The
Passwordless Web
What should I expect from this talk?
Brief overview of passwords
What is FIDO2?
DEMO!
How does it work?
How to get started.
Why FIDO2?
Q & A
Passwords

Invented by Fernando Corbato in the 1950s
Why are passwords
bad not good?

Characteristics
- Can be long & strong, but limited by policy
- Hard to make unique for every occasion
- Very phishable
- ...Shared Secret
...not great
Is phishing a problem?
Microsoft Security Intelligence Report 2019
Phishing increased by 400% during '18 and reached 0.8% of all emails analyzed

Phishable (Ticket from our Support-system, last week)
Password Managers!


Stronger, but still phishable



81%
of all hacking-related breaches leverage stolen or weak passwords.
(Source, Verizon)
Authentication without passwords




Options, but you have to design and implement it yourself


FIDO2
(You never have to use passwords again. Seriously.)
Introducing...
Promise: Defeat phishing and make it easy to sign in.
Demo!
www.passwordless.dev

On screen

Off Screen (Security Key)
What happened?
We clicked a button in the browser
The Browser did something
We touched a USB stick
We were securely signed in
We used Fingerprint / FaceID
What's going on?

FIDO2 Flow
👍
What is FIDO2?
Fast auth based on Public / Private key cryptography.
WebAuthn (browser JS) + CTAP2 (Devices)
W3C Standards 👆

CTAP?????
NFC? WebAuthn?


Passwordless?
- As in no password is sent over the internet.
- The important fact is that the verification happens in the secure storage on the device, and not against a server database that can be leaked.
- Users can use weaker PINs without worrying about being compromised
- Or Biometrics for better UX

Register an account

Sign in
sendToServer();
Server is responsible for cryptographic verification.
Private Key never leaves your device.
No shared secret
Anonymity *can* be ensured.
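
The sign-in check described above ("Server is responsible for cryptographic verification"), as an added Node.js example that is not from the talk or from fido2-net-lib: a software stand-in for the authenticator signs the challenge, and the server checks challenge, origin, RP ID hash, signature and counter using only the public key. RP_ID, ORIGIN, makeAuthenticator, verifyAssertion and the example.test / example.invalid hosts are assumptions made for the illustration.

```javascript
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const RP_ID = "example.test"; // assumed relying-party ID (constructed)
const ORIGIN = "https://example.test"; // assumed origin the server expects
// Software stand-in for a security key: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  let counter = 0;
  // `origin` is what the browser reports; the page's script cannot choose it.
  const sign = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    const tail = Buffer.alloc(5); // 1 flags byte + 4-byte signature counter
    tail[0] = 0x01; // user-present flag
    tail.writeUInt32BE(++counter, 1);
    const authenticatorData = Buffer.concat([sha256(new URL(origin).hostname), tail]);
    const signature = nodeCrypto.sign("sha256",
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  };
  return { publicKey, sign }; // only the public key is registered with the server
}

// Server side: returns "ok" or the name of the first check that failed.
function verifyAssertion(a, expectedChallenge, publicKey, storedCount) {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "bad challenge";
  if (clientData.origin !== ORIGIN) return "bad origin";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "bad rpIdHash";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!nodeCrypto.verify("sha256", signed, publicKey, a.signature)) return "bad signature";
  if (a.authenticatorData.readUInt32BE(33) <= storedCount) return "counter did not increase";
  return "ok";
}

function demo() {
  const key = makeAuthenticator();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = key.sign(challenge, ORIGIN);
  const otherOrigin = key.sign(challenge, "https://login.example.invalid"); // browser was elsewhere
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[32] ^= 0x04; // flip a flag bit after signing
  const check = (a, c = challenge) => verifyAssertion(a, c, key.publicKey, 0);
  return { genuine: check(genuine), otherOrigin: check(otherOrigin),
    staleChallenge: check(genuine, nodeCrypto.randomBytes(32)), tampered: check(tampered) };
}
console.log(demo());
```
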
github.com/abergs/fido2-net-lib
(17 contributors)

Get Started!
- https://www.passwordless.dev
- https://webauthn.guide/
- MDN WebAuthn API
Thank you!
Q & A?
The Passwordless web
By abergs