
Navigating Passwordless Authentication with FIDO2 & WebAuthn

BSidesSF · 2019 · 32:39 · 6.5K views · Published 2019-03
Category: Technical
About this talk
Jerrod Chong explores how FIDO2 and WebAuthn standards eliminate password-based authentication at scale. The talk demonstrates platform authenticators, security keys, and device-native biometrics working in concert, and shows how organizations can architect a flexible, multi-factor authentication system that remains secure while providing a seamless user experience across browsers and devices.
Original YouTube description
For decades, passwords have been the common backbone (headache) of authentication and are well known to lack in security while being frustrating and difficult to use. As we continue to see daily data breaches, the reality of moving away from weak static credentials and killing the password is upon us. Join this session to learn how FIDO2 and WebAuthn open authentication standards, in conjunction with YubiKeys, are solving the elimination of passwords at scale. Hear how organizations like Microsoft have implemented these standards for a true passwordless experience and find out how your organization can follow suit. You'll gain a greater understanding of how to achieve a modern and flexible security architecture through the use of FIDO open standards and hardware authenticators.
Transcript [en]

So, hi everyone. This is Jerrod. Jerrod's been doing some very interesting work, and he's gonna tell us all about it today, because I can't tell you the number of times over the years where my mom has been like, "John, I can't log in to X," and I'm like, "What do you mean, you don't remember the password?" "No, I'm old." So I got her a password manager. Okay, fine. Later on I just get tired of helping her install apps on her phone, or walking through the password reset process for the nth time on our Samsung phones. So: here you go, here's a brand new phone, fingerprint reader, you don't have to worry about it again. Okay, cool. The problem has always been the website, because the web part's like, okay, got a password manager, and she's like, "John, I forgot my password to Hotmail," "Hey, I got breached, I need to change my password anyway." It's a huge thing unto itself. So I can't wait for this talk, where you literally take the small device to get my mom to where she could push a button, or get her phone here too, very shit's not a theme attaching to the web offense back, yeah, this is gonna be awesome. So thank you.

Thanks a lot. So last year I got a session before lunch, and this year before happy hour, well, you know where they love it. This is dear to our heart. I mean, everyone's, really, everybody experiences problems in the world with passwordless and all these terms and everything else like that. I did talk last year, and I'm going to try to squeeze everything into like five minutes to sort of recap everything, and then tell you what's super cool and super new. I'm really excited because this is, I'm not gonna spoil it, not gonna be a spoiler, but it is gonna be cool.

So we've seen this problem: cartoons galore and everything that you can imagine on why we hate them. But there's one element here that I do want to point out, which is that a password in itself, or something you remember, is actually not bad. The real problems are two things that are really bad: it's when you have to remember a lot of them, and when someone else is storing this password hash thing that they can steal without you knowing. So think about that for a moment. That's what's actually not bad: if you're in full control, where you only have it in the container and you just have to remember one.

So we think of multi-factor, and I want to take a twist. Everybody knows this, this should be known by now; I mean, if you don't know, then you're not a security professional, and there are a lot of books you can read up on. But this sort of degenerates into people selecting things, right, like you have to do two or three, or one is not good enough, and all these various combinations, and we know what they are. I mean, this is sort of everywhere, you've seen it: people all just do the first one, passwords or whatever, and everybody's trying to do the thing you're printing. But really what we need to think about is that you want to take the best of every one and combine them and get something really awesome. So every set has its pros and cons; everything that we choose, one or the other, has pros and cons. What you really want is to get the best of everything and then get that to a level where it's just everywhere.

So we need to think about the world where every factor matters: not one or the other, not either/or, or two or three; everything matters. And when we can get that in a very natural way, you just fuse it, like something that everyone's mom will be able to use, right? What we want is a multi-factor experience that is very easy to use but also has all the security principles that allow the flexibility where no one factor would be the downfall of you. And if you look at how we think about it over the years, it's very much picking and picking the best or whatever. We need to think of a model where all three is more: the physical device, if you unlock it with both yourself as well as something you remember like a PIN, is actually the most powerful way to think about how we structure the experience. And then, only then, with these three models, you can get to do whatever you want to do with it, whether you do the auth, you can do whatever you wanted with it. So this is a critical shift in the way we should be thinking. We try to push, which I have below, what we should be striving for. And why does this matter? It matters because we're doing this today, and when we do this today, when you do something like this, one device and then one password and one whatever it is, we're getting phished. And so this is the number one problem in sort of credential breach. All the different sessions here, you can talk about everything from the zero trust model to identity to meta exploits; they all start with a weak credential. So let's be honest, this impacts all of us, both from a day-to-day experience, from a business experience, from a wherever-you-are experience.

