1 © FIDO Alliance 2024
Introduction to FIDO and Passkeys
Shane Weeden
Senior Technical Staff Member, IBM
Slide 2
Agenda
• FIDO authentication in a nutshell
• What is a passkey?
• Security spectrum
• User experience
• The wrap
Slide 3
FIDO Authentication
Slide 4
FIDO authentication
Client (computing device, user, authenticator with private key) and Relying Party Server (website, FIDO server, user accounts with public keys) exchange:
Client: I’m ready to login
Server: Ok, here’s a random challenge
Client: Here’s the challenge signed with my private key
Server: Yep, that’s correct!

Passwords | FIDO
A human generated symmetric secret | Machine generated public key cryptography
Often re-used across websites | Bound to a single RP (relying party)
Easily phished | Phishing resistant
Subject to credential stuffing, social engineering and server leakage | Impractical to remotely attack
Slide 5
What is a passkey?
Slide 6
What is a passkey – let’s start with an example
How I login at work
Slide 8
What is a passkey?
Marketing Definition
Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices.
https://fidoalliance.org/passkeys/
Technical Definition
Passkeys are defined as any passwordless FIDO credential.
Slide 9
A syncable passkey is…
A passkey that can be backed up and synchronized by the passkey provider across a user’s devices.
• A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager.
• Facilitates new device bootstrapping and simplifies account recovery.
• Security of syncable passkeys is the responsibility of the passkey provider.
(Figure: passkey synchronization fabric)
Slide 10
Another example
Apple passkey using Safari on consumer website
Slide 12
Security Spectrum
Slide 13
Security Spectrum
(Figure: spectrum, in the order shown: password; password + conditional MFA; syncable passkey; device-bound passkey)
Slide 14
User Experience
Slide 15
Inspiration from Password Manager UX
• Autofill UI familiar for users
• Privacy preserving
• HTML / JS instrumentation for website developers
<input id="username" type="text" autocomplete="webauthn">
<script>
  // Conditional mediation: passkeys are offered in the browser's autofill UI instead of a modal prompt.
  // challengeFromServer is a placeholder for the random challenge bytes issued by the RP server.
  const abortController = new AbortController();
  PublicKeyCredential.isConditionalMediationAvailable().then((available) => {
    if (!available) return;   // fall back to a modal passkey prompt or another sign-in method
    navigator.credentials.get({
      publicKey: { challenge: challengeFromServer },
      signal: abortController.signal,   // signal and mediation sit on the outer options, not inside publicKey
      mediation: "conditional"
    }).then((assertion) => { /* … send the assertion to the server for verification … */ });
  });
</script>
Slide 16
Cross-device authentication
• Also known as the hybrid flow.
• Passkey on mobile device can bootstrap another device. This can be the platform passkey, or that from a 3rd party provider.
• You may wish to solicit platform authenticator registration after observing cross-device authentication.
Slide 17
Cross-platform authentication demo
Using an iPhone to bootstrap sign-in to Chrome/Windows
Slide 19
The wrap
Slide 20
Other resources
General Information
• FIDO Alliance - https://fidoalliance.org/passkeys/
Developer Adoption
• passkeys.dev
• Includes links to many other resources
Slide 21
Wrapping up
• Alternative to password, with enhanced security characteristics
• Synchronized passkeys address account recovery
• Hybrid flow for cross-device, cross-ecosystem sign in
• Familiar UX
Slide 22
Thank you!
(Security Spectrum chart axis labels: Security, Weak to Strong; Poor to Easy)

Introduction to FIDO Authentication and Passkeys.pptx


Editor's Notes

  • #5 A discoverable credential is one that is stored on the authenticator with information such as a user display name (for account choosing) kept with the private key by the authenticator. The implication of defining a passkey as a discoverable (resident key) credential is that it can be used in “typing-less” login flows since it can be discovered by the platform during authentication without the RP (website) being aware of who the user is. Whilst discoverable credentials include both those provided by platform vendors and those on physical hardware security keys, it is recognized that hardware security key ownership will be in the minority and that platform provider passkeys will be much more prevalent. Additionally, all major platforms are headed toward the replication of passkeys across user accounts, which implies syncable passkeys will become the predominantly available technology. With that in mind, let’s explore syncable passkeys in a little more detail.
  • #9 Last year I described this as “a discoverable credential”. A discoverable credential is one that is stored on the authenticator with information such as a user display name (for account choosing) kept with the private key by the authenticator. This allows for pure typing-less logins where the user doesn’t even have to first supply their username. For best user experiences, this is still the recommended approach for deploying FIDO. Whilst discoverable credentials include both those provided by platform vendors and those on physical hardware security keys, it is recognized that hardware security key ownership will be in the minority and that platform provider passkeys will be much more prevalent. Additionally, all major platforms are headed toward the replication of passkeys across user devices, which implies syncable passkeys will become the predominantly available technology. With that in mind, let’s explore syncable passkeys in a little more detail.
  • #10 Dashlane, 1Password and Bitwarden are all examples of 3rd-party passkey providers. Think of this as very similar to how your browser replicates passwords, bookmarks and other cloud-managed state information today.
  • #14 Note that syncable passkeys may also be used with conditional MFA in circumstances where account sovereignty requirements dictate that the passkey provider platform account security cannot represent the keys to the RP account.