by Stepan Suvorov
Christiaan Brand
Security & Identity, Google
Maud Nalpas
Web security & privacy, Google
Something you know
Something you have
Something you are
Somewhere you are
*HYPR, 2022 State of Passwordless Security Report
2012: The FIDO (Fast IDentity Online) Alliance was founded.
2016: The FIDO Alliance releases the FIDO U2F (Universal 2nd Factor) standard. This standard allows users to utilize their smartphones or other devices as a second factor for authentication on websites.
2017: Building on the previous standard, the FIDO Alliance introduces FIDO2. This standard includes the WebAuthn (Web Authentication) specification and is designed to support a broader array of authentication methods, including what would eventually be known as passkeys.
2022: Apple announces support for passkeys in iOS 16 and macOS Ventura. Similarly, Google reveals that it will support passkeys in Android 13 and Chrome.
2023: Microsoft joins the movement, announcing passkey support in Windows 11. Google extends its commitment by incorporating passkeys into its login services.
2024: Passkeys will become the dominant method of authentication on the web.
[Diagram: Public 🔑 and Private 🔑; CTAP; WebAuthn; the flow shows a challenge and a signed package with challenge]
Syncing
Passkeys are not stored on a single device
Cross-device
Passkeys on one device can be used on a different device
Discoverable
Passkeys contain metadata that allows your system to present the passkey to you
https://www.shopify.com/blog/ecommerce-payment-authentication
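
const publicKeyCredentialCreationOptions = {
  // Placeholder value: in production, use the random challenge generated by
  // the server for this registration (at least 16 bytes).
  challenge: new Uint8Array([219]),
  rp: {
    name: "Slides",
    id: "slides.com",
  },
  user: {
    // Placeholder value: use the opaque user handle assigned by the server.
    id: new Uint8Array([137]),
    name: "elisabeckett",
    displayName: "Elisa Beckett",
  },
  // -7 is the COSE algorithm identifier for ES256 (ECDSA with P-256 and SHA-256).
  pubKeyCredParams: [{alg: -7, type: "public-key"}],
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    // Ask for a discoverable credential (passkey). 'requireResidentKey' is the
    // older boolean form; 'residentKey' is its current equivalent.
    residentKey: "required",
    requireResidentKey: true,
  },
  timeout: 30000
};

const credential = await navigator.credentials.create({
  publicKey: publicKeyCredentialCreationOptions
});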

// Availability of 'window.PublicKeyCredential' means WebAuthn is usable.
if (window.PublicKeyCredential &&
    PublicKeyCredential.isConditionalMediationAvailable) {
  // Check if conditional mediation is available.
  const isCMA = await PublicKeyCredential.isConditionalMediationAvailable();
  if (isCMA) {
    // Call WebAuthn authentication
  }
}

const publicKeyCredentialRequestOptions = {
  // Server generated challenge (placeholder value shown here; use the random
  // bytes issued by the server for this login attempt)
  challenge: new Uint8Array([219]),
  // The same RP ID as used during registration
  rpId: 'slides.com',
};

const credential = await navigator.credentials.get({
  publicKey: publicKeyCredentialRequestOptions,
  // Specify 'conditional' to activate conditional UI
  mediation: 'conditional'
});
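
Added example, not part of the original slides: a Node.js sketch of what the server does with the "signed package with challenge" returned by navigator.credentials.get(). The function names verifyAssertion and sampleAssertion, the origins https://slides.com and https://slides.example, and the locally generated ES256 key standing in for a passkey are assumptions constructed for illustration; credential lookup and sign-counter handling are left out.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Relying-party checks on an assertion. Returns "ok" or the first failed check.
// expected = { challenge: Buffer, origin: string, rpId: string, publicKey: KeyObject }
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expected) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  // The challenge must be the one this server issued for this login attempt.
  const challenge = Buffer.from(clientData.challenge, "base64url");
  if (challenge.length !== expected.challenge.length ||
      !crypto.timingSafeEqual(challenge, expected.challenge)) return "challenge mismatch";
  // The browser records the calling origin; checking it is what defeats phishing pages.
  if (clientData.origin !== expected.origin) return "origin mismatch";
  // authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (authenticatorData.length < 37) return "authenticator data too short";
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  // The ES256 signature (DER) covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, expected.publicKey, signature) ? "ok" : "bad signature";
}

// Constructed sample: a stand-in authenticator that signs the way a passkey would.
function sampleAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // Flags 0x05 = user present + user verified; signCount = 1.
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Constructed values: the public key is what the server stored at registration.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const challenge = crypto.randomBytes(32);
const expected = { challenge, origin: "https://slides.com", rpId: "slides.com", publicKey };
const good = sampleAssertion(privateKey, challenge, "https://slides.com", "slides.com");
const phished = sampleAssertion(privateKey, challenge, "https://slides.example", "slides.com");
console.log(verifyAssertion(good, expected));    // "ok"
console.log(verifyAssertion(phished, expected)); // "origin mismatch"
```

A validly signed assertion is still rejected when the origin recorded by the browser is not the site's own, and a stale challenge fails the same way, which is why each challenge should be single-use and bound to the login session.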
Passkeys are here
It might take time for regulation to catch up
Passkeys are new: It’ll take users some time to become accustomed
Next week you should:
In the first three months following this presentation, you should:
Within six months you should: