Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ Droid...
Search
ritou
October 06, 2022
Technology
2
6.9k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
DroidKaigi 2022 Day2 での発表資料です。
https://droidkaigi.jp/2022/timetable/357753
ritou
October 06, 2022
Tweet
Share
More Decks by ritou
See All by ritou
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
3
1.4k
OIDF-J EIWG 振り返り
ritou
2
26
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
380
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
470
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
700
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.1k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.6k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
12k
C向けサービスで 使われている認証方式と安全な使い方
ritou
12
3k
Other Decks in Technology
See All in Technology
LINE Developersプロダクト(LIFF/LINE Login)におけるフロントエンド開発
lycorptech_jp
PRO
0
120
LINEヤフーのフロントエンド組織・体制の紹介【24年12月】
lycorp_recruit_jp
0
530
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
450
20241214_WACATE2024冬_テスト設計技法をチョット俯瞰してみよう
kzsuzuki
3
470
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
16
4k
C++26 エラー性動作
faithandbrave
2
740
PHP ユーザのための OpenTelemetry 入門 / phpcon2024-opentelemetry
shin1x1
1
220
10個のフィルタをAXI4-Streamでつなげてみた
marsee101
0
170
PHPからGoへのマイグレーション for DMMアフィリエイト
yabakokobayashi
1
170
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
220
AI時代のデータセンターネットワーク
lycorptech_jp
PRO
1
290
生成AIのガバナンスの全体像と現実解
fnifni
1
190
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
A Philosophy of Restraint
colly
203
16k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Code Reviewing Like a Champion
maltzj
520
39k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Speed Design
sergeychernyshev
25
670
Optimising Largest Contentful Paint
csswizardry
33
3k
Navigating Team Friction
lara
183
15k
Git: the NoSQL Database
bkeepers
PRO
427
64k
The Language of Interfaces
destraynor
154
24k
Site-Speed That Sticks
csswizardry
2
190
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Transcript
