SlideShare a Scribd company logo

使用 Passkeys 打造無密碼驗證服務

升煌 黃

在這個數位時代,資安事件層出不窮,密碼外流事件頻傳,傳統的密碼登入方式已經變得平凡到令人感到無聊。然而,這種登入方式也帶來了不少資安隱憂,因此我們迫切需要一種更安全的解決方案。 幸運的是,現在我們有了一個令人振奮的解決方案 - Passkeys!FIDO 聯盟推出的 Passkeys 規格,將完全改變我們登入的方式。現在,使用者不再需要記住繁瑣的密碼,只需擁有自己的 Passkey,就能輕鬆完成驗證。同時,這也意味著網站管理者不再需要儲存使用者的密碼,消除了密碼外洩以及釣魚網站帶來的風險。 本次分享將帶您深入探索 Passkeys 的原理,並透過實際的程式碼示範,展示如何實現 Passkeys 驗證服務。讓我們一同踏入安全的無密碼時代,探索未來資安的新里程碑!

Technology
1 of 43
Download to read offline
黃升煌 Mike Huang 使用 Passkeys 打造無密碼驗證服務 無密碼時代降臨!
About Me • 黃升煌 Mike • Angular GDE • Microsoft MVP • Awards • 2018 iT 邦幫忙鐵人賽 冠軍 • 2019 iT 邦幫忙鐵人賽 優選 • 第 12 屆 iThome 鐵人賽 冠軍 https://github.com/wellwind https://www.facebook.com/fullstackledder https://fullstackladder.dev
Password Sucks!!
無密碼 Passwordless
關於 Passkeys • FIDO 聯盟提出的標準 • 一種用來代替密碼,以達到無密碼的驗證方式 • 提供更快速、更簡便、更安全的登錄方式 • 具有抵抗釣魚網站攻擊的能力 • 可以跨裝置進行驗證 • 簡化應用程式和網站的帳戶註冊流程 https://fidoalliance.org/passkeys/
https://passkeys.dev/device-support/#matrix
IE Support?
IE Support?
DEMO Google Passkeys 註冊/登入
WebAuthn (Web Authentication) • FIDO 聯盟與 W3C 聯合提出的驗證標準 • 利用非對稱金鑰的方式進行驗證 • 伺服器端只會儲存公鑰 • 私鑰儲存在使用者個人設備上,可透過生物特徵進行加密 • 私鑰會與網域綁定,避免釣魚網站攻擊 • Passkeys 透過 WebAuthn,同時加入跨裝置驗證的支援 • 需要作業系統支援 • 開發上只需要調整 WebAuthn API 的參數 https://webauthn.guide/
5 分鐘非對稱金鑰小教室 • 使用金鑰對 (分成公鑰與私鑰) 的加解密 & 驗證系統 Public Key Private Key
5 分鐘非對稱金鑰小教室 • 使用公鑰加密的內容,可以被私鑰解密 Public Key Private Key 明文 密文 明文
5 分鐘非對稱金鑰小教室 • 使用公鑰加密的內容,無法被原公鑰解密 Public Key Public Key 明文 密文
5 分鐘非對稱金鑰小教室 • 可以使用私鑰對內容進行簽章,並透過公鑰驗證簽章是否正確 Public Key Private Key 明文 簽章 明文 verified
使用 WebAuthn 註冊裝置
const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, }); 使用 WebAuthn 註冊裝置
使用 WebAuthn 註冊裝置 從伺服器產生的隨機字串 (challenge) 避免重播攻擊 (replay attack) SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 relying party 資訊 通常也就是驗證伺服器的資訊 id 需要與網域名稱相符,避免釣魚網站攻擊 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 目前要註冊裝置的使用者資訊 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 指定允許使用的簽章演算法 SPEC 建議包含以下幾種演算法已達到最佳的支援 • -8 (Ed25519) • -7 (ES256) • -257 (RS256) const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 (非必要) 用來限定可以使用的驗證器來源 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 註冊流程到期時間 (毫秒) SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 是否要回傳驗證器資訊給伺服器 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
使用 WebAuthn 註冊裝置 產生裝置公鑰及相關認證資訊 const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' }
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 產生的認證 ID SPEC
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 也是認證 ID,只是為 binary 格式 SPEC
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 瀏覽器與驗證器之間傳遞的資料 SPEC
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 驗證器相關資料,包含公鑰等資訊 SPEC
使用 WebAuthn 登入
const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證
const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 (非必要) 允許使用的驗證資訊 可用來限定登入的裝置 SPEC
const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 登入流程的到期時間 (毫秒) SPEC
const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 取得註冊的裝置資訊,以及相關簽章結果
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' }
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 用來完成這次驗證的裝置資訊 注意:不會包含公鑰資訊 SPEC
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 由驗證器私鑰產生的簽章資訊 Client 端根據特定規則產生簽章 Server 端使用已註冊的公鑰驗證簽章 SPEC
產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 由驗證器提供的額外使用者資訊 SPEC
WebAuthn JavaScript Library • SimpleWebAuthn • https://simplewebauthn.dev/ • 支援 TypeScript • 前後端皆支援 • Server: • npm install @simplewebauthn/server • Browser: • npm install @simplewebauthn/browser
DEMO 用 SimpleWebAuthn 實作前後端 Passkeys https://github.com/wellwind/webconf23-passkeys-demo
Resources • Passkeys (Passkey Authentication) • passkeys.com • WebAuthn vs Passkeys • SimpleWebAuthn • [Google] 使用密碼金鑰進行無密碼登入 • 一起來了解 Web Authentication • [影片]有 Google 帳號的人注意!這個功能請火速把它打開
Thank You https://github.com/wellwind https://www.facebook.com/fullstackledder https://fullstackladder.dev

