SlideShare a Scribd company logo

W3C Web Authentication - #idcon vol.24

Nov Matake, profile picture
Nov Matake

The document discusses the W3C Web Authentication standard (also known as FIDO 2.0) for passwordless strong authentication on the web. It provides an overview of the key components and actors in the standard like FIDO authenticators, user agents, relying parties. It then summarizes the basic flows of registration and authentication in 2 phases. During registration, a key pair is generated on the authenticator and the public key is registered with the FIDO server. During authentication, the authenticator performs local authentication using the registered key and sends an assertion to the server for remote authentication.

Technology
1 of 44
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
W3C Web Authentication (a.k.a. FIDO 2.0) @nov
#idcon vol.20 - またの名を #fidcon https://idcon.org
Overview FIDO Authenticator User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server
FIDO の基本的な流れ ❖ Registration と Authentication の2フェーズ ❖ Registration ❖ FIDO Authenticator 内で鍵ペアを生成し公開鍵を FIDO Server に登録 ❖ Authentication ❖ 登録済の鍵を持つ FIDO Authenticator でローカル認証 ❖ FIDO Assertion を FIDO Server に送ってリモート認証
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Init Reg. Request
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Register Request
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request Select Authenticator & Authenticate
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request Select Authenticator & Authenticate Key Generation
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request AttestationAuth Key Generation
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request Reg. Response AttestationAuth Key Generation
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request Select Authenticator & Authenticate Reg. Response
Registration User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server init Reg. Request Reg. Response Verify Authenticator Key Generation AttestationAuth
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Init Auth Request
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Init Auth Request
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Init Auth Request AssertionAuth Fetch Key
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Auth Response Init Auth Request AssertionAuth
Authentication User Agent End-User Device FIDO Authenticator FIDO Client Relying Party Web Apps FIDO Authenticator Metadata FIDO Server Authenticate Auth Response Init Auth Request
❖ Web AuthN 仕様的には (一部) 考慮されて いるように見えるが、現状実装はなし。 ❖ まだ解決すべき課題が残っている、らしい。 ❖ 詳細は後の関水さんの発表で。 ❖ Chrome, FireFox, Edge が実装済。 ❖ WebKit も実装は開始している痕跡有。 ❖ この発表ではこちらを扱う。
W3C Web Authentication
https://www.w3.org/TR/webauthn
W3C Web Authentication ❖ 対象は Browser, FIDO Authenticator, FIDO Server ❖ FIDO Server 側の処理については後ほど倉林くんから ❖ この発表では JS API の話をメインに ❖ Browser and/or FIDO Authenticator 作る人は自分で頑張れ (!?) ❖ JS API Interface は W3C Credential Management API (*1) ベース ❖ “public-key” という Credential Type を追加定義 (*1) Credential Management API については #idcon vol.23 参照
https://web-authn.self-issued.app/u2f.js
https://web-authn.self-issued.app/u2f.js
https://web-authn.self-issued.app/u2f.js ※ 現状利用する鍵を指定する必要あり。
allowCredentials 必須 = U2F 相当 (chrome v68.0.3432.3)
open "Google Chrome (dev).app” --args --enable-features=WebAuthenticationCtap2
CTAP2 Authenticators?
FIDO Attestation & Assertion
FIDO Attestation (Registration Response)
URL-safe Base64 Encoded JSON URL-safe Base64 Encoded CBOR Obj ※ CBOR については @ritou より
Decoded Attestation Object
authData contains.. Name Length (in bytes) Description rpIdHash 32 SHA-256 hash of the RP ID associated with the credential. flags 1 Flags (bit 0 is the least significant bit): • Bit 0: User Present (UP) result. • Bit 1: Reserved for future use (RFU1). • Bit 2: User Verified (UV) result. • Bits 3-5: Reserved for future use (RFU2). • Bit 6: Attested credential data included (AT). • Bit 7: Extension data included (ED). signCount 4 Signature counter, 32-bit unsigned big-endian integer. attestedCredentialData variable (if present) attested credential data (if present). See §6.3.1 Attested credential data for details. Its length depends on the length of the credential ID and credential public key being attested. extensions variable (if present) Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and authenticator extension outputs as values. See §9 WebAuthn Extensions for details.
attestedCredentialData contains.. Name Length (in bytes) Description aaguid 16 The AAGUID of the authenticator. credentialIdLength 2 Byte length L of Credential ID, 16-bit unsigned big-endian integer. credentialId L Credential ID credentialPublicKey variable The credential public key encoded in COSE_Key format, as defined in Section 7 of [RFC8152], using the CTAP2 canonical CBOR encoding form. The COSE_Key-encoded credential public key MUST contain the optional "alg" parameter and MUST NOT contain any other optional parameters. The "alg" parameter MUST contain a COSEAlgorithmIdentifier value. The encoded credential public key MUST also contain any additional required parameters stipulated by the relevant key type specification, i.e., required for the key type "kty" and algorithm "alg" (see Section 8 of [RFC8152]).
Credential Public Key ※ 実際には COSE Key フォーマット
Decoded Client Data JSON
FIDO Assertion (Authentication Response)
Decoded Client Data JSON
authData contains.. Name Length (in bytes) Description rpIdHash 32 SHA-256 hash of the RP ID associated with the credential. flags 1 Flags (bit 0 is the least significant bit): • Bit 0: User Present (UP) result. • Bit 1: Reserved for future use (RFU1). • Bit 2: User Verified (UV) result. • Bits 3-5: Reserved for future use (RFU2). • Bit 6: Attested credential data included (AT). • Bit 7: Extension data included (ED). signCount 4 Signature counter, 32-bit unsigned big-endian integer. attestedCredentialData variable (if present) attested credential data (if present). See §6.3.1 Attested credential data for details. Its length depends on the length of the credential ID and credential public key being attested. extensions variable (if present) Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and authenticator extension outputs as values. See §9 WebAuthn Extensions for details.
Android OS as FIDO Authenticator
What's new in Android security (Google I/O '18)
iOS as FIDO Authenticator?
https://github.com/WebKit/webkit/blob/master/Source/ WebCore/Modules/webauthn/cocoa/LocalAuthenticator.mm

