
PassKeys and WebAuthN: What you want to know


PassKeys are pitched by Apple as the next best thing for account security. But did you know that the technology has in essence been around for a couple of years, and is in fact an implementation of WebAuthN?

In my talk I show you some basics about WebAuthN and PassKeys to help you get started.

More info here:
https://developer.apple.com/passkeys/
https://developer.apple.com/videos/play/wwdc2022/10092/
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
https://support.apple.com/en-us/HT213305
https://en.wikipedia.org/wiki/WebAuthn
https://webauthn.io/
https://webauthn.me/
https://www.yubico.com/authentication-standards/webauthn/
https://oauth.net/webauthn/


Transcript

  1. GETSTREAM.IO
     PassKeys and WebAuthN: What you want to know
  2. Jeroen Leenarts
     • iOS Developer Relations Lead
     • Podcast: AppForce1
     • Book: Being a Lead Developer
     • Over 20 years of experience
  3. Why talk about PassKeys and WebAuthN?
  4. Stream Chat
     • The #1 Chat API for Custom Messaging Apps.
     • Add fast, real-time messaging to your application in days
     • Free trial available, no credit card required
     • .NET SDK too
  5. Trusted by many companies
  6. What you want to know about WebAuthN and Passkeys
  7. PassKeys, Apple’s pitch
     • Based on industry standards for account authentication
     • Passkeys are easier to use than passwords and far more secure.
     • Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required.
  8. Sounds great, but what is it?
     • Based on FIDO Alliance and W3C standards
       ◦ WebAuthN
     • With Apple sauce to streamline usage
  9. What Apple adds to WebAuthN
     • Since iOS 15
       ◦ Passkeys sync through iCloud Keychain
     • With iOS 16
       ◦ Shareable through Apple Handoff
       ◦ QR-code based local handshake for off-device authentication
  10. WebAuthN requires 4 parties
     • The relying party
       ◦ Service provider that wants to authenticate users
     • The authenticator
       ◦ A PassKey in the Keychain or another secure token
     • The web browser or app
       ◦ Acts as the channel between the relying party and the authenticator
     • The user
       ◦ Has to affirmatively interact with the authenticator to prove physical presence.
  11. Two phases
     • Enrollment
       ◦ Basically the registration of the user and secure element with your service
       ◦ Allows for attestation of the secure element
     • Assertion
       ◦ Login by proving a user has access to the secure element
  12. WebAuthN Authenticator flavours
     • Roaming Authenticators
       ◦ Discrete device
         ▪ Yubikey or a Google Titan key.
         ▪ USB, Bluetooth or RFID link, enabling a web browser to communicate with the device.
     • Virtual Authenticators
       ◦ Pure software
         ▪ Private keys in a database that likely doesn’t reside in secure hardware.
         ▪ Often have some security drawbacks
     • Platform Authenticators
       ◦ Built into a device.
         ▪ Apple’s Secure Enclave
         ▪ Convenient, but bound to a particular device
           • Device loss or reset will destroy the keys
           • PassKeys turn the Secure Enclave into a secure virtual authenticator
  13. My current knowledge on the topic
     • I do not have the QR code bits working yet
       ◦ Apple is very sparse on their server-side example
         ▪ (There is none)
     • Tim Condon did create a quick Vapor based implementation
       ◦ Unvetted, unreviewed, only for play right now
     • Other parties online have amazing login examples
       ◦ Auth0, WebAuthN, Yubico, etc.
  14. A quick demo: https://webauthn.io/
  15. Great, now show me some Swift
     • Vapor is working on a Swift based implementation
     • Once available I will add it to Stream’s Vapor integration project
  16. I can show you something already though: https://webauthn.io/
  17. Work in progress, still need to get to the iOS bits
  18. Are WebAuthN and PassKeys a thing or not?
     • Too early to tell
     • Signs are good
     • It is all based on industry standards
     • Google, Apple, Microsoft and many others are on board
  19. Are WebAuthN and PassKeys a thing or not?
     • Beyond Swift many integrations are already available
       ◦ Go, Python, PHP, etc.
     • DUO Security and Yubico have been big drivers of FIDO and WebAuthN adoption
  20. Still some questions remain
     • How to transition your logins between iOS and Android?
       ◦ We don’t really want a lock-in on our credentials, right?
       ◦ FIDO has something in the works for this
  21. Questions?
  22. Thank You.
  23. More info here
     https://developer.apple.com/passkeys/
     https://developer.apple.com/videos/play/wwdc2022/10092/
     https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys
     https://support.apple.com/en-us/HT213305
     https://en.wikipedia.org/wiki/WebAuthn
     https://webauthn.io/
     https://webauthn.me/
     https://www.yubico.com/authentication-standards/webauthn/
     https://oauth.net/webauthn/