Recommended

AngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
AngularとSpring Bootで作るSPA + RESTful Web ServiceアプリケーションAngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
AngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
ssuser070fa9
 
Java ORマッパー選定のポイント #jsug
Java ORマッパー選定のポイント #jsugJava ORマッパー選定のポイント #jsug
Java ORマッパー選定のポイント #jsug
Masatoshi Tada
 
Javaのログ出力: 道具と考え方
Javaのログ出力: 道具と考え方Javaのログ出力: 道具と考え方
Javaのログ出力: 道具と考え方
Taku Miyakawa
 
twMVC#44 讓我們用 k6 來進行壓測吧
twMVC#44 讓我們用 k6 來進行壓測吧twMVC#44 讓我們用 k6 來進行壓測吧
twMVC#44 讓我們用 k6 來進行壓測吧
twMVC
 
2023 COSCUP - Whats new in PostgreSQL 16
2023 COSCUP - Whats new in PostgreSQL 162023 COSCUP - Whats new in PostgreSQL 16
2023 COSCUP - Whats new in PostgreSQL 16
José Lin
 
Logback
LogbackLogback
Logback
Anubhav Shukla
 
Learn O11y from Grafana ecosystem.
Learn O11y from Grafana ecosystem.Learn O11y from Grafana ecosystem.
Learn O11y from Grafana ecosystem.
HungWei Chiu
 
テストコードの DRY と DAMP
テストコードの DRY と DAMPテストコードの DRY と DAMP
テストコードの DRY と DAMP
Yusuke Kagata
 

Recommended

AngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
AngularとSpring Bootで作るSPA + RESTful Web ServiceアプリケーションAngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
AngularとSpring Bootで作るSPA + RESTful Web Serviceアプリケーション
ssuser070fa9
 
Java ORマッパー選定のポイント #jsug
Java ORマッパー選定のポイント #jsugJava ORマッパー選定のポイント #jsug
Java ORマッパー選定のポイント #jsug
Masatoshi Tada
 
Javaのログ出力: 道具と考え方
Javaのログ出力: 道具と考え方Javaのログ出力: 道具と考え方
Javaのログ出力: 道具と考え方
Taku Miyakawa
 
twMVC#44 讓我們用 k6 來進行壓測吧
twMVC#44 讓我們用 k6 來進行壓測吧twMVC#44 讓我們用 k6 來進行壓測吧
twMVC#44 讓我們用 k6 來進行壓測吧
twMVC
 