More Related Content

PDF
NIST SP 800-63C #idcon vol.22
Nov Matake
 
PDF
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
PDF
Sign in with Apple
Nov Matake
 
PDF
FIDO2 Specifications Overview
FIDO Alliance
 
PDF
Authlete: API Authorization Enabler for API Economy
Tatsuo Kudo
 
PDF
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Nov Matake
 
PDF
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
Tatsuo Kudo
 
PDF
FIDO2 Specifications Overview
FIDO Alliance
 
NIST SP 800-63C #idcon vol.22
Nov Matake
 
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
Sign in with Apple
Nov Matake
 
FIDO2 Specifications Overview
FIDO Alliance
 
Authlete: API Authorization Enabler for API Economy
Tatsuo Kudo
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Nov Matake
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
Tatsuo Kudo
 
FIDO2 Specifications Overview
FIDO Alliance
 

What's hot (20)

PDF
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
PDF
Integrating FIDO Authentication & Federation Protocols
FIDO Alliance
 
PDF
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
PDF
OAuth 2.0 Updates #technight
Nov Matake
 
PDF
FIDO alliance #idcon vol.18
Nov Matake
 
PDF
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
PDF
OpenID Foundation RISC WG Update - 2017-10-16
MikeLeszcz
 
PPTX
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Hitachi, Ltd. OSS Solution Center.
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
PDF
Full stack security
DPC Consulting Ltd
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PDF
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
PDF
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CloudIDSummit
 
PPTX
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
PPTX
API Security : Patterns and Practices
Prabath Siriwardena
 
PDF
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer
 
PDF
Enterprise Single Sign On
WSO2
 
PDF
FIDO U2F & UAF Tutorial
FIDO Alliance
 
PDF
OAuth and OpenID Connect for Microservices
Twobo Technologies
 
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
Integrating FIDO Authentication & Federation Protocols
FIDO Alliance
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
OAuth 2.0 Updates #technight
Nov Matake
 
FIDO alliance #idcon vol.18
Nov Matake
 
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
OpenID Foundation RISC WG Update - 2017-10-16
MikeLeszcz
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Hitachi, Ltd. OSS Solution Center.
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
Full stack security
DPC Consulting Ltd
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CloudIDSummit
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
API Security : Patterns and Practices
Prabath Siriwardena
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer
 
