Passwords are old, Let's use WebAuthn

About Me

Mohammad Shahbaz Alam

Director, Alfaaz Lingua

Full Stack Developer

Auth0 Ambassador

Mozilla Representative

GDG Ranchi Organizer

 

@mdsbzalam

 

Agenda

1. Passwords

2. WebAuthn

PASSWORDS

Passwords should be like Joey

WHAT'S A PASSWORD?

ANYTHING THAT'S A SHARED SECRET!

PASSWORD1234

A string

RKYLHWK8@YB&YTI!8UKZH#TY?

A string

CAN BE HARD TO REMEMBER

IF COMPLEX!

A PASSWORD MANAGER CAN HELP!

CAN BE HARD TO GUESS (BY SOMEONE) IF COMPLEX!

BUT DO USE PASSWORD MANAGER SO YOU DON'T FORGET!

1234

A pincode

NOT SO HARD TO GUESS

OFTEN COMBINED WITH A MAXIMUM NUMBER OF ALLOWED ATTEMPTS!

FAIRLY EASY TO REMEMBER

USUALLY USED ONLY WITH ACCESS TO A PHYSICAL THING

(CARDS, PHONES, KEYPADS, ...)

A pattern

Passwordless ✨

ONE TIME PASSWORDS

Valid for one-time use

Often expire after a certain time

Sent directly to the user

SENT IN SMS

iOS and Android let you fill in the OTP with the press of a button

NOT ALL TELECOM OPERATORS TAKE SECURITY SERIOUSLY; SMS MESSAGES CAN BE INTERCEPTED

You need your cellphone on hand

SENT IN AN EMAIL

You don't need a second device

EMAILS CAN BE INTERCEPTED

AUTHENTICATOR APP

SOCIAL

ONE LESS PASSWORD TO REMEMBER

ONLY GIVE PASSWORDS TO A SERVICE YOU TRUST

YOU RELY ON ANOTHER SERVICE FOR YOUR AUTHENTICATION

OFTEN USED AS A SECOND FACTOR

SO HOW SHOULD YOUR PASSWORD BE?

LIKE JOEY

SO DON'T SHARE IT WITH ANYONE

LIKE JOEY

USE UPPERCASE AND LOWERCASE CHARACTERS

LIKE THIS?

KXnCTowPLjkTIwQ

LIKE JOEY

Joey doesn't know French; he makes it up.

So, make your passwords random.

LIKE JOEY

Joey has one Chandler.

Your password should only be used on one account.

 

Tips for a good password

  • Use a complex password

  • Don’t use personal data

  • Don’t reuse passwords

  • Change passwords when you suspect they have been exposed (current NIST SP 800-63B guidance no longer recommends forced periodic rotation)

xkcd: Password Strength

So how about this?

DrTdMeToEtAeBtILePe

Easy to remember!

DrTdMeToEtAeBtILePe

Doctor told me to eat Apple but I like Pineapple (first and last letter of each word)

WEB AUTHENTICATION API 🤩

WEBAUTHN 🤩

PUBLIC-KEY-BASED AUTHENTICATION

HARDWARE AUTHENTICATION

 

DEMO

 
navigator.credentials
  .create({
    publicKey: {
      // random, cryptographically secure, at least 16 bytes; generated by the
      // server and kept so it can be compared on the /webauthn/register step
      challenge: base64url.decode("<%= challenge %>"),
      // relying party; `id` is omitted here and defaults to the page's domain
      rp: {
        name: "Awesome Corp" // sample relying party
      },
      user: {
        // opaque random bytes identifying the account, not an email or name
        id: base64url.decode("<%= id %>"),
        name: "<%= name %>",
        displayName: "<%= displayName %>"
      },
      authenticatorSelection: { userVerification: "preferred" },
      // "direct" asks the authenticator for an attestation statement; use
      // "none" unless the server actually verifies attestation
      attestation: "direct",
      pubKeyCredParams: [
        {
          type: "public-key",
          alg: -7 // "ES256" IANA COSE Algorithms registry
        }
      ]
    }
  })
  .then(res => {
    // publicKeyCredentialToJSON is the demo's helper that base64url-encodes
    // the ArrayBuffer fields (rawId, clientDataJSON, attestationObject)
    var json = publicKeyCredentialToJSON(res);
    // Send data to relying party's servers, which must verify the challenge,
    // origin and attestation before storing the credential's public key
    post("/webauthn/register", {
      state: "<%= state %>",
      provider: "<%= provider %>",
      res: JSON.stringify(json)
    });
  })
  .catch(console.error);

navigator.credentials.create

navigator.credentials
  .get({
    publicKey: {
      // random, cryptographically secure, at least 16 bytes; a fresh value
      // per login attempt so a captured response cannot be replayed
      challenge: base64url.decode("<%= challenge %>"),
      // credential IDs registered for this user (the rawId from registration)
      allowCredentials: [
        {
          id: base64url.decode("<%= id %>"),
          type: "public-key"
        }
      ],
      timeout: 15000,
      // for get() this is a top-level option; authenticatorSelection is only
      // accepted by create()
      userVerification: "preferred"
    }
  })
  .then(res => {
    // publicKeyCredentialToJSON is the demo's helper that base64url-encodes
    // the ArrayBuffer fields (rawId, clientDataJSON, authenticatorData, signature)
    var json = publicKeyCredentialToJSON(res);
    // Send data to relying party's servers, which verify the signature with
    // the public key stored at registration
    post("/webauthn/authenticate", {
      state: "<%= state %>",
      provider: "<%= provider %>",
      res: JSON.stringify(json)
    });
  })
  .catch(err => {
    console.error(err);
    alert("Invalid FIDO device");
  });

navigator.credentials.get

Visit https://webauthn.me/debugger to learn more

Resources

Connect with me

Twitter

@mdsbzalam

E-mail

mdsbzalam@gmail.com


Thank you

Made with Slides.com