Building secure web experiences with Passwordless Authentication

Passwords are a problem. Yubico did a survey of devs…

  • 69% admitted they’ve shared passwords at work
  • 67% don’t use 2FA at home
  • 51% have experienced an attack
  • 57% aren’t going to change their password practices(!)

How can we solve this? WebAuthn is a W3C standard that aims to improve security when accepting user credentials by using public key cryptography.

How it works:

Authenticator (eg. YubiKey or code generator) → Client (the browser) → Relying Party (the web application)

Demo:

  1. Enter a username
  2. Chrome prompts for an authenticator
  3. Yubikey is pressed
  4. Application accepts authentication

There are some browser prompts to accept/enable the tech.

Benefits of this:

  • Industry standard – good browser interest
  • No passwords
  • Seamless UX, faster authentication
  • Secure by design (private keys are never shared with the relying party – the key stays on the device/OS and is unlocked locally, eg. by a recognised fingerprint)

(code walkthrough was too complex to capture accurately)

Browser support – ok apart from IE11 and Safari. Safari is on the way for desktop, there’s no clear advice for mobile.

Design considerations – authenticators are not all equal. Some options are easier to use than others, and people may not know the ins and outs of each option, eg. that a fingerprint credential is stored on a single device. People can also injure themselves and be unable to use the same fingerprint, and you need to be able to handle that scenario. Or they might lose the security key, replace their mobile and so on.

@mkairys