Future-proofing Authentication with Passkeys
1 like765 views
The document discusses the benefits of passkeys as a secure alternative to traditional passwords, emphasizing their phishing resistance, ease of use, and secure storage options. It details the different types of passkeys, including hardware-bound and synced passkeys, along with the importance of device attestation in ensuring security. Additionally, it covers the implementation of step-up authentication to elevate security for sensitive API calls, providing an overview of the relevant protocols and standards.
Future-proofing Authentication with Passkeys
- 1. © 2022 Yubico © 2023 Yubico Joost van Dijk, Yubico Nordic APIs Platform Summit - October 18, 2023 Future-proofing Authentication With Passkeys
- 2. © 2023 Yubico ● Passkeys and API security ● What is a passkey? ● FIDO and the WebAuthn API ● Device attestation and the FIDO metadata service ● Assurance levels and step-up authentication Overview
- 3. © 2023 Yubico Protecting the OAuth Flow User Agent Application AuthZ Server Resource Server AuthZ Request AuthZ Code Response Token Request API Request API Response Token Validation User AuthN & Consent
- 4. © 2023 Yubico Protecting the OAuth Flow User Agent Application AuthZ Server Resource Server AuthZ Request AuthZ Code Response Token Request API Request API Response Token Validation User AuthN & Consent ??? JAR PAR PKCE DPoP JARM Non- Repudiation Signed Response Sender Constrained Aaron Parecki https://www.udemy.com/course/advanced-oauth-security/
- 5. © 2023 Yubico ● Passkeys are a more secure alternative to passwords ● More secure, because: ○ passkeys are resistant to phishing ○ passkeys have no secrets that can be leaked from servers ○ passkeys are generated automatically, never reused ○ passkeys can be stored on secure hardware ● Also easier to use: ○ “Sign in with your face, your finger, or your PIN” ○ Optionally, automatically backed up and synced What is a passkey?
- 7. © 2023 Yubico ● Roaming Authenticator also called cross-platform authenticator example: a USB security key ● Roaming authenticators can use different transports: USB, NFC, BLE, hybrid ● Platform Authenticator Built into user’s device example: a built-in fingerprint sensor ● Note: a single authenticator can store multiple passkeys! TouchID FaceID Windows Hello Passkeys are stored on Authenticators
- 8. © 2023 Yubico Hardware-bound ● Single-device ● Hardware attestation ● Ideal for high assurance use cases ● FIPS eligible ● Example: passkey stored on a security key Synced | Copyable passkeys ● Multi-device ● Backed up and synced across devices via a cloud provider ● No need to re-enroll a new device on every account! ● Synced across devices but not across ecosystems (Apple iCloud and Google Password Manager) Different types of passkeys
- 10. © 2023 Yubico FIDO Public Key authentication Veri fi er challenge response = sign(k, challenge) private key k public key p response Client challenge response Authenticator (Simplified) result = verify(p, response, challenge)
- 11. © 2023 Yubico Phishing resistance Veri fi er challenge response = sign(k, challenge) private key k public key p result = verify(p, response, challenge) response Client response Authenticator +origin +origin +origin (Simplified) challenge
- 13. © 2023 Yubico ● navigator.credentials.create() register new FIDO credential ● navigator.credentials.get() authenticate using a previously registered credential Webauthn: JavaScript API Client-side JavaScript Server-side application Browser WebAuthn API HTTPS CTAP Web Application
- 14. © 2023 Yubico Attestation and Metadata ● Attestation provides verifiable evidence as to the authenticator’s origin ● Based on a hardware attestation key and certificate ● Use FIDO Alliance Metadata Service to determine provenance ● Implement Allow/Deny lists to filter Authenticators ● Typically used in high-assurance (enterprise) use cases MDS Attestation Data Authenticator Metadata
- 15. © 2023 Yubico Metadata example ● aaguid (Authenticator unique ID) ● keyProtection e.g. secure_element ● transports e.g. usb ● status (certification level)
- 16. © 2023 Yubico Assurance Levels Password OTP Copyable passkey Hardware bound passkey High assurance Low assurance
- 17. © 2022 Yubico ● Step up: elevate the authentication assurance level for sensitive API calls ● Resource servers will return an error when step up is required ● Levels are expressed using an Authentication context class reference claim, for instance: "acr": "high" ● Use acr_values parameter in authorization requests to obtain the required level ● See RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol Step-up Authentication GET /sensitive HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM GET /authorize?client_id=…& response_type=code&acr_values=high AuthZ Server Resource Server API Request API Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer error="insufficient_user_authentication", acr_values=“high"
- 18. © 2023 Yubico Step-up Authentication User Agent Application AuthZ Server Resource Server AuthZ Request AuthZ Code Response Token Request API Request API Response User AuthN & Consent 200 OK Low Assurance Authentication GET /protected
- 19. © 2023 Yubico Step-up - Insufficient User Authentication User Agent Application AuthZ Server Resource Server AuthZ Request AuthZ Code Response Token Request API Request API Response User AuthN & Consent (High Assurance) API Request API Response 401 Unauthorized 200 OK GET /sensitive GET /sensitive High Assurance Authentication acr_values=high
- 20. © 2023 Yubico Key Take-aways ● Passkeys are a secure and user-friendly alternative to passwords ● Passkeys are phishing-resistant by design ● Don’t let user authentication become the weakest link of API security ● Don’t frustrate users by unnecessarily excluding authenticators ● Device attestation and the FIDO metadata service let you differentiate between different types of authenticator
- 21. © 2023 Yubico ● Demo: https://passkey.org/ ● Passkeys developers site: https://passkeys.dev/ ● FIDO Metadata Explorer: https://opotonniee.github.io/fido-mds-explorer/ ● Passkey Workshop: https://developers.yubico.com/Passkeys/ ● Workshop source code: https://github.com/YubicoLabs/passkey-workshop Resources