Authentication is scary, difficult, dangerous, and… essential. Most apps need some form of it, often as a prerequisite for almost all end-user requests. This is a fresh and practical perspective on authentication architecture for the modern, open web, using modern standards like WebAuthn. Showcasing a passwordless authentication layer that's fast, distributed, secure, isolated from the rest of your system, and minimally annoying to integrate and maintain.

1. zen and the art of edge authentication
Dora Militaru
gh: @doramatadora
x: @doramilitaru

2. Dora Militaru
gh: @doramatadora
x: @doramilitaru

3. adjective • informal • /zen/
Relaxed and unconcerned about things beyond one's control.
zen

4. noun • hot topic • /edʒ kəmˈpjuː.tɪŋ/
Bringing computation and data as close as possible to
where it is needed.*
edge [computing] large-scale, coordination free.
.distributed systems ✨

5. noun • hot topic • /edʒ kəmˈpjuː.tɪŋ/
Bringing computation and data as close as possible to
where it is needed.*
* while retaining control of the environment
edge [computing] large-scale, coordination free.
.distributed systems ✨
at the network’s edge.

6. noun • /ɑːˌθen.t̬əˈkeɪ.ʃən/
The process of verifying the identity of a person or device.
authentication secure.
login flows ✨

7. …not very zen
OAuth • OIDC • identity provider • RBAC • SSO • certificates •
authorization • MFA • SAML • tokens • SSL/TLS • tokens • X.509
• FIDO • SCRAM • identity management • LDAP • encryption •
JWT • keys • KMS • credential stuffing • XSS • MitM • session
hijacking • phishing • data breach • brute force • SQL injection
authentication secure.
login flows 🚒 🔥.

8. owasp.org/API-Security/editions/2023/en/0x11-t10
2023: most critical web application security risks
Broken Object Level Authorization
Broken Authentication

11. devchat.edgecompute.app

12. FIDO credential
multi-device

13. FIDO credential
multi-device
discoverable WebAuthn

14. key pair
private key
public key
secure communication
data protection

15. key pair
private key
public key
encryption decryption
data
confidentiality

16. key pair
private key
public key
verifying signing
data
authenticity + integrity

17. key pair
󰞂 󰥡
private key
public key

18. key pair
󰞂 󰥡
private key
public key
cipher text
plain text encryption plain text
decryption

19. key pairs
󰞂 󰥡
private key
signing
public key
verification
private key
public key
encryption cipher text
plain text plain text
decryption

20. key pair
private key
public key
encryption decryption
verifying signing

21. key pair
private key
public key
secret

22. photo by 五玄土 ORIENTO on Unsplash
WebAuthn

23. user client server
relying party
authenticator
authentication
registration

24. registration

25. user client server (relying party) authenticator
🙏 register
using passkey
registration

26. user client server (RP) authenticator
get registration
options
🙏 register
using passkey

27. options +
random challenge
{ R4n60M57r… }
user client server (RP) authenticator
get registration
options
🙏 register
using passkey

28. client
navigator.credentials.create( )
{ R4n60M… }
user server (RP) authenticator

29. client
verify user
navigator.credentials.create( )
{ R4n60M… }
user server (RP) authenticator

30. client
verify user
create key pair +
sign challenge
navigator.credentials.create( )
{ R4n60M… }
sig:R4n60M… credentialId
user server (RP) authenticator

31. user client server (RP) authenticator
sig:R4n60M…
credentialId

32. user client server (RP) authenticator
verify signature +
store public key &
credential
sig:R4n60M…
credentialId

33. user client server (RP) authenticator
verify signature +
store public key &
credential
passkey registered
🎉
sig:R4n60M…
credentialId
registration

34. authentication

35. user client server (RP) authenticator
get authentication
options
🙏 sign in
with passkey
options +
random challenge
{ o7Hr4N60m… }

36. user client server (RP) authenticator
verify user
sign challenge +
get credentials
sig:o7Hr… credentialId
navigator.credentials.get( )
{ o7Hr4N60m… }

37. user client server (RP) authenticator
signed in 🎉
sig:o7Hr…
credentialId
verify signature +
sign in

38. photo by Moja Msanii on Unsplash
p w n e d?
have u been

39. photo by Moja Msanii on Unsplash
p w n e d?
have u been
nope
no more

40. fast
secure
autonomous
distributed

41. user client server
relying party
authenticator
edge
compute

42. devchat.edgecompute.app
fastly
compute

43. 313 Tbps
global edge
capacity
Dec 2023
1.8 trillion
requests served
daily

44. instant
global
deployment
Fastly
Compute
edge compute =

45. instant
global
deployment
Fastly
Compute
WebAssembly
(Wasm)

46. instant
global
deployment
<50μs
execution
start-up time
Fastly
Compute
WebAssembly
(Wasm)

47. instant
global
deployment
<50μs
execution
start-up time
Fastly
Compute
WebAssembly
(Wasm)
terraform github actions cli api

48. config
store
Fastly
Compute
kv
store
secret
store
real-time
messaging
Fanout
edge
state

49. Compute
KV Store backend system
origin
public keys
edge compute
& state store

50. Code + Passkey resources
zen-edge-auth.glitch.me
DevOps Exchange Chat
devchat.edgecompute.app
@doramilitaru fastly.com fastly.dev
thank you ❤
glitch.com