Android/ChromeͰମݧͰ͖Δ ೝূͷͨΊͷඪ४Խ༷ͷ ݱࡏͱະདྷ @ritou (Ryo Ito) 2022/10/6 - DroidKaigi 2022
ൃදͷ༰ • C͚αʔϏεʹ͓͚ΔϢʔβʔೝূͷมભ • Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX  2
ˏritou • Digital Identity ؔ࿈ͷϒϩάࣥචɺษڧձ࣮ࢪ #idcon #iddance • ΤόϯδΣϦετ @
OIDF-J • ΤϯδχΞ ˏ גࣜձࣾMIXI  3
C͚αʔϏεʹ͓͚Δ Ϣʔβʔೝূͷมભ
ᶃύεϫʔυೝূ
ύεϫʔυೝূ (هԱγʔΫϨοτ, Memorized Secrets)  6 • ೝূཁૉ :
ࣝ • Ϣʔβʔ/αʔϏε͕ύεϫʔυΛڞ༗ • ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛݕূ
ύεϫʔυೝূͰ ϢʔβʔɺαʔϏεʹٻΊΒΕΔཁ݅  7 • Ϣʔβʔ • ύεϫʔυΛΕͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺଞͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ • αʔϏε • ύεϫʔυΛ҆શʹཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  8 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ΞΧϯτϦΧόϦʔ • “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ಛఆͷೝূํ͕ࣜ͑ͳ͍࣌ʹ٧·ͳ͍Α͏ʹᷖճ࿏Λ༻ҙ • ผͷํ๏ͰϢʔβʔೝূ(≠ϩάΠϯηογϣϯൃߦ) + ઃఆมߋ
• ύεϫʔυೝূͱϝʔϧʹΑΔύεϫʔυϦηοτͷΈ߹Θ͕ͤҰൠత • ϝʔϧϦϯΫೝূίʔυΛૹ৴ + ύεϫʔυ࠶ઃఆ • ੈͷதʹύεϫʔυΛ֮͑ͣʹຖճϦηοτ͢ΔϢʔβʔଘࡏ͢Δ
ϝʔϧ/SMSʹΑΔOTP (ܦ࿏֎ೝূ, Out-of-Band Devices)  10 • ೝূཁૉ :
ॴ༗ • αʔϏε͕ϢʔβʔʹSMS/ϝʔϧͰϫϯλΠϜύεϫʔυΛૹΓڞ༗ • ϦϯΫૹ৴&ΫϦοΫ͜ΕΛ؆ུԽͨ͠ͷͱଊ͑ΒΕΔ • “ύεϫʔυೝূͷΈ”ͱ͍͍࣮࣭ͭͭ2ͭͷೝূํࣜΛఏڙ͢Δ͜ ͱͰɺΞΧϯτϦΧόϦʔػೳΛఏڙ͢Δͷ͕ఆੴͱͳͬͨ
ᶄ2ஈ֊/ཁૉೝূͷීٴ
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  12 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ύεϫʔυϦετ߈ܸɺ ύεϫʔυεϓϨʔ߈ܸ  13 • ύεϫʔυϦετ߈ܸ • Ϣʔβʔࣝผࢠ/ύεϫʔυͷϦετͰࢼߦ • ಉ͡ύεϫʔυΛ͍ճ͍ͯͨ͠ΒΞτ
• ύεϫʔυεϓϨʔ߈ܸ • ϢʔβʔࣝผࢠͷϦετʹಉҰͷύεϫʔυͰࢼߦ • ਪଌՄೳͳύεϫʔυΛར༻͍ͯͨ͠ΒΞτ • ͜ΕΒͷ߈ܸͷରࡦͱͯ͠ɺՃೝূ͕ීٴ
ιϑτΣΞTOTP (୯ҰཁૉOTPσόΠε, Single-Factor OTP Device)  14 • ೝূཁૉ
: ॴ༗ • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ͯ͠ɺϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰ ੜͨ͠OTPΛݕূ (RFC6238) • 2010Ҏ߱ɺGoogle͕2ஈ֊ೝূͱͯ͠Google AuthenticatorͱͱʹTOTP ೝূΛఏڙ։࢝ • ۚ༥ػؔͳͲͰRSA/VerisignͳͲͷϋʔυΣΞτʔΫϯ͕ΘΕ͍ͯ ͕ͨίετ໘ʹ՝͕͋ͬͨ
ϞόΠϧΞϓϦͷpush௨ (ܦ࿏֎ೝূ, Out-of-Band Devices)  15 • ೝূཁૉ :
ॴ༗ • ϞόΠϧΞϓϦʹ௨ΛૹͬͯϢʔβʔ͕֬ೝͨ͠ΒOK • Ϣʔβʔ͕ར༻͍ͯ͠Δͷ௨ (Apple, Google) • ܦ࿏ͷ҆શੑ͕ΩϞ • ϞόΠϧΞϓϦ/ݸผͷ௨ͷํ͕SMSEϝʔϧΑΓ҆શ? • Push௨ΛૹΓ·ͬͯ͘Ͳ͏ʹ͔͠Α͏ͱ͢Δ߈ܸൃੜ
όοΫΞοϓίʔυ (ϧοΫΞοϓγʔΫϨοτ, Look-Up Secrets)  16 • ೝূཁૉ :
ॴ༗ • Ϣʔβʔʹ୯Ұ͋Δ͍ෳͷจࣈྻΛൃߦ͓͖ͯ͠ɺͦͷΛݕূ • TOTP͕͑ͳ͍Α͏ͳέʔεͰ٧·ͳ͍ͨΊͷϢʔβʔ͕औΕΔϦ ΧόϦʔखஈͱͯ͠͠Εͬͱ࠾༻͞Ε͍ͯΔ
ᶅϑΟογϯάʹڧ͍ೝূํࣜ ͦͯ͠ύεϫʔυϨε
