Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ Droid...

ritou
October 06, 2022
Technology
2
7.1k

Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022

DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753

ritou

October 06, 2022
Tweet

More Decks by ritou

See All by ritou
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
0
47
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.5k
OIDF-J EIWG 振り返り
ritou
2
30
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
400
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
500
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
720
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.1k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.7k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
13k

Other Decks in Technology

See All in Technology
Building Scalable Backend Services with Firebase
wisdommatt
0
110
EMConf JP の楽しみ方 / How to enjoy EMConf JP
pauli
2
150
iPadOS18でフローティングタブバーを解除してみた
sansantech
PRO
1
150
30分でわかる「リスクから学ぶKubernetesコンテナセキュリティ」/30min-k8s-container-sec
mochizuki875
3
450
カップ麺の待ち時間(3分)でわかるPartyRockアップデート
ryutakondo
0
140
Cloudflareで実現する AIエージェント ワークフロー基盤
kmd09
0
290
「隙間家具OSS」に至る道/Fujiwara Tech Conference 2025
fujiwara3
7
6.5k
深層学習と3Dキャプチャ・3Dモデル生成(土木学会応用力学委員会 応用数理・AIセミナー)
pfn
PRO
0
460
メールヘッダーを見てみよう
hinono
0
110
#TRG24 / David Cuartielles / Post Open Source
tarugoconf
0
590
ABWGのRe:Cap!
hm5ug
1
120
あなたの知らないクラフトビールの世界
miura55
0
130

Featured

See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
870
Building Applications with DynamoDB
mza
93
6.2k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Being A Developer After 40
akosma
89
590k
Automating Front-end Workflow
addyosmani
1366
200k
Speed Design
sergeychernyshev
25
740
VelocityConf: Rendering Performance Case Studies
addyosmani
327
24k
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
The Cult of Friendly URLs
andyhume
78
6.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
192
16k

Transcript

  1. Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ࢓༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022

  2. ൃදͷ಺༰ • C޲͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2

  3. ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @

    OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3

  4. C޲͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ

  5. ᶃύεϫʔυೝূ

  6. ύεϫʔυೝূ 
 (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :

    ஌ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛݕূ

  7. ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ࢖͍·Θ͞ͳ͍

    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ

  8. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  9. ΞΧ΢ϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ࢖͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ

    • ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷ૊Έ߹Θ͕ͤҰൠత • ϝʔϧ΁ϦϯΫ΍ೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹ͸ύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔ΋ଘࡏ͢Δ

  10. ϝʔϧ/SMSʹΑΔOTP 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :

    ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ΋͜ΕΛ؆ུԽͨ͠΋ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧ΢ϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ

  11. ᶄ2ஈ֊/ཁૉೝূͷීٴ

  12. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  13. ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ࢖͍ճ͍ͯͨ͠ΒΞ΢τ

    • ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞ΢τ • ͜ΕΒͷ߈ܸ΁ͷରࡦͱͯ͠ɺ௥Ճೝূ͕ීٴ

  14. ιϑτ΢ΣΞTOTP 
 (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ

    : ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜ੒ͨ͠OTPΛݕূ (RFC6238) • 2010೥Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google Authenticatorͱͱ΋ʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰ͸RSA/VerisignͳͲͷϋʔυ΢ΣΞτʔΫϯ͕࢖ΘΕ͍ͯ ͕ͨίετ໘ʹ՝୊͕͋ͬͨ

  15. ϞόΠϧΞϓϦ΍୺຤΁ͷpush௨஌ 
 (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :

    ॴ༗ • ϞόΠϧΞϓϦʹ௨஌ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δ୺຤΁ͷ௨஌ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผ୺຤΁ͷ௨஌ͷํ͕SMS΍EϝʔϧΑΓ҆શ? • Push௨஌ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸ΋ൃੜ

  16. όοΫΞοϓίʔυ 
 (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :

    ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍͸ෳ਺ͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷ஋Λݕূ • TOTP͕࢖͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ

  17. ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε΁

  18. ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛ๨Εͯ͠·͏ • ෳ਺αʔϏεͰ࢖͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ

    • ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍

  19. ݱ࣮  19 • ৘ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ޲͚1Ґʂ • B޲͚Ͱ͸Microsoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ

    ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 2021೥9݄Ҏ߱ɺ1ສҎ্ͷ૊৫͕ඪతʹ

  20. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012

  21. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:

  22. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:

  23. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:

  24. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:

  25. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:

    345'()*+,-./6789:

  26. ͜Ε·Ͱͷೝূํࣜ͸ ϑΟογϯά଱ੑΛ࣋ͨͳ͍  26 • ͍ͣΕ΋ਓ͕ؒߦ͏൑அͷ෦෼͕ऑ఺ͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:

    ࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲ΁ͷPush௨஌&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨஌ͱ͍ͬͨ࢓૊Έ͸͋Δ͕ࠜຊతͳରࡦͰ͸ͳ͍

  27. FIDOೝূ w/ UserPresense 
 (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27

    • ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ࢗͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ

  28. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:

  29. FIDOೝূ w/ UserVeri fi cation 
 (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)

     29 • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍Δϋʔυ΢ΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉ໨ͷೝূΛඞཁͱ͢Δ΋ͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬౰)

  30. FIDOೝূͷ՝୊  30 • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊ • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨΓͳ͘ͳͬͨ Γɺަ׵ͨ͠ࡍʹ࠶ొ࿥͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?

    • ಉఔ౓ͷೝূڧ౓Λ࣋ͭೝূํࣜͱ͸??? • ෳ਺ͷAuthenticatorΛొ࿥͓ͯ͘͠ඞཁੑ͕͋Δ

  31. Passkey - ”FIDO multi-device credentials”  31 • 伴৘ใ͕σόΠεͰ͸ͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •

    ͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴؅ཧͱ͸ผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔ໰୊ͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Β঺հ)

  32. Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.

    Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ࿥ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞ΢τͯ͠΋ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ୒͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ

  33. Passkey - ”FIDO multi-device credentials”  33 • ෳ਺ϓϥοτϑΥʔϜΛލ͙৔߹ͷUXվળ 1.

    ࣄલʹAndroidͰύεΩʔΛొ࿥ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺ͹ΕΔ઀ଓํ๏) 3. ͦͷ௚ޙʹTouchID͕ཁٻ͞Εɺࠓޙ͸͜ͷ୺຤ͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ

  34. ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બ୒ࢶ

  35. ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔ৘ใΛར༻͢Δ • ୅දతͳϓϩτίϧ͕OpenID Connect, OAuth

    2.0 + Ϣʔβʔ৘ใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ෇͚Λ؅ཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑ৘ใΛ׆༻ͯ͠UXΛ޲্ • ֬ೝࡁΈϝʔϧΞυϨεɺి࿩൪߸ɺຊਓ֬ೝ৘ใͳͲ

  36. ID࿈ܞͷ՝୊  36 • IdPͱ৺த໰୊ • ΞΧ΢ϯτBAN, ো֐࣌ʹ͸ͦΕΛར༻͢ΔαʔϏε΋࢖͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •

    IdPͷΞΧ΢ϯτ͕৐ͬऔΒΕͯ͠·ͬͨΒαʔϏε΋ѱ༻͞ΕΔ

  37. Identity Wallet 
 (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)

     37 • IdPʹґଘ͢ΔͷͰ͸ͳ͘ɺݸਓ͕ࣗ෼ͷ৘ใΛ؅ཧ͢ΔελΠϧ • Ծ૝௨՟͋ͨΓͰ໨ʹ͢Δ໾ׂ෼୲ • Issuer : Ϣʔβʔ৘ใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : Ϣʔβʔ৘ใΛ؅ཧ͢ΔΞϓϦ΍ϒϥ΢βػೳ • Veri fi er : Holder ʹ৘ใΛཁٻ͠ɺऔಘͨ͠৘ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Εͯ࣌୅͕ਐΜͰ͍͘ؾ഑

  38. ҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν

  39. ՝୊ΛΧόʔ͢Δ࢓૊Έ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δ΋ͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :

    खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ Δ࢓૊ΈΛಋೖ • SMS OTP : WebOTP • WebAuthn

  40. ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜ੒ɺ؅ཧΛ೚ͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠ΍όοΫΞοϓίʔυΛอଘͰ͖Δ΋ͷ΋͋Δ •

    Ϛελʔύεϫʔυ؅ཧ͕ॏཁʹͳΔ(SPOFͱ΋ݴ͑Δ) • ϒϥ΢β / OS෇ਵͷ΋ͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બ΂͹ྑͦ͞͏

  41. Android / Chrome 
 Ͱ࣮ݱͰ͖ΔϩάΠϯUX

  42. ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)

  43. WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷ࢓૊Έ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript

    هड़ + input λά • Android ͷ SMS Retriever API ͱಉ౳

  44. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  44

  45. WebOTP - Android Chrome ϒϥ΢βΛ։͍ͨ··OTPΛऔಘՄೳ  45

  46. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  46

  47. WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroid୺຤ͷ௨஌Ͱಉҙ->సૹ  47

  48. WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥ΢β͕ݕূ • ”͜ͷ࢓૊ΈΛ࢖͏ͱ͖͸” ϑΟογϯά଱ੑΛ࣋ͭ •

    ؀ڥ͝ͱͷରԠ͸ෆཁɺඞཁͳͷ͸ϒϥ΢β͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ࢓༷௨Γ࣮૷͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ

  49. WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥ΢βAPI • ϒϥ΢β͕հೖ͠ɺ伴৘ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯά଱ੑΛ࣋ͭ • Platform

    Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴৘ใͷొ࿥/ೝূΛ࣮ݱ͢Δ࢓૊Έ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ୺຤ : Push௨஌ + BLE

  50. WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC

    Android

  51. WebAuthn w/ caBLE Ұ౓ར༻ͨ͠୺຤͸Push௨஌Ͱར༻Մೳ  51 PC Android

  52. WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ୺຤͸࠷ॳ͔ΒPush௨஌Ͱར༻Մೳ  52 PC

    Android

  53. WebAuthn  53 • ౰ॳ͸୺຤ͦͷ΋ͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ৅͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙࢓૊Έ΋͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰ͸ͳ͘ɺ

    BLEͰۙڑ཭ʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷ୺຤Ͱ઀ଓ͞Ε Δ͜ͱΛ๷͙ߟྀ΋͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋Ε͹Push௨஌ͰΑΓָʹར ༻Մೳ

  54. ·ͱΊ  54 • C޲͚αʔϏεͰ࢖ΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛ௃Λཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”

    Λ࣮ݱ͢ΔͨΊ ͷ࢓૊ΈΛ঺հͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏε͸ɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏

  55. ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special

    Publication 800-63B Digital Identity Guidelines (຋༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html

  56. ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹ࢖ΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱ͸ɹ1࣌ؒҎ্௨ ஌߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022೥൛Ϩϙʔτʮ2022

    State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/

  57. ࢀߟϦϯΫ  57 • σδλϧ΢ΥϨοτͷ૬ޓӡ༻ੑΛ໨ࢦ͢ஂମɺThe Linux Foundation͕ઃཱ΁ • https://japan.zdnet.com/article/35193346/

  58. ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/

    • Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt

  59. ׬ ࣭໰ɺҙݟɺײ૝Λ ͓଴͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํ΋ੋඇʂ