• Home

  • Documents

  • CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user...
49
The future of user authentication on the web Lucas Garron CS 253 Guest Talk 2019-11-06 WebAuthn

CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

The future of user authentication on the web 🤞

Lucas GarronCS 253 Guest Talk2019-11-06

WebAuthn

Page 2: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

About Me

Page 3: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

You may know me from:

Chrome DevTools Securitybadssl.com, hstspreload.org

Speedcubing, Dancing

Page 4: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthnat GitHubBen Toews (@mastahyeti) implemented U2F.

I wrote most of the WebAuthn implementation.

https://twitter.com/mastahyeti
https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/
Page 5: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

A few words on Responsibility

Page 6: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06
Page 7: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Security and Privacyare not “add-on features”

https://www.apple.com/privacy/
Page 8: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Passwords (Redux)

“Use bcrypt”Terribly phishable

HaveIBeenPwned.com

Page 9: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

AuthenticationFactors

Page 10: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

FactorSomethingyou . ‽

Page 11: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

FactorSomethingyou know.

Example:Password

Page 12: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

FactorSomethingyou have.

Example:Security Key

Page 13: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

FactorSomethingyou are.

Example:Fingerprint

Page 14: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Classical “Factors”

Page 15: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Stop thinking about factors

Page 16: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn is supposed to help you…Stop thinking about factors

Page 17: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn

Page 18: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn

Afor many

browser APIauthentication factors.

Page 19: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn

navigator.credentials.create(...)

navigator.credentials.get(...)

Page 20: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn

https://www.w3.org/TR/webauthn/#idl-index

https://www.w3.org/TR/webauthn/#idl-index
https://www.w3.org/TR/webauthn/#idl-index
https://www.w3.org/TR/webauthn/#idl-index
https://www.w3.org/TR/webauthn/#idl-index
https://www.w3.org/TR/webauthn/#idl-index
Page 21: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Demo Time!webauthn.iowebauthntest.azurewebsites.net

https://webauthn.io/
https://webauthntest.azurewebsites.net/
Page 22: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Windows HelloFingerprint (Android)

Touch ID (Chrome macOS)

Try it yourself!

Page 23: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Stop thinking about factors

Page 24: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

A tour of factors

Page 25: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Email

“We’ve emailedYou a login link”.

Page 26: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Security Images

Not a user auth factor.

Useless against“Meddler inthe Middle”

attacks

Page 27: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

SMS

Page 28: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

TOTPTime-basedOne-Time“Password”

Page 29: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

HOTPHash-basedOne-Time“Password”

(no one uses this)

Page 30: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

PAKEPasswordAuthenticatedKeyExchange

(uncommon on the web)

Page 31: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Different security strengths

Page 32: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Client Certificates

Page 33: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

SSH Key

Page 34: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Push notifications

Page 35: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Something you… can do?

Page 36: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Under the hood

Page 37: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Developer Terminology

https://twitter.com/codekaiju/status/1179143359815933954
Page 38: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

The experimental non-standard precursor API

to WebAuthn. Still used.

U2F

Page 39: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Used by your browser/OSto communicate with

security keys

CTAP2

Page 40: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

FIDO2

≈ WebAuthn + CTAP2

Page 41: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Implementing WebAuthn

Page 42: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

User-Facing Terminology

Page 43: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

User-Facing Terminology

For now: “security key”

Page 44: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

User-Facing Terminology

In the future:“using your device”?

Page 45: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Configuration

User presence vs. user verification

Resident key vs. non-resident key

Platform vs. roaming

Page 46: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

@github/webauthn-json

Page 47: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Registration

New device

Re-authentication

Recovery

User Flows

Page 48: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

Account Recovery

A big unsolved problem.

Page 49: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf · The future of user authentication on the web 🤞 WebAuthn Lucas Garron CS 253 Guest Talk 2019-11-06

WebAuthn: A Journey

Worth adopting, but

there’s a long way to go.


WebAuthn 101 - Black Hat Briefings · WebAuthn 101 Demystifying WebAuthn Blackhat 2019. 2 Agenda MFA - a spectrum of assurance Enter WebAuthn Passwords aren’t enough. 3 Passwords

WebAuthn 101 - Black Hat Briefings · WebAuthn 101 Demystifying WebAuthn Blackhat 2019. 2 Agenda MFA - a spectrum of assurance Enter WebAuthn Passwords aren’t enough. 3 Passwords

Documents
Ijair 253 Final

Ijair 253 Final

Documents
FFSA : ARTICLE 253

FFSA : ARTICLE 253

Documents
WebAuthn with PHP...WebAuthn with PHP Arne Blankerts Co-Founder, The PHP Consulting Company Passwords are a shared secret How to find a good password A good Password policy? Must

WebAuthn with PHP...WebAuthn with PHP Arne Blankerts Co-Founder, The PHP Consulting Company Passwords are a shared secret How to find a good password A good Password policy? Must

Documents
ECS 253 / MAE 253, Lecture 6mae.engr.ucdavis.edu/dsouza/Classes/253-S16/Lectures/... · 2016. 4. 19. · ECS 253 / MAE 253, Lecture 6 April 14, 2016 “Percolation and Epidemiology

