In April 2019 WebAuthn was officially released to the world as a new standard for authentication. WebAuthn enables a rich set of authentication solutions to be built, but knowing how to enable these solutions is a major key to building a future where we no longer rely on passwords or phishable technologies. This session will dive into the journey of adopting WebAuthn, the components in the architecture of this modern authentication solution, and how this new protocol touches not only every stage of an account lifecycle but creates a new phase that must be supported. This session will help you understand not only how to deploy authentication solutions internally but also how to build great solutions for your customers.
4. Authentication Nirvana
A place where no one has to think about authentication
A place where everyone is able to access their applications and data using the devices that they carry
A place where the simplest authentication method is also secure enough to use on a day to day basis
A place where stories are told of the ancient horror of phishing
9. User Verification in a Post Password World
If we don't rely on secrets + something you have, we have to have a device that is unlocked by a secret or a biometric
MFA Combinations
● You are + You have
● You are + You know
● You have + You are
● You have + You know
● You know + You are
● You know + You have
22. 1. Creating a User Profile
Description: The application users are able to create accounts
User Benefits: The user is able to create a profile and store information
Security Story: Users are logging in with only a password. Not a good state to be in
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
23. 1. Creating a User Profile
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to register an account and enable passwords
● Enable users to set up an email address for recovery
Authentication:
● User types in user name and password
● Prompt users to verify recovery methods
Account Management:
● Enable users to change their password
● Enable users to change their email address
● Enable users to verify their email address
Account Recovery:
● Enable users to recover access to their account by sending an email for password reset
Account Removal:
● Enable users to request the deletion of their account
24. 2. Enabling a Second Factor
Description: The application users now can enroll a second factor
User Benefits: The user has a second factor authenticator for protecting their accounts
Security Story: Users are no longer logging in with only a password; better, but still phishable
Required Components:
● Self-Service Account Registration App *
● Self-Service Account Management App
● Self-Service Account Recovery App *
● Account Datastore *
● Administrator Account Registration App *
● Administrator Account Management App *
25. 2. Enabling a Second Factor
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to register an OTP credential during registration
Authentication:
● When authenticating, allow the user to authenticate with the second factor
Account Management:
● Enable users to manage OTP devices on the account
● Enable users to enroll more than one OTP device on their account
● Enable users to require MFA on the account
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover their account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
26. 3. Phishing Resistant Second Factor
Description: The application users now can use FIDO2/WebAuthn as a second factor
User Benefits: The user has a second factor authenticator that is phishing resistant for protecting their accounts
Security Story: Users now have a phishing resistant authenticator and we are no longer just relying on phishable credentials
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● WebAuthn Capable Identity Provider *
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
27. 3. Phishing Resistant Second Factor
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
Authentication:
● When authenticating, allow the user to authenticate with a Security Key
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to enroll more than one Security Key on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover their account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
28. 4. Platform Passwordless Authentication
Description: The application users now can use FIDO2/WebAuthn to log in without a password
User Benefits: The user can use the authenticator on their device without needing their password
Security Story: Users now have a method to securely bootstrap the credential and the biometrics on their compute devices
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App *
● Device Management App *
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
29. 4. Platform Passwordless Authentication
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
● Enable users to enroll a platform authenticator during registration
Authentication:
● Allow the user to authenticate with a Security Key
● Allow the user to authenticate with the platform authenticator
Device Enrollment:
● Prompt the user to enroll a platform authenticator as appropriate
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to manage devices on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover their account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
30. 5. Passwordless Security Keys
Description: The application users now can use Security Keys instead of a username & password experience
User Benefits: The user does not need to type and manage a password
Security Story: Users now have a method to log in without a password using a Security Key
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App
● Device Management App
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
31. 5. Passwordless Security Keys
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
● Enable users to enroll a platform authenticator during registration
Authentication:
● Allow the user to authenticate with a Security Key
● Allow the user to authenticate with the platform authenticator
Device Enrollment:
● Prompt the user to enroll a platform authenticator as appropriate
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to manage devices on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover their account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
32. 6. Passwordless Device Registration
Description: The application users now can use Passwordless Security Keys for device registration. This is the final step for users to remove passwords
User Benefits: The user has all the capabilities to remove usage of the password
Security Story: Users now have a method to log in without a password using a Security Key
Required Components:
● Self-Service Account Registration App
● Self-Service Account Management App
● Self-Service Account Recovery App
● Device Registration App
● Device Management App
● WebAuthn Capable Identity Provider
● Account Datastore
● Administrator Account Registration App
● Administrator Account Management App
33. 6. Passwordless Device Registration
Affected Stages of the Account Lifecycle
Account Registration:
● Enable users to enroll a Security Key during registration
● Enable users to enroll a platform authenticator during registration
Authentication:
● Allow the user to authenticate with a Security Key
● Allow the user to authenticate with the platform authenticator
Device Enrollment:
● Prompt the user to enroll a platform authenticator as appropriate
Account Management:
● Enable users to manage Security Keys on the account
● Enable users to manage devices on their account
● Enable users to disable other methods of authentication
● Enable users to configure attributes for recovery (email address, verified attributes, etc.)
Account Recovery:
● Enable users to recover their account with registered attributes
Account Removal:
● Enable properly authenticated users to delete their account
34. Looking at the journey ahead
Key Lessons:
● Migrating users from password-based authentication to passwordless requires solving the bootstrapping problem
● Security Keys are purpose-built external authenticators for bootstrapping
● We can build great apps that leverage Security Keys and platform authenticators to build excellent and secure deployments today
Authentication Nirvana
Users have a frictionless secure authentication experience
Administrators have the tools to increase friction only as needed
Authentication Nirvana does not have passwords and usernames to type in
Examples: Sign into Netflix on my TV
Things to Remember
Account Lifecycle Phases
Account Registration -> Authentication -> Account Management -> Account Recovery -> Account Removal
4. Key Concepts in the journey
a. Account Lifecycle Phases
i. Account Registration -> Authentication -> Account Management -> Account Recovery -> Account Removal
b. The bootstrapping problem
i. How does a credential on a device get created
ii. Bootstrapping with passwords vs bootstrapping with FIDO
c. Anchored Credentials
i. When bootstrapping with FIDO, the credential assurance of the platform authenticator is anchored in the identity assurance of the security key.
ii. From an account perspective, the security key is the root of trust
d. What is the Root of Trust?
i. Definition: Secure bootstrapping mechanism for Platform Authenticators
ii. Key Concept: The enrollment process for any of the roots of trust for a given account is the process that must be used for recovery to maintain the identity assurance.
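The anchored-credential and root-of-trust rules above, as an added Python example (not code from the talk or from any product it describes): a toy relying-party policy in which a platform credential can only be bootstrapped from a session authenticated with a Security Key, passwords can be disabled only once a phishing-resistant credential exists, and recovery must reuse the process that enrolled the root of trust. The `root_enrollment_process` field and the rule that removing a Security Key also drops the credentials anchored to it are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Kind(Enum):
    PASSWORD = "password"
    OTP = "otp"
    SECURITY_KEY = "security_key"  # external authenticator: the account's root of trust
    PLATFORM = "platform"          # platform authenticator: anchored to a security key

PHISHING_RESISTANT = {Kind.SECURITY_KEY, Kind.PLATFORM}

@dataclass
class Credential:
    cred_id: str
    kind: Kind
    anchored_to: str = ""  # id of the security key whose assertion bootstrapped this credential

@dataclass
class Account:
    user: str
    root_enrollment_process: str  # assumed field: how the root of trust was enrolled
    creds: dict = field(default_factory=dict)
    password_enabled: bool = True

def enroll_platform(acct: Account, cred_id: str, session_cred_id: str) -> Credential:
    """Bootstrap a platform credential only from a session authenticated with a security key."""
    anchor = acct.creds.get(session_cred_id)
    if anchor is None or anchor.kind != Kind.SECURITY_KEY:
        raise PermissionError("platform credentials must be bootstrapped with a security key")
    cred = Credential(cred_id, Kind.PLATFORM, anchored_to=anchor.cred_id)
    acct.creds[cred_id] = cred
    return cred

def disable_password(acct: Account) -> bool:
    """Passwords may be turned off only once a phishing-resistant credential exists."""
    if not any(c.kind in PHISHING_RESISTANT for c in acct.creds.values()):
        return False
    acct.password_enabled = False
    return True

def remove_credential(acct: Account, cred_id: str) -> list:
    """Remove a credential; anything anchored to a removed root of trust loses its assurance too (assumed rule)."""
    acct.creds.pop(cred_id)
    orphans = [c.cred_id for c in acct.creds.values() if c.anchored_to == cred_id]
    acct.creds = {k: c for k, c in acct.creds.items() if c.anchored_to != cred_id}
    return orphans

def recover(acct: Account, process: str) -> bool:
    """Recovery must reuse the process that enrolled the root of trust to keep identity assurance."""
    return process == acct.root_enrollment_process
```

Note that after the last Security Key is removed the account in this model has neither a password nor a root of trust, which is exactly the lockout the recovery design has to plan for.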
First Create an Account
Choose a good user name and password
Choose to let someone else be the identity provider for registering attributes or for authenticating users
Add Second Factor
Allow users to opt-in
Allow users to require it
Allow users to opt-out of second factor options
Add Phishing Resistant Second Factor
Add Platform Passwordless Authentication
Add External Security Key Passwordless Authentication
You have a user identifier, but why do you need to type it?
Add Platform Credential Registration Process using External Security Key