And as a quick recap, what were we talking about here? So last year I talked a lot about how all these things are being phished. You know, there's nothing very crazy about how to phish a user; tons of areas of sites that you can go figure it out. Once you get to the fake site, obviously it's the bad guy's site, the attacker would just take whatever credential you put in; the site gives you a fake login and the attacker goes to the real one, right? It's pretty standard stuff. But so if you add something like step-up with, sort of like very traditional SMS, the same thing: you get to the site, the attacker gets the credential, puts it in. Now at this point, as a user, if you think you're going to the real site that's actually a fake site, you expect to get a push. No problem, because the attacker gets the push initiated for you, and so you're just going to approve that fake authentication experience, right? So this is happening today, by the way, this is not anything crazy, it's happening. And with SMS, besides the other problems with SMS, this is one of the easy ways that you can circumvent any sort of out-of-band experience. And sure, you can say you can add some other complexity like location-aware and things like that, but note, if the attacker knows where you come from, from the fake website, they know your agent, you know, sort of really where you're coming from; they can redirect their authentication experience through a proxy. So it's pretty easy to repeat. Again, nothing really crazy to go exploit.

So we need a different model, and the problem is that it is super easy to fool people. We talk about training, training, training, which is important, but training is not going to solve some of these things, and handily, because the way that we go about some of these basic phishing attacks is because the system is not there to take care of the user. So really, fooling the computer is pretty hard. I mean, if you get it right, the systems, the server, the protocols, they all work together and can make it really hard. So what do we really want?

What we want: this is the same user. They log in to the site, in the case of a Google site; the site will come back with a challenge. So this is sort of a foundational piece: it's not just one way, it goes back. And in this sense the browser would actually put the origin, which is google.com in this case, for the device to sign and return back to the service. And so what you can do is you can validate that the signature came from something that the user has, and that the origin was actually put in place, so it knows it was from Google, and then you can obviously get a successful login.

So if you replay the same attack with a fake site, one of the things that will happen: you send the challenge, and what's going to happen really quickly is that the device is like, hey, you know what, I didn't create a credential for this site, this seems weird. You know, because when you check systematically, it's easy to fool the user, but the computer knows two zeros is two zeros; two zeros are not two, always, right? It's that simple, it's that binary. And if you somehow manage to trick the user into signing for the wrong origin, not only can the device figure it out, but the server will figure it out, like, hey, you actually signed not for me, this is for some other website, I'm going to reject you. So all this is automatic; this is all part of what we wanted. The system takes care of it for the user; the user doesn't have to care if they go to a fake website, or they're just not able to authenticate with the real website.

So I'll pause here. This was why I talked about this last year, and this was the foundation of FIDO authentication. This sort of breaks up into layers that we talked about in terms of an open standard that helps the relying party, in this case the server, be able to communicate with the user, to the device, in this case the authenticator. And the big part of it is that the client and the platform make all this magic happen, like it's automatic. If you were the service, you just say do this, and everything else is taken care of for you, which is what we want. We want the open standards to be able to leverage that at scale, so that as a service you don't have to tell every user to download a special app, to install a special extension, to do all these crazy things. You just want it to, I call this protocol "it just works". And we want this protocol to be very flexible: you can have many different use cases, you can have a step-up authentication, or step-up second factor, third factor, or whatever. You also want to do multi-factor. So you want the protocol to be very flexible to solve all the various use cases that you want. You hear a lot about adaptive authentication, and you decide how you want to ask for this credential.

So this is last year. Okay, this is last year: I ended my presentation with this slide. So the nice thing about this is that it's super exciting, because I'm gonna show the next slide. So we've seen sort of how things are developing in the standards: you've got Windows working in some direction, you've got Chrome, and everybody's just jumping on this. So here it is: tomorrow, W3C is going to propose WebAuthn as a standard. So we are super excited. You guys are obviously having the first glimpse; there's gonna be obviously a press release and stuff. But actually, why is this a major milestone for the industry? Because this is a standardized Web API that any service can call. And if you talk about open standards, you talk about federation standards, OpenID Connect, you talk about SAML; this is one of them now. So then it's part of your arsenal of things that you can implement as a service.

Now here's where it gets really exciting. So here's where we are. So it's not just a standard, right; a standard by itself, nothing does anything with it. What we have here is sort of scale, right: Chrome, available now; Firefox, it's been around for a while; Edge, available now; Safari, guys, Safari is in development. This is a big deal. It's a big deal for the industry, it's a big deal for all of us driving the standard, because we see huge movement in there. If you want to try it out, it's in Safari Technology Preview 72; it's live today as a technology preview. So hopefully this time next year, when I get up here next year, I can have a longer list in terms of the authenticator protocols. Android is also native now, so you don't just get Windows, you get Android now.