ECS 253 / MAE 253, Lecture 6mae.engr.ucdavis.edu/dsouza/Classes/253-S16/Lectures/... · 2016. 4. 19. · ECS 253 / MAE 253, Lecture 6 April 14, 2016 “Percolation and Epidemiology

Documents
253 koscher

253 koscher

Documents
lucas garron resume 2013-10-02

lucas garron resume 2013-10-02

Documents
Revista APSI 253

Revista APSI 253

Documents
253 PELIDONCHO

253 PELIDONCHO

Documents
DIN EN 253

DIN EN 253

Documents
WebAuthn: Beyond the Password · Subresource Integrity HTTPS Work Elsewhere Let’s Encrypt Certificate Transparency HSTS. WebAppSec: Enlisting the User Agent in Cooperative Policy

WebAuthn: Beyond the Password · Subresource Integrity HTTPS Work Elsewhere Let’s Encrypt Certificate Transparency HSTS. WebAppSec: Enlisting the User Agent in Cooperative Policy

Documents
Exhaust gas fl aps...VAG – 1K0 253 291 J 7.01300.24.0 – – 5Q0 253 101 AG 5Q0 253 691 F 7.03608.16.0 5Q0 253 692 5Q0 253 692 A 7.07696.00.0 5Q0 253 101 AJ 5Q0 253 101 AN 5Q0

Exhaust gas fl aps...VAG – 1K0 253 291 J 7.01300.24.0 – – 5Q0 253 101 AG 5Q0 253 691 F 7.03608.16.0 5Q0 253 692 5Q0 253 692 A 7.07696.00.0 5Q0 253 101 AJ 5Q0 253 101 AN 5Q0

Documents
Users/jehodges/Documents/work/standards/W3C/webauthn ...kingsmountain.com/doc/diff/diff-webauthn-index-master-1.../Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-1eebeed.txt,

Users/jehodges/Documents/work/standards/W3C/webauthn ...kingsmountain.com/doc/diff/diff-webauthn-index-master-1.../Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-1eebeed.txt,

Documents
Users/jehodges/Documents/work/standards/W3C/webauthn/index …kingsmountain.com/doc/diff/diff-webauthn-index-master-tr... · 2017. 8. 17. · /Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-tr-dda3e24-WD-05.txt,

Users/jehodges/Documents/work/standards/W3C/webauthn/index …kingsmountain.com/doc/diff/diff-webauthn-index-master-tr... · 2017. 8. 17. · /Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-tr-dda3e24-WD-05.txt,

Documents
Webauthn Tutorial

Webauthn Tutorial

Technology
253 - UNECE

253 - UNECE

Documents
Users/jehodges/Documents/work/standards/W3C/webauthn ...kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.pdf · 0092 This document is governed by the 1 March 2017 W3C

Users/jehodges/Documents/work/standards/W3C/webauthn ...kingsmountain.com/doc/diff/diff-webauthn-WD-07--from--WD-06.pdf · 0092 This document is governed by the 1 March 2017 W3C

Documents
Scientific Programming 19 (2011) 253–258 253 DOI 10.3233 ...downloads.hindawi.com/journals/sp/2011/198378.pdf · Scientific Programming 19 (2011) 253–258 253 DOI 10.3233/SPR-2011-0330

Scientific Programming 19 (2011) 253–258 253 DOI 10.3233 ...downloads.hindawi.com/journals/sp/2011/198378.pdf · Scientific Programming 19 (2011) 253–258 253 DOI 10.3233/SPR-2011-0330

Documents
Scientific Programming 19 (2011) 253–258 253 DOI 10.3233

Scientific Programming 19 (2011) 253–258 253 DOI 10.3233

Documents
Traffic Flow Plan - Michael Garron Hospital · EllisDon and the Michael Garron Hospital Redevelopment team are actively listening to community concerns and are interested in minimizing

Traffic Flow Plan - Michael Garron Hospital · EllisDon and the Michael Garron Hospital Redevelopment team are actively listening to community concerns and are interested in minimizing

Documents
Panasonic SD 253

Panasonic SD 253

Documents
Strategy 253

Strategy 253

Documents
Fda2555 253

Fda2555 253

Documents
Digita 253

Digita 253

Documents
FEMA 253.pdf

FEMA 253.pdf

Documents
CONTACT EXPERIENCE GARRON BALLARDgarronballard.com/assets/gb_resume-final_oct272.pdf · SKILLS & LANGUAGES Digital Photography Project Management Adobe Creative Cloud Heuristic Evaluation

CONTACT EXPERIENCE GARRON BALLARDgarronballard.com/assets/gb_resume-final_oct272.pdf · SKILLS & LANGUAGES Digital Photography Project Management Adobe Creative Cloud Heuristic Evaluation

Documents
RHCE RH 253

RHCE RH 253

Documents
Avt 253 photography

Avt 253 photography

Education
Users/jehodges/Documents/work/standards/W3C/webauthn/index …kingsmountain.com/doc/diff/diff-webauthn-index-master-tr... · 2017. 5. 7. · /Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-tr-ce7925c-WD-04

Users/jehodges/Documents/work/standards/W3C/webauthn/index …kingsmountain.com/doc/diff/diff-webauthn-index-master-tr... · 2017. 5. 7. · /Users/jehodges/Documents/work/standards/W3C/webauthn/index-master-tr-ce7925c-WD-04

Documents
253 Rastogi

253 Rastogi

Documents