2023 COSCUP - Whats new in PostgreSQL 16
2023 COSCUP - Whats new in PostgreSQL 162023 COSCUP - Whats new in PostgreSQL 16
2023 COSCUP - Whats new in PostgreSQL 16
José Lin
 
Logback
LogbackLogback
Logback
Anubhav Shukla
 
Learn O11y from Grafana ecosystem.
Learn O11y from Grafana ecosystem.Learn O11y from Grafana ecosystem.
Learn O11y from Grafana ecosystem.
HungWei Chiu
 
テストコードの DRY と DAMP
テストコードの DRY と DAMPテストコードの DRY と DAMP
テストコードの DRY と DAMP
Yusuke Kagata
 
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
onozaty
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
What's new in Spring Batch 5
What's new in Spring Batch 5What's new in Spring Batch 5
What's new in Spring Batch 5
ikeyat
 
とある脆弱性の永い議論
とある脆弱性の永い議論とある脆弱性の永い議論
とある脆弱性の永い議論
Mtikutea
 
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
Chen Cheng-Wei
 
TDD のこころ
TDD のこころTDD のこころ
TDD のこころ
Takuto Wada
 
日本語テストメソッドについて
日本語テストメソッドについて日本語テストメソッドについて
日本語テストメソッドについてkumake
 
Laravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニングLaravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニング
NOW PRODUCTION
 
やはりお前らのMVCは間違っている
やはりお前らのMVCは間違っているやはりお前らのMVCは間違っている
やはりお前らのMVCは間違っている
Koichi Tanaka
 
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システムMySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
Kouhei Sutou
 
世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture
Atsushi Nakamura
 
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
kwatch
 
DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!
kwatch
 
webエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのrediswebエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのredis
nasa9084
 
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
Sadayuki Furuhashi
 
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Yahoo!デベロッパーネットワーク
 
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
NTT DATA Technology & Innovation
 
하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요
TIMEGATE
 
What is Swagger?
What is Swagger?What is Swagger?
What is Swagger?
Philip Senger
 
PostgreSQLアンチパターン
PostgreSQLアンチパターンPostgreSQLアンチパターン
PostgreSQLアンチパターン
Soudai Sone
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
VodqaBLR
 

More Related Content

What's hot

今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
onozaty
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
What's new in Spring Batch 5
What's new in Spring Batch 5What's new in Spring Batch 5
What's new in Spring Batch 5
ikeyat
 
とある脆弱性の永い議論
とある脆弱性の永い議論とある脆弱性の永い議論
とある脆弱性の永い議論
Mtikutea
 
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
Chen Cheng-Wei
 
TDD のこころ
TDD のこころTDD のこころ
TDD のこころ
Takuto Wada
 
日本語テストメソッドについて
日本語テストメソッドについて日本語テストメソッドについて
日本語テストメソッドについてkumake
 
Laravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニングLaravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニング
NOW PRODUCTION
 
やはりお前らのMVCは間違っている
やはりお前らのMVCは間違っているやはりお前らのMVCは間違っている
やはりお前らのMVCは間違っている
Koichi Tanaka
 
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システムMySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
Kouhei Sutou
 
世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture
Atsushi Nakamura
 
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
kwatch
 
DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!
kwatch
 
webエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのrediswebエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのredis
nasa9084
 
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
Sadayuki Furuhashi
 
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Yahoo!デベロッパーネットワーク
 
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
NTT DATA Technology & Innovation
 
하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요
TIMEGATE
 
What is Swagger?
What is Swagger?What is Swagger?
What is Swagger?
Philip Senger
 
PostgreSQLアンチパターン
PostgreSQLアンチパターンPostgreSQLアンチパターン
PostgreSQLアンチパターン
Soudai Sone
 

What's hot (20)

今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
今からでも遅くないDBマイグレーション - Flyway と SchemaSpy の紹介 -
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
What's new in Spring Batch 5
What's new in Spring Batch 5What's new in Spring Batch 5
What's new in Spring Batch 5
 