Why do we care? We care because now you have so many more options to authenticate the users for free, out of the box, and that's a big deal. So part of the standard says you can use security keys. Most of you who have used security keys, like a YubiKey or whatever, you want to use the signing keys; those are security keys. But you can also use the built-in authenticators, and that's the same sort of, I'll walk through the spec in the next several slides, but that's all in the spec. So again, as a service, you just sort of get all these things for free when you are using the devices that support all these platforms. And of course, you know you're going to have a lot of people using Chrome, using Windows, using Android; those all come obviously with a great out-of-the-box experience.

So what is happening now? What's happening now is that these things are happening and available on shipping devices, like you all can experience this yourself. The ones at the bottom I highlighted are those that kind of work out of the box, whether you are using Android, if you're using Chrome on macOS, Edge on Windows, Chrome on Chrome OS; they all come with this platform authenticator / roaming authenticator experience. What's coming soon, again really exciting, is that then you have all the others that can just add on to that, whereas Firefox on Windows, Firefox on Android, Chrome on Windows all give sort of a very rich experience. And so when you start to layer on all the things that, you know, we know everybody is like bring your own device, you do whatever you want to do, as this sort of stacks up, you start to see that everything becomes sort of, again, native out of the box, and you as the service provider don't have to keep going, oh, exception this if the user's on this platform, and this, and then do that, right? So as this expands, then you have fewer exceptions over time. When your users are coming in through your user agents, you say, okay, you know what, there's no exceptions anymore, everything is all supported.

I'll pause there, because I think today my mirroring app is actually working pretty well. Normally I don't do the demo, but this mirroring app is doing pretty good today, so I'll do a demo. So I'm logging into a website; this is our demo test website, and this is a system call, so this is not, this is what comes out of Android. So in this case you've got a couple of options: you can log in with NFC, Bluetooth, or a USB device on Android. I actually just logged in; it's that fast. So now I logged in. Notice that if I go to my security settings, I have a security key that I added and just logged in with, and also got an internal one. Going into Windows, I'll show that in a second. But now what I can do is I can actually add an authenticator, an Android built-in authenticator. So I go and add an authenticator now. I logged in first, obviously, with something, because this is assuming this is my brand new Android, it doesn't know me right now. But because I've logged in with a security key, I can bootstrap the device, and now I added an internal authenticator, right? So that's why you want an external authenticator to bootstrap it. So now the service knows it's me, strongly authenticated, right, public key crypto. Now I can register my platform authenticator, my biometrics. So when I log in again, now it knows, hey, you've got this device, there's biometrics, and I log in; I can use my fingerprint, you log in and you get in again.

So now this experience becomes sort of what you want: this seamless experience whereby you have portable authenticators, what we call the security keys, and you have new devices and existing devices. You start to play around; as a service, you can think of a service now, this is, I would say, an incredible experience that you can allow your journey with, at the same time being safe. Because, can you imagine if you did everything and then you got a new phone and it says, hold on, check your SMS and do that whole thing again? So by being able to piece together different parts, you can really provide a rich experience for the user, and very secure.

So I will show you on a Windows machine, which I am logging out of now. So in this case I've created my credentials on this device. I can log in; I can obviously use the fingerprint here as well, I can use a PIN, I can use my security key, this thing here. So that's how I use my fingerprint: I can get in. And if for some reason I actually want it to fail, and when it fails, if I can't get in, I can always fall back to the security key, the same device that I used on my Android, and I take the action and log in. So you start to experience these very rich options when you talk about strongly authenticating the users, and you're getting strong signals for your risk engine that can make good decisions. And one of the things that we are really excited about is that this is just a start; this is some of the experience that you're gonna see. Hopefully in some future world we'll have all the iOS things up here, but we believe that's going to happen sooner or later.

So how does it work? I'll dive in a little bit on just how all these things are being played out, so you get some bits of that. Definitely not gonna cover everything, so I'll upload my slides and you can definitely see how all this works. But notice the richness in what we get is that if you call WebAuthn as a server, a server service, you just care about WebAuthn and you let all the magic happen on the other end. You're gonna let the platform take care of it, you let the browsers take care of it. In fact, there's a combination now of the browser calling the platform API. So for example, you can think of Firefox calling Android APIs to create the experience. But guess what, you don't have to deal with it; it's between the Mozilla guys and the Chrome team, or the Android team, or the Windows team and the Chrome team, and the Windows team and the Firefox team. Two basic commands: register, authenticate. It's that simple to implement this protocol.

