Getting started with passkeys and WEBauthn

Presented by Lucas Castro

Follow along

✅ What is WebAuthn

✅ What is a Passkey

✅ What problems it solves

✅ How to implement registration

✅ How to implement verification

✅ Limitations and concerns

WHAT WE WILL COVER

⛔️ User, session, or credential management

⛔️ Passkey extensions

⛔️ An in-depth look into WebAuthn options

⛔️ Method comparisons

WHAT'S THE PROBLEM?

cybernews.com

Google / Harris Poll

security.org

Passwords.
Passwords are the problem.

WEBAUTHn

It is a shift from password-based authentication to asymmetric key cryptography.
The server only stores a public key. A data breach doesn't compromise the user's credential.
WebAuthn credentials only work on their registered websites/apps. Cannot be re-used.

No more shared secrets

WEBAUTHn

WebAuthn is a specification.

The spec prescribes data models and an API to allow servers to register and authenticate users with public key cryptography

WEBAUTHn

Currently implemented and supported in all major browsers:

OK. SO WHAT'S A PASSKEY?

For the purposes of this talk, we will define WebAuthn as the specification (API + data models)

Passkeys are the WebAuthn credentials used during passwordless authentication

USE cases

Registration

Authentication / Verification

USE CASES

REGISTRATION

Credits: https://webauthn.guide/

Authentication

Credits: https://webauthn.guide/

USE CASES

passkeys.lucasamonrc.dev

CONCERNS AND LIMITATIONS

You probably should design your WebAuthn flows around the idea of sessions.
If the user loses access to the passkey, they lose access to the account.
There's no support for an RP to discover resident credentials in the authenticator.

RESOURCES

LET'S CHAT

LinkedIn - /in/lucasamonrc
Website - lucasamonrc.dev
GitHub - /lucasamonrc