Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PassKeys and WebAuthN: What you want to know

Jeroen Leenarts (AppForce1)
June 15, 2022
Programming
0
530

PassKeys and WebAuthN: What you want to know

PassKeys are pitched by Apple as the next best thing for account security. But did you know it has been in essence been around for a couple years? And is in fact an implementation of WebAuthN.

In my talk I show you some basics about WebAuthN and PassKeys to help you get started.

More info here
https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn
https://webauthn.io/
https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/

Jeroen Leenarts (AppForce1)

June 15, 2022
Tweet

More Decks by Jeroen Leenarts (AppForce1)

See All by Jeroen Leenarts (AppForce1)
Building a Vapor Swift backend integration with authentication and authorization
jeroenleenarts
0
540
The developer’s manual: working with and managing software developers
jeroenleenarts
0
36
Being a Lead Software Developer
jeroenleenarts
1
330
SECONDARY SKILLS AS A DEVELOPER
jeroenleenarts
0
980
Try Swift intro
jeroenleenarts
0
14
Micro Frameworks: What, why and how?
jeroenleenarts
0
21
mDevcon 2015: See the time on your wrist
jeroenleenarts
0
130
A inspirational presentation at a company's hackathon
jeroenleenarts
0
94
Secure Coding practices
jeroenleenarts
0
690

Other Decks in Programming

See All in Programming
gopls を改造したら開発生産性が高まった
satorunooshie
8
250
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
7
2.9k
Realtime API 入門
riofujimon
0
120
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
440
役立つログに取り組もう
irof
27
8.7k
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.3k
Progressive Web Apps für Desktop und Mobile mit Angular (Hands-on)
christianliebel
PRO
0
110
Modern Angular: Renovation for Your Applications
manfredsteyer
PRO
0
210
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
5
3.4k
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
4
1.6k
レガシーな Android アプリのリアーキテクチャ戦略
oidy
1
170

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
Gamification - CAS2011
davidbonilla
80
5k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
160
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Happy Clients
brianwarren
97
6.7k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Fireside Chat
paigeccino
32
3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Producing Creativity
orderedlist
PRO
341
39k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k

Transcript

  1. G E T S T R E A M .

    I O PassKeys and WebAuthN What you want to know

  2. G E T S T R E A M .

    I O Jeroen Leenarts • iOS Developer Relations Lead • Podcast: AppForce1 • Book: Being a Lead Developer • Over 20 years of experience

  3. G E T S T R E A M .

    I O Why talk about PassKeys and WebAuthN?

  4. G E T S T R E A M .

    I O Stream Chat • The #1 Chat API for Custom Messaging Apps. • Add fast, real-time messaging to your application in days • Free trial available, no credit card required .N ET SD K too

  5. G E T S T R E A M .

    I O Trusted by many companies

  6. G E T S T R E A M .

    I O What you want to know about WebAuthN and Passkeys

  7. G E T S T R E A M .

    I O •Based on industry standards for account authentication •Passkeys are easier to use than passwords and far more secure. •Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required. PassKeys, Apple’s pitch

  8. G E T S T R E A M .

    I O •Based on FIDO Alliance and W3C standards ◦ WebAuthN •With Apple sauce to streamline usage Sounds great, but what is it?

  9. G E T S T R E A M .

    I O •Since iOS 15 ◦ Passkeys sync through iCloud Keychain •With iOS 16 ◦ Sharable through Apple handoff ◦ QR-code based local handshake for off device authentication What Apple adds to WebAuthN

  10. G E T S T R E A M .

    I O •The relying party ◦ Service provider that wants to authenticate users •The authenticator ◦ A PassKey in the KeyChain or other a secure token •The web browser or app ◦ acts as the channel between the relying party and authenticator •The user ◦ Has to affirmatively interact with the authenticator to prove physical presence. WebAuthN requires 4 parties

  11. G E T S T R E A M .

    I O •Enrollment ◦ Basically the registration of the user and secure element with your service ◦ Allows for attestation of the secure element •Assertion ◦ Login by proving a user has access to the secure element Two phases

  12. G E T S T R E A M .

    I O •Roaming Authenticators ◦ Discrete device ▪ Yubikey or a Google Titan key. ▪ USB, Bluetooth or RFID link, enabling a web browser to communicate with the device. •Virtual Authenticators ◦ Pure software ▪ Private keys in a database that likely doesn’t reside in secure hardware. ▪ Often have some security drawbacks •Platform Authenticators ◦ Built into a device. ▪ Apple’s Secure Enclave ▪ Convenient, but bound to a particular device • Device loss or reset will destroy the keys • PassKeys turns the Secure Enclave into a Secure Virtual Authenticator WebAuthN Authenticator flavours

  13. G E T S T R E A M .

    I O •I do not have the QR code bits working yet ◦ Apple is very sparse on their server side example ▪ ( There is none) •Tim Condon did create a quick Vapor based implementation ◦ Unvetted, unreviewed, only for play right now •Other parties online have amazing login examples ◦ Auth0, WebAuthN, Yubico, etc My current knowledge on the topic

  14. G E T S T R E A M .

    I O A quick demo https://webauthn.io/

  15. G E T S T R E A M .

    I O •Vapor is working on a Swift based implementation •Once available I will add it to Stream’s Vapor integration project Great, now show me some Swift

  16. G E T S T R E A M .

    I O I can show you something already though https://webauthn.io/

  17. G E T S T R E A M .

    I O Work in progress, still need to get to the iOS bits

  18. G E T S T R E A M .

    I O •Too early to tell •Signs are good •It is all based on industry standards •Google, Apple, Microsoft and many others are onboard Are WebAuthN and PassKeys a thing or not?

  19. G E T S T R E A M .

    I O •Beyond Swift many integrations are already available ◦ Go, Python, PHP, etc, etc… •DUO Security and Yubico have been a big drivers of FIDO and WebAuthN adoption Are WebAuthN and PassKeys a thing or not?

  20. G E T S T R E A M .

    I O •How to transition your logins between iOS and Android? ◦ We don’t really want a lockin on our credentials right? ◦ FIDO has something in the works for this Still some questions remain

  21. G E T S T R E A M .

    I O Questions?

  22. G E T S T R E A M .

    I O Thank You.

  23. G E T S T R E A M .

    I O https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn https://webauthn.io/ https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/ More info here