Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PassKeys and WebAuthN: What you want to know

Jeroen Leenarts (AppForce1)
June 15, 2022
Programming
0
540

PassKeys and WebAuthN: What you want to know

PassKeys are pitched by Apple as the next best thing for account security. But did you know it has been in essence been around for a couple years? And is in fact an implementation of WebAuthN.

In my talk I show you some basics about WebAuthN and PassKeys to help you get started.

More info here
https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn
https://webauthn.io/
https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/

Jeroen Leenarts (AppForce1)

June 15, 2022
Tweet

More Decks by Jeroen Leenarts (AppForce1)

See All by Jeroen Leenarts (AppForce1)
Building a Vapor Swift backend integration with authentication and authorization
jeroenleenarts
0
550
The developer’s manual: working with and managing software developers
jeroenleenarts
0
39
Being a Lead Software Developer
jeroenleenarts
1
330
SECONDARY SKILLS AS A DEVELOPER
jeroenleenarts
0
990
Try Swift intro
jeroenleenarts
0
14
Micro Frameworks: What, why and how?
jeroenleenarts
0
21
mDevcon 2015: See the time on your wrist
jeroenleenarts
0
130
A inspirational presentation at a company's hackathon
jeroenleenarts
0
94
Secure Coding practices
jeroenleenarts
0
690

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
720
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
6
1.5k
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
1k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
910
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
250
C++でシェーダを書く
fadis
6
4.1k
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k
subpath importsで始めるモック生活
10tera
0
320
Amazon Qを使ってIaCを触ろう!
maruto
0
420
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120

Featured

See All Featured
Optimizing for Happiness
mojombo
376
70k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Designing Experiences People Love
moore
138
23k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Navigating Team Friction
lara
183
14k
KATA
mclloyd
29
14k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Building Adaptive Systems
keathley
38
2.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. G E T S T R E A M .

    I O PassKeys and WebAuthN What you want to know

  2. G E T S T R E A M .

    I O Jeroen Leenarts • iOS Developer Relations Lead • Podcast: AppForce1 • Book: Being a Lead Developer • Over 20 years of experience

  3. G E T S T R E A M .

    I O Why talk about PassKeys and WebAuthN?

  4. G E T S T R E A M .

    I O Stream Chat • The #1 Chat API for Custom Messaging Apps. • Add fast, real-time messaging to your application in days • Free trial available, no credit card required .N ET SD K too

  5. G E T S T R E A M .

    I O Trusted by many companies

  6. G E T S T R E A M .

    I O What you want to know about WebAuthN and Passkeys

  7. G E T S T R E A M .

    I O •Based on industry standards for account authentication •Passkeys are easier to use than passwords and far more secure. •Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required. PassKeys, Apple’s pitch

  8. G E T S T R E A M .

    I O •Based on FIDO Alliance and W3C standards ◦ WebAuthN •With Apple sauce to streamline usage Sounds great, but what is it?

  9. G E T S T R E A M .

    I O •Since iOS 15 ◦ Passkeys sync through iCloud Keychain •With iOS 16 ◦ Sharable through Apple handoff ◦ QR-code based local handshake for off device authentication What Apple adds to WebAuthN

  10. G E T S T R E A M .

    I O •The relying party ◦ Service provider that wants to authenticate users •The authenticator ◦ A PassKey in the KeyChain or other a secure token •The web browser or app ◦ acts as the channel between the relying party and authenticator •The user ◦ Has to affirmatively interact with the authenticator to prove physical presence. WebAuthN requires 4 parties

  11. G E T S T R E A M .

    I O •Enrollment ◦ Basically the registration of the user and secure element with your service ◦ Allows for attestation of the secure element •Assertion ◦ Login by proving a user has access to the secure element Two phases

  12. G E T S T R E A M .

    I O •Roaming Authenticators ◦ Discrete device ▪ Yubikey or a Google Titan key. ▪ USB, Bluetooth or RFID link, enabling a web browser to communicate with the device. •Virtual Authenticators ◦ Pure software ▪ Private keys in a database that likely doesn’t reside in secure hardware. ▪ Often have some security drawbacks •Platform Authenticators ◦ Built into a device. ▪ Apple’s Secure Enclave ▪ Convenient, but bound to a particular device • Device loss or reset will destroy the keys • PassKeys turns the Secure Enclave into a Secure Virtual Authenticator WebAuthN Authenticator flavours

  13. G E T S T R E A M .

    I O •I do not have the QR code bits working yet ◦ Apple is very sparse on their server side example ▪ ( There is none) •Tim Condon did create a quick Vapor based implementation ◦ Unvetted, unreviewed, only for play right now •Other parties online have amazing login examples ◦ Auth0, WebAuthN, Yubico, etc My current knowledge on the topic

  14. G E T S T R E A M .

    I O A quick demo https://webauthn.io/

  15. G E T S T R E A M .

    I O •Vapor is working on a Swift based implementation •Once available I will add it to Stream’s Vapor integration project Great, now show me some Swift

  16. G E T S T R E A M .

    I O I can show you something already though https://webauthn.io/

  17. G E T S T R E A M .

    I O Work in progress, still need to get to the iOS bits

  18. G E T S T R E A M .

    I O •Too early to tell •Signs are good •It is all based on industry standards •Google, Apple, Microsoft and many others are onboard Are WebAuthN and PassKeys a thing or not?

  19. G E T S T R E A M .

    I O •Beyond Swift many integrations are already available ◦ Go, Python, PHP, etc, etc… •DUO Security and Yubico have been a big drivers of FIDO and WebAuthN adoption Are WebAuthN and PassKeys a thing or not?

  20. G E T S T R E A M .

    I O •How to transition your logins between iOS and Android? ◦ We don’t really want a lockin on our credentials right? ◦ FIDO has something in the works for this Still some questions remain

  21. G E T S T R E A M .

    I O Questions?

  22. G E T S T R E A M .

    I O Thank You.

  23. G E T S T R E A M .

    I O https://developer.apple.com/passkeys/ https://developer.apple.com/videos/play/wwdc2022/10092/ https://developer.apple.com/documentation/authenticationservices/public- private_key_authentication/supporting_passkeys https://support.apple.com/en-us/HT213305 https://en.wikipedia.org/wiki/WebAuthn https://webauthn.io/ https://webauthn.me/ https://www.yubico.com/authentication-standards/webauthn/ https://oauth.net/webauthn/ More info here