
A passwordless future! Passkeys for Spring Developers

Deepu K Sasidharan

May 31, 2024


Transcript

  1. Hi, I'm Deepu K Sasidharan
     @oktaDev | @deepu105 | deepu.tech
     ➔ JHipster co-chair
     ➔ Java Champion
     ➔ Creator of KDash, JDL Studio, JWT UI
     ➔ OSS aficionado, polyglot dev, author, speaker
     ➔ Developer Advocate @ Okta
     deepu.tech | @deepu105 | deepu05
  2. Authenticator types
     Roaming authenticators: removable devices connected via USB, NFC or Bluetooth
     • YubiKey
     • Google Titan
     • Smartphones
     Platform authenticators: built into the device
     • Touch ID
     • Face ID
     • Smartphone authenticators
     • Windows Hello
  3. WebAuthn == W3C standard
     WebAuthn is the W3C standard that allows for passkeys implementation
  4. Passkeys == discoverable passwordless FIDO credentials
     They use asymmetric public key cryptography: the private key stays on the authenticator (or in its synced keychain), and the relying party stores only the public key
  5. Passkeys: synced vs device-bound
     Synced
     • Private key synced between devices in the same ecosystem and backed up to the cloud
     • Better usability
     • One-time enrollment
     • Can be restored on device loss or on a new device
     • Less secure than device-bound passkeys
     Device-bound
     • Private key stored only on the device
     • Not as convenient as synced passkeys
     • Each device needs enrollment
     • No recovery or backups
     • Most secure option
  6. Benefits
     • Easier to maintain
     • Not reusable & shareable*
     • Breach resistant
     • Remote attack resistant
     • Phishing resistant
     • Discoverable
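The phishing and breach resistance claimed above, and the asymmetric cryptography mentioned on slide 4, come down to what the relying party verifies before it accepts a login. The following is an added example, not code from the deck, from WebAuthn4j or from any other library: a relying party's assertion verification written against the plain JDK, with the authenticator simulated in-process so it runs offline. The class and method names, the RP id example.com, the origin https://example.com, the look-alike origin examp1e.com and the generated challenge are all assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;

// Added example, not the deck's or WebAuthn4j's code: the checks a relying party
// performs on a WebAuthn assertion, using only the JDK. The authenticator is
// simulated in-process so it runs offline; RP id and origin are assumed values.
public class PasskeyAssertionDemo {

    static final String RP_ID = "example.com";                   // assumed relying party id
    static final String EXPECTED_ORIGIN = "https://example.com"; // assumed web origin
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** What navigator.credentials.get() hands back to the server (credential id omitted). */
    record Assertion(byte[] authenticatorData, byte[] clientDataJSON, byte[] signature) {}

    static byte[] sha256(byte[] in) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }

    /** Simulated authenticator: builds authenticatorData and clientDataJSON, then signs them. */
    static Assertion simulateAuthenticator(PrivateKey key, String origin, byte[] challenge,
                                           int counter) throws GeneralSecurityException {
        ByteBuffer ad = ByteBuffer.allocate(37);
        ad.put(sha256(RP_ID.getBytes(StandardCharsets.UTF_8))); // rpIdHash, 32 bytes
        ad.put((byte) 0x05);                                      // flags: UP (bit 0) | UV (bit 2)
        ad.putInt(counter);                                       // signature counter, big-endian
        byte[] authData = ad.array();
        // In a real ceremony the browser, not page script, fills in type, challenge and origin.
        String clientData = "{\"type\":\"webauthn.get\",\"challenge\":\""
                + B64URL.encodeToString(challenge) + "\",\"origin\":\"" + origin + "\"}";
        byte[] clientDataJSON = clientData.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(authData);
        s.update(sha256(clientDataJSON)); // signed bytes = authenticatorData || SHA-256(clientDataJSON)
        return new Assertion(authData, clientDataJSON, s.sign());
    }

    /** Relying-party side. Returns the new counter to store, or throws on the first failed check. */
    static long verifyAssertion(Assertion a, PublicKey storedKey, byte[] expectedChallenge,
                                long storedCounter) throws GeneralSecurityException {
        String cd = new String(a.clientDataJSON(), StandardCharsets.UTF_8);
        // 1. Ceremony type, challenge and origin come first; a wrong origin means a phishing page.
        require("webauthn.get".equals(jsonString(cd, "type")), "wrong ceremony type");
        require(B64URL.encodeToString(expectedChallenge).equals(jsonString(cd, "challenge")),
                "challenge mismatch (replayed response?)");
        require(EXPECTED_ORIGIN.equals(jsonString(cd, "origin")), "origin mismatch (phishing site?)");
        // 2. rpIdHash scopes the credential to this RP; the flags prove presence and verification.
        byte[] ad = a.authenticatorData();
        require(ad.length >= 37, "authenticatorData too short");
        require(Arrays.equals(Arrays.copyOf(ad, 32), sha256(RP_ID.getBytes(StandardCharsets.UTF_8))),
                "rpIdHash mismatch");
        int flags = ad[32] & 0xff;
        require((flags & 0x01) != 0, "user presence (UP) flag not set");
        require((flags & 0x04) != 0, "user verification (UV) flag not set");
        long counter = ByteBuffer.wrap(ad, 33, 4).getInt() & 0xffffffffL;
        require(counter == 0 || counter > storedCounter, "counter did not increase (cloned key?)");
        // 3. Only now the signature, against the public key stored at registration.
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(storedKey);
        s.update(ad);
        s.update(sha256(a.clientDataJSON()));
        require(s.verify(a.signature()), "bad signature");
        return counter;
    }

    /** Reads a string member of the small flat clientDataJSON; a real RP uses a JSON parser. */
    static String jsonString(String json, String key) {
        String marker = "\"" + key + "\":\"";
        int start = json.indexOf(marker);
        require(start >= 0, "clientDataJSON lacks " + key);
        start += marker.length();
        return json.substring(start, json.indexOf('"', start));
    }

    static void require(boolean ok, String message) {
        if (!ok) throw new SecurityException(message);
    }

    public static void main(String[] args) throws Exception {
        // Registration already happened: the RP stored this ES256 public key with counter 0.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge); // fresh per ceremony, kept server-side, used once

        Assertion genuine = simulateAuthenticator(kp.getPrivate(), EXPECTED_ORIGIN, challenge, 1);
        System.out.println("genuine login accepted, counter="
                + verifyAssertion(genuine, kp.getPublic(), challenge, 0));

        // Same passkey and challenge, but the ceremony ran on a look-alike origin: rejected.
        Assertion phished = simulateAuthenticator(kp.getPrivate(), "https://examp1e.com", challenge, 2);
        try {
            verifyAssertion(phished, kp.getPublic(), challenge, 1);
        } catch (SecurityException e) {
            System.out.println("phished assertion rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PasskeyAssertionDemo.java && java PasskeyAssertionDemo` (Java 16 or newer, for the record). Two things the example makes visible: the server never sees a secret, so a database breach yields only public keys, and the origin and rpIdHash are part of the signed bytes, so a look-alike site cannot reuse a response even if it could coax one out of the user. In a real ceremony the browser itself refuses to use a credential whose rpId does not match the page's domain; the RP still re-checks everything because it must not trust the client. A production RP additionally looks the credential id up against the user's registered keys, uses the returned userHandle for discoverable logins, parses clientDataJSON with a real parser, and treats the counter as advisory, since some synced passkeys always report 0 (which is why the check above tolerates a zero counter).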
  7. Challenges
     • OS/browser support
     • Cloud vendor reliance
     • Enterprise use cases
     • Reset & recovery
  8. Passkeys with Spring Boot and Auth0 (a0.to/spring-passkey)
     # Create a Spring Boot web app
     $ curl -G https://start.spring.io/starter.tgz \
         -d dependencies=web,okta -d baseDir=passkey-demo | tar -xzvf -
     # Add a controller with a @GetMapping("/") endpoint
     # Create an Auth0 account and configure the tenant to enable passkeys
     # Log in to the tenant
     $ auth0 login
     # Create an Auth0 app; the callback is Spring Security's default redirect URI
     # /login/oauth2/code/{registrationId} for the "okta" client registration
     $ auth0 apps create \
         --name "Spring Boot Passkeys" \
         --description "Spring Boot Example" \
         --type regular \
         --callbacks http://localhost:8080/login/oauth2/code/okta \
         --logout-urls http://localhost:8080 \
         --reveal-secrets
     # Update the OIDC credentials (okta.oauth2.issuer, okta.oauth2.client-id,
     # okta.oauth2.client-secret) in application.properties
     # Start the app
     $ ./gradlew bootRun
  9. WebAuthn4j
     • FIDO2 conformant
     • Supports attestation validation
     • Supports all attestation formats
     • Suitable for relying party server implementation
     • Supports passkeys
     • Used by Keycloak
     • Has Spring Security support
     • Kotlin friendly
     java-webauthn-server
     • Not 100% FIDO2 conformant
     • Supports attestation validation
     • Not all attestation formats supported
     • Suitable for relying party server implementation
     • Supports passkeys
     • From Yubico
  10. Passkeys with Spring Security and WebAuthn4j
      A Spring Boot web app as a relying party server using WebAuthn4j
  11. WebAuthn4J Spring Security demo (a0.to/spring-webauthn)
      # Clone the repo
      $ git clone https://github.com/deepu105/webauthn4j-spring-boot-passkeys-demo
      $ cd webauthn4j-spring-boot-passkeys-demo
      # Start the app
      $ ./gradlew bootRun
  12. spring-security-webauthn
      • Provides default registration and login pages
      • Will become a Spring Security core option
      • Based on WebAuthn4j
      • At the experimental stage now
      • Expected in Spring Security 6.4 (November, hopefully)
  13. Passkeys vs WebAuthn MFA
      Passkeys
      • Implemented using WebAuthn and FIDO2
      • Can be synced or device-bound
      • Discoverable credentials (resident keys)
      • Can be used for account registration as first factor
      • Enrollment required only once for synced passkeys
      WebAuthn MFA
      • Implemented using WebAuthn and FIDO2
      • Only device-bound
      • Non-discoverable credentials
      • Can only be a second factor after account registration with a password
      • Enrollment required on each device
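The two columns above differ in only a few fields of the options a relying party sends to the browser for navigator.credentials.create() and navigator.credentials.get(), as defined by the W3C WebAuthn standard. The JSON below is an added, constructed illustration of those options for a passkey flow and for a second-factor flow; it is not taken from the deck, from WebAuthn4j or from Spring Security. example.com, the user record and every base64url value are placeholders.

```json
{
  "passkey": {
    "create": {
      "rp": { "id": "example.com", "name": "Example" },
      "user": { "id": "dXNlci1oYW5kbGUtMTIz", "name": "alice", "displayName": "Alice" },
      "challenge": "c2VydmVyLWdlbmVyYXRlZC0zMi1yYW5kb20tYnl0ZXM",
      "pubKeyCredParams": [ { "type": "public-key", "alg": -7 }, { "type": "public-key", "alg": -257 } ],
      "authenticatorSelection": {
        "residentKey": "required",
        "requireResidentKey": true,
        "userVerification": "required"
      }
    },
    "get": {
      "rpId": "example.com",
      "challenge": "YW5vdGhlci1mcmVzaC1jaGFsbGVuZ2U",
      "userVerification": "required",
      "allowCredentials": []
    }
  },
  "secondFactor": {
    "create": {
      "rp": { "id": "example.com", "name": "Example" },
      "user": { "id": "dXNlci1oYW5kbGUtMTIz", "name": "alice", "displayName": "Alice" },
      "challenge": "c2VydmVyLWdlbmVyYXRlZC0zMi1yYW5kb20tYnl0ZXM",
      "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ],
      "authenticatorSelection": {
        "residentKey": "discouraged",
        "userVerification": "preferred"
      }
    },
    "get": {
      "rpId": "example.com",
      "challenge": "YW5vdGhlci1mcmVzaC1jaGFsbGVuZ2U",
      "userVerification": "preferred",
      "allowCredentials": [ { "type": "public-key", "id": "Y3JlZGVudGlhbC1pZC1mcm9tLXJlZ2lzdHJhdGlvbg" } ]
    }
  }
}
```

The passkey flow asks for a discoverable credential (residentKey "required"; requireResidentKey is the older Level 1 spelling kept for clients that do not understand residentKey) and for user verification, so the credential alone can be the first factor: at login allowCredentials is empty, the authenticator offers the passkeys it holds for example.com, and the server identifies the user from the returned userHandle and credential id. The second-factor flow runs only after a password login, so the server already knows the user and lists that user's registered credential ids in allowCredentials; residentKey "discouraged" lets the authenticator store nothing (a non-discoverable key wrapped in the credential id). In both flows user.id must be an opaque random handle rather than an email or username, alg -7 is ES256 and -257 is RS256, and every challenge is server-generated, stored for the ceremony and accepted once.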
  14. Passkeys login challenge
      • Complete the challenge and visit our booth to win some cool prizes
      • Only for the first 15 completed submissions
      a0.to/passkey-challenge
  15. How we can help
      Authorization | Authentication | Security
      Single Sign-On | Adaptive Multi-Factor Authentication | Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA
      Try Free Today: Free Plan (forever), $0. Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required.
      Special plans for startups & nonprofits
      Plans for everyone: B2C (your users are consumers), B2B (your users are businesses or a mix of businesses and consumers), Enterprise (best for production applications that need to scale; contact us)
      Make login our problem. Not yours.
      a0.to/plg_signup
  16. Thank you
      Subscribe to our newsletter: a0.to/nl-signup/java
      Try our free Spring Boot microservices workshop: a0.to/spring-boot