Transcript of: CS 253 Guest Talk WebAuthn Lucas Garron The future of user ... 14.pdf
The future of user authentication on the web 🤞
Lucas Garron, CS 253 Guest Talk, 2019-11-06
WebAuthn
About Me
You may know me from:
Chrome DevTools, Security (badssl.com, hstspreload.org)
Speedcubing, Dancing
WebAuthn at GitHub: Ben Toews (@mastahyeti) implemented U2F.
I wrote most of the WebAuthn implementation.
A few words on Responsibility
Security and Privacy are not “add-on features”.
Passwords (Redux)
“Use bcrypt.” Terribly phishable.
HaveIBeenPwned.com
Authentication Factors
Factor: Something you ___. ‽
Factor: Something you know.
Example: Password
Factor: Something you have.
Example: Security Key
Factor: Something you are.
Example: Fingerprint
Classical “Factors”
Stop thinking about factors
WebAuthn is supposed to help you… stop thinking about factors.
WebAuthn
A browser API for many authentication factors.
WebAuthn
navigator.credentials.create(...)
navigator.credentials.get(...)
WebAuthn
https://www.w3.org/TR/webauthn/#idl-index
Demo Time! webauthn.io, webauthntest.azurewebsites.net
Windows Hello, Fingerprint (Android)
Touch ID (Chrome macOS)
Try it yourself!
Stop thinking about factors
A tour of factors
“We’ve emailed you a login link.”
Security Images
Not a user auth factor.
Useless against “Meddler in the Middle” attacks
SMS
TOTP: Time-based One-Time “Password”
HOTP: Hash-based One-Time “Password”
(no one uses this)
PAKE: Password Authenticated Key Exchange
(uncommon on the web)
Different security strengths
Client Certificates
SSH Key
Push notifications
Something you… can do?
Under the hood
Developer Terminology
U2F: The experimental non-standard precursor API to WebAuthn. Still used.
CTAP2: Used by your browser/OS to communicate with security keys.
FIDO2
≈ WebAuthn + CTAP2
Implementing WebAuthn
User-Facing Terminology
For now: “security key”
In the future: “using your device”?
Configuration
User presence vs. user verification
Resident key vs. non-resident key
Platform vs. roaming
@github/webauthn-json
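As an added example (not code from the talk and not the @github/webauthn-json library itself), the following builds the option objects for the two API calls shown earlier, navigator.credentials.create() and navigator.credentials.get(), from the three configuration choices above. The relying party "example.com", the user id and the challenge are constructed sample values; the base64url decoding is the conversion @github/webauthn-json does for you.

```javascript
// Decode a base64url string (the encoding a server typically sends) into the
// ArrayBuffer that the WebAuthn API requires for challenge and id fields.
function base64urlToBuffer(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bytes = Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
}
// Registration: options for navigator.credentials.create({ publicKey: ... }).
// `choices` carries the three configuration decisions from the slides.
function buildCreationOptions(serverJson, choices) {
  const selection = {
    // "platform" (Touch ID, Windows Hello) or "cross-platform" (roaming
    // security key); omitting the field lets the user pick either kind.
    ...(choices.attachment ? { authenticatorAttachment: choices.attachment } : {}),
    residentKey: choices.residentKey, // "required" | "preferred" | "discouraged"
    requireResidentKey: choices.residentKey === "required", // Level 1 spelling
    // "required" = PIN/biometric check; "discouraged" = a presence touch is enough
    userVerification: choices.userVerification,
  };
  return {
    rp: serverJson.rp,
    user: { ...serverJson.user, id: base64urlToBuffer(serverJson.user.id) },
    challenge: base64urlToBuffer(serverJson.challenge),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // COSE alg -7 = ES256
    timeout: 60000,
    authenticatorSelection: selection,
    attestation: "none",
  };
}
// Re-authentication: options for navigator.credentials.get({ publicKey: ... }).
// Non-resident credentials must be listed in allowCredentials; with resident
// (discoverable) credentials the server can send an empty list.
function buildRequestOptions(serverJson, userVerification) {
  return {
    rpId: serverJson.rpId,
    challenge: base64urlToBuffer(serverJson.challenge),
    allowCredentials: serverJson.allowCredentials.map((c) => ({
      type: "public-key",
      id: base64urlToBuffer(c.id),
    })),
    userVerification,
    timeout: 60000,
  };
}
// Constructed sample server response: challenge is bytes 0..31, user id "user-123".
const sampleRegistration = {
  rp: { id: "example.com", name: "Example" },
  user: { id: "dXNlci0xMjM", name: "alice@example.com", displayName: "Alice" },
  challenge: "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8",
};
```

In a browser the result is passed as `navigator.credentials.create({ publicKey: buildCreationOptions(sampleRegistration, { attachment: "cross-platform", residentKey: "discouraged", userVerification: "preferred" }) })`; the returned credential's binary fields must be encoded back to base64url before they are sent to the server.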
Registration
New device
Re-authentication
Recovery
User Flows
Account Recovery
A big unsolved problem.
WebAuthn: A Journey
Worth adopting, but
there’s a long way to go.