<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta
name="viewport"
content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"
/>
<title>Passkeys, FIDO2, Python, & You</title>
<link rel="stylesheet" href="dist/reset.css" />
<link rel="stylesheet" href="dist/reveal.css" />
<link rel="stylesheet" href="dist/theme/night.css" />
<!-- Theme used for syntax highlighted code -->
<link rel="stylesheet" href="plugin/highlight/monokai.css" />
</head>
<body>
<div class="reveal">
<div class="slides">
<section data-markdown>
<textarea data-template>
## Passkeys, FIDO2, Python, & You
### [Aaron Yong](https://aarony.dev)
#### EdmontonPy Nov 2022
</textarea>
</section>
<section data-markdown>
<textarea data-template>
### Goal
- Put passkeys on your radar
- Simpler registration and sign-in flows
- Provide information that's _mostly_ correct
---
### Background
- **Not a security expert**
- U of A 2014 CS grad
- Polyglot dev (1st lang: Perl, newest: Dart)
- Python'd for a few years (Django, FastAPI)
- Some front-end (VueJS)
- Mobile dev these days (Flutter)
</textarea>
</section>
<section>
<section data-markdown>
<textarea data-template>
### Discovery

<small>
https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/
</small>
---
### Web Demo
- [Passkeys.io](https://www.passkeys.io)
- [Basic Example](https://webauthnworks.github.io/FIDO2WebAuthnSeries/WebAuthnIntro/BasicExample.html)
- [Basic Passwordless Example](https://webauthnworks.github.io/FIDO2WebAuthnSeries/WebAuthnIntro/PasswordlessExample.html)
</textarea>
</section>
</section>
<section>
<section data-markdown>
<textarea data-template>
### Benefits
- Protection against phishing
- Reduced impact of data breaches
- Invulnerable to password attacks
(Source: [MDN](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API))
---
### Isn't this 2016 tech?
#### Yes. Sort of.
- Waiting for client-side adoption
- [May 2022](https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/): Apple, Google, Microsoft announce OS support
---
### Passkey Support
<img src="img/passkeys-client-adoption-2022-11-07.png" width="720" />
(Source: [passkeys.io](https://passkeys.io))
Also: [Passkeys.dev Device Support](https://passkeys.dev/device-support/)
</textarea>
</section>
</section>
<section>
<section data-markdown>
<textarea data-template>
## Jargon
tl;dr Edition
---
### FIDO & FIDO2
- **F**ast **ID**entity **O**nline, or [FIDO Alliance](https://fidoalliance.org/)
- Consortium that develops authentication standards
- **FIDO2**: Name for the passwordless auth protocol w/2 main specifications
- Web Authentication (WebAuthn) API
- Client to Authenticator Protocol (CTAP)
- Misc. others
---
### WebAuthn & CTAP
- **WebAuthn**: Browser-based JS API (`navigator.credentials.create()` / `.get()`) for creating and using public key credentials
- **CTAP**: Enables communication between an authenticator (phones, security keys) and client (e.g. browser) or platform (e.g. OS)
- **CTAP2** is latest iteration, **CTAP2.1** in Draft
---
### Authenticators
In FIDO2, there are 2 types
- **Platform authenticator**: Built into the device/OS, e.g., Windows Hello, Touch ID / Face ID, Android screen lock. The PIN, fingerprint or face is the _user verification_ step; the private key itself stays in the device's secure hardware
- **Roaming authenticator (security key)**: Separate physical device connecting via USB, NFC, or BLE (e.g., YubiKey)
This talk focuses on **platform authenticators**
---
### Relying Party
The server (usually your web backend) that registers credentials and verifies sign-in responses. It is identified by its **RP ID**, normally its domain; credentials are bound to that RP ID, which is what makes them useless on a lookalike phishing domain.
---
### Grammar
**Authentication with FIDO2** is more accurate than "Auth with WebAuthn".
**Sign in with a passkey** is valid.
</textarea>
</section>
</section>
<section>
<section data-markdown>
<textarea data-template>
## How It Works
### (Kind of)
---
### Disclaimer
I may have gotten some bits wrong.
Not a security expert, so will welcome all feedback on this topic!
---
### Asymmetric Public Key Cryptography
<img src="img/apkc-key-generation.png" width="240" />
<img src="img/apkc-encrypt-decrypt.png" width="240" />
Source: [Wikipedia](https://en.wikipedia.org/wiki/Public-key_cryptography)
- Alice: technically a device (the authenticator, which holds the private key)
- Bob: actually a web server (stores only the public key)
- Passkeys use the _sign/verify_ direction, not encrypt/decrypt: the device signs a server challenge, the server verifies the signature with the stored public key
---
### Registration
1. User supplies a username.
1. Server generates a random, single-use challenge, remembers it for this session, and sends it (with the RP ID and user info) to the user's browser.
1. Browser calls the WebAuthn API; the authenticator creates a new public/private key pair scoped to the RP ID.
- Shows OS's options for user verification (PIN, biometric).
1. If verified, client sends the credential ID, public key, and clientDataJSON (challenge + origin) back to server. The private key never leaves the authenticator.
1. Server checks challenge, origin and RP ID hash, then stores credential ID and public key (plus the sign counter) with user's ID and username.
---
### Authentication
<img src="img/fido2-auth-seq-diag.png" width="720" />
Source: [dev.yubico](https://developers.yubico.com/WebAuthn/Libraries/Using_a_library.html)
---
### Flows Look Similar
Yep.
Registration and authentication are two ceremonies with the same shape: challenge → user verification → signed response → server-side check. Build one, and you have basically built both!
🤯
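---
### Worked Example: Relying Party Checks
Added example in Python (stdlib only), not code from this talk or from `python-fido2`: the server-side checks behind the registration and authentication steps above, with a constructed assertion and a toy RS256 signer standing in for the authenticator so it runs offline. `example.com` / `https://example.com` are assumed values; the 512-bit RSA key is for demo speed and is not secure. In a real deployment the private key never leaves the authenticator and a library such as `python-fido2` does the verification.

```python
"""Relying-party side of a FIDO2/WebAuthn assertion, stdlib only. Added example,
not code from the talk or from python-fido2; a toy RS256 signer stands in for the
authenticator so it runs offline. 512-bit RSA is for demo speed only, NOT secure."""
import base64, hashlib, json, os, secrets, struct

RP_ID = "example.com"            # assumed relying party; credentials are scoped to it
ORIGIN = "https://example.com"   # the only origin allowed to use those credentials
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def _probable_prime(n, rounds=16):          # Miller-Rabin, fine for a demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):                   # ((n, e), (n, d)); real authenticators do this in hardware
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = secrets.randbits(half) | 1 << (half - 1) | 1
        while q == p or not _probable_prime(q):
            q = secrets.randbits(half) | 1 << (half - 1) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:                         # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa(msg, n):                          # EMSA-PKCS1-v1_5(SHA-256) as an integer < n
    k, t = (n.bit_length() + 7) // 8, _DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(priv, msg):
    n, d = priv
    return pow(_emsa(msg, n), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rs256_verify(pub, msg, sig):
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, n)

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def client_data_json(challenge, origin=ORIGIN):
    """The browser builds this itself, so page JS on a phishing site cannot forge the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def authenticator_get_assertion(priv, cdj, counter, uv=True):
    """Authenticator side: signs authenticatorData || SHA-256(clientDataJSON)."""
    flags = 0x01 | (0x04 if uv else 0)      # bit 0 = user present, bit 2 = user verified
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
    return auth_data, rs256_sign(priv, auth_data + hashlib.sha256(cdj).digest())

def verify_assertion(pub, stored_counter, expected_challenge, cdj, auth_data, sig, require_uv=True):
    """RP checks in the order of WebAuthn section 7.2; returns the counter to persist."""
    cd = json.loads(cdj)
    chal = cd.get("challenge", "")
    if cd.get("type") != "webauthn.get": raise ValueError("type")
    if not secrets.compare_digest(base64.urlsafe_b64decode(chal + "=" * (-len(chal) % 4)), expected_challenge):
        raise ValueError("challenge")       # replay, or a response to a different ceremony
    if cd.get("origin") != ORIGIN: raise ValueError("origin")   # relayed from a phishing site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest(): raise ValueError("rpIdHash")
    flags = auth_data[32]
    if not flags & 0x01 or (require_uv and not flags & 0x04): raise ValueError("user verification")
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if (counter or stored_counter) and counter <= stored_counter: raise ValueError("counter")  # clone?
    if not rs256_verify(pub, auth_data + hashlib.sha256(cdj).digest(), sig): raise ValueError("signature")
    return counter

def demo():
    """One good assertion, then the failure modes the checks above exist for."""
    pub, priv = rsa_keygen()                # registration stored pub + credential id + counter 0
    out, chal = {}, os.urandom(32)          # challenge: fresh per ceremony, kept server-side, single use
    cdj = client_data_json(chal)
    ad, sig = authenticator_get_assertion(priv, cdj, counter=5)
    out["ok"] = verify_assertion(pub, 0, chal, cdj, ad, sig)        # 5: persist as the new counter

    def attempt(name, *args):
        try:
            out[name] = verify_assertion(*args)
        except ValueError as err:
            out[name] = str(err)

    attempt("replay", pub, 5, os.urandom(32), cdj, ad, sig)         # old assertion, new challenge
    c2 = os.urandom(32)                                             # evil.example relays our challenge
    bad = client_data_json(c2, origin="https://evil.example")
    attempt("phish", pub, 5, c2, bad, *authenticator_get_assertion(priv, bad, counter=6))
    attempt("tamper", pub, 5, chal, cdj, ad[:33] + struct.pack(">I", 99), sig)  # counter edited, not re-signed
    c3 = os.urandom(32)
    cdj3 = client_data_json(c3)                                     # cloned key signs with a stale counter
    attempt("clone", pub, 5, c3, cdj3, *authenticator_get_assertion(priv, cdj3, counter=3))
    return out
```

`demo()` returns `{'ok': 5, 'replay': 'challenge', 'phish': 'origin', 'tamper': 'signature', 'clone': 'counter'}`. The signed message is always `authenticatorData || SHA-256(clientDataJSON)`, which is why the challenge, origin and counter cannot be edited without the private key. In the phishing case a real browser on `evil.example` would also hash its own RP ID, so the authenticator would find no matching credential at all; the server-side origin check is the relying party's own backstop, not the only defence.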
---
### Password Authentication

Source: [Ackermann Yuriy's WebAuthn Series](https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285)
---
### Password-less Authn w/FIDO2

example.com requires user verification, which the authenticator performs on the client side (PIN or biometric)
Source: [Ackermann Yuriy's WebAuthn Series](https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285)
</textarea>
</section>
</section>
<section>
<section data-markdown>
<textarea data-template>
## Libraries
### (aka "where's Python in all this?")
<small>For the latest:</small>
<small>https://github.com/herrjemand/awesome-webauthn</small>
---
### Client-side
- Web: [WebAuthn JS API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
- Android: [FIDO2 API for Native Apps](https://developers.google.com/identity/fido/android/native-apps)
- iOS: [Apple docs on Supporting Passkeys](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys)
---
### Server-side
There are quite a few already, for example:
- Python: [yubico/python-fido2](https://github.com/Yubico/python-fido2)
- Python: [duo-labs/py_webauthn](https://github.com/duo-labs/py_webauthn)
- C#/.NET: [FIDO2 for .NET](https://fido2-net-lib.passwordless.dev/)
- Best tl;dr website imo
- More: [awesome-webauthn repo](https://github.com/herrjemand/awesome-webauthn#server-libs)
</textarea>
</section>
</section>
<section data-markdown>
<textarea data-template>
## Python Flask Demo
I forked Yubico's `python-fido2` repo:
<small>https://github.com/ajyong/python-fido2/tree/platform-passwordless-flow</small>
Hacked the example to allow PIN-based verification
</textarea>
</section>
<section>
<section data-markdown>
<textarea data-template>
## Limitations & Considerations
---
### FIDO2 Requires Secure Context
- Web traffic must use HTTPS (`http://localhost` counts as a secure context, so plain HTTP works for local dev on localhost)
- Local demo used self-signed, good enough for local dev
- RP ID must be the site's domain (or a registrable parent of it), so hostname and cert have to line up
- If not on HTTPS train yet, it's time
---
### End User Reactions
- We're creatures of habit
- Lots of confusion, misinformation regarding authentication/security
Will a user immediately trust FIDO2?
It's almost _too simple_... 🤔
---
### End User Transition
May have to retain familiar sign-in methods in front of FIDO2.

Source: [Ackermann Yuriy's WebAuthn Series](https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285)
---
### Usernameless Flow?
- Needs _discoverable_ (resident) credentials: the authenticator stores the credential itself, so the server doesn't have to send a list of allowed credential IDs up front
- Technically possible, but CTAP2.0 has flaws being fixed in 2.1:
- Brute-force a CTAP2.0 security key, check if user's been to a website (2.1's `credProtect` extension lets the RP require user verification before a credential is even revealed)
- If authenticator is full, user forced to wipe entire device's stored creds (2.1 adds credential management, so individual creds can be deleted)
- Client-side support is still in flux between OSes and browsers
---
### Attestation...?
- tl;dr: lets the server verify which make/model of authenticator created the key (AAGUID plus an attestation certificate chain, checked against the FIDO Metadata Service)
- Lots of hoops just for that; only worth it if you must enforce hardware policy (e.g., only certified security keys)
- Pain ensues for the devs; most consumer sites should request `attestation: "none"`, and synced passkeys typically provide none anyway
- Ackermann Yuriy: [When you might need attestation](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651#4919)
---
### I Don't Trust You
Nor should you! I'm not a security expert.
However, if you trust public-key cryptography, e.g. SSH, passkeys rely on the same fundamentals.
(Devs and companies basically figured out how to get everyday folks to "SSH")
I encourage finding your own resources on FIDO2!
</textarea>
</section>
</section>
<section data-markdown>
<textarea data-template>
## Resources
Ackermann Yuriy's [Webauthn and FIDO2 Series](https://medium.com/webauthnworks/webauthn-fido-series-content-page-4f9a187aa588):
- [Intro to WebAuthn API and Passkey](https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285)
- [Demystifying attestation and MDS](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651)
FIDO Alliance
- https://fidoalliance.org/passkeys/
- From their own [Resources](https://fidoalliance.org/passkeys/#resources):
- [Passkeys.dev](https://passkeys.dev/)
- [Apple](https://developer.apple.com/passkeys/)
- [Google](https://developers.google.com/identity/passkeys)
</textarea>
</section>
<section data-markdown>
<textarea data-template>
## Thank You
### Questions? Comments?
- Slack: `@aaron.yong`
- Website: https://aarony.dev
- GitHub: https://github.com/ajyong
</textarea>
</section>
</div>
</div>
<script src="dist/reveal.js"></script>
<script src="plugin/notes/notes.js"></script>
<script src="plugin/markdown/markdown.js"></script>
<script src="plugin/highlight/highlight.js"></script>
<script>
// More info about initialization & config:
// - https://revealjs.com/initialization/
// - https://revealjs.com/config/
Reveal.initialize({
hash: true,
previewLinks: true,
// Learn about plugins: https://revealjs.com/plugins/
plugins: [RevealMarkdown, RevealHighlight, RevealNotes],
});
</script>
</body>
</html>