The flow, this comes straight from the W3C spec, called Level 1. It basically describes what I showed you in the diagram earlier about the challenge, origin checking, getting back the credential, the server validating it. These are some of the parameters that we use. This is a registration API. This is the one that you want to be looking at. A couple of things to call out: authenticator selection. Here's where the magic happens. If you are a service and you want to implement this, you can talk about the authenticator attachment, and you can talk about cross-platform or platform. In the case of cross-platform, you're going to get the security key experience, which I've shown here: cross-platform. You've seen that; notice at the bottom right, you can also achieve that on Chrome on macOS, you can actually do Touch ID on that one. I've shown the Android because my demo works, so we can move on.

The other thing about this is that you care about the platform now. Now, like, this is available; you want to care about the platform as well, so there's a way to check whether it's available. If it is available, you're gonna create a platform credential. And how do you create a platform credential? A couple of things: you select the authenticator attachment, you select platform. When you do that, the magic happens and you get what's native with whatever operating system or device it has. In this case, obviously, you've seen on a Windows machine you can do Windows Hello: PIN, face, whatever you want. On Mac you do Touch ID; on Android you get the fingerprint. There are other improvements that will soon happen to do face and all these other capabilities. Again, it's only gonna get more, and once you add it, then you have a brilliant arsenal.

Now what you want in this world, where all these credentials are really easy to create, is that because it's easy to create, you're constantly bootstrapping the new credential with the old credential, rather than the new credential being bootstrapped by some weaker credential like SMS. So for example, then you can add on a layer, and then you really get a good breadth. So that what we want in this, in the state of like, I forgot something, it's like, go to the other device that I know you've registered this thing on, or like, I know you registered two security keys, use the first one because your second one is lost. So by being able to add all these capabilities very quickly, the services can now really, in some ways, go well with just asking people to register the experience, and that's automatically self-service.

So the authentication flow is really much the same thing: you're going to give the challenge, you're going to ask the authenticator to sign it. Whether the authenticator is signing it on the device, like a platform authenticator, or signing it on a device like a YubiKey, it does the same thing, and the server can validate that the signature is correct. And so one of the things that you can do in the authentication experience is to do an allow credential list, and you can specify sort of what experience you want. So there are different transports today that we support in the spec, which are USB, NFC, BLE and internal. You saw most of them already. And so what you can sort of navigate to is you can prompt the users to use stuff that they have. Again, when you do the registration, you know what authenticators the user has registered on, so you sort of know the capabilities of the authenticator, and so you can guide the user journey as they traverse different devices that they maybe get into, different areas. You know that user agent, they're coming on a new device or not a new device, things like that; you can start to promote the right user experience. And obviously in this case, if it's just a USB, you get sort of a USB dialog interface.

And then the nice thing about it, like we've seen before, is that most of the platforms today, in this case I'm talking about the Windows environment, if you are not sure, you can give the platform all the credentials and the platform actually figures it out. So I didn't show one example, I didn't show the demo, but in the case of Windows, if somehow my fingerprint didn't work and I just couldn't get in, it will step me through, like, oh, I see that you also have a security key, go put it in now. So it's all very consistent in experience. If you just watch one, otherwise what's going to happen is that I got the wrong credential, and then you create another web flow, and you create another initialization of the authenticate command, and it sort of gets clunky. We figured it out, so the platforms are gonna get better with the experience. So if you show them all the list, then they'll figure out what to do, and they give you the right response, and all you really need from them is a good/bad, here's the response, do something with it.

There are tons of resources. We have invested a lot in working with our partners, Mozilla, Microsoft, Google, to try and get this all out. We've got many demo sites, we've got tutorials, webinars; I encourage you to look at them. I'll make my slides available for everyone, and then there's a bunch of things for developers to read up on and go deep. I know I went through a little bit fast in some of these areas, but we have a step-by-step on several of the things that's available. So I'll open up for some questions. I've got maybe a couple minutes. We have ten minutes for Q&A. So here we go, sir.

Hi, so I'm trying to understand where you've transferred the, you've used an external authenticator and associated it with your phone, and you start using an internal authenticator.

Yes.

Your phone is an internal one. Is that something that I just do once, and now my phone is basically equivalent to my external authenticator, or do I need to do that on every site that I use my FIDO authenticator on?

And so you can think of, even though it's internal to the phone, the principle of the registration is unique per site; therefore you would have to register that to every site that you intend to. Think of it as you're just using an authenticator that's built in, but you still need to follow the same flows. If you're going to Google, you're going to do it once for Google; going to Microsoft, you're gonna do it once. So you're gonna do whatever it is you're gonna do once, just like you would have done it with the security key; now you just get the convenience of doing it on the device, up to bootstrap.

