Upgrade to Pro — share decks privately, control downloads, hide ads and more …

様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ Droi...

ritou
September 15, 2023

様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023

下記イベントの発表資料です。
https://2023.droidkaigi.jp/timetable/493289/

ritou

September 15, 2023
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. Use Cases of 'Passkey' and the Challenges in UX ༷ʑͳϢʔεέʔεʹར༻Ͱ͖Δ

    "ύεΩʔ" ͷ ಋೖࣄྫͷ঺հͱUXͷ՝୊ղઆ Ryo Ito (@ritou) DroidKaigi 2023ʢ2023/09/15 15:00-15:40ʣ
  2. Today’s GOAL To understand: • The overview of Passkey •

    Two typical use cases of Passkey and their required features • UX challenges when introducing Passkey into consumer services • The relationship between Passkey and ID Federation 3
  3. Rough Overview of User Authentication • Password authentication is vulnerable

    • Generation of hard-to-guess strings • Memorization of multiple passwords • Countermeasures against phishing • Risks of leaks from services and secondary damage • Passkey authentication solves these challenges 5
  4. The Current Status of User Authentication • Human-managed credential management

    is vulnerable • System-managed credential management is required • Use of a password manager solves most problems, but it's dif fi cult to make it mandatory • Passkey assumes system-managed credential management and can enforce it on users 6
  5. FIDO, FIDO2, Passkey • FIDO • Security Using Public Key

    Cryptography • Usability Using Local Authentication 7
  6. FIDO, FIDO2, Passkey • FIDO • Security Using Public Key

    Cryptography • Usability Using Local Authentication 8
  7. FIDO, FIDO2, Passkey • FIDO2 • WebAuthn API + CTAP

    for Web Application • Phishing Resistance Through Browser Mediation 9
  8. FIDO, FIDO2, Passkey • Passkey : FIDO Credentials for Password-less

    Authentication • Device-bounded credentials + Multi-device credentials • Device-bounded : Security Key, Platform Authenticator without key synchronization • Platform Authenticator with key synchronization in Platform Account • External Password Manager 10
  9. FIDO, FIDO2, Passkey • Passkey : FIDO Credentials for Password-less

    Authentication • Device-bounded credentials + Multi-device credentials • Device-bounded : Security Key, Platform Authenticator without key synchronization • Platform Authenticator with key synchronization in Platform Account • External Password Manager 11
  10. Identi fi er fi rst SignIn • Service fi rst

    identi fi es user and requires authentication if Passkey is available • Note that having Passkey registered does not mean that Passkey is available 16
  11. One button SignIn • When the user clicks the button,

    the service requests authentication with an available Passkey • In the browser dialog, the user selects a Passkey to use, or uses another device's Passkey 18
  12. Auto fi ll (Conditional UI) • Browser displays the available

    Passkeys near the HTML input form or when focused, and the user selects from them or uses another device's Passkey • Passkey available with the same UX as password suggestions by Password Manager 21
  13. Hybrid transport • If the device requesting authentication and a

    nearby mobile device are connected via BLE, the mobile device's Passkey can be used • A UX that requires multiple Hybrid fl ows is too bad. It is also important to seamlessly require Passkey registration for each device 23
  14. Re-Authentication • To protect speci fi c services • Credential

    Management • Personal Information Management • Payment services • Fine-tuned Session Management • Expired Session • High-risk environment • Credential updated in another session • Low AAL(Authentication Assurance Level) 26
  15. Related Features • SignIn • Passkey registration promotion after successful

    non-Passkey login • SignUp • Create Account with passkey • Credential Management • Promote passkey • Create, Update(passkey’s name), Revoke • Account Recovery • Passkey registration promotion after recovery password 27
  16. Native Support or Web Application integration • Native Support •

    Utilizing functions/libraries provided for app developers from each platform • https://developer.android.com/training/sign-in/passkeys • Native apps can provide a similar UX using the same credentials as web apps • https://developer.android.com/design/ui/mobile/guides/patterns/passkeys • Web Application integration • Requesting passkey authentication in web browser • Dependent on browser usage patterns and support status 29
  17. Native Support or Web Application integration • Native Support •

    Utilizing functions/libraries provided for app developers from each platform • Native apps can provide a similar UX using the same credentials as web apps • Web Application integration • Requesting passkey authentication in web browser • Dependent on browser usage patterns and support status 34
  18. Challenges for registration • User Veri fi cation at passkey

    registration • More seamless Passkey registration is required (so that Google automatically generates a passkey when you log in to your Android device) 36
  19. Challenges for Authentication • Unfriendly error screen "No passkey available."

    • It is the RP that needs this error • One-way Hybrid Transport • Fallback authentication method required 37
  20. Challenges for Recovery • Best practices for passkey recovery •

    Two passkey registrations are dif fi cult • Self-recovery through eKYC and ID Federation 38
  21. Challenges for Credential Management • Delete and update passkeys synchronized

    with Authenticator and RP • Unavailable passkey listed in Auto fi ll • Username not synchronized 39
  22. Features of ID Federation • Simpli fi ed new account

    registration • Achieves a single sign-on-like user experience (UX) in authentication • Shares attribute information of the IdP account with the Relying Party (RP) under appropriate consent (such as pro fi le information, email, etc.) 41
  23. Weaknesses of ID Federation • Services and users who do

    not want to use a speci fi c IdP and wish to avoid privacy issues that could arise from consolidating identities • Impact when the IdP account is unavailable (due to outages or account BAN) • Re-authentication requirements are de fi ned in speci fi cations, but are rarely implemented in toC IdPs 42
  24. Passkey without ID Federation • Implementing secure and convenient authentication

    equivalent to IdP • Avoiding privacy issues by not integrating with IdP 43
  25. Passkey @ Relying Party • Applying Passkeys to the weaknesses

    of ID Federation • Alternative measures when Federation is unavailable • Re-authentication • Applying ID Federation to the weaknesses of Passkeys • Federation w/ Platform Accounts as a recovery method for Passkeys 45
  26. Passkey @ Relying Party • Applying Passkeys to the weaknesses

    of ID Federation • Alternative measures when Federation is unavailable • Re-authentication • Applying ID Federation to the weaknesses of Passkeys • Federation w/ Platform Accounts as a recovery method for Passkeys 46
  27. Overview Passkey is a mechanism that allows users to manage

    their FIDO credentials through the system. It offers the security of public key cryptography along with the convenience of local authentication, and it is evolving to support cross-device and cross-platform use. 48
  28. Use Cases • For the sign-in UX, the service needs

    to choose from several patterns to match the existing sign-in UX. • Passkey can be used for re-authentication to protect speci fi c functions and for fi ne-tuned session management. 49
  29. Challenges of Passkey • For Passkey to be widely adopted,

    it needs to be easier and less stressful to register. • For users who are not familiar with Passkey, it's essential to reduce error messages and guide them toward fallback options or recovery methods. • Information that might be changed, like usernames, should be simultaneously updated in both the RP and the Authenticator, and unnecessary Passkeys should be deleted at the same time. 50
  30. Passkey and ID Federation • IdP can increase the security

    and convenience of federated RPs by using Passkey. • RP combines ID federation and Passkey to compensate for each other's weaknesses. 51