Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless authentication by Cody Salas, Yubico

APIdays_official, 24 slides, May 05, 2024

About This Presentation

Passkeys: Developing APIs to enable passwordless authentication
Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/



Slide Content

Passkeys: Developing APIs to enable passwordless authentication
Cody Salas, Sr. Developer Advocate | Solutions Architect @ Yubico
Apidays New York 2024

What are passkeys?

Passkeys at a glance
- They are: a replacement for passwords; phishing-resistant; a discoverable FIDO2 credential
- Supported by: the FIDO2 standard (WebAuthn and CTAP2 specifications)
- Available from: ubiquitous FIDO2-capable devices
- Identified with:

Passwords vs Passkeys
Password:
- String of characters
- Single factor: something you know
- Can be reused across multiple services
Passkey:
- Cryptographic key pair
- Multiple factors: something you have (device) + something you know (PIN) or something you are (biometric)
- Origin-bound and unique to each service

Cryptographic key pairs
1. Bob generates a key pair and holds the private key
2. Bob sends the public key to Alice
3. Alice encrypts a message with the public key
4. Alice sends the encrypted message to Bob
5. Bob decrypts the message with the private key

Cryptographic key pairs
1. The authenticator generates a passkey and holds the private key
2. The authenticator sends the public key to the application
3. The application issues an authentication challenge
4. The authenticator signs the challenge with the private key
5. The application verifies the challenge response

How it works
Components:
- Application (authenticating service)
- Client (browser/platform)
- External authenticator (security key / hardware token)
The application reaches the client through WebAuthn; the client reaches the external authenticator through CTAP2.

FIDO2 Standard: WebAuthn and CTAP2 specification
- Authentication standard hosted by the FIDO Alliance
- Combination of the WebAuthn API and the CTAP2 protocol
- WebAuthn API: browser API used to perform credential registration and authentication
- CTAP2: protocol used by platforms to communicate with external authenticators
The open FIDO2 standard allows all FIDO2-capable devices to be usable across every major browser, platform, and ecosystem.

Architecture of a passkey application

Relying party server and API

What is a relying party?
- Responsible for issuing and validating registration and authentication challenges*
  - The RP sends reg/auth challenges to a client, who executes them against the WebAuthn API
  - The client returns the result of the WebAuthn call to the RP for processing
- Can enforce policy-based rules against reg/auth requests
- The purpose of the RP is to manage passkeys, not user information**
* Unlike consuming a password, passkeys require a multi-step process
** This is the responsibility of the identity provider

API endpoints
API method categories:
Registration (attestation)
- POST /attestation/options – send the registration challenge (PublicKeyCredentialCreationOptions)
- POST /attestation/result – receive the public key of the newly created passkey
Authentication (assertion)
- POST /assertion/options – send the authentication challenge (PublicKeyCredentialRequestOptions)
- POST /assertion/result – receive the challenge signed by the passkey's private key
Credential management
- GET /user/credentials – allows a user to see the credentials associated with their account
- DELETE /user/credentials/{id} – allows a user to remove a credential from their account
- PUT /user/credentials/{id} – allows a user to change metadata for a specific credential (never the credential itself)

Registration flow: create a new passkey and register it to the RP
Participants: authenticator, client, relying party
1. Client: initialize the registration ceremony
2. Relying party: issue a registration challenge (/attestation/options)
3. Client: call the WebAuthn API and attempt to create the passkey
4. Authenticator: passkey created, return the credential
5. Client: return the response to the relying party (/attestation/result)
6. Relying party: return the registration result

Registration Options
- Defined as PublicKeyCredentialCreationOptions in the WebAuthn spec
- Some fields (challenge, user.id) are defined as an ArrayBuffer but can be translated to b64 and b64url encoding for transport
- authenticatorSelection is used to define characteristics such as:
  - Should the credential be discoverable?
  - Should the user input a PIN/biometric when the credential is created?
  - Should only a specific modality be used?

Authentication flow: find a passkey and attempt to respond to the challenge from the RP
Participants: authenticator, client, relying party
1. Client: initialize the authentication ceremony
2. Relying party: issue an authentication challenge (/assertion/options)
3. Client: call the WebAuthn API and attempt to find the passkey
4. Authenticator: passkey found, return the challenge response
5. Client: return the response to the relying party (/assertion/result)
6. Relying party: return the authentication result

Authentication Options
- Defined as PublicKeyCredentialRequestOptions in the WebAuthn spec
- The rpId field is what helps to ensure that the request is origin-bound
- userVerification is used to denote whether a user should present a PIN or biometric during auth
- timeout is primarily used by the RP to reject stale requests

SDKs and libraries
- Don't attempt to build the WebAuthn RP logic and components on your own
- There are numerous server-side libraries that can be used
- Our example was built using Yubico's java-webauthn-server library: https://github.com/Yubico/java-webauthn-server
- Other libraries can be found on community resources: https://passkeys.dev/docs/tools-libraries/libraries/

This presentation
The world of passkeys

Resource summary
- Sample project: https://github.com/YubicoLabs/passkey-workshop
- Community resources: https://passkeys.dev and https://github.com/herrjemand/awesome-webauthn
- Don't forget to check out Yubico's Developer Program: https://developers.yubico.com and https://github.com/YubicoLabs

Questions???