とある脆弱性の永い議論
とある脆弱性の永い議論とある脆弱性の永い議論
とある脆弱性の永い議論
 
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
CI、CD、Automation你還沒準備好!?(Agile Tour Kaohsiung 2017)
 
TDD のこころ
TDD のこころTDD のこころ
TDD のこころ
 
日本語テストメソッドについて
日本語テストメソッドについて日本語テストメソッドについて
日本語テストメソッドについて
 
Laravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニングLaravelを用いたゲームサーバーのチューニング
Laravelを用いたゲームサーバーのチューニング
 
やはりお前らのMVCは間違っている
やはりお前らのMVCは間違っているやはりお前らのMVCは間違っている
やはりお前らのMVCは間違っている
 
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システムMySQL・PostgreSQLだけで作る高速あいまい全文検索システム
MySQL・PostgreSQLだけで作る高速あいまい全文検索システム
 
世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture世界一わかりやすいClean Architecture
世界一わかりやすいClean Architecture
 
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
【SQLインジェクション対策】徳丸先生に怒られない、動的SQLの安全な組み立て方
 
DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!DBスキーマもバージョン管理したい!
DBスキーマもバージョン管理したい!
 
webエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのrediswebエンジニアのためのはじめてのredis
webエンジニアのためのはじめてのredis
 
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
分散ワークフローエンジン『Digdag』の実装 at Tokyo RubyKaigi #11
 
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
Java Clientで入門する Apache Kafka #jjug_ccc #ccc_e2
 
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
GraalVMを3つの主機能から眺めてみよう(Oracle Groundbreakers APAC Virtual Tour 2020 講演資料)
 
하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요하이퍼레저 프로젝트 개요
하이퍼레저 프로젝트 개요
 
What is Swagger?
What is Swagger?What is Swagger?
What is Swagger?
 
PostgreSQLアンチパターン
PostgreSQLアンチパターンPostgreSQLアンチパターン
PostgreSQLアンチパターン
 

Similar to 使用 Passkeys 打造無密碼驗證服務

2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
VodqaBLR
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
KAI CHU CHUNG
 
WP Passkey: Passwordless Authentication on WordPress
WP Passkey: Passwordless Authentication on WordPressWP Passkey: Passwordless Authentication on WordPress
WP Passkey: Passwordless Authentication on WordPress
WordPress
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015
Somkiat Khitwongwattana
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
CIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
CIS 2015b FIDO U2F in 10 minutes - Dirk BalfanzCIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
CIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
CloudIDSummit
 
Fido u2 f in 10 minutes (cis 2015)
Fido u2 f in 10 minutes (cis 2015)Fido u2 f in 10 minutes (cis 2015)
Fido u2 f in 10 minutes (cis 2015)
CloudIDSummit
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
Matthew Beale
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
Provectus
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
5 6
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
Francois Marier
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 

Similar to 使用 Passkeys 打造無密碼驗證服務 (20)

2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
WP Passkey: Passwordless Authentication on WordPress
WP Passkey: Passwordless Authentication on WordPressWP Passkey: Passwordless Authentication on WordPress
WP Passkey: Passwordless Authentication on WordPress
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015Smart Lock for Password @ Game DevFest Bangkok 2015
Smart Lock for Password @ Game DevFest Bangkok 2015
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
CIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
CIS 2015b FIDO U2F in 10 minutes - Dirk BalfanzCIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
CIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz
 
Fido u2 f in 10 minutes (cis 2015)
Fido u2 f in 10 minutes (cis 2015)Fido u2 f in 10 minutes (cis 2015)
Fido u2 f in 10 minutes (cis 2015)
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
ChromeからMacBookのTouchIDでWebAuthenticationする ~Idance vol1~
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 

More from 升煌 黃

陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular
升煌 黃
 
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端 用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
升煌 黃
 
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
升煌 黃
 
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
升煌 黃
 
gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務
升煌 黃
 
Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案
升煌 黃
 
Angular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics WorkshopAngular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics Workshop
升煌 黃
 