ύεϫʔυೝূʹ͓͚Δ ϢʔβʔɺαʔϏεͷݱঢ়  18 • Ϣʔβʔ • ઃఆͨ͠ύεϫʔυΛΕͯ͠·͏ • ෳαʔϏεͰ͍ճͨ͠ΓɺਪଌՄೳͳจࣈྻΛར༻͢Δ
• ϑΟογϯάαΠτʹύεϫʔυͳͲΛೖྗͯ͠͠·͏ • αʔϏε • ෮߸ՄೳͳܗࣜͰอଘ͠ɺ࠷ऴతʹ࿙Ӯͤͯ͞͠·͏ • ෆਖ਼ϩάΠϯରࡦʹίετΛ͔͚ΒΕͳ͍
ݱ࣮  19 • ใηΩϡϦςΟ10େڴҖ 2022 ʹͯݸਓ͚1Ґʂ • B͚ͰMicrosoft ͕ଟཁૉೝূΛճආ͢ΔϑΟογϯά߈ܸ
ʮAdversary-in-the-MiddleʢAiTMʣʯʹ͍ͭͯൃද • 20219݄Ҏ߱ɺ1ສҎ্ͷ৫͕ඪతʹ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 345'()*+,-./6789: ;<=>?@AB6CD89:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU ;<=>?@AB6CD89: 3VO'()*789: 345'()*+,-./6789:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 EFEGH!"#$%&'()*12 JKLMNOL#$PQR*STU WXY9Z [#$\%]#^.0_` ;<=>?@AB6CD89: 3VO'()*789:
345'()*+,-./6789:
͜Ε·Ͱͷೝূํࣜ ϑΟογϯάੑΛ࣋ͨͳ͍  26 • ͍ͣΕਓ͕ؒߦ͏அͷ෦͕ऑͱͳΔ • ύεϫʔυೝূ, TOTP, ϝʔϧ/SMSܦ༝ͷOTP:
࠷ॳͷURLΛ֬ೝͤ ͣೖྗ • ެࣜΞϓϦͳͲͷPush௨&ಉҙ : ࠷ॳͷURLΛ֬ೝͤͣʹಉҙ • ࣄલ֬ೝɺཤྺɺ௨ͱ͍ͬͨΈ͋Δ͕ࠜຊతͳରࡦͰͳ͍
FIDOೝূ w/ UserPresense (୯Ұཁૉ҉߸σόΠε, Single-Factor Cryptographic Devices)  27
• ೝূཁૉ : ॴ༗ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛར༻ • ηΩϡϦςΟΩʔ : PCʹ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩ
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ !"#$%&'()*+,-./012 aabcdef6gh4i !"#$%&'()*j4ik lmnFAB6opbqr5 ;<=>?@AB6CD89: 345'()*+,-./6789:
FIDOೝূ w/ UserVeri fi cation (ଟཁૉ҉߸σόΠε, Multi-Factor Cryptographic Devices)
 29 • ೝূཁૉ : ॴ༗ + ࣝ/ੜମ • ެ։伴҉߸ + ϩʔΧϧೝূ • อޢ͞Εͨ҉߸伴Λ༻͍ΔϋʔυΣΞσόΠεΛॴ༗͠ɺΞΫςΟ ϕʔτͷͨΊʹ2ཁૉͷೝূΛඞཁͱ͢Δͷ • ηΩϡϦςΟΩʔ : PINʹΑΔೝূ • εϚʔτϑΥϯ : ϩʔΧϧೝূ(ը໘ϩοΫղআ૬)
FIDOೝূͷ՝  30 • 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ • Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨΓͳ͘ͳͬͨ Γɺަͨ͠ࡍʹ࠶ొ͕ඞཁ • ରԠαʔϏε͕͜Ε·ͰͷύεϫʔυೝূͷΑ͏ʹ૿͑ͨΒ…?
• ಉఔͷೝূڧΛ࣋ͭೝূํࣜͱ??? • ෳͷAuthenticatorΛొ͓ͯ͘͠ඞཁੑ͕͋Δ
Passkey - ”FIDO multi-device credentials”  31 • 伴ใ͕σόΠεͰͳ͘Ϣʔβʔʹඥ͚ͮΒΕΔΑ͏ʹͳΔ •
͜Ε·ͰFIDOͰਐΊ͖ͯͨݎ࿚ͳ伴ཧͱผ • ϓϥοτϑΥʔϚʔʹΑΔಉظʹΑΔϦΧόϦʔͷվળ • खݩͷεϚʔτϑΥϯΛར༻ͨ͠UXվળ (ޙ͔Βհ)
Passkey - ”FIDO multi-device credentials”  32 • ୯ҰϓϥοτϑΥʔϜͷྗΛ༻͍ͯύεΩʔΛಉظ 1.
Mac ͷ TouchIDΛ༻͍ͯPassKeyΛొ • iCloud KeychainʹΑΔಉظ -> AppleϢʔβʔʹ伴͕ඥ͚ͮΒΕΔ 2. ϩάΞτͯ͠ɺTouchIDͷΈͰϩάΠϯͰ͖Δ(͜Ε·Ͱ௨Γ) 3. iPhone͔ΒΞΫηεͨ͠ࡍʹʮอଘࡁΈͷPassKeyͰϩάΠϯʯΛ બ͢ΔͱFaceIDͳͲΛ༻͍ͯϩάΠϯͰ͖Δ
Passkey - ”FIDO multi-device credentials”  33 • ෳϓϥοτϑΥʔϜΛލ͙߹ͷUXվળ 1.
