Detailed notes on passkeys and ID federation – OpenID Summit 2024

A summary of the talk given by @ritou at OpenID Summit Tokyo 2024 (2024-01-19).

Overview:

This document outlines the relationship between passkeys and ID federation, their respective characteristics, their mutual complementarity, and related specifications based on Mr. Ito's presentation at OpenID Summit Tokyo 2024. In particular, it focuses on the benefits of introducing passkeys in ID federation, the possibility that ID federation can complement areas where passkeys are weak, and related technical specifications.

Key themes:

  1. Characteristics of passkeys and ID federation:
  • Passkeys: characterized by both security and convenience. They use public key cryptography and are highly resistant to phishing. Convenience comes from local authentication (biometrics, a device PIN or passcode) and from synchronization through a password manager. Open issues remain around account recovery, such as losing every synced device or losing a security key, and around synchronization across platforms.
  • ID federation (OpenID Connect): the authentication method behind social login. Beyond authentication it can supply identity information, such as a verified email address or personal attributes. Because it needs only basic browser mechanisms (redirects), it is supported in a very wide range of environments. It is highly extensible, with extension specifications and profiles written for different use cases. On the other hand, it is difficult to deliver a UX beyond what the browser allows, sharing authentication state between services is a problem, and account linking (name matching) and problems on the identity provider's side also have to be considered.
    • "Passkeys are often cited as having two features: security and convenience. First, they are an authentication method that uses public key cryptography. Second, their phishing resistance differs from other authentication methods because they are mediated by a browser or other intermediary. Also, they are highly convenient because they use local authentication such as the biometric or pattern authentication used for the screen lock."
    • "OpenID Connect has been around for 10 years, and as was shown in the morning session, it can be implemented using basic browser mechanisms, so it is supported in a very wide range of environments."

  2. Benefits of passkeys in ID federation, and how the two complement each other:

  • Passkeys compensate for the weaknesses of ID federation: better UX, adoption by users who dislike ID federation, and stronger security. Because credential selection is mediated by the browser, users can see which service they are signing in to. Management by a password manager reduces privacy risk, since the password manager does not share the user's service usage patterns (an identity provider, by contrast, sees every login).
  • ID federation compensates for the weaknesses of passkeys: it works in environments where passkeys are not supported. If the identity provider supports a range of authentication methods including passkeys, relying parties get a strong authentication foundation, and the provider can offer account recovery when a passkey is lost.
    • "Passkeys can be used to compensate for the weaknesses of ID federation. This can improve the user experience (UX) and make it possible to accommodate people who are resistant to ID federation. Conversely, ID federation may also have an aspect of strengthening the weaknesses of passkeys."

  3. Related specifications:

  • OpenID Connect parameters and claims: in the authentication request the relying party can ask for a given authentication strength with the acr_values parameter (for example, requiring passkey authentication) and force re-authentication with the max_age parameter; the amr claim in the returned ID Token identifies the authentication method(s) actually used.
  • OAuth 2.0 Step-up Authentication Challenge Protocol (RFC 9470): when a resource server (API) finds that the authentication behind an access token is insufficient for the requested operation, it returns a challenge that tells the client (relying party) to have the user re-authenticate at the required level.
    • The parameters usable in the authentication request are defined. ACR (Authentication Context Class Reference) refers to the class of authentication context; AMR (Authentication Methods Reference) refers to the authentication method(s) used. The second example request on the slides targets a specific method, such as "users who authenticated with a passkey".
    • Example scenario for the Step-up Authentication Challenge Protocol: a user who authenticated with a password tries to use a payment application, and the API finds that the token does not meet its security policy.
    • Additional authentication is then required because the ACR value or the authentication method is insufficient, for example:
      • the authentication level is too low
      • a specific authentication method is required
      • re-authentication is required because too much time has passed since authentication (3 days in this example)
    • If the token does not meet these conditions, the resource server returns an error and can request a higher level of authentication.
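The step-up exchange just described, as an added worked example for these notes in Python (this is not code from the talk or from any OpenID library). Assumptions: the OP identifies passkey authentication with the hypothetical ACR value urn:example:acr:passkey, the payment API's policy is "passkey, authenticated within the last 3 days", and the resource server has already obtained the token's acr and auth_time claims by validating a JWT access token or calling token introspection. The sample tokens are constructed. The resource server side builds the RFC 9470 challenge; the client side parses it and turns it into the OpenID Connect authentication request parameters.

```python
import re
from urllib.parse import urlencode

# Assumptions for this example: the OP expresses passkey authentication with the
# hypothetical ACR value below, and the payment API requires a passkey login no
# older than 3 days (the talk's example). Real deployments use their OP's ACR names.
PASSKEY_ACR = "urn:example:acr:passkey"
PAYMENT_POLICY = {"acr_values": [PASSKEY_ACR], "max_age": 3 * 24 * 3600}


def shortfalls(token_claims, policy, now):
    """Resource-server side: which policy requirements the access token misses.

    acr and auth_time are taken from the validated JWT access token or from the
    token introspection response (RFC 9470 section 5)."""
    missing = []
    if token_claims.get("acr") not in policy["acr_values"]:
        missing.append("acr_values")
    auth_time = token_claims.get("auth_time")
    if auth_time is None or now - auth_time > policy["max_age"]:
        missing.append("max_age")
    return missing


def resource_server_response(token_claims, policy, now):
    """HTTP status and headers the API returns (RFC 9470 section 3)."""
    missing = shortfalls(token_claims, policy, now)
    if not missing:
        return 200, {}
    params = ['error="insufficient_user_authentication"',
              'error_description="A different authentication level is required"']
    if "acr_values" in missing:          # space-separated list of acceptable ACRs
        params.append('acr_values="%s"' % " ".join(policy["acr_values"]))
    if "max_age" in missing:             # seconds since authentication the API accepts
        params.append('max_age="%d"' % policy["max_age"])
    return 401, {"WWW-Authenticate": "Bearer " + ", ".join(params)}


_AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(www_authenticate):
    """Client side: extract the step-up parameters from a WWW-Authenticate value.
    Returns {} for anything that is not a step-up challenge."""
    scheme, _, rest = www_authenticate.partition(" ")
    params = dict(_AUTH_PARAM.findall(rest))
    if scheme != "Bearer" or params.get("error") != "insufficient_user_authentication":
        return {}
    challenge = {}
    if "acr_values" in params:
        challenge["acr_values"] = params["acr_values"].split()
    if "max_age" in params:
        challenge["max_age"] = int(params["max_age"])
    return challenge


def authorization_request(challenge, client_id, redirect_uri, state, nonce):
    """Client side (RFC 9470 section 4): carry the challenge into an OpenID
    Connect authentication request. acr_values asks the OP for that level;
    max_age makes the OP re-authenticate if its session is older than that."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": "openid",
             "state": state, "nonce": nonce}
    if "acr_values" in challenge:
        query["acr_values"] = " ".join(challenge["acr_values"])
    if "max_age" in challenge:
        query["max_age"] = str(challenge["max_age"])
    return query


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed sample: the user logged in with a password four days ago.
    password_token = {"sub": "alice", "acr": "urn:example:acr:password",
                      "auth_time": now - 4 * 24 * 3600}
    status, headers = resource_server_response(password_token, PAYMENT_POLICY, now)
    print(status, headers["WWW-Authenticate"])
    challenge = parse_challenge(headers["WWW-Authenticate"])
    query = authorization_request(challenge, "payment-app", "https://app.example/cb", "st1", "n1")
    print("https://op.example/authorize?" + urlencode(query))
    # After the user re-authenticates with a passkey, the new token passes.
    passkey_token = {"sub": "alice", "acr": PASSKEY_ACR, "auth_time": now - 30}
    print(resource_server_response(passkey_token, PAYMENT_POLICY, now))
```

The resource server only reports what is missing: a recent password login gets acr_values in the challenge but no max_age, while a four-day-old password login gets both. The client never decides the policy itself; it forwards the challenge to the OP and retries the API call with the new token.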

  Conclusion:

  Passkeys and ID federation have different characteristics, but they complement each other in building a safer and more convenient authentication infrastructure. In particular, introducing passkeys into an ID federation system brings a variety of benefits, including better UX, stronger security, and coverage of environments that do not support passkeys. Developers can get the most out of passkeys by understanding and using the related specifications, such as the OpenID Connect extension parameters and the OAuth 2.0 Step-up Authentication Challenge Protocol.

      Introduction

      • Presenter: Ritou, mixi
      • Theme: The relationship between passkeys and ID federation

      Passkey Features

      • Offers both security and convenience
      • Authentication method based on public key cryptography
      • Phishing resistance through browser mediation: the credential is bound to the site's origin, so it cannot be used from a look-alike site
      • Reuses the biometric authentication (or PIN/pattern) already used for the screen lock
      • Passkey synchronization through a password manager
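The phishing resistance listed above comes from two relying-party checks: the browser records the origin the user was actually on in clientDataJSON, and the authenticator scopes the credential to an RP ID whose hash it returns in authenticatorData. The following added example (written for these notes in Python, not code from the talk) shows those checks plus the user-verification flag and signature-counter check, using only the standard library. The RP ID, allowed origins and sample assertions are constructed; signature verification with the stored public key is delegated to a caller-supplied function, and the stand-in used here accepts everything so the block runs offline.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"  # assumption: the RP ID this site registers credentials under
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumption

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric, PIN or pattern on the device)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def assertion_problems(response, expected_challenge, stored_sign_count,
                       require_uv, verify_signature):
    """Reasons to reject a WebAuthn assertion (empty list = accept).

    response: clientDataJSON, authenticatorData and signature as the browser
    sends them, base64url-encoded. verify_signature(message, signature) -> bool
    is supplied by the caller with the credential's stored public key."""
    problems = []
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    auth_data = b64url_decode(response["authenticatorData"])
    client_data = json.loads(client_data_bytes)

    # clientDataJSON is written by the browser, not by the page: the origin it
    # records is where the user really was, so a look-alike domain fails here.
    if client_data.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        problems.append("origin %r not allowed" % client_data.get("origin"))
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch (wrong session or replay)")

    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || ...
    if len(auth_data) < 37:
        return problems + ["authenticatorData too short"]
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # The browser also refuses to let another domain use this RP ID; the RP
    # still checks the hash so a credential for a different RP ID is rejected.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch: credential scoped to another RP ID")
    if not flags & FLAG_UP:
        problems.append("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        problems.append("user verification required but UV flag not set")
    # Synced passkeys commonly report a counter of 0; otherwise it must increase.
    if sign_count != 0 and sign_count <= stored_sign_count:
        problems.append("signature counter did not increase (cloned authenticator?)")

    # The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    signed = auth_data + hashlib.sha256(client_data_bytes).digest()
    if not verify_signature(signed, b64url_decode(response["signature"])):
        problems.append("signature invalid")
    return problems


def make_assertion(origin, rp_id, challenge, flags, sign_count):
    """Constructed sample (no real authenticator): lays out the two structures
    exactly as a browser and authenticator would, with a placeholder signature."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data),
            "signature": b64url_encode(b"placeholder")}


def accept_any_signature(message, signature):
    """Stand-in for the ECDSA/EdDSA check a real RP does with the stored public key."""
    return True


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed per-login challenge
    genuine = make_assertion("https://example.com", RP_ID, challenge, FLAG_UP | FLAG_UV, 0)
    print(assertion_problems(genuine, challenge, 0, True, accept_any_signature))  # []
    phish = make_assertion("https://examp1e.com", RP_ID, challenge, FLAG_UP | FLAG_UV, 0)
    print(assertion_problems(phish, challenge, 0, True, accept_any_signature))
```

The UV flag is what the "user verification for re-authentication" point later in these notes relies on: an RP that wants a fresh biometric or PIN gesture for a sensitive action passes require_uv=True and rejects assertions that only prove presence.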

      Passkey Challenges

      • Account recovery when all synced devices are lost
      • Loss of a security key (a device-bound key has no synced copy to fall back on)
      • Cross-platform synchronization between ecosystems (Apple, Google, Microsoft)
      • True cross-platform use requires a third-party password manager

      Current status of passkey implementation

      • 2023: sites added passkey support alongside their existing authentication methods
      • 2024: the focus shifts to registering new users directly with passkeys, without a password
      • A migration strategy from passwords to passkey authentication is important

      Features of ID federation (OpenID Connect)

      • OpenID Connect turns 10 (Core 1.0 was finalized in 2014)
      • Uses basic browser mechanisms for broad compatibility
      • Highly extensible with working groups developing extensions for various use cases
      • Creating profiles to standardize implementation patterns

      Issues with ID federation

      • Browser restrictions limit the user experience
      • Authentication state is hard to share or even observe between services (a cross-domain problem)
      • Some implementations rely on third-party cookies
      • Account-linking (name matching) issues between identity providers and relying parties
      • Risk of identity provider outages or account suspension
      • Implementations of OpenID Connect are uneven in which parts of the specification they support

      Comparison of authentication methods

      • Passkeys use the browser's autofill UI to show the available credentials, which gives a very good UX
      • A password manager that holds the passkeys brings a privacy benefit: it does not share the user's service usage patterns
      • Passkeys give a clear consent step and user verification for re-authentication
      • Depending on the implementation, ID federation systems may lack a re-authentication function

      Complementary relationship

      • Passkeys can compensate for the weaknesses of ID federation:
        • Improved UX
        • Appealing to users who dislike ID federation
      • ID federation can strengthen passkey weaknesses:
        • Identity providers support multiple authentication methods
        • Support in environments without passkey support
        • Identity providers with verification systems offer more account recovery options

      Technical Features of OpenID Connect

      • A relying party can request a particular authentication context with the acr_values parameter (ACR: Authentication Context Class Reference)
      • The amr claim in the ID Token (AMR: Authentication Methods Reference) reports which method(s) were actually used
      • The core specification already includes re-authentication parameters:
        • max_age: maximum allowed time since the user authenticated; if exceeded the OP must re-authenticate, and the ID Token then carries auth_time
        • login_hint: helps the OP identify the correct user account
        • id_token_hint: the previously issued ID Token, so the OP can check that the same end user is the one being logged in

      Advanced features

      • The FAPI (Financial-grade API) profile supports phishing-resistant, hardware-protected credentials
      • AMR values defined in RFC 8176 cover a wide range of methods, including proof of possession of a hardware- or software-secured key (hwk, swk)
      • OAuth 2.0 Step-up Authentication Challenge Protocol (RFC 9470):
        • Extends authentication requirements to resource servers (APIs)
        • Enables policies that require stronger authentication for sensitive operations
        • Lets the resource server reject requests whose authentication strength is insufficient
        • Supports re-authentication requests so the client can meet the requirement
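The parameters and claims listed under "Technical Features of OpenID Connect" and the RFC 8176 AMR values above, as an added example written for these notes in Python (not code from the talk or from any OpenID library). It shows the relying-party side: building a re-authentication request with max_age, acr_values, login_hint and id_token_hint, and then checking the returned ID Token's sub, auth_time, acr and amr. Assumptions: the ACR identifier urn:example:acr:passkey is hypothetical, the choice of which RFC 8176 values count as a passkey login is the example's own, and the ID Token's signature, iss, aud, exp and nonce are taken to have been validated already; the sample claims are constructed.

```python
# RFC 8176 method references an OP might report for a passkey login. Which
# values a given OP emits is deployment-specific, so treating these sets as
# "a passkey was used" is an assumption of this example.
KEY_PROOF_AMR = {"hwk", "swk"}                 # proof of possession of a hardware/software key
USER_VERIFICATION_AMR = {"fpt", "face", "iris", "pin", "user"}  # local user-verification gesture
PASSKEY_ACR = "urn:example:acr:passkey"        # hypothetical ACR identifier


def reauth_request(client_id, redirect_uri, state, nonce, previous_id_token,
                   max_age, acr_values=(), login_hint=None):
    """Authentication request parameters for re-authenticating a known user.

    max_age: if the OP's session is older than this it must actively
      re-authenticate, and the ID Token it returns must then carry auth_time.
    id_token_hint: the ID Token from the earlier login; the OP uses it to
      confirm which end user is expected.
    login_hint: pre-fills the account identifier if the OP shows a prompt.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": nonce,
              "max_age": str(max_age), "id_token_hint": previous_id_token}
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    if login_hint:
        params["login_hint"] = login_hint
    return params


def reauth_claim_problems(claims, *, expected_sub, max_age, now,
                          acr_values=(), require_user_verification=True):
    """Authentication-strength checks on the new ID Token's claims, applied after
    the usual signature/iss/aud/exp/nonce validation has passed. Returns the
    list of reasons to reject (empty means the re-authentication is acceptable)."""
    problems = []
    # id_token_hint named a user; the new token must be for that same user.
    if claims.get("sub") != expected_sub:
        problems.append("sub changed: ID Token is for a different end user")
    auth_time = claims.get("auth_time")
    if auth_time is None:
        problems.append("auth_time missing (required when max_age was requested)")
    elif now - auth_time > max_age:
        problems.append("authenticated %ds ago, exceeds max_age=%d" % (now - auth_time, max_age))
    if acr_values and claims.get("acr") not in acr_values:
        problems.append("acr %r not in requested %s" % (claims.get("acr"), list(acr_values)))
    amr = set(claims.get("amr") or [])
    if not amr & KEY_PROOF_AMR:
        problems.append("amr %s shows no key-based proof of possession" % sorted(amr))
    if require_user_verification and not amr & USER_VERIFICATION_AMR:
        problems.append("amr %s shows no user-verification gesture" % sorted(amr))
    return problems


if __name__ == "__main__":
    now = 1_700_000_000
    print(reauth_request("app", "https://app.example/cb", "st1", "n1",
                         "previous-id-token", max_age=300, acr_values=[PASSKEY_ACR]))
    # Constructed ID Token claims after a passkey re-authentication a minute ago.
    fresh = {"sub": "alice", "auth_time": now - 60, "acr": PASSKEY_ACR, "amr": ["hwk", "fpt"]}
    print(reauth_claim_problems(fresh, expected_sub="alice", max_age=300, now=now,
                                acr_values=[PASSKEY_ACR]))  # []
    # Constructed claims from a password login: rejected on acr and amr.
    weak = {"sub": "alice", "auth_time": now - 60, "acr": "urn:example:acr:password", "amr": ["pwd"]}
    print(reauth_claim_problems(weak, expected_sub="alice", max_age=300, now=now,
                                acr_values=[PASSKEY_ACR]))
```

The acr and amr checks cover different things: acr is the level the RP asked for and the OP asserts, while amr lets the RP confirm that the method actually used involved a key (hwk/swk) and a user-verification gesture. Which of the two to trust is an RP policy decision; an OP that does not populate amr leaves the RP with acr alone.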

      Application to modern architecture

      • Applicable to internal IAM systems
      • Identity provider platform authenticates SPAs and native apps (relying parties)
      • Resource servers (payment services, healthcare microservices, etc.) can enforce authentication requirements

      Conclusion

      • Passkeys and ID federation have different characteristics but can be used together
      • Each can cover the other's weaknesses
      • The OpenID Connect specification already provides many of the features required for secure authentication
      • Combining these technologies brings the benefits of passkeys to an ID federation system
