Follow along

✅ What is WebAuthn
 

✅ What is a Passkey

✅ What problems it solves

✅ How to implement registration

✅ How to implement verification

✅ Limitations and concerns

WHAT WE WILL COVER

⛔️ User, session, or credential management
 

⛔️ Passkey extensions
 

⛔️ An in-depth look into WebAuthn options

⛔️ Method comparisons

WHAT'S THE PROBLEM?

cybernews.com

Google / Harris Poll

security.org

Passwords.
Passwords are the problem.

WEBAUTHn

• It is a shift from password-based authentication to asymmetric key cryptography.
   
• The server only stores a public key. A data breach doesn't compromise the user's credential.
   
• WebAuthn credentials only work on their registered websites/apps. Cannot be re-used.

No more shared secrets

WEBAUTHn

WebAuthn is a specification.

The spec prescribes data models and an API to allow servers to register and authenticate users with public key cryptography

WEBAUTHn

Currently implemented and supported in all major browsers:

OK. SO WHAT'S A PASSKEY?

USE cases

Registration

Authentication / Verification

USE CASES

REGISTRATION

Authentication

USE CASES

passkeys.lucasamonrc.dev

CONCERNS AND LIMITATIONS

• You probably should design your WebAuthn flows around the idea of sessions.
   
• If the user loses access to the passkey, they lose access to the account.
   
• There's no support for an RP to discover resident credentials in the authenticator.

• WebAuthn Spec
   
• FIDO Alliance Passkeys
   
• WebAuthn Guide
   
• Making WebAuthn a Password Replacement
   
• Full Stack Authentication by Max Firtman

RESOURCES

LET'S CHAT

• LinkedIn - /in/lucasamonrc
   
• Website - lucasamonrc.dev
   
• GitHub - /lucasamonrc