ࣄલʹAndroidͰύεΩʔΛొ 2. Mac͔ΒΞΫηε͠ɺQRίʔυΛಡΈࠐΜͰAndroidͰϩάΠϯ Մೳ (caBLEͱݺΕΔଓํ๏) 3. ͦͷޙʹTouchID͕ཁٻ͞Εɺࠓޙ͜ͷͰTouchIDͷΈͰ ϩάΠϯՄೳʹͳΔ
ᶆ ೝূํࣜΛ࣋ͨͳ͍ͱ͍͏બࢶ
ID࿈ܞʹΑΔϩάΠϯ  35 • Identity Provider(IdP)ͷϢʔβʔใΛར༻͢Δ • දతͳϓϩτίϧ͕OpenID Connect, OAuth
2.0 + Ϣʔβʔใ APIͳͲ • Ϣʔβʔࣝผࢠͷඥ͚Λཧ͢Δ͜ͱͰϩάΠϯʹར༻ • ଐੑใΛ׆༻ͯ͠UXΛ্ • ֬ೝࡁΈϝʔϧΞυϨεɺి൪߸ɺຊਓ֬ೝใͳͲ
ID࿈ܞͷ՝  36 • IdPͱ৺த • ΞΧϯτBAN, ো࣌ʹͦΕΛར༻͢ΔαʔϏε͑ͳ͘ͳ ΔՄೳੑ͕͋Δ •
IdPͷΞΧϯτ͕ͬऔΒΕͯ͠·ͬͨΒαʔϏεѱ༻͞ΕΔ
Identity Wallet (ؔ࿈Ωʔϫʔυ: SSI, DID, Veri fi able Credentials)
 37 • IdPʹґଘ͢ΔͷͰͳ͘ɺݸਓ͕ࣗͷใΛཧ͢ΔελΠϧ • Ծ௨՟͋ͨΓͰʹ͢Δׂ୲ • Issuer : Ϣʔβʔใͷఏڙɺূ໌ॻͷൃߦ • Holder(Wallet) : ϢʔβʔใΛཧ͢ΔΞϓϦϒϥβػೳ • Veri fi er : Holder ʹใΛཁٻ͠ɺऔಘͨ͠ใΛݕূͯ͠ར༻ • Open Wallet Foundation͕ઃཱ͞Ε͕ͯ࣌ਐΜͰ͍͘ؾ
҆શੑɺརศੑΛߴΊΔ Ξϓϩʔν
՝ΛΧόʔ͢ΔΈ͕ඞཁ  39 • Ϣʔβʔ͕Ͱ͖Δͷ • ύεϫʔυϚωʔδϟʔͷར༻ • αʔϏε͕Ͱ͖Δ͜ͱ :
खݩͷεϚʔτϑΥϯΛ༻͍ͯརศੑΛ͋͛ ΔΈΛಋೖ • SMS OTP : WebOTP • WebAuthn
ύεϫʔυϚωʔδϟʔͷར༻  40 • ύεϫʔυੜɺཧΛͤΔ = ೝূཁૉΛ”ॴ༗”ʹมߋ • TOTPରԠόοΫΞοϓίʔυΛอଘͰ͖Δͷ͋Δ •
Ϛελʔύεϫʔυཧ͕ॏཁʹͳΔ(SPOFͱݴ͑Δ) • ϒϥβ / OSਵͷͷ vs ಠཱͨ͠αʔϏε • ར༻ελΠϧʹԠͯ͡બྑͦ͞͏
Android / Chrome Ͱ࣮ݱͰ͖ΔϩάΠϯUX
ࠓճͷΩʔϫʔυ : “खݩͷεϚϗͰϩάΠϯ” (a.k.a Decoupled Authentication)
WebOTP https://web.dev/web-otp/  43 • SMSͰૹΒΕͨϫϯλΠϜύεϫʔυΛ҆શʹऔಘ͢ΔͨΊͷΈ • υϝΠϯΛؚΉϫϯλΠϜύεϫʔυͷϝοηʔδϑΥʔϚοτ • JavaScript
هड़ + input λά • Android ͷ SMS Retriever API ͱಉ
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  44
WebOTP - Android Chrome ϒϥβΛ։͍ͨ··OTPΛऔಘՄೳ  45
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  46
WebOTP - (Desktop / Android) Chrome ಉظ͍ͯ͠ΔAndroidͷ௨Ͱಉҙ->సૹ  47
WebOTP https://web.dev/web-otp/  48 • ϝοηʔδʹؚ·ΕΔυϝΠϯͱҰக͍ͯ͠Δ͔Λϒϥβ͕ݕূ • ”͜ͷΈΛ͏ͱ͖” ϑΟογϯάੑΛ࣋ͭ •
ڥ͝ͱͷରԠෆཁɺඞཁͳͷϒϥβ͕WebOTPʹରԠ͍ͯ͠ Δ͔Ͳ͏͔͚ͩ • ༷௨Γ࣮͢Δ͚ͩͰChrome͕ରԠͯ͘͠ΕΔ
