Past Time For Passkeys

Transcript

1. Kyle Simpson Passwords Are Fine! ******** SLIDES

2. Kyle Simpson Passwords Are Fine! SLIDES ******** User name or

   password entered incorrectly.

3. Past Time for Passkeys Kyle Simpson

4. None

5. Passwords Are Bad Password Resets Are Bad Security Questions Are

   Bad

6. Federated/SSO Logins Are Bad Email/SMS/App TOTP 2FA Is Bad Magic

   Login Links Are Bad

7. QR Code Logins Are Bad OAuth/OIDC Is Bad Security Key

   Devices Are Bad

8. CAPTCHAs Are Bad Push-Based Approval Is Bad Backup Codes Are

   Bad

9. These mainly exist to cope with quirks of the web

   They also protect vendor lock-in & monetization

10. Bad doesn’t just mean poor UX It also means poor

    security

11. </rant>

12. Biometric Device Unlock 80-90% of consumer devices worldwide

13. None
14. None

15. This shares my personal biometric data with big tech

16. Biometric data is registered PER DEVICE, and only stored securely

    on that device

17. Apple: Secure Enclave Android: TEE / StrongBox

18. If my biometric data is compromised, I’m screwed

19. Compromise requires your biometric data AND physical access to your

    device

20. Device Unlock falls back to PIN/Pattern without biometrics

21. 86% of US consumers use some device lock 1 55%

    of major global market consumers use biometric unlock 2 1. https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/ 2. https://www.iproov.com/press/consumers-prefer-biometric-face-verification

22. Passkeys? (Biometric) Device Unlock… but for (web) apps!

23. None
24. None

25. Register Passkey /api/register-passkey /api/save-passkey { credentialID, pubkey } { userID,

    name, challenge }
26. None
27. None
28. None
29. None
30. None
31. None

32. Authenticate Passkey /api/auth-passkey /api/verify-passkey { credentialID, signature, data } {

    challenge } { success }
33. None
34. None
35. None
36. None
37. None
38. None
39. None
40. None
41. None

42. “Ugh, can you just give me something that does all

    that for me?”

43. github.com/mylofi/webauthn-local-client

44. None

45. Auth.js / NextAuth (now owned by BetterAuth) Lucia Passport.js ...

46. BetterAuth Auth0 Okta Clerk Supabase …

47. “Never roll your own auth…”

48. Yes, DO roll your own (passkey) auth!

49. Passkeys shift the burden of safe credential handling from your

    server to users’ device security system
50. None

51. Users will resist having to create passkeys on every device

52. Apple, Google, and Microsoft all support cloud-based Passkey sync between

    devices

53. A user can be phished/tricked with Passkeys just like passwords

54. Browser locks a passkey to a web origin, and will

    not share it with any other

55. If a site is attacked, all its Passkeys can be

    compromised

56. Sites never see your Passkey, only its public key; they

    can’t do anything bad with it

57. Passkeys can be stolen by MitM and used without permission

58. Servers verify the signature signed by the Passkey private key;

    tamper-proof

59. If I lose my device, I lose access to my

    account

60. You should set up multiple Passkeys on different devices; any

    device/Passkey lets you in
61. None

62. More Private More Secure Familiarity Streamlined UX

63. User Education User Setup Burden User Responsibility Still Evolving

64. Patterns for Passkey Use

65. Alternate Authentication

66. None

67. Additional Authentication (2FA)

68. None

69. Primary Authentication

70. None
71. None
72. None

73. Local-Only Passkeys (no server!)

74. None

75. Passkey Branding/UX

76. None
77. None
78. None

79. Passkeys for Passwords

80. None

81. a LOT of variance

82. https://passkey.garden

83. None

84. Learn More?

85. None
86. None
87. None

88. Kyle Simpson SLIDES Past Time for Passkeys Waiting for your

    biometric passkey (face/fingerprint) to be presented…

89. Past Time for Passkeys Kyle Simpson Thank You! Slide Code