PassKeys are a relatively new way of authenticating. This presentation aims to provide some guidance on how you can implement them in your own application.
Added: May 11, 2024
Slides: 33 pages
PassKeys
How to implement them
Presenter: Marian Marinov
Director of Engineering, Web Hosting Canada
What are passkeys?
The idea behind them is to replace username and password combinations with something more secure and generally unique per application/website.
Are passkeys more secure?
➢ Randomly generated long string
➢ Cryptographically signed
➢ Cryptographically verifiable
➢ Unique passkey pair for each site/application
➢ Eliminating the possibility to reuse either usernames or passwords
Reality
➢ Usernames are still required
➢ Computer generated strings are hard
➢ Usage is cumbersome
➢ Adoption is low
➢ Reports of problems with major vendors
➢ Why I decided to speak about this topic?
➢ https://www.peeringdb.com/
Implementation
Handling of PassKeys on the client side
➢ You can use a HW device (I have examples)
➢ You can also use an iPhone or Android
Implementation
iPhone/Android situation
➢ Your authentication keys are stored on their cloud
➢ You have limited control
➢ The vendor can delete those without your consent
➢ The vendor can limit your access to your creds at any given time
PassKeys process (diagram; credit Yubico)
On the backend
Registration
➢ Generate a random challenge with an expiration time (CSRF)
➢ Generate a new user_id based on the username + challenge
➢ Enrol the passkey (pubkey + user_id)
➢ Store the generated pair on the backend
On the frontend
➢ Most of the work is here
➢ Support for devices in browsers
➢ All major browsers support it
➢ Annoying and large frontend libraries
Frontend implementation
➢ I decided to ride the wave of AI
➢ I asked ChatGPT to assist me
➢ Big mistake!
Once it was clear it would not build it for me...
Frontend implementation
I shamelessly stole the web interface from https://webauthn.io
Backend implementation
I used PostgreSQL
I needed two tables:
➢ challenges
➢ credentials
Challenges would probably be better with Redis/DragonFly auto-expiring keys
Backend implementation
I used PostgreSQL
table: challenges
id
username
challenge
created
table: credentials
id
sign_count
user_handle
credential_id
public_key
sign_count, if implemented, allows prevention of replay attacks
Backend implementation
I tried initially writing it in PHP with
web-auth/webauthn-lib
It did not work. Their example returned:
PHP Fatal error: Uncaught Error: Class "Webauthn\Server" not found
Backend implementation
Then I switched to my favourite
I found Authen::WebAuthn ...
But I decided to try to build it from scratch.
My basic Mojolicious app
I ended up creating the following endpoints in my app:
get '/'              Login form
post '/auth-options' Challenge generation
post '/auth-verify'  Authentication validation
post '/register'     User ID generation
post '/reg-verify'   Registering the user
Important definitions
➢ rp_id - Relying Party (hostname of your app)
➢ credential_id - ID that is stored on the backend
➢ allowCredentials - the server may request specific credentials
Backend - Registration
1. /auth-options - get supported options from the backend
2. /register - register the client and return passkey data
3. /reg-verify - validate the credentials
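As an added illustration, not the talk's own (Perl/Mojolicious) code, here is a Python sketch of the backend logic behind the challenges/credentials tables and the /auth-options and /auth-verify endpoints: one-time challenges that expire, and the sign_count check on the credentials row that catches replayed assertions or a cloned authenticator. RP_ID, CHALLENGE_TTL and the in-memory dicts standing in for the PostgreSQL tables are assumptions; verifying the ES256 signature over authenticatorData || sha256(clientDataJSON) is left out.

```python
import hashlib
import secrets
import struct
import time

# Constructed stand-ins for the deck's two tables; RP_ID and TTL are assumed values.
RP_ID = "example.com"
CHALLENGE_TTL = 120  # seconds; what Redis/DragonFly key expiry would give you
challenges = {}      # challenge -> (username, created)
credentials = {}     # credential_id -> {"public_key", "user_handle", "sign_count"}

def new_challenge(username):
    """Random one-time challenge bound to a username, with a creation time."""
    challenge = secrets.token_urlsafe(32)
    challenges[challenge] = (username, time.time())
    return challenge

def consume_challenge(challenge, now=None):
    """Returns the username if the challenge is fresh and unused, else None."""
    now = time.time() if now is None else now
    entry = challenges.pop(challenge, None)  # pop: a challenge is valid once
    if entry is None:
        return None
    username, created = entry
    return username if now - created <= CHALLENGE_TTL else None

def parse_authenticator_data(data):  # rpIdHash(32) | flags(1) | signCount(4, BE) | ...
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    return data[:32], data[32], struct.unpack(">I", data[33:37])[0]

def check_assertion(credential_id, auth_data):
    """rpIdHash, user-presence and sign_count checks for /auth-verify (no signature check)."""
    cred = credentials.get(credential_id)
    if cred is None:
        return "unknown credential"
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & 0x01:  # bit 0 = UP (user present)
        return "user not present"
    # Authenticators increment sign_count per assertion; unless both sides are 0
    # (counter unsupported), a non-increasing value means a replay or a clone.
    if (sign_count or cred["sign_count"]) and sign_count <= cred["sign_count"]:
        return "replay or cloned authenticator"
    cred["sign_count"] = sign_count
    return "ok"

def make_auth_data(sign_count, flags=0x01, rp_id=RP_ID):  # constructed test input
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```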
Problems with passkeys?
➢ Multiple reports that Apple has completely erased the passkey store for users
➢ Not fully supported everywhere.
➢ Cumbersome with HW devices
➢ Device missing
➢ Requiring restart of browsers in order to recognize a device