Introduction to FIDO Authentication and Passkeys.pptx

FIDOAlliance 748 views 22 slides May 15, 2024

About This Presentation

FIDO Seminar RSAC 2024


Slide Content

Introduction to FIDO and Passkeys
Shane Weeden, Senior Technical Staff Member, IBM

Agenda
- FIDO authentication in a nutshell
- What is a passkey?
- Security spectrum
- User experience
- The wrap

FIDO Authentication

FIDO authentication

Client (computing device, user, authenticator with private key) <-> Relying Party Server (website, FIDO server, user accounts with public keys)

Client: I’m ready to login
Server: Ok, here’s a random challenge
Client: Here’s the challenge signed with my private key
Server: Yep, that’s correct!

Passwords                                               FIDO
A human generated symmetric secret                      Machine generated public key cryptography
Often re-used across websites                           Bound to a single RP (relying party)
Easily phished                                          Phishing resistant
Subject to credential stuffing, social engineering      Impractical to remotely attack
and server leakage

What is a passkey?

What is a passkey – let’s start with an example
How I login at work

What is a passkey?

Marketing definition: Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. (https://fidoalliance.org/passkeys/)

Technical definition: Passkeys are defined as any passwordless FIDO credential.

A syncable passkey is…
- A passkey that can be backed up and synchronized by the passkey provider across a user’s devices.
- A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager.
- Facilitates new device bootstrapping and simplifies account recovery.
- Security of syncable passkeys is the responsibility of the passkey provider.
(Diagram: passkey synchronization fabric)

Another example: Apple passkey using Safari on a consumer website

Security Spectrum

Security Spectrum
password -> password + conditional MFA -> syncable passkey -> device-bound passkey

User Experience

Inspiration from Password Manager UX
- Autofill UI familiar for users
- Privacy preserving
- HTML / JS instrumentation for website developers:

    <input id="username" type="text" autocomplete="webauthn">
    <script>
      // Conditional mediation: the browser offers the user's passkeys in the autofill UI for this field
      navigator.credentials.get({
        "publicKey": { "challenge": { … } },   // challenge issued by the relying party (elided on the slide)
        "signal": controller.signal,           // an AbortSignal from an AbortController (name assumed)
        "mediation": "conditional"
      }).then((assertion) => { … });
    </script>

Cross-device authentication
- Also known as the hybrid flow.
- A passkey on a mobile device can bootstrap another device.
- This can be the platform passkey, or one from a 3rd-party provider.
- You may wish to solicit platform authenticator registration after observing cross-device authentication.

Cross-platform authentication demo: Using an iPhone to bootstrap sign-in to Chrome/Windows

The wrap

Other resources
- General information: FIDO Alliance - https://fidoalliance.org/passkeys/
- Developer adoption: passkeys.dev (includes links to many other resources)

Wrapping up
- alternative to passwords, with enhanced security characteristics
- synchronized passkeys address account recovery
- hybrid flow for cross-device, cross-ecosystem sign in
- familiar UX

Thank you!
(Chart axis labels from the security spectrum slide: Security; Poor / Easy; Weak / Strong)