Future-proofing Authentication With Passkeys
Joost van Dijk, Yubico
Nordic APIs Platform Summit - October 18, 2023
© 2022 Yubico
© 2023 Yubico
Overview

● Passkeys and API security
● What is a passkey?
● FIDO and the WebAuthn API
● Device attestation and the FIDO metadata service
● Assurance levels and step-up authentication
Protecting the OAuth Flow

[Sequence diagram] Participants: User Agent, Application, AuthZ Server, Resource Server.
Messages: AuthZ Request, User AuthN & Consent, AuthZ Code Response, Token Request, API Request, Token Validation, API Response.
Protecting the OAuth Flow (continued)

[The same sequence diagram (User Agent, Application, AuthZ Server, Resource Server; AuthZ Request, User AuthN & Consent, AuthZ Code Response, Token Request, API Request, Token Validation, API Response), annotated with the protection that applies to each leg]
● Authorization request: JAR, PAR, PKCE (Non-Repudiation)
● Authorization response: JARM (Signed Response)
● Token request / API request: DPoP (Sender Constrained)
● User AuthN & Consent: ???

Source: Aaron Parecki, https://www.udemy.com/course/advanced-oauth-security/
What is a passkey?

● Passkeys are a more secure alternative to passwords
● More secure, because:
  ○ passkeys are resistant to phishing
  ○ passkeys have no secrets that can be leaked from servers
  ○ passkeys are generated automatically, never reused
  ○ passkeys can be stored on secure hardware
● Also easier to use:
  ○ “Sign in with your face, your finger, or your PIN”
  ○ Optionally, automatically backed up and synced
Demo
Passkeys are stored on Authenticators

● Roaming Authenticator (also called cross-platform authenticator)
  example: a USB security key
● Roaming authenticators can use different transports: USB, NFC, BLE, hybrid
● Platform Authenticator: built into the user’s device
  example: a built-in fingerprint sensor (pictured: TouchID, FaceID, Windows Hello)
● Note: a single authenticator can store multiple passkeys!
Different types of passkeys

Hardware-bound passkeys
● Single-device
● Hardware attestation
● Ideal for high assurance use cases
● FIPS eligible
● Example: passkey stored on a security key

Synced | Copyable passkeys
● Multi-device
● Backed up and synced across devices via a cloud provider
● No need to re-enroll a new device on every account!
● Synced across devices but not across ecosystems (Apple iCloud and Google Password Manager)
FIDO Public Key authentication (Simplified)

[Diagram] Authenticator (holds private key k) <-> Client <-> Verifier (holds public key p)
1. Verifier -> Client -> Authenticator: challenge
2. Authenticator: response = sign(k, challenge)
3. Authenticator -> Client -> Verifier: response
4. Verifier: result = verify(p, response, challenge)
Phishing resistance (Simplified)

[Same diagram as the previous slide, with "+origin" added at each step so the origin is bound into the signed data]
1. Verifier -> Client: challenge
2. Client -> Authenticator: challenge + origin
3. Authenticator: response = sign(k, challenge + origin)
4. Authenticator -> Client -> Verifier: response
5. Verifier: result = verify(p, response, challenge + origin)
CTAP and Webauthn

[Diagram] Roaming Authenticator --CTAP--> Platform --WebAuthn API--> Client --HTTPS--> Verifier (Relying Party)
Platform Authenticator --Platform API--> Platform
Label on the authenticator side: User Verification
Webauthn: JavaScript API

● navigator.credentials.create()
  register new FIDO credential
● navigator.credentials.get()
  authenticate using a previously registered credential

[Diagram] Browser (client-side JavaScript) --WebAuthn API--> authenticator via CTAP; Browser --HTTPS--> Web Application (server-side application)
Attestation and Metadata

● Attestation provides verifiable evidence as to the authenticator’s origin
● Based on a hardware attestation key and certificate
● Use the FIDO Alliance Metadata Service to determine provenance
● Implement Allow/Deny lists to filter Authenticators
● Typically used in high-assurance (enterprise) use cases

[Diagram] Authenticator -> Attestation Data; MDS -> Authenticator Metadata
Metadata example

● aaguid (Authenticator unique ID)
● keyProtection, e.g. secure_element
● transports, e.g. usb
● status (certification level)
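An allow/deny policy over metadata entries of the kind just listed, added here as an example (not code from the slides, the FIDO Alliance or the Passkey Workshop). The entries, the AAGUIDs and the two policies are constructed; the field names (aaguid, keyProtection, transports under authenticatorGetInfo, statusReports) and the status strings follow the MDS3 format. The policy assumes the AAGUID was taken from an attestation statement whose signature has already been validated against the attestation root in the metadata; otherwise the AAGUID is just a self-reported value.

```javascript
// Added example (not from the slides): allow/deny decisions driven by FIDO metadata.
// METADATA is constructed; the AAGUIDs are placeholders, not real products.
const METADATA = [
  {
    aaguid: '00000000-0000-0000-0000-00000000aaa1',
    description: 'Constructed hardware security key',
    keyProtection: ['hardware', 'secure_element'],
    authenticatorGetInfo: { transports: ['usb', 'nfc'] },
    statusReports: [{ status: 'FIDO_CERTIFIED_L1', effectiveDate: '2022-01-01' }],
  },
  {
    aaguid: '00000000-0000-0000-0000-00000000aaa2',
    description: 'Constructed software authenticator',
    keyProtection: ['software'],
    authenticatorGetInfo: { transports: ['internal'] },
    statusReports: [{ status: 'NOT_FIDO_CERTIFIED', effectiveDate: '2021-06-01' }],
  },
  {
    aaguid: '00000000-0000-0000-0000-00000000aaa3',
    description: 'Constructed key with a later compromise report',
    keyProtection: ['hardware'],
    authenticatorGetInfo: { transports: ['usb'] },
    statusReports: [
      { status: 'FIDO_CERTIFIED_L1', effectiveDate: '2020-03-01' },
      { status: 'ATTESTATION_KEY_COMPROMISE', effectiveDate: '2023-02-15' },
    ],
  },
];

// MDS3 status values that mean the model should no longer be trusted at all.
const BAD_STATUSES = new Set([
  'REVOKED', 'ATTESTATION_KEY_COMPROMISE', 'USER_VERIFICATION_BYPASS',
  'USER_KEY_REMOTE_COMPROMISE', 'USER_KEY_PHYSICAL_COMPROMISE',
]);

// Status reports accumulate over time; the most recent one is the one that counts.
function latestStatus(entry) {
  const sorted = [...entry.statusReports].sort((a, b) => a.effectiveDate.localeCompare(b.effectiveDate));
  return sorted[sorted.length - 1].status;
}

// policy fields (this example's own shape):
//   denyAaguids: Set, allowAaguids: Set or null (null = no allow list),
//   allowUnknown: accept AAGUIDs with no metadata (e.g. no attestation provided),
//   requireCertified: latest status must be FIDO_CERTIFIED*,
//   requireKeyProtection: at least one of these keyProtection values,
//   requireTransports: at least one of these transports (empty = any)
function evaluateAuthenticator(aaguid, policy, metadata = METADATA) {
  if (policy.denyAaguids.has(aaguid)) return { allowed: false, reason: 'aaguid on deny list' };
  if (policy.allowAaguids && !policy.allowAaguids.has(aaguid)) return { allowed: false, reason: 'aaguid not on allow list' };
  const entry = metadata.find(e => e.aaguid === aaguid);
  if (!entry) {
    return policy.allowUnknown ? { allowed: true, reason: 'no metadata, accepted by policy' }
                               : { allowed: false, reason: 'no metadata for aaguid' };
  }
  const status = latestStatus(entry);
  if (BAD_STATUSES.has(status)) return { allowed: false, reason: `status ${status}` };
  if (policy.requireCertified && !status.startsWith('FIDO_CERTIFIED')) return { allowed: false, reason: `not certified (${status})` };
  if (policy.requireKeyProtection.length && !policy.requireKeyProtection.some(k => entry.keyProtection.includes(k))) {
    return { allowed: false, reason: `keyProtection ${entry.keyProtection.join('/')} not acceptable` };
  }
  const transports = entry.authenticatorGetInfo.transports || [];
  if (policy.requireTransports.length && !policy.requireTransports.some(t => transports.includes(t))) {
    return { allowed: false, reason: `transports ${transports.join('/')} not acceptable` };
  }
  return { allowed: true, reason: `ok: ${entry.description}` };
}

// High assurance: certified, hardware-protected keys only. Low assurance: accept anything
// not known to be compromised, so users are not excluded unnecessarily.
const HIGH_ASSURANCE = { denyAaguids: new Set(), allowAaguids: null, allowUnknown: false,
  requireCertified: true, requireKeyProtection: ['hardware', 'secure_element'], requireTransports: [] };
const LOW_ASSURANCE = { denyAaguids: new Set(), allowAaguids: null, allowUnknown: true,
  requireCertified: false, requireKeyProtection: [], requireTransports: [] };

for (const e of METADATA) console.log(e.aaguid, evaluateAuthenticator(e.aaguid, HIGH_ASSURANCE));
```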
Assurance Levels

[Diagram: a scale from low to high assurance]
Low assurance <- Password | OTP | Copyable passkey | Hardware-bound passkey -> High assurance
Step-up Authentication

● Step up: elevate the authentication assurance level for sensitive API calls
● Resource servers will return an error when step up is required
● Levels are expressed using an Authentication Context Class Reference (acr) claim, for instance:
  "acr": "high"
● Use the acr_values parameter in authorization requests to obtain the required level
● See RFC 9470: OAuth 2.0 Step Up Authentication Challenge Protocol

API Request (Application -> Resource Server):

  GET /sensitive HTTP/1.1
  Host: server.example.com
  Authorization: Bearer mF_9.B5f-4.1JqM

API Response (Resource Server -> Application):

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Bearer
    error="insufficient_user_authentication",
    acr_values="high"

Step-up authorization request (Application -> AuthZ Server):

  GET /authorize?client_id=…&
    response_type=code&acr_values=high
Step-up Authentication

[Sequence diagram, low-assurance case] User Agent, Application, AuthZ Server, Resource Server
1. AuthZ Request -> User AuthN & Consent (Low Assurance Authentication) -> AuthZ Code Response
2. Token Request
3. API Request: GET /protected
4. API Response: 200 OK
Step-up - Insufficient User Authentication

[Sequence diagram, step-up case] User Agent, Application, AuthZ Server, Resource Server
1. AuthZ Request -> User AuthN & Consent -> AuthZ Code Response; Token Request
2. API Request: GET /sensitive
3. API Response: 401 Unauthorized
4. AuthZ Request with acr_values=high -> User AuthN & Consent (High Assurance Authentication) -> AuthZ Code Response; Token Request
5. API Request: GET /sensitive
6. API Response: 200 OK
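The exchange on the last three slides, modelled end to end in Node.js as an added example (not code from the slides or the Passkey Workshop): the resource server compares the access token's acr claim (and, for the sensitive endpoint, the age of the authentication via auth_time) against a per-endpoint policy and answers with the RFC 9470 challenge, and the application parses that challenge into an authorization request carrying acr_values. The endpoint policy, the ranking of "low" below "high", the token claims and all URLs are constructed for this example; RFC 9470 itself leaves the meaning and ordering of acr values to the deployment.

```javascript
// Added example (not from the slides): RFC 9470 step-up between a resource server and a client.
const ACR_RANK = { low: 1, high: 2 };        // acr values and their ordering in this example
const ENDPOINT_POLICY = {                     // constructed policy: required acr per path
  '/protected': { acr: 'low' },
  '/sensitive': { acr: 'high', maxAgeSeconds: 300 },
};

// Resource server side. `claims` are the access token claims after the token itself has
// been validated (signature, expiry, audience); that validation is out of scope here.
function evaluateApiRequest(path, claims, nowSeconds) {
  const rule = ENDPOINT_POLICY[path];
  if (!rule) return { status: 404, headers: {} };
  const have = ACR_RANK[claims.acr] || 0;
  const need = ACR_RANK[rule.acr];
  const stale = rule.maxAgeSeconds !== undefined &&
    (claims.auth_time === undefined || nowSeconds - claims.auth_time > rule.maxAgeSeconds);
  if (have >= need && !stale) return { status: 200, headers: {} };
  // RFC 9470 challenge: the error code plus the acr values the RS would accept,
  // and max_age when the authentication is recent enough in level but too old.
  const params = [
    'error="insufficient_user_authentication"',
    'error_description="A different authentication level is required"',
    `acr_values="${rule.acr}"`,
  ];
  if (stale) params.push(`max_age="${rule.maxAgeSeconds}"`);
  return { status: 401, headers: { 'WWW-Authenticate': `Bearer ${params.join(', ')}` } };
}

// Client side: pull the auth-params out of a Bearer challenge.
function parseBearerChallenge(header) {
  if (!header || !header.startsWith('Bearer ')) return null;
  const params = {};
  for (const m of header.slice(7).matchAll(/([\w-]+)="([^"]*)"/g)) params[m[1]] = m[2];
  return params;
}

// Client side: start a new authorization request that asks for the required level.
function buildStepUpAuthorizationUrl(authzEndpoint, clientId, redirectUri, state, challenge) {
  const url = new URL(authzEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  url.searchParams.set('acr_values', challenge.acr_values);
  if (challenge.max_age !== undefined) url.searchParams.set('max_age', challenge.max_age);
  return url.toString();
}

// The sequence from the slides: low-assurance token, 401, step-up, high-assurance token, 200.
function walkthrough() {
  const now = 1700000000;
  const lowToken = { sub: 'user1', acr: 'low', auth_time: now - 60 };       // constructed claims
  const first = evaluateApiRequest('/sensitive', lowToken, now);
  const challenge = parseBearerChallenge(first.headers['WWW-Authenticate']);
  const authzUrl = challenge && challenge.error === 'insufficient_user_authentication'
    ? buildStepUpAuthorizationUrl('https://as.example.com/authorize', 'app1',
                                  'https://app.example.com/cb', 'xyz', challenge)
    : null;
  // After the user authenticates again with a hardware-bound passkey, the AuthZ Server
  // issues a token carrying "acr": "high" and a fresh auth_time.
  const highToken = { sub: 'user1', acr: 'high', auth_time: now };
  const second = evaluateApiRequest('/sensitive', highToken, now);
  return { first, challenge, authzUrl, second };
}

console.log(walkthrough());
```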
Key Take-aways

● Passkeys are a secure and user-friendly alternative to passwords
● Passkeys are phishing-resistant by design
● Don’t let user authentication become the weakest link of API security
● Don’t frustrate users by unnecessarily excluding authenticators
● Device attestation and the FIDO metadata service let you differentiate between different types of authenticator
Resources

● Demo: https://passkey.org/
● Passkeys developers site: https://passkeys.dev/
● FIDO Metadata Explorer: https://opotonniee.github.io/fido-mds-explorer/
● Passkey Workshop: https://developers.yubico.com/Passkeys/
● Workshop source code: https://github.com/YubicoLabs/passkey-workshop
