Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Passkeys and Identity Federation @ OpenID Summi...

ritou
January 19, 2024

Passkeys and Identity Federation @ OpenID Summit Tokyo 2024

下記イベントの発表資料です。
https://www.openid.or.jp/summit/2024/#event-outline

ritou

January 19, 2024
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. Contents • Features • Bene fi ts of supporting passkeys

    for each IdP/RP of ID Federation • Related Speci fi cations 2
  2. Passkey • Security • Public Key Cryptography • Phishing Resistance

    • Usability • Local Authentication • Synced Passkey with Password Manager 4
  3. Passkey • Issues • Account Recovery • Cross-platform Synchronization •

    Phase • 2023: Management, SignIn • 2024: SignUp, Migration from Password 5
  4. ID Federation • Usage • Authentication • Identity Proo fi

    ng • OpenID Connect • Widely Supported Environment • Extensions for Various Use-cases 6
  5. ID Federation • Issues • UX without Browser Mediation •

    Privacy Risk • IdP-induced Trouble • Unsupported Speci fi cations 7
  6. Passkey Advantage as Authentication Method • UX with Conditional Mediation

    • Reduced Privacy Risk • Controllable Authenticator-induced Trouble • Ease of use for Re-Authentication 9
  7. Complement ID Federation with Passkey • Usability Improvement • Appeal

    to users who avoid ID Federation 10 4JHO*OXJUIʜ
  8. Complement Passkey with ID Federation • Strong authentication method options

    • Support for Passkey unavailable environments 11 w 1BTTXPSE w 1BTTXPSE 5051 w 1BTTLFZ w *%'FEFSBUJPO w 1BTTLFZ
  9. Advantages of IdP using Passkey • Protect multiple RPs •

    Account Recovery(MFA Options, ID Proo fi ng) 13 1BTTLFZ *E1 31 31 31 31
  10. OpenID Connect Core 1.0 15 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response
  11. OpenID Connect Core 1.0 16 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ
  12. OpenID Connect Core 1.0 17 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ BDS@WBMVFTDMBJNT BDSBNS
  13. OpenID Connect Core 1.0 18 31 01 End User (1)

    Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3F"VUIX 1BTTLFZ BDS@WBMVFTDMBJNT  NBY@BHF  MPHJO@IJOU JE@UPLFO@IJOU BDSBNS  BVUI@UJNF
  14. OpenID Connect Core 1.0 • Authentication Request Parameters for End-User

    Authentication • acr_values, claims • Claims for End-User Authentication • acr, amr, auth_time • Authentication Request Parameters for Re-Authentication • max_age, login_hint, id_token_hint 19
  15. OpenID Connect Extended Authentication Pro fi le (EAP) ACR Values

    1.0 (draft 01) 20 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 1BTTLFZ BDSBNS BDS@WBMVFTDMBJNT
  16. OpenID Connect Extended Authentication Pro fi le (EAP) ACR Values

    1.0 (draft 01) • “acr” • “phr”: Phishing-Resistant • “phrh”: Phishing-Resistant Hardware-Protected • “amr” • “pop”: Proof-of-possession of a key • Other value is de fi ned in RFC8176 21
  17. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    22 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access
  18. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    23 31 01 End User (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access BDS BVUI@UJNF BDS BVUI@UJNF 1BTTXPSE
  19. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    24 31 01 End User (1) Request Authentication (2), (7) Authentication Request (3) User Interaction (4) Authentication Response 3FTPVSDF 4FSWFS (5) Resource Access BDS BVUI@UJNF BDS BVUI@UJNF (6) Error with challenge 1BTTLFZ BDS@WBMVFTDMBJNT  NBY@BHF BDS NBY@BHF
  20. RFC 9470 : OAuth 2.0 Step Up Authentication Challenge Protocol

    • Use-case • IdP: Authentication/Authorization Service • RP: SPA/Native App • RS: Payment, Healthcare, … 25
  21. Summary • Passkey and ID Federation have distinct features and

    complement each other when combined • There are bene fi ts to both IdP and RP in ID Federation to support passkey • Let's support speci fi cations for handling authentication states 26