Code 2019

Building secure web experiences with Passwordless Authentication

About this presentation

<p>Passwords are a problem. Yubico did a survey of devs&#8230;</p> <ul> <li>69% admitted they&#8217;ve shared passwords at work</li> <li>67% don&#8217;t use 2FA at home</li> <li>51% have experienced an attack</li> <li>57% aren&#8217;t going to change their password practices(!)</li> </ul> <p>How can we solve this? WebAuthn is a W3C standard that aims to improve security when accepting user credentials by using <em>public key cryptography</em>.</p> <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Yubikey makes an appearance at <a href="https://twitter.com/hashtag/code19?src=hash&amp;ref_src=twsrc%5Etfw">#code19</a> with <a href="https://twitter.com/mkairys?ref_src=twsrc%5Etfw">@mkairys</a> <a href="https://t.co/w6wDmgn0oU">pic.twitter.com/w6wDmgn0oU</a></p>&mdash; Xavier Ho ?&#65039;&#8205;?? (@Xavier_Ho) <a href="https://twitter.com/Xavier_Ho/status/1141581504494968832?ref_src=twsrc%5Etfw">June 20, 2019</a></blockquote> <p>How it works:</p> <p>Authenticator eg. yubikey or code generator<br />(connects to&#8230;)<br />Client<br />(connects to&#8230;)<br />Relying Party</p> <p>Demo:</p> <ol> <li>Enter a username</li> <li>Chrome prompts for an authenticator</li> <li>Yubikey is pressed</li> <li>Application accepts authentication</li> </ol> <p>There are some browser prompts to accept/enable the tech.</p> <p>Benefits of this:</p> <ul> <li>Industry standard &#8211; good browser interest</li> <li>No passwords</li> <li>Seamless UX, faster authentication</li> <li>Secure by design (private keys never shared to the relying parties &#8211; the key is stored on the OS, eg. recognised fingerprint)</li> </ul> <p>(code walkthrough was too complex to capture accurately)</p> <p>Browser support &#8211; ok apart from IE11 and Safari. Safari is on the way for desktop, there&#8217;s no clear advice for mobile.</p> <p>Design considerations &#8211; authorizers are not always equal. Some options are easier than others; and people may not know the ins and outs of the options, like fingerprints being stored on a single device. Also people can injure themselves and not be able to use the same fingerprint and you need to be able to handle that scenario. Or they might lose the security key, replace their mobile and so on.</p> <p><a href="https://twitter.com/mkairys">@mkairys</a></p>