Enterprise Single Sign On
WSO2
 
FIDO U2F & UAF Tutorial
FIDO Alliance
 
OAuth and OpenID Connect for Microservices
Twobo Technologies
 
Ad

Similar to W3C Web Authentication - #idcon vol.24 (20)

PDF
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
PPTX
U2F/FIDO2 implementation of YubiKey
Haniyama Wataru
 
PDF
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Alliance
 
PDF
Web Authentication API
FIDO Alliance
 
PDF
エンタープライズの視点からFIDOとFederationのビジネスを考える
Masaru Kurahayashi
 
PPTX
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
FIDO Alliance
 
PDF
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
PDF
Ritou idcon7
Ryo Ito
 
PPTX
FIDOAlliance
Sanjeev Verma, PhD
 
PDF
JavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
Jun Kurihara
 
PPTX
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
apidays
 
PDF
Future-proofing Authentication with Passkeys
Nordic APIs
 
PDF
Web Authentication: a Future Without Passwords?
Natasha Rooney
 
PPTX
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
PPTX
Getting Started With WebAuthn
FIDO Alliance
 
PDF
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
PDF
Securing a Web App with Security Keys
FIDO Alliance
 
PDF
FIDO Technical Specifications Overview
FIDO Alliance
 
PDF
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
PDF
ざっくり解説 LINE ログイン
Naohiro Fujie
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
U2F/FIDO2 implementation of YubiKey
Haniyama Wataru
 
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Allian...
FIDO Alliance
 
Web Authentication API
FIDO Alliance
 
エンタープライズの視点からFIDOとFederationのビジネスを考える
Masaru Kurahayashi
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
FIDO Alliance
 
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
Ritou idcon7
Ryo Ito
 
FIDOAlliance
Sanjeev Verma, PhD
 
JavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
Jun Kurihara
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
apidays
 
Future-proofing Authentication with Passkeys
Nordic APIs
 
Web Authentication: a Future Without Passwords?
Natasha Rooney
 
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
Getting Started With WebAuthn
FIDO Alliance
 
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
Securing a Web App with Security Keys
FIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Alliance
 
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
ざっくり解説 LINE ログイン
Naohiro Fujie
 
Ad

More from Nov Matake (20)

PDF
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
PDF
FedCM - OpenID TechNight vol.19
Nov Matake
 
PDF
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Nov Matake
 
PDF
FIDO @ LINE - #idcon vol.24
Nov Matake
 
PDF
NIST SP 800-63C - Federation and Assertions (FINAL)
Nov Matake
 
PDF
ID連携概要 - OpenID TechNight vol.13
Nov Matake
 
PDF
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
Nov Matake
 
PDF
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
PDF
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
Nov Matake
 
PDF
OAuth認証再考からのOpenID Connect #devlove
Nov Matake
 
PDF
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 
PDF
JWT Translation #technight
Nov Matake
 
PDF
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
PDF
Self isssued-idp
Nov Matake
 
PDF
IIW 16th Report at #idcon
Nov Matake
 
PDF
Whats wrong oauth_authn
Nov Matake
 
PDF
OAuth 2.0 #idit2012
Nov Matake
 
PDF
Account Chooser #idit2012
Nov Matake
 
PPTX
諸外国の国民ID制度 #idcon 13th
Nov Matake
 
PDF
OpenID Connect via WebIntents
Nov Matake
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
FedCM - OpenID TechNight vol.19
Nov Matake
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Nov Matake
 
FIDO @ LINE - #idcon vol.24
Nov Matake
 
NIST SP 800-63C - Federation and Assertions (FINAL)
Nov Matake
 
ID連携概要 - OpenID TechNight vol.13
Nov Matake
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
Nov Matake
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
Nov Matake
 
OAuth認証再考からのOpenID Connect #devlove
Nov Matake
 
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 
JWT Translation #technight
Nov Matake
 
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
Self isssued-idp
Nov Matake
 
IIW 16th Report at #idcon
Nov Matake
 
Whats wrong oauth_authn
Nov Matake
 
OAuth 2.0 #idit2012
Nov Matake
 
Account Chooser #idit2012
Nov Matake
 
諸外国の国民ID制度 #idcon 13th
Nov Matake
 
OpenID Connect via WebIntents
Nov Matake
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Cloud computing and distributed systems.
kkkkkhan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

W3C Web Authentication - #idcon vol.24