Passkeys are a relatively new way of authenticating. This presentation aims to provide some guidance on how you can implement them in your own application.
1. PassKeys
How to implement them
Presenter:
Marian Marinov
Organization:
Director of Engineering
Web Hosting Canada
2. What are passkeys?
The idea behind them is to replace username and password combinations with something more secure and generally unique per application/website.
3. Are passkeys more secure?
➢ Randomly generated long string
➢ Cryptographically signed
➢ Cryptographically verifiable
➢ Unique passkey pair for each site/application
➢ Eliminating the possibility to reuse either usernames or passwords
4. Reality
➢ Usernames are still required
➢ Computer generated strings are hard
➢ Usage is cumbersome
➢ Adoption is low
➢ Reports of problems with major vendors
➢ Why did I decide to speak about this topic?
➢ https://www.peeringdb.com/
10. Implementation
iPhone/Android situation
➢ Your authentication keys are stored on their cloud
➢ You have limited control
➢ The vendor can delete those without your consent
➢ The vendor can limit your access to your creds at any given time
14. On the backend
Registrations
➢ Generate random challenge with expiration time (CSRF)
➢ Generate new user_id based on the username + challenge
➢ Enrol passkey (pubkey + user_id)
➢ Store the generated pair on the backend
15. On the frontend
➢ Most of the work is here
➢ Support for devices in Browsers
➢ All major browsers support it
➢ Annoying and large frontend libraries
20. Backend implementation
I used PostgreSQL
I needed two tables:
➢ challenges
➢ credentials
Challenges would probably be better with Redis/DragonFly auto-expiring keys
22. Backend implementation
I used PostgreSQL
sign_count, if implemented, allows prevention of replay attacks
table: challenges
id
username
challenge
created
table: credentials
id
sign_count
user_handle
credential_id
public_key
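The registration steps from slide 14 and the two tables plus the sign_count check from slide 22, as an added example in Python (the presenter's own app is Perl/Mojolicious; this is not its code). SQLite stands in for PostgreSQL, the 120 second TTL and the SHA-256 derivation of the user handle are this example's choices, since the deck only says "with expiration time" and "based on the username + challenge".

```python
import hashlib
import secrets
import sqlite3
import time

# In-memory stand-in for the deck's two PostgreSQL tables (constructed for this example).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE challenges  (id INTEGER PRIMARY KEY, username TEXT, challenge TEXT, created REAL);
CREATE TABLE credentials (id INTEGER PRIMARY KEY, sign_count INTEGER, user_handle TEXT,
                          credential_id TEXT UNIQUE, public_key TEXT);
""")
CHALLENGE_TTL = 120  # seconds; the deck only says "with expiration time", the value is an assumption

def new_challenge(username):
    """Step 1: random, single-use challenge stored with its creation time."""
    challenge = secrets.token_urlsafe(32)  # 32 random bytes, base64url encoded
    db.execute("INSERT INTO challenges (username, challenge, created) VALUES (?, ?, ?)",
               (username, challenge, time.time()))
    return challenge

def consume_challenge(username, challenge, now=None):
    """Accept a stored challenge once, and only before it expires; it is deleted either way."""
    now = time.time() if now is None else now
    row = db.execute("SELECT created FROM challenges WHERE username = ? AND challenge = ?",
                     (username, challenge)).fetchone()
    db.execute("DELETE FROM challenges WHERE username = ? AND challenge = ?", (username, challenge))
    return row is not None and now - row[0] <= CHALLENGE_TTL

def make_user_handle(username, challenge):
    """Step 2: opaque user handle derived from username + challenge (SHA-256 is this example's choice)."""
    return hashlib.sha256(f"{username}:{challenge}".encode()).hexdigest()

def enrol(user_handle, credential_id, public_key, sign_count=0):
    """Steps 3 and 4: store the credential the authenticator returned, with its initial counter."""
    db.execute("INSERT INTO credentials (sign_count, user_handle, credential_id, public_key) "
               "VALUES (?, ?, ?, ?)", (sign_count, user_handle, credential_id, public_key))

def check_sign_count(credential_id, reported):
    """Slide 22: an assertion whose counter did not advance is a replay or a cloned authenticator.
    Both counters at 0 means the authenticator does not implement the counter, so nothing is compared."""
    (stored,) = db.execute("SELECT sign_count FROM credentials WHERE credential_id = ?",
                           (credential_id,)).fetchone()
    if stored == 0 and reported == 0:
        return True
    if reported <= stored:
        return False
    db.execute("UPDATE credentials SET sign_count = ? WHERE credential_id = ?", (reported, credential_id))
    return True
```

The signature over the challenge and authenticator data still has to be verified against the stored public_key before check_sign_count is consulted; that step is what a WebAuthn library provides and is left out here.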
23. Backend implementation
I tried initially writing it in PHP with
web-auth/webauthn-lib
It did not work. Their example returned:
PHP Fatal error:
Uncaught Error: Class "WebauthnServer" not found
24. Backend implementation
Then I switched to my favourite
I found Authen::WebAuthn ...
But I decided to try to build it from scratch.
25. My basic Mojolicious app
I ended up creating the following
endpoints in my app:
get '/' Login form
post '/auth-options' Challenge generation
post '/auth-verify' Authentication validation
post '/register' User ID generation
post '/reg-verify' Registering the user
26. Important definitions
➢ rp_id - Relying Party (hostname of your app)
➢ credential_id - ID that is stored on the backend
➢ allowCredentials - the server may request specific credentials
27. Backend - Registration
1. /auth-options - get supported options from the backend
2. /register - register the client and return passkey data
3. /reg-verify - validate the credentials
28. Problems with passkeys?
➢ Multiple reports that Apple has completely erased the passkey store for users
➢ Not fully supported everywhere.
➢ Cumbersome with HW devices
➢ Device missing
➢ Requiring restart of browsers in order to recognize a device