The Passwordless Web

What should I expect from this talk?

Brief overview of passwords

What is FIDO2?

DEMO!

How does it work?

How to get started.

Why FIDO2?

Q & A

Passwords

Invented by Fernando Corbato in the 1950s

Why are passwords

bad not good?

Characteristics

  • Can be long & strong, but limited by policy
  • Hard to make unique for every occasion
  • Very phishable
  • ...Shared Secret

...not great

Is phishing a problem?

Microsoft Security Intelligence Report 2019

Phishing increased by 400% during 2018 and reached 0.8% of all emails analyzed

Phishable (ticket from our support system, last week)

Password Managers!

Stronger, but still phishable

81% of all hacking-related breaches leverage stolen or weak passwords.

(Source: Verizon)

Authentication without passwords

There are options, but you have to design and implement them yourself

FIDO2

(You never have to use passwords again. Seriously.)

Introducing...

Promise: Defeat phishing and make it easy to sign in.

Demo!

www.passwordless.dev

On screen

Off Screen (Security Key)

What happened?

We clicked a button in the browser

The Browser did something

We touched a USB stick

We were securely signed in

We used Fingerprint / FaceID

What's going on?

FIDO2 Flow

👍

What is FIDO2?

Fast authentication based on public/private key cryptography.

WebAuthn (browser JS) + CTAP2 (Devices)

W3C Standards 👆


CTAP?????

NFC? WebAuthn?


Passwordless?

  • As in no password is sent over the internet.
  • Importantly, user verification (PIN or biometric) happens on the device itself, in its secure storage, and not against a server database that can be leaked.
  • Users can use weaker PINs without worrying about being compromised
  • Or biometrics for better UX

Register an account

Sign in

sendToServer();

Server is responsible for cryptographic verification.
Private Key never leaves your device.
No shared secret
Anonymity *can* be ensured.

github.com/abergs/fido2-net-lib
(17 contributors)

Get Started!

  • https://www.passwordless.dev
  • https://webauthn.guide/
  • MDN WebAuthn API

Thank you!

Q & A?

The Passwordless Web

By abergs