- FIDO2 is a passwordless authentication standard that uses public key cryptography instead of passwords - It involves an initial registration process where a public/private key pair is created and the public key is associated with the user's account - Authentication then involves validating the signature from the private key without exposing any secrets - FIDO2 supports various form factors beyond USB keys like mobile devices and provides stronger security than passwords

1. Go Passwordless with FIDO2
(turn on, tap out, log on)

2. Special thanks to ALLNET & bluegras

3. Rob Dudley
CTO/CISO for a crypto currency hedge fund
Web application developer
Podcaster
Loves YubiKeys

4. Didn’t you do this
talk last year?

5. What do you have
against passwords?

6. What’s wrong with passwords?
• Complicated to create secure passwords
• Changing standards
• Users are terrible at them
• Very simple to “copy”

7. What’s wrong with passwords?
But worst of all…

8. What’s wrong with passwords?
They’re phishable!

9. Over 80% of all hacking-related breaches
are caused by stolen or weak passwords.

10. FIDO2 … WTF?

11. March of the Standards
• FIDO
• U2F
• WebAuthN
• FIDO2
• CTAP
• WebUSB
• NFC
• CBOR

12. March of the Standards
the WebAuthn API enables servers to register and authenticate users using
public key cryptography instead of a passwords
CTAP is an application layer protocol used for communication between a client
(browser or OS) and an external authenticator (YubiKey 5)

13. FIDO2 in action

14. FIDO2 in Action
• Not just a YubiKey:
• NFC
• Windows Hello
• Android

16. FIDO2 in Action
2 steps:
•Initial Registration
•Authentication

17. FIDO2 in Action - Registration
• Registration is an initial process for registering a new FIDO2 device with a
service
• User’s device creates a new public/private key pair unique for the local
device, online service and user’s account.
• Public key is sent to the online service and associated with the user’s
account.
• The private key and any information about the local authentication method
(such as biometric measurements or templates) never leave the local
device.

19. FIDO2 in Action - Registration
• Registration is an initial process for registering a new FIDO2 device with a
service
• User’s device creates a new public/private key pair unique for the local
device, online service and user’s account.
• Public key is sent to the online service and associated with the user’s
account.
• The private key and any information about the local authentication method
(such as biometric measurements or templates) never leave the local
device.

21. Quick Demo

23. Let’s look at some code…

24. Using the sample Java server
from YubiCo
https://github.com/Yubico/java-webauthn-server

25. Registration

26. Initiate a registration ceremony:

27. Serialize request to JSON and send it to the client:

28. Get the response from the client:
Validate the response:

29. Authentication

30. Initiate an authentication ceremony:

31. Validate the response:

34. The password is dead
LONG LIVE THE … PIN?

39. Attestation vs Assertion

40. Attestation vs Assertion
• Attestation is the verification of the device root certificate
• This is per device family NOT unique to the device
• Used during registration

41. Attestation vs Assertion
• Assertion is the verification of the unique key pair for the service
• Unique to device and your app
• Used during authentication

42. New processes needed

43. New processes
• Forgotten password is out
• Replacement FIDO2 is in

44. MOBILE!!!

46. More resources
https://github.com/StrongKey/fido2/
https://fidoalliance.org/
https://www.yubico.com/services-with-yubikey/fido2/
https://developers.yubico.com/

47. Questions?

48. @robdudley
@robdudley@mastodon.social
https://slideshare.com/something
www.rcwd.dev