Okay, so basically I would log in using my, say, external authenticator and then register the internal one on a particular site.

Correct.

Thank you.

Anyone else up here? How about down below, anyone? Come on, it's really awesome tech. Go ahead.

So the question is about what about iframes. Iframes is one of the topics that we discuss at the Web Authentication group right now. Iframes is not allowed; it's a classic question. It doesn't happen, but there are some legitimate use cases for iframes, so we're discussing what's a reasonable way to allow that, because there are some RPs that do want to have that richness. But right now it's not allowed, so from that perspective it will fail for now.

Hi, what are some common pitfalls or challenges people run into when implementing the protocol?

Oh, great question. One of the pitfalls in general is that, so not all, as we saw, standards ratified now; with a standard it takes everybody to sort of catch up on the platform and client perspective. So if I would just go back to this slide, it's sort of important to understand that you have to work with the lowest common denominator, right? So not every combination can get you sort of the experience, and if you're out of these things, you're gonna say, oh, Windows 7, and so, yeah, that's one of those corner cases. The most common case to solve is to solve for what's your, you know, you go stand with your practical state. I would say you need to look at all options on the table; that's why most services have sort of a fallback at, say, OTP. I would say that my goal is to say that in a year everybody's gonna be, there's gonna be more adoption, because the platforms are gonna be better. But the first thing we need to look at is, like, understand your user base, what user agents are being used, and start to carve out the best experience for the ones that are available. Then everybody would start to migrate, because they want an experience, right? But also make sure you cater for the ones that are still where they are today. But also my recommendation now, my recognition, by putting out the standard, is that we should start to deprecate some of the older ones. Like if we get more options now, you should take away some of the other ones that we've been using. I think a big one that the industry is trying to move away from is SMS, right? Just too many: it's not just a phishing attack, it's just out of control, SIM swaps, SS7 attacks. I mean, it's just so many; I mean, the list is like ten, you can write a whole one-hour presentation on this thing. So as we give more options, we need to remove some of the other options, so to move everybody forward. So I would say that, understand your baseline as you implement those things and see where you can really get the best experience, and sort of show the users, if you're on this particular platform combination with the browsers, they're going to get a really slick experience, and that's where I think you're gonna get all the adoption.

Do you think some websites are gonna really be able to get rid of passwords? Like, in the event the user loses their authenticators, how are they going to be able to reset their credentials without using a password? It might be really hard for the website.

Yes. That's a good point, that's a good point. So I think we should think about that. We would never get rid of passwords, probably in our lifetime; I just think that we're all realistic about it. But what we need to make sure is that we don't use the password as the reliance on the authentication. We started to use, you can think of it, we need to move, that's like I said, we provide more options and we need to take stuff away. What we need to treat passwords in general as is a user identifier; that's it. I mean, if you think about that model, then you can actually get somewhere with getting security rounded. Now the question about, are all sites gonna be passwordless in a year? Probably not. I mean, it's just not gonna happen. But what we're going to start to see is that the password doesn't become sort of the barrier to drive sort of the experience, which means that it's okay to probably cache your passwords for certain devices, like you saw me cache passwords all the time on my devices; people are doing that now anyway. But that is not what you use as a security signal anymore. Like, over time it's not a security signal; they're just identifiers, and so you need other things. And because it's so easy, I would definitely see that most services or relying parties would want to encourage authenticating, or sorry, registering, asking the users to register more than one authenticator. I would say a minimum is two; in fact, you saw how simple it is, you should probably rush to three. For every device that you have, you should do one, right? Because all it takes is one to add another one, right? So if you lost an external authenticator but you've got a built-in authenticator you registered, you go back to the site, and then from this machine, because you've got the built-in fingerprint, then you add a security key. So you can do any combination. The thing is, you're just stuck with one. When you have a built-in, you should add a security key; if you have security keys, you have built-in, and you just keep multiplying that effect. The reason we say that is because the spec is there, it's all for free. I mean, if you don't use it, you're just not maximizing your self-service capability. One of the founding principles of the spec is privacy, right; that's where you have to register your authenticator with every site, because they can't share it. Security: we talked about public key crypto; it's public keys that we're talking about with challenge-response. And the last one is really about credential scaling, which is you can register more than one easily.

Thank you, Jerrod, that was awesome. Sorry everyone for the AV delay early on; hopefully we can get you guys back on track. Happy hour is ready to go. Tell me you guys good over there? And once again, thank you everyone. [Applause]