WebAuthn
New authentication for the new web
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4518978/FIDO_Alliance_tagline_Black.png)
Yuriy Ackermann
Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2956744/CC-BY_icon.svg.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477598/300px-American_Express_logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477599/aetna-300x127.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477600/Amazon-logo-RGB.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477601/arm-logo-limited-use.gif)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477602/bac_lo1_293_186_h_300_37.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477603/bc-card.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477604/daon-logo_300x100-300x100.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477605/Feitian_Sponsor.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477606/fingerprint.jpeg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477607/Gemalto_Sponsor.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477608/googlelogo_color_272x92dp.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477609/infineon-logo-300.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477610/intel-logo-300x198.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477611/LenovoLockup-POS-Color_300_126-300x126.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477612/LINE_Logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477613/library_logos_alibabaev_large_300_127.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477614/logo.gif)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477615/mcsig_pos_ppt_png_300_215.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477616/microsoft-logo_300_110.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477617/Nok-Nok-Labs-2018-Board.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477618/ntt-docomo.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477625/NXP_logo_RGB_web_00_300_160.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477626/paypal-fido.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477627/Qualcomm_Logo-fido.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477628/Raonsecure-CI.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477629/RSA-logo.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477630/Samsung_Logo_for_TV__Internet_300_100.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477631/synaptics-logo_300_65.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477632/usaalogo2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477633/vasco-logo-300.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477634/vbm_blugrad01_300_97.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477635/yubico-logo2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633035/FIDO_Alliance_logo_black_RGB.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/5005757/facebook-770688_960_720.png)
PASSWORD AUTHENTICATION
brief intro
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944045/auth-01.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944047/auth-02.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944054/auth-03.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944056/auth-04.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944057/auth-05.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944058/auth-06.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944060/auth-07.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944063/auth-08.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944064/auth-09.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944066/auth-10.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944067/auth-11.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944069/auth-12.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944072/15.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944078/auth-13.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944083/passwordleak-01.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944084/passwordleak-02.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944086/passwordleak-03.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944087/passwordleak-04.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944090/passwordleak-05.png)
Password authentication is like balancing rocks. Fail to secure one, and everything is compromised.
Four layers of WebAuthn
- User
- API
- Protocol
- CTAP
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916446/Touch-ID-in-action.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916466/green-tick-in-circle_21335495.jpg)
User layer
API
API: Create PublicKeyCredential

```javascript
// Challenge: in production this is issued by the relying party's server,
// freshly generated for every registration ceremony.
var randomChallengeBuffer = new Uint8Array(32);
window.crypto.getRandomValues(randomChallengeBuffer);

// User handle: an opaque byte array identifying the account (not the e-mail).
var base64id = 'MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII=';
var idBuffer = Uint8Array.from(window.atob(base64id), c => c.charCodeAt(0));

var publicKey = {
    challenge: randomChallengeBuffer,
    rp: { name: "FIDO Example Corporation" },
    user: {
        id: idBuffer,
        name: "alice@example.com",
        displayName: "Alice von Wunderland"
    },
    // Accepted key algorithms, in order of preference (COSE identifiers)
    pubKeyCredParams: [
        { type: 'public-key', alg: -7 },  // ES256
        { type: 'public-key', alg: -257 } // RS256
    ]
};

// Note: The following call will cause the authenticator to display UI.
navigator.credentials.create({ publicKey })
    .then((newCredentialInfo) => {
        console.log('SUCCESS', newCredentialInfo);
    })
    .catch((error) => {
        console.log('FAIL', error);
    });
```
API: GetAssertion

```javascript
// Minimal request: a server-issued challenge (placeholder base64 value here).
// An empty allowCredentials list lets the authenticator pick any resident
// credential it holds for this relying party.
var options = {
    challenge: Uint8Array.from(window.atob("AsdeE22Sd/sSKnJIFjomAA=="), c => c.charCodeAt(0)),
    timeout: 60000,
    allowCredentials: []
};

navigator.credentials.get({ publicKey: options })
    .then((assertion) => { /* send the assertion to the server for verification */ })
    .catch((err) => { /* user cancelled, timeout, or no matching credential */ });
```

```javascript
// Restricting the ceremony to known credentials: the server lists the
// credential IDs it registered for this account. In practice each id is the
// rawId returned by create(); the encoded strings below are demo values.
let encoder = new TextEncoder();
let acceptableCredential1 = {
    type: "public-key",
    id: encoder.encode("550e8400-e29b-41d4-a716-446655440000")
};
let acceptableCredential2 = {
    type: "public-key",
    id: encoder.encode("1098237235409872")
};

let options = {
    challenge: Uint8Array.from(window.atob("B0soes+KsieDjesEmA=="), c => c.charCodeAt(0)),
    timeout: 60000,
    allowCredentials: [acceptableCredential1, acceptableCredential2],
    // Draft-era extension identifier (later renamed txAuthSimple): asks the
    // authenticator to display this text for the user to confirm.
    extensions: { "webauthn.txauth.simple": "Wave your hands in the air like you just don't care" }
};

navigator.credentials.get({ publicKey: options })
    .then((assertion) => { /* send the assertion to the server for verification */ })
    .catch((err) => { /* user cancelled, timeout, or no matching credential */ });
```
Protocol
Challenge-Response
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916534/webauthn-01-Challenge-Response-svg-1497775866818.png)
Phishing
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916537/webauthn-02-Phishing-svg-1497775850514.png)
Replay Attack
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916539/webauthn-03-ReplayAttack-svg-1497775794708.png)
Registration-specific key-pairs
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916545/webauthn-04-RegKeys-Reg-svg-1497776037018.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916546/webauthn-04-RegKeys-Auth-svg-1497775772573.png)
Attestation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3944038/webauthn-05-Attestation.png)
Authentication vs Verification
Verification
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916187/ID.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916189/Man-Beverage-Party-Lager-Drink-Restaurant-Beer-2103845.jpg)
Authentication
Can I have your ID?
Yup, that's good.
Authentication vs Verification
Password Authentication
Password-less Authentication
Test of User Presence (TUP)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3940561/finger-touch7-1000.png)
User verification
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3940497/pin-icon.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3940498/iris-icon.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3940499/fingerprint-icon.png)
User-Verification-Index (UVI)
- Your fingerprint: A5UCuKeCroUSPxcy
- Your partner's fingerprint: o3RPqEvThvtjoRE3
CTAP
CTAP2
- Simple and lightweight hardware protocol
- CBOR encoding (à la JSON / ASN.1)
- Only two operational commands
  - authenticatorMakeCredential
  - authenticatorGetAssertion
- Two meta commands
  - authenticatorGetInfo
  - authenticatorCancel
- Successor of the CTAP1 (U2F) protocol
CTAP2 Message

```javascript
// The user account parameter of an authenticatorMakeCredential request,
// shown as a JavaScript object; on the wire CTAP2 carries it CBOR-encoded.
var userAccountInformation = {
    rpDisplayName: "ACME",
    displayName: "John P. Smith",
    name: "johnpsmith@example.com",
    id: "1098237235409872",
    imageUri: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
```
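To make the CTAP2 bullets and the message above concrete, here is an added example (not from the slides or the CTAP2 specification) of how such a message is framed on the wire: a minimal CBOR encoder covering the major types CTAP2 needs, and an authenticatorMakeCredential request. The command byte 0x01 and parameter keys 1 to 4 follow CTAP2; the relying party `acme.com`, the user values and the all-0xAB client data hash are constructed.

```javascript
const CMD_MAKE_CREDENTIAL = 0x01;   // CTAP2 command byte for authenticatorMakeCredential

// CBOR initial byte(s): 3-bit major type plus the argument (length or value).
function encodeHead(major, n) {
  if (n < 24) return Buffer.from([(major << 5) | n]);
  if (n < 0x100) return Buffer.from([(major << 5) | 24, n]);
  if (n < 0x10000) return Buffer.from([(major << 5) | 25, n >> 8, n & 255]);
  const b = Buffer.alloc(5); b[0] = (major << 5) | 26; b.writeUInt32BE(n, 1); return b;
}

// Encodes integers, byte strings, text strings, arrays and Maps (the CTAP2 subset).
function cbor(v) {
  if (Number.isInteger(v)) return v >= 0 ? encodeHead(0, v) : encodeHead(1, -1 - v);
  if (Buffer.isBuffer(v)) return Buffer.concat([encodeHead(2, v.length), v]);
  if (typeof v === 'string') { const s = Buffer.from(v, 'utf8'); return Buffer.concat([encodeHead(3, s.length), s]); }
  if (Array.isArray(v)) return Buffer.concat([encodeHead(4, v.length), ...v.map(cbor)]);
  if (v instanceof Map) {
    // CTAP2 canonical CBOR: map keys sorted by encoded length, then bytewise
    const entries = [...v.entries()].map(([k, val]) => [cbor(k), cbor(val)])
      .sort((a, b) => a[0].length - b[0].length || Buffer.compare(a[0], b[0]));
    return Buffer.concat([encodeHead(5, entries.length), ...entries.flat()]);
  }
  throw new TypeError('unsupported CBOR value');
}

// CTAP2 request framing: command byte, then a CBOR map with integer keys
// 0x01 clientDataHash, 0x02 rp, 0x03 user, 0x04 pubKeyCredParams.
function makeCredentialRequest({ clientDataHash, rp, user, pubKeyCredParams }) {
  const params = new Map([
    [1, clientDataHash],
    [2, new Map(Object.entries(rp))],
    [3, new Map(Object.entries(user))],
    [4, pubKeyCredParams.map(p => new Map(Object.entries(p)))],
  ]);
  return Buffer.concat([Buffer.from([CMD_MAKE_CREDENTIAL]), cbor(params)]);
}

// Constructed sample request (the user id is a byte string on the wire).
function sampleRequest() {
  return makeCredentialRequest({
    clientDataHash: Buffer.alloc(32, 0xab),
    rp: { id: 'acme.com', name: 'ACME' },
    user: { id: Buffer.from('1098237235409872'), name: 'johnpsmith@example.com', displayName: 'John P. Smith' },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
  });
}
```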
CTAP2 Transports
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578031/Google_Chrome_icon__2011_.svg.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578029/firefox-512.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578030/Microsoft_Edge_logo.png)
Browser support
Review
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945496/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil2-svg-1498572055901.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945497/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil3-svg-1498572064636.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945498/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil4-svg-1498572072995.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945499/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil5-svg-1498572081877.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945500/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil6-svg-1498572090118.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945503/screencapture-file-C-Users-IptC-Desktop-WebAuthnPresentation-wiil1-svg-1498572045137.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945276/1rl7cg.jpg)
Pros
- Weak passwords and password reuse become less of an issue
- Users don't need to trust the relying party
- Phishing fundamentally does not work against WebAuthn
- The relying party has no credentials to leak
- The relying party does not need to invent its own authentication
- The standard, not individual developers, dictates the security decisions in authentication
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3945736/SoLongAndThanksForAllThePhish.png)
Cons
- Requires user hardware (a minor issue, since smartphones can act as authenticators)
Things to play with
- Specs: https://www.w3.org/TR/webauthn/
- CTAP2: https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html
- http://slides.com/fidoalliance/jan-2018-fido-seminar-webauthn-tutorial#/
- https://github.com/fido-alliance/webauthn-demo
- https://webauthn.org/
- https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
Thank you!
WebAuthn Overview
By Ackermann Yuriy