WebAuthn https://www.w3.org/TR/webauthn-2/  49 • WebΞϓϦέʔγϣϯ͔ΒFIDOೝূΛར༻͢ΔͨΊͷϒϥβAPI • ϒϥβ͕հೖ͠ɺ伴ใ͕originʹඥ͚ͮΒΕΔͨΊʹϑΟογϯάੑΛ࣋ͭ • Platform
Authenticator(εϚϗ/PCࣗମ) / Roaming Authenticator(ηΩϡϦςΟΩʔ) ͕ೝূثͱͯ͠ར༻Մೳ • खݩͷεϚʔτϑΥϯΛ༻͍ͯ伴ใͷొ/ೝূΛ࣮ݱ͢ΔΈ͕͋Δ • caBLE (cloud-assisted BLE) : QRίʔυ + BLE • ChromeͰಉظ͞Ε͍ͯΔ : Push௨ + BLE
WebAuthn w/ caBLE QRίʔυ + BLE ͰϩάΠϯ  50 PC
Android
WebAuthn w/ caBLE Ұར༻ͨ͠Push௨Ͱར༻Մೳ  51 PC Android
WebAuthn w/ (Desktop + Android) Chrome ಉظࡁΈͷ࠷ॳ͔ΒPush௨Ͱར༻Մೳ  52 PC
Android
WebAuthn  53 • ॳͦͷͷ or USB/NFC/BLEͳͲͰηΩϡϦςΟΩʔͱͭͳ ͙ͱ͍͏ҹ͕ڧ͔͕ͬͨɺखݩͷεϚϗͱͭͳ͙Έ͋Δ • ୯ͳΔQRίʔυ+ωοτϫʔΫΞΫηεΛ༻͍ͨϩάΠϯͰͳ͘ɺ
BLEͰۙڑʹ͋ΔεϚϗͱ௨৴͢Δ͜ͱͰຊਓҎ֎ͷͰଓ͞Ε Δ͜ͱΛ͙ߟྀ͞Ε͍ͯΔ • ChromeͰಉظ͍ͯ͠ΔεϚʔτϑΥϯͰ͋ΕPush௨ͰΑΓָʹར ༻Մೳ
·ͱΊ  54 • C͚αʔϏεͰΘΕ͍ͯΔϢʔβʔೝূʹ͍ͭͯৼΓฦͬͨ • ͦΕͧΕͷೝূํࣜͰͷಛΛཧղ͠Α͏ • Android/ChromeΛ༻͍ͯ “खݩͷεϚϗͰϩάΠϯ”
Λ࣮ݱ͢ΔͨΊ ͷΈΛհͨ͠ • WebΞϓϦϕʔεͷೝূػೳΛఏڙ͍ͯ͠ΔαʔϏεɺϩάΠϯ ͷUXΛߟ͑Δ࣌ʹҙࣝ͠Α͏
ࢀߟϦϯΫ • ೝূʹ·ͭΘΔηΩϡϦςΟͷ৽ৗࣝ rev3 • https://speakerdeck.com/kthrtty/ren-zheng- nimatuwarusekiyuriteifalsexin-chang-shi • NIST Special
Publication 800-63B Digital Identity Guidelines (༁൛) • https://openid-foundation-japan.github.io/800-63-3- fi nal/ sp800-63b.ja.html
ࢀߟϦϯΫ  56 • GTA৽࡞ϦʔΫʹΘΕͨ“ଟཁૉೝূർΕ”߈ܸͱɹ1࣌ؒҎ্௨ ߈Ίɺैۀһͷࠜෛ͚ૂ͏ • https://www.itmedia.co.jp/news/articles/2209/28/news050.html • 2022൛Ϩϙʔτʮ2022
State of Secure Identity ReportʯΛެ։ • https://www.okta.com/jp/press-room/press-releases/ okta-2022ssir/
ࢀߟϦϯΫ  57 • σδλϧΥϨοτͷ૬ޓӡ༻ੑΛࢦ͢ஂମɺThe Linux Foundation͕ઃཱ • https://japan.zdnet.com/article/35193346/
ࢀߟϦϯΫ  58 • Our Take on Passkeys • https://auth0.com/blog/our-take-on-passkeys/
• Cross-device WebOTP • https://docs.google.com/document/d/ 1SlIaRlH0WEvvLMtQJZMuwZbH5bRs6SCPlxXwwnJQHMU/ edit#heading=h.xgjl2srtytjt
࣭ɺҙݟɺײΛ ͓͍ͪͯ͠·͢ɻ ฐࣾʹڵຯ͕͋Δํੋඇʂ