Securing a Web App with Passwordless Web Authentication
Minimize and eliminate passwords!
© 2019 Yubico
What to expect from this workshop
Learn how to implement passwordless authentication for a stand-alone web app using:
● Starter Spring Boot web app with traditional username/password
● WebAuthn
  ○ Backend: Yubico WebAuthn Server Libraries
  ○ Frontend: JavaScript and W3C WebAuthn API
● Client to Authenticator Protocol Version 2.0 compatible browser
  ○ Resident credentials enable passwordless authentication
● FIDO2 security key
You need
Some knowledge of:
● Java
● Spring Framework
● JavaScript
● WebAuthn API
  ○ Browser with resident credential capability
● Security key
  ○ Download YubiKey Manager to reset FIDO credentials as needed
● Optional
  ○ Docker
  ○ Azure subscription for cloud native development
Passwords
● Hard to remember
● Easy to crack
● Easy to phish
● Many strong passwords take lots of effort!
Source: https://xkcd.com/936/
Authentication Factors
Something you know
● Password
● PIN
Something you have
● Smart card
● OTP dongle
● Mechanical key
● YubiKey
Something you are
● Fingerprint
● Face
● Voice
● Iris
Authentication Factors
Something you know
● Pros: Can't be pickpocketed; Can't break; Easy to replace
● Cons: Easy to steal remotely; Hard to remember; Theft is hard to detect
Something you have
● Pros: Can't be stolen remotely; Theft is easy to detect
● Cons: Can be pickpocketed; Can be forgotten, lost or destroyed
Something you are
● Pros: Natural to use; Difficult to lose
● Cons: Difficult to replace; May change over time; Environmental dependencies
What is FIDO2 / WebAuthn?
Open standards utilizing public-key cryptography with phishing protections to enable strong second-factor, first-factor, and multi-factor authentication.
[Diagram] Authenticator <-- CTAP (FIDO Client to Authenticator Protocol) --> Browser / Client / Platform <-- WebAuthn (W3C Web Authentication API) --> WebAuthn Server (Platform Application). FIDO2 covers both protocols: CTAP between client and authenticator, WebAuthn between client and server.
Security Keys as Root of Trust
Anchoring FIDO2 / WebAuthn credentials in a root of trust is the cornerstone for building a secure identity model.
● A hardware-backed root of trust strengthens the account lifecycle
  ○ Authentication, Step-Up Authentication, Account Recovery, Bootstrapping New Devices
● An external authenticator, as the root of trust, is the anchor that creates a chain of trust with the internal authenticator
  ○ Recording the authenticator used to register other authenticators creates a chain of trust that can be audited at a later date
Workshop Modules
This workshop is split into multiple modules. Each module builds upon the previous module as you expand the application. You must complete each module before proceeding to the next.
1. Getting Started Instructions
2. Implement a Credential Repository
3. Implement WebAuthn Registration REST Endpoints
4. Implement WebAuthn Authentication REST Endpoints
5. Clean Up Instructions
Module 4: Authentication Walkthrough
Module 4 Overview
1. Expose Authentication REST Endpoints
  1.1. Add start and finish authentication endpoints
  1.2. Given successful WebAuthn authentication, manually authenticate the user in Spring Security
2. Update UI to Enable Passwordless Authentication
  2.1. Add JavaScript methods to call the authentication REST endpoints
  2.2. Add UI components to enable passwordless authentication
4_Authentication/TLDR.md
cd java-webauthn-passwordless-workshop/2_Registration/complete
mvn clean package spring-boot:run
or
docker build -t example/demo:module4 .
docker run -p 8443:8443 example/demo:module4
Open https://localhost:8443
Sign in: user / password; Register: register security key; Sign out; Passwordless sign in
Authentication Flow Source: www.w3.org/TR/webauthn/#fig-authentication
Public Key Credential Request Options
● challenge: the challenge that the authenticator signs as part of the authentication assertion
● rpId: relying party identifier claimed by the caller
● allowCredentials: list of public key credentials acceptable to the caller; can be omitted for username-less authentication
  ○ type: only one type, "public-key"
  ○ id: credential ID of the public key credential
● userVerification: the default is "preferred"; can also be set to "required" or "discouraged"
Authentication Sequence (first factor mode)
Participants: Relying Party, Client, Authenticator
1. Relying Party -> Client: id, rpId, challenge
2. Client: validate rpId against origin; build clientData from the challenge and origin; c = hash(clientData)
3. Client -> Authenticator: id, rpId, c
4. Authenticator: retrieve kpriv for rpId; after user presence / verification, sign c: s = signature(hash(rpId) || c, kpriv)
5. Authenticator -> Client: id, hash(rpId), s, userHandle
6. Client -> Relying Party: id, hash(rpId), s, clientData, userHandle
7. Relying Party: find user with id or userHandle; check id; check s using kpub; verify origin; verify challenge
Start Authentication Diagram
1. Client sends the username to the REST API Start Authentication endpoint
2. RelyingParty Start Assertion: the Challenge Generator produces the challenge; the Credential Repository returns the credentials for the username; extensions are added
3. Result: AssertionRequest (username, challenge, PublicKeyCredentialRequestOptions)
4. The AssertionRequest is saved in Assertion Request Storage and returned to the client as JSON
Client - Get Credential Response
Authenticator Assertion Response: "authData": ..., "clientDataJSON": ..., "signature": ..., "userHandle": ...
Authenticator Data (authData): RP ID Hash | Flags | Counter | Extensions
Flags: UP: 1, UV, AT: 0, ED
Finish Authentication Diagram
1. Client posts the JSON response to the REST API Finish Authentication endpoint
2. Assertion Request Storage: get the AssertionRequest by id and invalidate it
3. RelyingParty Finish Assertion (Assertion Request, Assertion Response, Caller Token Binding Id) performs the authentication validation steps; Credential Repository: get credentials by userHandle
4. Assertion Result; Credential Repository: update signature count
5. Successful Authentication Result returned to client
Authentication Recap
1. Client calls the startAuthentication() endpoint
  ○ With (or without) userName
2. Relying Party generates an AssertionRequest
  ○ With userName and PublicKeyCredentialRequestOptions
3. Client calls navigator.credentials.get()
  ○ With data from the AssertionRequest
4. Client calls the finishAuthentication() endpoint
  ○ With the authenticatorAssertionResponse JSON object
5. Relying Party verifies the signature
  ○ After validation, authentication is successful
Authentication REST Endpoints (WebAuthnController.java)
@PostMapping("/authenticate")
public ResponseEntity<AssertionRequestWrapper> startAuthentication(
        @RequestParam("username") Optional<String> username) {
    Either<List<String>, AssertionRequestWrapper> result = webAuthnServer.startAuthentication(username);
    if (!result.isRight()) {
        // Report the Left case instead of calling right().get() on it.
        // Note: a distinct error for an unknown username lets a caller enumerate accounts;
        // consider a generic response in production.
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, result.left().get().toString());
    }
    return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
}

@PostMapping("/authenticate/finish")
public ResponseEntity<WebAuthnServer.SuccessfulAuthenticationResult> finishAuthentication(
        @RequestBody String responseJson) {
    Either<List<String>, WebAuthnServer.SuccessfulAuthenticationResult> result =
            webAuthnServer.finishAuthentication(responseJson);
    if (result.isRight()) {
        // Manually authenticate user
        ...
Manually Authenticate (WebAuthnController.java)
if (result.isRight()) {
    // Manually authenticate user: every registration in the result belongs to the
    // owner of the credential that produced the verified assertion
    String username = result.right().get().getRegistrations().iterator().next()
            .getUserIdentity().getName();
    UserDetails u = userDetailsService.loadUserByUsername(username);
    // No password was presented, so the token carries null credentials; the
    // three-argument constructor marks it authenticated with the user's authorities
    Authentication newAuth = new UsernamePasswordAuthenticationToken(u, null, u.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(newAuth);
    return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
} else {
    throw new ResponseStatusException(HttpStatus.BAD_REQUEST, result.left().get().toString());
}
Call Authenticate Endpoints (login.html)
function authenticate() {
  return fetch('/authenticate', { ... })
    .then(response => response.json())
    .then(function (request) {
      return webauthn.getAssertion(request.publicKeyCredentialRequestOptions)
        .then(webauthn.responseToObject)
        .then(function (publicKeyCredential) {
          return submitResponse('/authenticate/finish', request.requestId, publicKeyCredential);
        })
        ...
    });
}
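As an added example (not the workshop's own webauthn helpers), this is the conversion work that webauthn.getAssertion() and webauthn.responseToObject() are assumed to do around navigator.credentials.get(): the server's JSON carries base64url strings, the browser API wants ArrayBuffers, and the PublicKeyCredential it returns holds ArrayBuffers that must be base64url-encoded again before being posted to /authenticate/finish. The sample request JSON and the simulated credential object used in the test are constructed, not captured from a server or browser.

```javascript
// Added example (not code from the workshop): JSON <-> WebAuthn API conversions
// for the client side of the authentication flow. Uses atob/btoa, available in
// browsers and in Node 16+.

// base64url (RFC 4648 section 5, unpadded) -> Uint8Array
function base64urlToBytes(s) {
  const pad = (4 - (s.length % 4)) % 4;
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(pad);
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// ArrayBuffer or typed array -> unpadded base64url
function bytesToBase64url(buf) {
  const bytes = buf instanceof ArrayBuffer
    ? new Uint8Array(buf)
    : new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Server JSON -> the publicKey member of navigator.credentials.get().
// allowCredentials is optional: omitted for username-less sign-in with a
// resident credential, in which case the authenticator chooses the credential.
function toRequestOptions(json) {
  const opts = { ...json, challenge: base64urlToBytes(json.challenge) };
  if (json.allowCredentials) {
    opts.allowCredentials = json.allowCredentials.map((c) => ({ ...c, id: base64urlToBytes(c.id) }));
  }
  return opts;
}

// PublicKeyCredential from the browser -> JSON for the finish endpoint.
function assertionToJSON(cred) {
  const r = cred.response;
  return {
    type: cred.type,
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    response: {
      authenticatorData: bytesToBase64url(r.authenticatorData),
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      signature: bytesToBase64url(r.signature),
      // userHandle is null unless a resident credential was used; it is what
      // lets the server find the user in the username-less flow
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
    clientExtensionResults: typeof cred.getClientExtensionResults === 'function'
      ? cred.getClientExtensionResults() : {},
  };
}

// Browser-side flow, matching the authenticate() function in login.html.
async function getAssertion(serverJson) {
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(serverJson) });
  return assertionToJSON(cred);
}

// Constructed sample input in the shape a server might return (not captured from a real server).
const SAMPLE_REQUEST_JSON = {
  challenge: 'AQIDBAUGBwgJCgsMDQ4PEA',                     // 16 bytes 0x01..0x10
  rpId: 'localhost',
  userVerification: 'preferred',
  allowCredentials: [{ type: 'public-key', id: '_w' }],   // id = the single byte 0xff
};
```

Getting the alphabet wrong (standard base64 with "+" and "/" where the server expects base64url, or padding where none is expected) shows up on the server as a challenge or credential id mismatch, so the round trip is worth testing in isolation. Newer browsers also offer PublicKeyCredential.parseRequestOptionsFromJSON() and PublicKeyCredential.prototype.toJSON(), which perform the same conversions.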
Passwordless Sign In UI (login.html)
<h2 class="form-signin-heading">Passwordless sign in</h2>
<p>Sign in with your previously registered security key</p>
<p id="status"></p>
<p><button onclick="authenticate()">Passwordless Sign in</button><br />
Passwordless Sign In!
Usernameless Passwordless Sign In!
Best Practices
Best Practices
● Store the verbatim attestation object
  ○ Enables future re-evaluation of trust
● Allow registering more than one credential per account
  ○ Consider allowing credential nicknames
  ○ Unexpected behavior may occur when more than 20 credentials are registered
● Weigh pros vs. cons of requiring attestation
  ○ Pros: higher assurance
  ○ Cons: maintenance of the attestation trust store; compatibility issues for unknown/new authenticators (not in the attestation trust store)
● Security and Privacy Considerations
  ○ W3C WebAuthn spec: https://www.w3.org/TR/webauthn/#security-considerations
Recap
● Plan your passwordless migration strategy across the account lifecycle
● Anchor resident credentials on security keys to enable roaming passwordless authentication scenarios
● Record attestation and build a chain of trust
● Allow users to register multiple credentials
● WebAuthn libraries can jumpstart your journey to passwordless (e.g. the Yubico Java WebAuthn Server libraries)
Resources
● Workshop
  ○ https://github.com/YubicoLabs/java-webauthn-passwordless-workshop
● FIDO2/WebAuthn Developer Guide
  ○ https://developers.yubico.com/FIDO2/FIDO2_WebAuthn_Developer_Guide/
● Java WebAuthn Server
  ○ https://github.com/Yubico/java-webauthn-server
● Yubico Developer Videos
  ○ https://www.yubico.com/why-yubico/for-developers/developer-videos/
● W3C Web Authentication API
  ○ https://www.w3.org/TR/webauthn
● FIDO Client to Authenticator Protocol V 2.0
  ○ https://fidoalliance.org/specifications/download/
Yubico Developer Program
yubi.co/devs: Workshops, Webinars, Documentation, Implementation Guides, Reference Code, APIs, SDKs
