Passwords are old, Let's use WebAuthn
About Me
Mohammad Shahbaz Alam
Director, Alfaaz Lingua
Full Stack Developer
Auth0 Ambassador
Mozilla Representative
GDG Ranchi Organizer
@mdsbzalam
Agenda
1. Passwords
2. WebAuthn
PASSWORDS
Passwords should be like Joey
WHAT'S A PASSWORD?
ANYTHING THAT'S A SHARED SECRET!
PASSWORD1234
A string
RKYLHWK8@YB&YTI!8UKZH#TY?
A string
CAN BE HARD TO REMEMBER
IF COMPLEX!
A PASSWORD MANAGER CAN HELP!
CAN BE HARD TO GUESS( BY SOMEONE) IF COMPLEX!
BUT DO USE PASSWORD MANAGER SO YOU DON'T FORGET!
1234
A pincode
NOT SO HARD TO GUESS
OFTEN COMBINED WITH THE MAXIMUM ALLOWED NUMBER OF ATTEMPTS!
FAIRLY EASY TO REMEMBER
USUALLY USED ONLY WITH ACCESS TO A PHYSICAL THING
(CARDS, PHONES, KEYPADS, ...)
A pattern
A pattern
Passwordless ✨
ONE TIME PASSWORDS
Valid for one-time use
Often expire after a certain time
Sent directly to the user
SENT IN SMS
iOS and Android let you fill in the OTP with the press of a button
NOT ALL TELECOM OPERATORS TAKE SECURITY SERIOUS, SMS MESSAGES CAN BE INTERCEBTED
You need your cellphone on hand
SENT IN AN EMAIL
You don't need a second device
EMAILS CAN BE INTERCEPTED
AUTHENTICATOR APP
SOCIAL
ONE LESS PASSWORD TO REMEMBER
ONLY GIVE PASSWORDS TO A SERVICE YOU TRUST
YOU RELY ON ANOTHER SERVICE FOR YOUR AUTHENTICATION
OFTEN USED AS A SECOND FACTOR
SO HOW'S YOUR PASSWORD SHOULD BE?
LIKE JOEY
LIKE JOEY
SO DON'T SHARE IT WITH ANYONE
LIKE JOEY
LIKE JOEY
USE UPPERCASE AND LOWERCASE CHARACTER
LIKE THIS?
KXnCTowPLjkTIwQ
LIKE JOEY
Joey doesn't know French, he makes it up,
So, make your Passwords randomly
LIKE JOEY
Joey has One Chandler
Your Password should only be used on one account.
Tips for a good password
-
Use a complex password
-
Don’t use personal data
-
Don’t reuse passwords
-
Change passwords frequently
xkcd: Password Strength
So how about this?
DrTdMeToEtAeBtILePe
Easy to remember!
DrTdMeToEtAeBtILePe
Doctor told be to eat Apple but I like Pineapple
WEB AUTHENTICATION API 🤩
WEBAUTHN 🤩
KEY BASE AUTHENTICATION
HARDWARE AUTHENTICATION
DEMO
navigator.credentials
.create({
publicKey: {
// random, cryptographically secure, at least 16 bytes
challenge: base64url.decode("<%= challenge %>"),
// relying party
rp: {
name: "Awesome Corp" // sample relying party
},
user: {
id: base64url.decode("<%= id %>"),
name: "<%= name %>",
displayName: "<%= displayName %>"
},
authenticatorSelection: { userVerification: "preferred" },
attestation: "direct",
pubKeyCredParams: [
{
type: "public-key",
alg: -7 // "ES256" IANA COSE Algorithms registry
}
]
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
// Send data to relying party's servers
post("/webauthn/register", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(console.error);navigator.credentials.create
navigator.credentials
.get({
publicKey: {
// random, cryptographically secure, at least 16 bytes
challenge: base64url.decode("<%= challenge %>"),
allowCredentials: [
{
id: base64url.decode("<%= id %>"),
type: "public-key"
}
],
timeout: 15000,
authenticatorSelection: { userVerification: "preferred" }
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
// Send data to relying party's servers
post("/webauthn/authenticate", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(err => {
alert("Invalid FIDO device");
});navigator.credentials.get
Visit https://webauthn.me/debugger to learn more
Resources
WebAuthn
Connect with me
Youtube
mdsbzalam@gmail.com
@mdsbzalam
Slide
@mdsbzalam
Thank you
@mdsbzalam