8. @thisNatasha
Ha I know your passwordz
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
15. 1qaz2wsx
25. starwars (new!)
Source: SplashData, compiled from more than 3.3 million leaked passwords during 2015.
39. @thisNatasha
U2F: Universal Second Factor
- Is a user present? Same as before?
- Prove you have something
1 2 3
Dongle / button
VERIFICATION
AUTHENTICATION
41. @thisNatasha
Fido is kinda cool
because...
Deploy once for all
“authenticators”
No server has your
fingerprint (or other
biometric)
Usability
PKI stronger than user/pw
50. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
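// Registration: ask the platform to mint a new scoped credential for the
// already signed-in user and hand the result to the server.
// NOTE(review): `window.webauthn` is the early W3C draft surface shown in
// these slides; the API that shipped is `navigator.credentials.create()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // Abort with a clear message instead of falling through to a TypeError
  // on the makeCredential call below.
  throw new Error("WebAuthn is not available on this platform");
}
// Account the new credential is bound to. `id` is the RP's stable user
// handle; the display fields are only shown by the authenticator UI.
var userAccountInformation = {
  rpDisplayName: "Acme", displayName: "John P. Smith",
  name: "johnpsmith@example.com", id: "1098237235409872",
  imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// Accepted key types in preference order: ES256 first, RS256 as fallback.
var cryptoParams = [
  { type: "ScopedCred", algorithm: "ES256" },
  { type: "ScopedCred", algorithm: "RS256" }
];
// SECURITY: placeholder only. The challenge must be a fresh, unpredictable
// nonce generated by the server for this one ceremony and checked server-side
// against the value echoed back in the response; a fixed literal like this
// would let a captured response be replayed.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
// Credentials the authenticator must not reuse; empty in this demo.
// NOTE(review): presumably the user's already-registered credential ids go
// here to avoid duplicates — confirm against the spec.
var blacklist = [];
// Asks the authenticator to attach location to the attestation. That is
// sensitive data leaving the device; request it only if the RP needs it.
var extensions = {"webauthn.location": true};
// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                           timeoutSeconds, blacklist, extensions)
  .then(function (newCredentialInfo) {
    // Send new credential info to server for verification and registration.
    // The server should verify the attestation and that the echoed challenge
    // and origin match what it issued before storing the public key.
  }).catch(function (err) {
    // No acceptable authenticator or user refused consent. Handle appropriately.
  });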
51. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
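// Credential registration (same ceremony as the previous slide).
// NOTE(review): `window.webauthn` is the draft-era entry point; browsers
// shipped this as `navigator.credentials.create()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // Fail loudly and early; the makeCredential call would otherwise throw a
  // less helpful TypeError on an undefined object.
  throw new Error("WebAuthn is not available on this platform");
}
// Who the credential belongs to; `id` is the RP-side user handle.
var userAccountInformation = {
  rpDisplayName: "Acme", displayName: "John P. Smith",
  name: "johnpsmith@example.com", id: "1098237235409872",
  imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// This Relying Party will accept any credential, but prefers an ES256 credential.
var cryptoParams = [
  { type: "ScopedCred", algorithm: "ES256" },
  { type: "ScopedCred", algorithm: "RS256" }
];
// SECURITY: demo value only. A real RP issues a fresh random challenge per
// registration and verifies it server-side; a constant challenge offers no
// replay protection.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No credentials excluded from creation
// Include location information in attestation. NOTE(review): location is
// sensitive; only ask for it when the RP actually uses it.
var extensions = {"webauthn.location": true};

// Success path: the server, not the page, decides whether the new key is
// accepted (attestation check, challenge/origin match).
function onCredentialCreated(newCredentialInfo) {
  // Send new credential info to server for verification and registration.
}

// Failure path: no usable authenticator, timeout, or the user declined.
function onCredentialError(err) {
  // No acceptable authenticator or user refused consent. Handle appropriately.
}

// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                           timeoutSeconds, blacklist, extensions)
  .then(onCredentialCreated)
  .catch(onCredentialError);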
Credential Setup
52. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
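// Registration, final build of the slide: create the credential, then ship
// the public key and attestation to the server.
// NOTE(review): `window.webauthn` reflects the 2016 draft; the shipped API
// is `navigator.credentials.create()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // An empty check that falls through would just move the failure to the
  // makeCredential call; surface it here instead.
  throw new Error("WebAuthn is not available on this platform");
}
var userAccountInformation = {
  rpDisplayName: "Acme", displayName: "John P. Smith",
  name: "johnpsmith@example.com", id: "1098237235409872",
  imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// Preference-ordered key algorithms: ES256 first, RS256 accepted as well.
var cryptoParams = [
  { type: "ScopedCred", algorithm: "ES256" },
  { type: "ScopedCred", algorithm: "RS256" }
];
// SECURITY: hard-coded for the slide. In production the challenge is a
// per-ceremony random nonce minted by the server and checked on the server
// when the response comes back — otherwise a recorded response can be replayed.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
// Include location information in attestation. NOTE(review): sensitive data;
// request only when needed.
var extensions = {"webauthn.location": true};
// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                           timeoutSeconds, blacklist, extensions)
  .then(function (newCredentialInfo) {
    // Send new credential info to server for verification and registration.
    // Only the server can decide the credential is genuine: it validates the
    // attestation and that challenge/origin match this ceremony.
  }).catch(function (err) {
    // No acceptable authenticator or user refused consent. Handle appropriately.
  });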
Credential is created.
Client finds the authenticator.
Authenticator shows UI
Authenticator returns response.
Send public key to server.
53. @thisNatasha
Authentication
User visits site...
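// Authentication: ask the authenticator for a signed assertion over a
// server-issued challenge and forward it to the server for verification.
// NOTE(review): `window.webauthn` is the early draft surface shown here; the
// shipped API is `navigator.credentials.get()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // Stop here with a clear error rather than a TypeError on getAssertion.
  throw new Error("WebAuthn is not available on this platform");
}
// SECURITY: placeholder only. Use a fresh random nonce minted by the server
// per login attempt and verified server-side; reusing a fixed value would
// let a captured assertion be replayed.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
// No credential ids are listed, so any scoped credential the authenticator
// holds for this origin is acceptable.
var whitelist = [{ type: "ScopedCred" }];
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
  .then(function (assertion) {
    // Send assertion to server for verification. The server checks the
    // signature with the stored public key and that the signed challenge and
    // origin match this attempt before it grants a session.
  }).catch(function (err) {
    // No acceptable credential or user refused consent. Handle appropriately.
  });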
Ask for identity assertion
Client finds authenticator
54. @thisNatasha
Authentication
User visits site...
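// Authentication (same ceremony as the previous slide).
// NOTE(review): `window.webauthn` is the draft-era entry point; browsers
// shipped this as `navigator.credentials.get()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // Fail loudly; an empty branch here just defers the failure to the call below.
  throw new Error("WebAuthn is not available on this platform");
}
// SECURITY: demo value. A real RP issues a fresh challenge per login and
// verifies it server-side; a constant challenge provides no replay protection.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
// Accept any scoped credential (no ids listed).
var whitelist = [{ type: "ScopedCred" }];

// Success: the page just relays the assertion; the server decides whether
// it verifies against the stored public key and this attempt's challenge.
function onAssertion(assertion) {
  // Send assertion to server for verification
}

// Failure: no matching credential, timeout, or the user declined.
function onAssertionError(err) {
  // No acceptable credential or user refused consent. Handle appropriately.
}

webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
  .then(onAssertion)
  .catch(onAssertionError);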
Ask for identity assertion
Client finds authenticator
55. @thisNatasha
Authentication
User visits site…
(no locally stored data)
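// Authentication with no locally stored data (per the slide title): the RP
// cannot name specific credential ids, so it accepts any scoped credential.
// NOTE(review): `window.webauthn` is the 2016 draft surface; the shipped API
// is `navigator.credentials.get()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  // Surface the missing platform support here instead of as a TypeError later.
  throw new Error("WebAuthn is not available on this platform");
}
// SECURITY: hard-coded for the slide. Production code uses a per-attempt
// random nonce generated and later verified by the server; a fixed challenge
// would allow a recorded assertion to be replayed.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var whitelist = [{ type: "ScopedCred" }];
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
  .then(function (assertion) {
    // Send assertion to server for verification. Server validates the
    // signature, the challenge and the origin, then the session proceeds.
  }).catch(function (err) {
    // No acceptable credential or user refused consent. Handle appropriately.
  });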
Authenticator returns response
Script sends assertion to server
Server validates
Onwards!
59. @thisNatasha
Recap
WebAuthn (not now, but soon!)
Passwords are crud
Super phishable
FIDO made some standards
UAF and U2F
Public Key Crypto
Symmetric and Asymmetric
W3C Web Authentication (WebAuthn) Working Group
WebAuthn API: Registration and
Authentication
60. @thisNatasha
Thank you
People: Vijay Bharadwaj (Microsoft), Hubert Le Van Gong (PayPal),
Dirk Balfanz (Google), Alexei Czeskis (Google), Arnar Birgisson
(Google), Jeff Hodges (PayPal), Michael B. Jones (Microsoft), Rolf
Lindemann (Nok Nok Labs), Richard Barnes (Mozilla), Wendy Seltzer
(W3C), Anthony Nadalin, (Microsoft)
62. @thisNatasha
Authentication
Same as before but with
locally stored data
& transaction
authorization extension
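// Authentication with known credential ids plus a transaction-confirmation
// extension. The earlier slides looked up the API object first; this snippet
// did not, so do it here so the block stands on its own.
// NOTE(review): `window.webauthn` is the draft surface; shipped API is
// `navigator.credentials.get()`.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) {
  throw new Error("WebAuthn is not available on this platform");
}
// SECURITY: placeholder only. Use a fresh server-issued nonce per attempt
// and verify it server-side; a fixed challenge would permit replay.
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
// Opaque credential ids (base64) that the RP has stored for this user —
// the "locally stored data" of the slide title. Listing them lets the
// authenticator pick the matching key instead of prompting across all of them.
var acceptableCredential1 = {
  type: "ScopedCred",
  id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
};
var acceptableCredential2 = {
  type: "ScopedCred",
  id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
};
var whitelist = [acceptableCredential1, acceptableCredential2];
// Transaction authorization: the authenticator displays this text and the
// user confirms it. NOTE(review): this only protects the transaction if the
// server checks that the returned assertion is bound to exactly this text —
// confirm the extension's output format against the spec.
var extensions = { 'webauthn.txauth.simple':
  "Wave your hands in the air like you just don’t care" };
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist, extensions)
  .then(function (assertion) {
    // Send assertion to server for verification
  }).catch(function (err) {
    // No acceptable credential or user refused consent. Handle appropriately.
  });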