The document discusses the implementation of passkeys, which aim to enhance security by replacing traditional username and password combinations with unique cryptographically signed keys for each application. It outlines challenges such as low adoption rates, cumbersome usage, and issues with vendor controls over stored authentication keys. Various implementation aspects, including frontend and backend processes, as well as potential problems with passkeys, particularly related to hardware devices, are also detailed.

1. PassKeys
How to implement them
Presenter:
Marian Marinov
Organization:
Director of Engineering
Web Hosting Canada

2. What are passkeys?
The idea behind them is to replace username
and password combinations with something
more secure and generally unique per
application/website.

3. Are passkeys more secure?
➢ Randomly generated long string
➢ Cryptographically signed
➢ Cryptographically verifiable
➢ Unique passkey pair for each site/application
➢ Eliminating the possibility to reuse either usernames
or passwords

4. Reality
➢ Usernames are still required
➢ Computer generated strings are hard
➢ Usage is cumbersome
➢ Adoption is low
➢ Reports for problems with major vendors

5. Reality
➢ Usernames are still required
➢ Computer generated strings are hard
➢ Usage is cumbersome
➢ Adoption is low
➢ Reports for problems with major vendors
➢ Why I decided to speak about this topic?

6. Reality
➢ Usernames are still required
➢ Computer generated strings are hard
➢ Usage is cumbersome
➢ Adoption is low
➢ Reports for problems with major vendors
➢ Why I decided to speak about this topic?
➢
https://www.peeringdb.com/

7. Implementation
Handling of PassKeys on the client side

8. Implementation
Handling of PassKeys on the client side
➢ You can use HW device (i have examples)

9. Implementation
Handling of PassKeys on the client side
➢ You can use HW device (i have examples)
➢ You can also use iPhone or Android

10. Implementation
iPhone/Android situation
➢ Your authentication keys are stored on their cloud
➢ You have limited control
➢ The vendor can delete those without your concent
➢ The vendor can limit your access to your creds at any
given time

11. PassKeys process

12. PassKeys process
Credit Yubico

13. PassKeys process
Credit Yubico

14. On the backend
Registrations
➢ Generate random challenge with expiration time
(CSRF)
➢ Generate new user_id based on the username +
challenge
➢ Enrol passkey (pubkey + user_id)
➢ Store the generated pair on the backend

15. On the frontend
➢ Most of the work is here
➢ Support for devices in Browsers
➢
All major browsers support it
➢ Annoying and large frontend libraries

16. Fronted implementation
➢ I decided to ride the wave of AI
➢ I asked ChatGPT to assist me

17. Fronted implementation
➢ I decided to ride the wave of AI
➢ I asked ChatGPT to assist me
➢ Big mistake!

18. Fronted implementation
Once it was clear it will not build it for me...

19. Fronted implementation
I shamelessly stole the web interface from
https://webauthn.io

20. Backend implementation
I used PostgreSQL
I needed two tables:
➢ challenges
➢ credentials
Challenges would probably be better with
Redis/DragonFly auto expiring keys

21. Backend implementation
I used PostgreSQL
table: challenges
id
username
challenge
created

22. Backend implementation
I used PostgreSQL
sign_count, if implemented allows prevention of
replay attacks
table: challenges
id
username
challenge
created
table: credentials
id
sign_count
user_handle
credential_id
public_key

23. Backend implementation
I tried initially writing it in PHP with
web-auth/webauthn-lib
It did not work. Their example returned:
PHP Fatal error:
Uncaught Error: Class "WebauthnServer" not found

24. Backend implementation
Then I switched to my favourite
I found Authen::WebAuthn ...
But I decided to try to build it from scratch.

25. My basic Mojolicious app
I ended up creating the following
endpoints in my app:
get '/' Login form
post '/auth-options' Challenge generation
post '/auth-verify' Authentication
validation
post '/register' User ID generation
post '/reg-verify' Registering the user

26. Important definitions
➢ rp_id - Relying Party (hostname of your app)
➢ credential_id - ID that is stored on the backend
➢ allowCredentials - the server may request specific
credentials

27. Backend- Registration
1. /auth-options - get supported options from the
backend
2. /register - register the client and return passkey
data
3. /reg-verify - validate the credentials

28. Problems with passkeys?
➢ Multiple reports that Apple has completely erased
the passkey store for users
➢ Not fully supported everywhere.
➢ Cumbersome with HW devices
➢ Device missing
➢ Requiring restart of browsers in order to recognize
a device

29. HW Security keys
➢ YubiKey
➢ NitroKey
➢ Thetis Fido U2F Security Key (only U2F, no OTP)
➢ CryptoTrust OnlyKey
➢ Feitian ePass K9 USB Security Key

30. YubiKey on Ubuntu
apt-get install
yubico-piv-tool
yubikey-personalization-gui
yubioath-desktop
ykcs11
opensc

32. Resources
https://passkeys.dev
https://www.passkeys.io/technical-details
https://developer.apple.com/passkeys/
https://developers.google.com/identity/
passkeys
https://developers.yubico.com/Passkeys/
Quick_overview_of_WebAuthn_FIDO2_and_CTAP.h
tml

33. Questions?
Marian Marinov
mm@yuhu.biz