Lucas Castro
I’m a software engineer, husband, father, latter-day saint, and life-long learner. I like to think deeply about things.
Getting started with passkeys and WEBauthn
Presented by Lucas Castro
Follow along
✅ What is WebAuthn
✅ What is a Passkey
✅ What problems it solves
✅ How to implement registration
✅ How to implement verification
✅ Limitations and concerns
WHAT WE WILL COVER
⛔️ User, session, or credential management
⛔️ Passkey extensions
⛔️ An in-depth look into WebAuthn options
⛔️ Method comparisons
WHAT'S THE PROBLEM?
Google / Harris Poll
Passwords.
Passwords are the problem.
WEBAUTHn
- It is a shift from password-based authentication to asymmetric key cryptography.
- The server only stores a public key. A data breach doesn't compromise the user's credential.
- WebAuthn credentials only work on their registered websites/apps. Cannot be re-used.
No more shared secrets
WEBAUTHn
WebAuthn is a specification.
The spec prescribes data models and an API to allow servers to register and authenticate users with public key cryptography
WEBAUTHn
Currently implemented and supported in all major browsers:
OK. SO WHAT'S A PASSKEY?
For the purposes of this talk, we will define WebAuthn as the specification (API + data models)
Passkeys are the WebAuthn credentials used during passwordless authentication
USE cases
Registration
Authentication / Verification
USE CASES
REGISTRATION
Credits: https://webauthn.guide/
Authentication
Credits: https://webauthn.guide/
USE CASES
CONCERNS AND LIMITATIONS
- You probably should design your WebAuthn flows around the idea of sessions.
- If the user loses access to the passkey, they lose access to the account.
- There's no support for an RP to discover resident credentials in the authenticator.
RESOURCES
LET'S CHAT
-
LinkedIn - /in/lucasamonrc
-
Website - lucasamonrc.dev
- GitHub - /lucasamonrc
UtahJS: Passkeys
By Lucas Castro
