idcon vol.29 WebAuthn, Next Stage Summary

On October 10th, idcon vol.12 was held at Money Forward in Tamachi [1].

Below is a summary of what was tweeted in real time.

Passkey implementation on Android & Chrome by @agektmr

Presentation Summary

  • 1) Passkey is a technology that replaces passwords. It also replaces two-factor authentication. 2) It can authenticate locally. Biometric authentication is not sent to the network. 3) The created passkey is synchronized between devices.
  • Passkey is a collaborative effort between Google, Apple, and Microsoft.
  • Here's what's great about passkey:
    1. The technology comes from the @FIDOAlliance and is standardized by the W3C WebAuthn WG.
    2. It is two-factor authentication in itself: Possession + Knowledge or Inherence.
    3. Resistant to phishing attacks. Passkeys are bound to your domain.
    4. If it becomes widespread, passwords will no longer be necessary. Since only the public key is stored on the server, there is little risk even if it is leaked.
  • demo
    • In this example, the message "Use your screen lock" will appear and you can log in using biometric authentication.
  • Google's #passkey is implemented as discoverable credentials. In the case of Apple, when you create a FIDO credential, it's all a passkey.
  • The scope of Passkey differs slightly depending on the company. Apple calls it all #fido credentials. Google calls it only what is synced between devices. It is synced with Google password manager.
  • Why being synchronized is a breakthrough: Previously, it was tied to the local device, so you couldn't use it on another device. You had to log in on the old device or do SMS authentication, and if you had 100 devices...
  • It is synchronized with the Device unlock code. Google play services is required. If you are using Android, you can use #passkey if your device supports Google Password Manager.
  • Google password manager cannot be used on Mac/iOS/iPadOS/Windows. It can only be used on Android. In the Apple ecosystem, they are moving towards using iCloud Keychain, but there is no API for it at the moment.
  • Google will also let you use third-party password managers
  • Recommended #passkey UX
    • 1) Form autofill – This allows for seamless login for users who use passwords. ConditionalUI. Creates a passkey immediately after the user logs in for the first time.
    • 2) When crossing ecosystems, use the mode that has been renamed from caBLE to Hybrid. Display the QR code and scan it with your smartphone. Since proximity is verified over BLE, you cannot log in by sending the QR code somewhere else.
  • Device public key – The assumption that the credential is tied to the device has collapsed, and this was defined to answer the question of whether that is a good thing. It is a WebAuthn extension. Apple has no plans to support it. Android supports it. However, attestation will not be supported initially.

Q&A

Q. #passkey Could it be that the synchronization involves the private key?
A. YES. It is encrypted. (Questioner: "That's bold.")

Q. What to do with E2EE?
A. I don't know.

Q. If I try to use Conditional UI and hybrid on a different device, will it not find my account?
A. There is room for improvement. I think Apple's approach is good.

Passkey implementation on iOS, iPadOS, and macOS by @nov

Presentation Summary

  • #passkey can be used on iOS16+, iPadOS16+ (end of this month), and macOS13+.
  • #passkey was originally announced at WWDC21. It was advertised as being easy to use.
  • Always with you (if you only use Apple devices)
  • Passkey + Autofill = new WebAuthn UX. I've been using #fido for about 10 years, but no one uses it. No one cares about security. It's okay if the UX is good, even if the security is slightly lowered.
  • demo
    • Log in using the QR code from your browser with your iPhone as a lock.
    • There is a link below the QR code to call up the yubikey, but the conditional UI is not good for people who use yubikeys.
    • Syncing the passkey took just a few seconds.
  • Resolved issues:
    1. If you have an Apple device, it will be synced.
    2. Instead of filling in the email field and filling in the password twice, you can now just do it once.
  • Unresolved issues:
    1. Updating the email address included in the discoverable credentials is being discussed at the W3C but is not currently resolved.
    2. If you want to use the conditional UI for re-authentication. With the conditional UI, you cannot specify which key to use. Therefore, multiple candidates are displayed for password fill-in. This has been merged into the spec.
    3. How can I sign up with autofill? For passwords, the password manager does it automatically. I want something done.
    4. It doesn't provide a solution for when you need to use all three platforms, so it's not really a game changer.
    5. If iCloud Keychain is disabled on Apple devices, you cannot create a fido credential. It is disabled on company devices. What's the point? (However, you can use Roaming Credentials.)
    6. Like POST /.well-known/change-password, if we could do POST /.well-known/webauthn-credentials, wouldn't it be possible to achieve our goal without the user even realizing it?

Q&A

Q. If iCloud Keychain is disabled, does that mean I should use a YubiKey or something similar?
A. YES. Use your iPhone or Roaming credentials. (But I think Apple's answer is to use a password because it's too much work.)

Introduction to Yahoo!'s WebAuthn UX and considerations of Passkey-compatible UX by YumejiHattori (junior of @kura_lab)

  • YJ authentication is two-screen authentication (identifier first pattern). If FIDO is registered in the ID, WebAuthn will be automatically triggered when you go to the second screen. In this case, a failure dialog will be displayed on a device where the credentials are not registered.
  • This is because FIDO did not support a credentials.exists(credentialId) check, since it could be used as a SuperCookie.
  • To get around this, the OS makes guesses about whether credentials exist.
  • Issue 1 caused by the arrival of passkeys: the credential is recorded as registered on #iOS but not on #macOS, so #webauthn is not triggered on the Mac.
  • If the BackupState (BS) flag is set in authenticatorData.flags, the credential may be synchronized between iOS and macOS, so WebAuthn can be invoked on the Mac.
  • Issue 2 with the introduction of Passkeys: issues caused by the lack of support for hybrid (caBLE). When logging in to Windows using iOS, the record says "Windows: Registered" while "iOS: Not Registered."
  • I want the service to suggest WebAuthn to users, but...
  • An example of how to achieve full Passkeys support:
    1. In cases where users are required to select an authentication method (e.g. GitHub), the "Use biometric authentication" button is displayed very prominently. However, most users press this button regardless of whether they can use it or not, resulting in a "disappointing experience."
    2. With Conditional UI, if the credentials exist, Touch ID is an option. If they don't exist, PW and Use another device... are displayed. This is exactly what I wanted to do.
  • Challenges with Conditional UI
    • Behavior when deleting credentials on the service side: The credentials can be used on the terminal but will no longer be accepted by the service side → disappointing experience
  • Taking these factors into consideration, what should a better UX look like?
    • if Re-authentication use case: Automatically trigger WebAuthn based on cookie authentication history, etc.
    • elseif: New Login: Conditional UI
    • else: WebAuthn selection screen (including passive and hybrid) since the chances of WebAuthn success are low
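As an added example (not code from the talks or from Yahoo! JAPAN), the following parses the authenticatorData an RP receives from a WebAuthn response, reads the BE/BS flags mentioned above, and applies the re-authentication / Conditional UI decision from the list; the `seenOnThisDevice` input is an assumed stand-in for the cookie-based authentication history.

```javascript
// Flag bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible (credential may be synced)
const FLAG_BS = 0x10; // backup state (credential is currently backed up)
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backupState = (flags & FLAG_BS) !== 0;
  // The spec forbids BS=1 with BE=0; treat it as a malformed response.
  if (backupState && !backupEligible) throw new Error("BS set without BE");
  const signCount =
    ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible,
    backupState,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// UX decision from the talk: auto-trigger WebAuthn when the RP has seen this
// device before (re-authentication) or when the stored credential is a synced
// passkey (BE+BS), which may exist on the user's other devices; otherwise fall
// back to Conditional UI, where a missing credential does not show an error.
function chooseLoginUx(authData, seenOnThisDevice) {
  if (seenOnThisDevice) return "auto-trigger";
  if (authData.backupEligible && authData.backupState) return "auto-trigger";
  return "conditional-ui";
}

// Constructed sample (hypothetical bytes): zero rpIdHash, flags = UP|UV|BE|BS,
// signCount = 0, which is what a synced passkey typically reports.
function sampleSyncedAuthData() {
  const b = new Uint8Array(37);
  b[32] = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS;
  return b;
}
```
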

Q&A

Q. If I use Hybrid and log in from Windows using iOS, will it not be possible to tell that I've been using iOS?
A. If you sign up via Hybrid, you won't know. Apple has made it so that you don't know.

Q. What if you want to switch users who have fallen back to SMS back to WebAuthn?
A. I think you will have to register Webauthn on the confirmation code authentication screen.

Q. If an operation is run on the RP side and the credentials are deleted, the same applies to the password. If you change the password, it will be reflected in Password Manager. What about Passkey?
A. In the case of Android, if you create new credentials with the same user handle, they will be overwritten. (by @agektmr )

Q: Won't AirDrop be used to share subscriptions?
A. Many sites, such as Netflix, are shared among family members, so this is not a problem.

General Q&A

Q. Is AirDrop phishing possible?
A. This is only possible if you are both in each other's contacts, but it may be possible to break through.

Q. Will the word "Passkey" be used for end users? Currently, UX is different for each company.
A. It is not yet being used in tables, but it is being used in help etc.

Q. I am sometimes asked for a passkey in the email field and also in the password field. The timing of the response varies depending on the platform.
A. Considering reverse brute force...

Q. During reauthentication, if we accept a #passkey, it will depend on the risk of the platform being taken over, but what are RPs' thoughts on this?
A. If you can't bear the risk, don't use it. (A certain US financial institution said this with a grumble, by @_nat.)

Q. Is it assumed that there will be no attestation for consumer games?
A. This is not a premise held by a certain company.

Q. If an authenticator is malicious, can it pretend not to have attestation?
A: In theory, yes.
A2. A certain PF vendor said that no one in the US uses attestation. Actually, there are.
A3. Originally it was agreed that it could be trusted, but now it has been explicitly stated that it cannot be trusted?

Q. Passkey? Passkeys?
A. Treated the same as password/passwords.
A2. By the way, you can think of better password as a password that you can tell is being managed by password manager.

Footnote

  1. First meeting since COVID-19
