Passkeys and Identity Federation @ OpenID Summit Tokyo 2024

ritou
January 19, 2024

Presentation slides for the event below.
https://www.openid.or.jp/summit/2024/#event-outline


Transcript

  1. Contents • Features • Benefits of supporting passkeys for each IdP/RP of ID Federation • Related Specifications
  2. Passkey • Security • Public Key Cryptography • Phishing Resistance • Usability • Local Authentication • Synced Passkey with Password Manager
  3. Passkey • Issues • Account Recovery • Cross-platform Synchronization • Phase • 2023: Management, SignIn • 2024: SignUp, Migration from Password
  4. ID Federation • Usage • Authentication • Identity Proofing • OpenID Connect • Widely Supported Environment • Extensions for Various Use-cases
  5. ID Federation • Issues • UX without Browser Mediation • Privacy Risk • IdP-induced Trouble • Unsupported Specifications
  6. Passkey Advantage as Authentication Method • UX with Conditional Mediation • Reduced Privacy Risk • Controllable Authenticator-induced Trouble • Ease of use for Re-Authentication
  7. Complement ID Federation with Passkey • Usability Improvement • Appeal to users who avoid ID Federation (diagram: a "Sign In with…" button)
  8. Complement Passkey with ID Federation • Strong authentication method options • Support for Passkey unavailable environments (diagram labels: Password; Password TOTP; Passkey; ID Federation; Passkey)
  9. Advantages of IdP using Passkey • Protect multiple RPs • Account Recovery (MFA Options, ID Proofing) (diagram: Passkey, IdP, and four RPs)
  10. OpenID Connect Core 1.0 (diagram: RP, OP, End User; (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response)
  11. OpenID Connect Core 1.0 (same flow diagram, adding Passkey)
  12. OpenID Connect Core 1.0 (same flow diagram, adding Passkey, acr_values/claims, and acr/amr)
  13. OpenID Connect Core 1.0 (same flow diagram for ReAuth w/ Passkey, adding acr_values/claims, max_age, login_hint, id_token_hint, and acr/amr, auth_time)
  14. OpenID Connect Core 1.0 • Authentication Request Parameters for End-User Authentication • acr_values, claims • Claims for End-User Authentication • acr, amr, auth_time • Authentication Request Parameters for Re-Authentication • max_age, login_hint, id_token_hint
  15. OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 (draft 01) (diagram: RP, OP, End User; (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response; adding Passkey, acr/amr, and acr_values/claims)
  16. OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 (draft 01) • “acr” • “phr”: Phishing-Resistant • “phrh”: Phishing-Resistant Hardware-Protected • “amr” • “pop”: Proof-of-possession of a key • Other values are defined in RFC 8176
  17. RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol (diagram: RP, OP, End User, Resource Server; (1) Request Authentication (2) Authentication Request (3) User Interaction (4) Authentication Response (5) Resource Access)
  18. RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol (same diagram, adding acr, auth_time on two legs and Password)
  19. RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol (same diagram with (2), (7) Authentication Request and (6) Error with challenge; adding Passkey, acr_values/claims, max_age, and acr, max_age)
  20. RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol • Use-case • IdP: Authentication/Authorization Service • RP: SPA/Native App • RS: Payment, Healthcare, …
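Slides 14, 16 and 20 describe the OIDC request parameters and claims that carry authentication state, the EAP acr values, and the RFC 9470 step-up challenge. The following Python is an added example, not code from ritou's slides: an RP builds an Authentication Request that asks for a phishing-resistant login and checks the returned acr/auth_time, and a Resource Server emits an RFC 9470 challenge when an access token's authentication state is insufficient. The client id, redirect URI and token claims are constructed sample values.

```python
# Added example: RP-side handling of the OIDC authentication-state parameters
# and claims from the slides, plus an RFC 9470 step-up challenge on the RS side.
import json
import time

# "phr"/"phrh" come from OpenID Connect EAP ACR Values 1.0 (draft); a passkey
# login is expected to be reported with one of these acr values.
PHISHING_RESISTANT_ACRS = {"phr", "phrh"}


def build_auth_request(client_id, redirect_uri, nonce,
                       acrs=PHISHING_RESISTANT_ACRS, max_age=None):
    """Query parameters for an OIDC Authentication Request. The `claims`
    parameter asks the OP for an essential `acr` from the given set; `max_age`
    forces re-authentication when the last login is older than that many
    seconds (the OP must then return `auth_time`)."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "claims": json.dumps(
            {"id_token": {"acr": {"essential": True, "values": sorted(acrs)}}}),
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    return params


def authentication_satisfies(claims, acrs=PHISHING_RESISTANT_ACRS,
                             max_age=None, now=None):
    """Check the acr and auth_time claims (ID Token at the RP, or JWT access
    token at the RS) against the required authentication state."""
    now = time.time() if now is None else now
    if claims.get("acr") not in acrs:
        return False
    auth_time = claims.get("auth_time")
    if max_age is not None and (auth_time is None or now - auth_time > max_age):
        return False
    return True


def step_up_challenge(access_token_claims, required_acrs, max_age, now=None):
    """RFC 9470: the RS answers with a WWW-Authenticate challenge carrying
    acr_values and max_age when the token's authentication state is
    insufficient; the client repeats the Authentication Request with them."""
    if authentication_satisfies(access_token_claims, required_acrs, max_age, now):
        return None
    return ('Bearer error="insufficient_user_authentication", '
            'error_description="A different authentication level is required", '
            f'acr_values="{" ".join(sorted(required_acrs))}", max_age={max_age}')
```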
  21. Summary • Passkey and ID Federation have distinct features and complement each other when combined • There are benefits to both IdP and RP in ID Federation to support passkey • Let's support specifications for handling authentication states