Espen Henriksen
Front-end team lead
Oslo Market Solutions
espen_dev
esphen
WebAuthn
Or the story of how the Grinch stole the password
What even is it?
Some facts
- "Web Authentication API"
- New browser API
- Generates asymetric crypto keys stored securely in the browser
- Uses the browser Credential Management API
- Integrates with the OS in interesting ways
- Enables passwordless login
Isn't 2FA good enough?
Isn't 2FA good enough?
Isn't 2FA good enough?
Phishing is a real threat
Passwordless login
- Better than passwords
- Cannot be phished
- Cannot be stolen
- Cannot be reused
- Very user friendly
- Is a strong enough authentication that it can be used as the only factor
- Can also work as a second factor
Registration
Login
Authenticator
- OS decides which authenticator to use
- Authenticator be one of:
- TouchID / Fingerprint
- Retina scan
- FaceID
- Windows Hello
- U2F / Phone
- PIN
- etc.
- Opens the door for very ergronomic logon experiences
Example: Key generation
// Get server to issue a challenge
const response = await post('/begin-make-credential', { username });
const data = await response.json();
// register / create a new credential
const credential = await navigator.credentials.create({ publicKey: {
// Relying Party (a.k.a. - OMS):
rp: data.rp,
// User id, name and displayName to identify the key
user: data.user,
// List of random bytes from server
challenge: strToUintArray(data.challenge),
// Options for key generation
pubKeyCredParams: [{ type: "public-key", alg: -7 }]
}});
// Send public key and signed data to server
await post('/submit-and-verify-credential', { credential });
Example: Authentication
// Get server to issue a challenge
const response = await post('/begin-authentication', { username });
const data = await response.json();
// Fetch existing credential from user agent
const credential = await navigator.credentials.get({ publicKey: {
// Relying Party's ID, for example "oms.no"
rpId: data.rpId,
// List of random bytes from server
challenge: strToUintArray(data.challenge),
// Allowed credentials, for example a list of public keys the server knows
allowCredentials: data.allowCredentials,
// Require user interation, for example biometric input
userVerification: 'required',
}});
// Send completed challenge to server for verification
await post('/finish-authentication', { credential });
Prove it!
DEMO
An example:
Elisa and Tri-bank
Example
Example
Example
Example
Example
Example
Why do I care?
Secure
- Passwords are broken
- Users forget passwords
- Users reuse passwords
- Passwords need to be stored safely
- Passwords can be phished, keylogged, screen-peeked, lost...
- 2FA is required for optimal security, WebAuthn has its own second factor
- SMS 2FA is weak
User friendly
- Very user friendly
- Tightly coupled to the OS
- Automatically accessible
- Easier register & login flow means higher conversion rate
- Once implemented can be reused very easily
Use cases
- The primary login avenue
- A secondary, more user-friendly login
- As 2FA after primary login
- Passwordless re-authentication before sensitive operations
- A second primary login avenue with reduced rights
- For example, no trading, only viewing
Is passwordless login 2FA?
Factors
- What factors does WebAuthn provide?
- First factor: Assymetric key
- Second factor: Authenticator
- First factor is something you have
- Second factor is something you are (biometrics)
Browser support
Fin
Questions? Discussion?
https://slides.com/esphen/web-authentication
Web Authentication
By Eline H
Web Authentication
- 133