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
升煌 黃
 
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
升煌 黃
 
Angular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDKAngular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDK
升煌 黃
 
玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018
升煌 黃
 
OAuth2介紹
OAuth2介紹OAuth2介紹
OAuth2介紹
升煌 黃
 
Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器
升煌 黃
 
敏捷開發與Scrum
敏捷開發與Scrum敏捷開發與Scrum
敏捷開發與Scrum
升煌 黃
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Development
升煌 黃
 

More from 升煌 黃 (15)

陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular陽明交大 - 跟著 AI 學習 Angular
陽明交大 - 跟著 AI 學習 Angular
 
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端 用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
用 Standalone Component 來寫 Angular 吧! - STUDY4.TW 2023 小聚 - 聊前端
 
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
.NET Conf Taiwan 2022 - Tauri - 前端人員也能打造小巧快速的 Windows 應用程式
 
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
DevFest 2022 Taipei 使用 Standalone Component 來寫 Angular 吧!
 
gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務gRPC - 打造輕量、高效能的後端服務
gRPC - 打造輕量、高效能的後端服務
 
Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案Modern web 2020 - 使用 Nx 管理超大型前後端專案
Modern web 2020 - 使用 Nx 管理超大型前後端專案
 
Angular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics WorkshopAngular Taiwan 2019 - Schematics Workshop
Angular Taiwan 2019 - Schematics Workshop
 
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
Angular Taiwan 2019 - 大型 Angular 專案的的管理心得與技巧
 
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
Angular Meetup 04 - Angular PWA 之沒有網路的日子 20190731
 
Angular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDKAngular Taiwan 2018 - Angular CDK
Angular Taiwan 2018 - Angular CDK
 
玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018玩轉 Schematics - Modern Web 2018
玩轉 Schematics - Modern Web 2018
 
OAuth2介紹
OAuth2介紹OAuth2介紹
OAuth2介紹
 
Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器Docker - 30秒生出100台伺服器
Docker - 30秒生出100台伺服器
 
敏捷開發與Scrum
敏捷開發與Scrum敏捷開發與Scrum
敏捷開發與Scrum
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Development
 

Recently uploaded

Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 

Recently uploaded (20)

Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 

使用 Passkeys 打造無密碼驗證服務

  • 1. 黃升煌 Mike Huang 使用 Passkeys 打造無密碼驗證服務 無密碼時代降臨!
  • 2. About Me • 黃升煌 Mike • Angular GDE • Microsoft MVP • Awards • 2018 iT 邦幫忙鐵人賽 冠軍 • 2019 iT 邦幫忙鐵人賽 優選 • 第 12 屆 iThome 鐵人賽 冠軍 https://github.com/wellwind https://www.facebook.com/fullstackledder https://fullstackladder.dev
  • 4.
  • 6. 關於 Passkeys • FIDO 聯盟提出的標準 • 一種用來代替密碼,以達到無密碼的驗證方式 • 提供更快速、更簡便、更安全的登錄方式 • 具有抵抗釣魚網站攻擊的能力 • 可以跨裝置進行驗證 • 簡化應用程式和網站的帳戶註冊流程 https://fidoalliance.org/passkeys/
  • 11. WebAuthn (Web Authentication) • FIDO 聯盟與 W3C 聯合提出的驗證標準 • 利用非對稱金鑰的方式進行驗證 • 伺服器端只會儲存公鑰 • 私鑰儲存在使用者個人設備上,可透過生物特徵進行加密 • 私鑰會與網域綁定,避免釣魚網站攻擊 • Passkeys 透過 WebAuthn,同時加入跨裝置驗證的支援 • 需要作業系統支援 • 開發上只需要調整 WebAuthn API 的參數 https://webauthn.guide/
  • 12. 5 分鐘非對稱金鑰小教室 • 使用金鑰對 (分成公鑰與私鑰) 的加解密 & 驗證系統 Public Key Private Key
  • 17. const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, }); 使用 WebAuthn 註冊裝置
  • 18. 使用 WebAuthn 註冊裝置 從伺服器產生的隨機字串 (challenge) 避免重播攻擊 (replay attack) SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 19. 使用 WebAuthn 註冊裝置 relying party 資訊 通常也就是驗證伺服器的資訊 id 需要與網域名稱相符,避免釣魚網站攻擊 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 20. 使用 WebAuthn 註冊裝置 目前要註冊裝置的使用者資訊 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 21. 使用 WebAuthn 註冊裝置 指定允許使用的簽章演算法 SPEC 建議包含以下幾種演算法已達到最佳的支援 • -8 (Ed25519) • -7 (ES256) • -257 (RS256) const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 22. 使用 WebAuthn 註冊裝置 (非必要) 用來限定可以使用的驗證器來源 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 23. 使用 WebAuthn 註冊裝置 註冊流程到期時間 (毫秒) SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 24. 使用 WebAuthn 註冊裝置 是否要回傳驗證器資訊給伺服器 SPEC const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 25. 使用 WebAuthn 註冊裝置 產生裝置公鑰及相關認證資訊 const publicKeyCredentialCreationOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), rp: { name: "FullStackLadder", id: "fullstackladder.dev", }, user: { id: Uint8Array.from("User Id", (c) => c.charCodeAt(0)), name: "mike@fullstackladder.dev", displayName: "Mike Huang", }, pubKeyCredParams: [{ alg: -7, type: "public-key" }], authenticatorSelection: { authenticatorAttachment: "cross-platform" }, timeout: 60000, attestation: "direct", }; const credential = await navigator.credentials.create({ publicKey: publicKeyCredentialCreationOptions, });
  • 26. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' }
  • 27. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 產生的認證 ID SPEC
  • 28. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 也是認證 ID,只是為 binary 格式 SPEC
  • 29. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 瀏覽器與驗證器之間傳遞的資料 SPEC
  • 30. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), }, type: 'public-key' } 驗證器相關資料,包含公鑰等資訊 SPEC
  • 32. const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證
  • 33. const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 (非必要) 允許使用的驗證資訊 可用來限定登入的裝置 SPEC
  • 34. const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 登入流程的到期時間 (毫秒) SPEC
  • 35. const publicKeyCredentialRequestOptions = { challenge: Uint8Array.from( "challenge from server", (c) => c.charCodeAt(0)), allowCredentials: [ { id: Uint8Array.from( "credential id", (c) => c.charCodeAt(0)), type: "public-key", transports: ["internal"], }, ], timeout: 60000, }; const assertion = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions, }); 使用 WebAuthn 驗證 取得註冊的裝置資訊,以及相關簽章結果
  • 36. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' }
  • 37. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 用來完成這次驗證的裝置資訊 注意:不會包含公鑰資訊 SPEC
  • 38. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 由驗證器私鑰產生的簽章資訊 Client 端根據特定規則產生簽章 Server 端使用已註冊的公鑰驗證簽章 SPEC
  • 39. 產生的認證資訊 PublicKeyCredential { id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...', rawId: ArrayBuffer(59), response: AuthenticatorAssertionResponse { authenticatorData: ArrayBuffer(191), clientDataJSON: ArrayBuffer(118), signature: ArrayBuffer(70), userHandle: ArrayBuffer(10), }, type: 'public-key' } 由驗證器提供的額外使用者資訊 SPEC
  • 40. WebAuthn JavaScript Library • SimpleWebAuthn • https://simplewebauthn.dev/ • 支援 TypeScript • 前後端皆支援 • Server: • npm install @simplewebauthn/server • Browser: • npm install @simplewebauthn/browser
  • 41. DEMO 用 SimpleWebAuthn 實作前後端 Passkeys https://github.com/wellwind/webconf23-passkeys-demo
  • 42. Resources • Passkeys (Passkey Authentication) • passkeys.com • WebAuthn vs Passkeys • SimpleWebAuthn • [Google] 使用密碼金鑰進行無密碼登入 • 一起來了解 Web Authentication • [影片]有 Google 帳號的人注意!這個功能請火速把它打開