The future of user authentication on the web 🤞
WebAuthn
Lucas Garron, CS 253 Guest Talk, 2019-11-06
About Me
You may know me from:
Chrome DevTools Security, badssl.com, hstspreload.org
Speedcubing, Dancing
WebAuthn at GitHub
Ben Toews (@mastahyeti) implemented U2F.
I wrote most of the WebAuthn implementation.
A few words on Responsibility
Passwords (Redux)
“Use bcrypt”
Terribly phishable
HaveIBeenPwned.com
Authentication Factors
Factor: Something you … ‽
Factor: Something you know.
Example: Password
Factor: Something you have.
Example: Security Key
Factor: Something you are.
Example: Fingerprint
Classical “Factors”
Stop thinking about factors
WebAuthn is supposed to help you… stop thinking about factors
WebAuthn
WebAuthn
A browser API for many authentication factors.
WebAuthn
navigator.credentials.create(...)
navigator.credentials.get(...)
WebAuthn
https://www.w3.org/TR/webauthn/#idl-index
Demo Time!
webauthn.io
webauthntest.azurewebsites.net
Windows Hello
Fingerprint (Android)
Touch ID (Chrome macOS)
Try it yourself!
Stop thinking about factors
A tour of factors
“We’ve emailed you a login link”.
Security Images
Not a user auth factor.
Useless against “Meddler in the Middle” attacks
SMS
TOTP: Time-based One-Time “Password”
HOTP: Hash-based One-Time “Password”
(no one uses this)
PAKE: Password Authenticated Key Exchange
(uncommon on the web)
Different security strengths
Client Certificates
SSH Key
Push notifications
Something you… can do?
Under the hood
U2F
The experimental non-standard precursor API to WebAuthn. Still used.
CTAP2
Used by your browser/OS to communicate with security keys.
FIDO2
≈ WebAuthn + CTAP2
Implementing WebAuthn
User-Facing Terminology
User-Facing Terminology
For now: “security key”
User-Facing Terminology
In the future: “using your device”?
Configuration
User presence vs. user verification
Resident key vs. non-resident key
Platform vs. roaming
@github/webauthn-json
User Flows
Registration
New device
Re-authentication
Recovery
Account Recovery
A big unsolved problem.
WebAuthn: A Journey
Worth adopting, but
there’s a long way to go.