Getting started with passkeys and WebAuthn

Presented by Lucas Castro

Follow along

WHAT WE WILL COVER

✅ What is WebAuthn

✅ What is a Passkey

✅ What problems it solves

✅ How to implement registration

✅ How to implement verification

✅ Limitations and concerns

⛔️ User, session, or credential management

⛔️ Passkey extensions

⛔️ An in-depth look into WebAuthn options

⛔️ Method comparisons

WHAT'S THE PROBLEM?

Google / Harris Poll

Passwords.
Passwords are the problem.

WEBAUTHN

  • WebAuthn is a shift from password-based authentication to asymmetric key cryptography.

  • The server only stores a public key, so a data breach doesn't compromise the user's credential.

  • WebAuthn credentials only work on the website/app they were registered for, so they cannot be re-used elsewhere.

No more shared secrets

WEBAUTHN

WebAuthn is a specification.

The spec prescribes data models and an API that allow servers to register and authenticate users with public key cryptography.

WEBAUTHN

Currently implemented and supported in all major browsers.

OK. SO WHAT'S A PASSKEY?

For the purposes of this talk, we define WebAuthn as the specification (API + data models).

Passkeys are the WebAuthn credentials used for passwordless authentication.

USE CASES

Registration

Authentication / Verification

USE CASES

REGISTRATION

Credits: https://webauthn.guide/

Authentication

Credits: https://webauthn.guide/

USE CASES

CONCERNS AND LIMITATIONS

  • You should probably design your WebAuthn flows around the idea of sessions.

  • If the user loses access to the passkey, they lose access to the account.

  • There's no support for an RP to discover resident credentials in the authenticator.

RESOURCES

LET'S CHAT