© 2024 Yubico
Passkeys
Developing APIs to enable passwordless authentication
Cody Salas
Sr. Developer Advocate | Solutions Architect @ Yubico
Apidays New York 2024
What are passkeys?
Passkeys at a glance
They are: a replacement for passwords; phishing-resistant; a discoverable FIDO2 credential
Supported by: the FIDO2 Standard (WebAuthn and CTAP2 specification)
Available from: ubiquitous FIDO2 capable devices
Identified with: (the passkey icon shown on the slide)
Passwords vs Passkeys
Password
● String of characters
● Single factor: something you know
● Can be reused across multiple services
Passkey
● Cryptographic key pair
● Multiple factors: something you have (device) + something you know (PIN) or something you are (biometric)
● Origin-bound and unique to each service
Cryptographic key pairs (Alice and Bob)
1. Bob generates a key pair and holds the private key
2. Bob sends the public key to Alice
3. Alice encrypts a message with the public key
4. Alice sends the encrypted message to Bob
5. Bob decrypts the message with the private key
Cryptographic key pairs (Authenticator and Application)
1. The authenticator generates a passkey and holds the private key
2. The authenticator sends the public key to the application
3. The application issues an authentication challenge and sends it to the authenticator
4. The authenticator signs the challenge with the private key
5. The application verifies the challenge response
How it works
Application (Authenticating service) <-- WebAuthn --> Client (Browser/platform) <-- CTAP2 --> External authenticator (Security key / Hardware token)
FIDO2 Standard: WebAuthn and CTAP2 specification
• Authentication standard
• Hosted by the FIDO Alliance
• Combination of: WebAuthn API + CTAP2 protocol
• WebAuthn API – Browser API used to perform credential registration and authentication
• CTAP2 – Protocol used by platforms to communicate with external authenticators
The open FIDO2 standard allows all FIDO2 capable devices to be usable across every major browser, platform, and ecosystem
Architecture of a passkey application
Relying party server and API
What is a relying party?
• Responsible for issuing and validating registration and authentication challenges
  *Unlike consuming a password, passkeys require a multi-step process
• The RP sends reg/auth challenges to a client, which executes them against the WebAuthn API
• The client returns the result of the WebAuthn call to the RP for processing
• Can enforce policy-based rules against reg/auth requests
• The purpose of the RP is to manage passkeys, not user information
  *This is the responsibility of the identity provider
API endpoints
API method categories
Registration (attestation)
• POST /attestation/options – send the registration challenge (PublicKeyCredentialCreationOptions)
• POST /attestation/result – receive the public key of the newly created passkey
Authentication (assertion)
• POST /assertion/options – send the authentication challenge (PublicKeyCredentialRequestOptions)
• POST /assertion/result – receive the challenge signed by the passkey’s private key
Credential management
• GET /user/credentials – allows a user to see the credentials associated with their account
• DELETE /user/credentials/{id} – allows a user to remove a credential from their account
• PUT /user/credentials/{id} – allows a user to change metadata for a specific credential (never the credential itself)
Registration flow
Create a new passkey, and register it to the RP
Participants: Authenticator, Client, Relying party
1. Client -> Relying party: initialize the reg ceremony
2. Relying party -> Client: issue a reg challenge (/attestation/options)
3. Client -> Authenticator: call WebAuthn API – attempt to create passkey
4. Authenticator -> Client: passkey created – return credential
5. Client -> Relying party: return response to relying party (/attestation/result)
6. Relying party -> Client: return registration result
Registration Options
Defined as PublicKeyCredentialCreationOptions in the WebAuthn spec
Some fields are defined as an ArrayBuffer, but can be translated to b64 and b64url encoding
• challenge
• user.id
authenticatorSelection is used to define characteristics such as
• Should the credential be discoverable?
• Should the user input a PIN/biometric when the credential is created?
• Should only a specific modality be used?
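Added example, not from the slides or the passkey-workshop project: the client-side translation between the RP's JSON (where challenge and user.id arrive base64url-encoded) and the ArrayBuffer fields that navigator.credentials.create() expects, plus the reverse encoding of the created credential for POST /attestation/result. Function names and the sample option values are assumptions.

```javascript
// Added example, not from the slides: the client-side translation between the RP's JSON
// and the ArrayBuffer fields WebAuthn expects. Function names are assumptions.

// base64url (no padding) <-> bytes, via the atob/btoa globals (browsers, Node 16+).
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}
function bytesToBase64url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// JSON from POST /attestation/options -> publicKey argument for navigator.credentials.create().
// challenge, user.id and excludeCredentials[].id are the ArrayBuffer-typed fields.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    user: { ...json.user, id: base64urlToBytes(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// PublicKeyCredential returned by the authenticator -> JSON body for POST /attestation/result.
function serializeAttestation(credential) {
  return {
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: bytesToBase64url(credential.response.clientDataJSON),
      attestationObject: bytesToBase64url(credential.response.attestationObject),
    },
  };
}

// Constructed sample reply from /attestation/options (illustrative values): the challenge
// decodes to bytes 0x01..0x10 and user.id to the UTF-8 string "user-123".
const sampleOptions = {
  rp: { name: 'Example RP', id: 'example.com' },
  user: { id: 'dXNlci0xMjM', name: 'alice', displayName: 'Alice' },
  challenge: 'AQIDBAUGBwgJCgsMDQ4PEA',
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  authenticatorSelection: { residentKey: 'required', userVerification: 'required' },
  timeout: 60000,
};
// Browser usage: navigator.credentials.create({ publicKey: toCreationOptions(sampleOptions) })
//   .then(cred => fetch('/attestation/result', { method: 'POST', body: JSON.stringify(serializeAttestation(cred)) }));
```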
Authentication flow
Find a passkey, and attempt to respond to the challenge from the RP
Participants: Authenticator, Client, Relying party
1. Client -> Relying party: initialize the auth ceremony
2. Relying party -> Client: issue an auth challenge (/assertion/options)
3. Client -> Authenticator: call WebAuthn API – attempt to find passkey
4. Authenticator -> Client: passkey found – return challenge response
5. Client -> Relying party: return response to relying party (/assertion/result)
6. Relying party -> Client: return authentication result
Authentication Options
Defined as PublicKeyCredentialRequestOptions in the WebAuthn spec
The rpId field is what helps to ensure that the request is origin-bound
userVerification is used to denote whether a user should present a PIN or biometric during auth
timeout is primarily used by the RP to reject stale requests
SDKs and libraries
Don’t attempt to build the WebAuthn RP logic and components on your own
There are numerous server-side libraries that can be used
Our example was built using Yubico’s java-webauthn-server library
https://github.com/Yubico/java-webauthn-server
Other libraries can be found on community resources
https://passkeys.dev/docs/tools-libraries/libraries/
This presentation
The world of passkeys
Resource summary
Sample project
● https://github.com/YubicoLabs/passkey-workshop
Community resources
● https://passkeys.dev
● https://github.com/herrjemand/awesome-webauthn
Don’t forget to check out Yubico’s Developer Program
• https://developers.yubico.com
• https://github.com/YubicoLabs
Questions???