeys login challenge • Complete

    the challenge and visit our booth to win some cool prizes • Only for first 30 completed submissions a0.to/passkey-challenge
  15. Authorization Authentication Security Single Sign-On | Adaptive Multi-Factor Authentication |

    Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA How we can help: Try Free Today: Free Plan (forever) $0 Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required. Special Plans for Startups & Nonprofits Plans for Everyone B2C: your users are consumers B2B: your users are businesses or a mix of businesses and consumers Enterprise: Best for production applications that need to scale - Contact Us Make login our problem. Not yours. a0.to/plg_signup
  16. @oktaDev | @deepu105 | deepu.tech Thank You Subscribe to our

    newsletter a0.to/nl-signup/java Try our free Spring Boot + Passkeys workshop a0.to/spring-boot