FIDO2 & WebAuthn

Passwordless Logins and 2FA

Benjamin Schmid, @bentolor

Passwords are beyond repair!

  • Retention

  • Complexity

  • Reuse

  • Stealing & Phishing

Password Memes: Length restrictions, Weird complexity rules, Expiration

2-Factor / MFA to the rescue?

Grant access only after presenting 2+ pieces of evidence out of:
knowledge, possession or inherence.

  • One-time passwords: Mobile App, SMS, Email

  • Tokens: OTP Token, Security Key

  • Biometrics: Fingerprint, Iris

Issues: UX, Privacy, Phishing, Costs, Portability

FIDO2 & WebAuthn

Solving the confusion

FIDO

FIDO Alliance; author of protocols UAF, U2F, FIDO2

FIDO2

Joint project by FIDO Alliance & W3C.
Basically: WebAuthn + CTAP

WebAuthn

Browser JS API to talk to Authenticators
and manage Credentials

CTAP

Client to Authenticator Protocol
CTAP1: U2F, CTAP2: FIDO2

Authenticator Types

Platform (TPM)

Verification via Biometrics: Fingerprint, Iris, …
Platforms: Android, Windows 10

Portable: Security Keys (USB, NFC, Bluetooth)

Verification via Presence
Platforms: all

Example client code

// Registration: serverRandomValue is the challenge string the server issued for this ceremony
const credentialCreationOpts = {
    challenge: Uint8Array.from( serverRandomValue, c => c.charCodeAt(0)),
    rp: { name: "eXXcellent solutions Web", id: "exxcellent.de" },  // relying party; id scopes the credential
    user: {
        id: Uint8Array.from("EXXL85T9AFC", c => c.charCodeAt(0)),  // opaque user handle, not the username
        name: "alice@exxcellent.de",
        displayName: "Alice Lee",
    },
    pubKeyCredParams: [{alg: -7, type: "public-key"}],  // COSE alg -7 = ES256
    timeout: 60000
};

// Prompts the authenticator; the returned response is sent to the server for verification
const credential = await navigator.credentials.create(
     { publicKey: credentialCreationOpts }
);

FIDO2/WebAuthn Scenarios

Convenient & Secure 2FA

Just use WebAuthn to register/verify an additional credential. No more OTPs – Yeah!

Passwordless Logins (no MFA)

Just use WebAuthn instead of passwords

Passwordless Logins (with 2FA)

Request User Verification (UV) from Authenticator → Additional PIN, Biometrics, …

"I’m a bank!"

Trust only selected authenticators? → request device attestation

"What is my username?"

Use Resident Credentials (RK): can be acquired without a Credential ID.
But:
  1. Incomplete browser support
  2. UV must be set up
  3. Limited storage

FIDO2, WebAuthn & Java

webauthn4j

A portable Java library for WebAuthn server side verification

webauthn4j/webauthn4j-spring-security

Spring Boot / Angular sample application

Keycloak 8.0+

Built-in support using webauthn4j

Resources

Introductions
Standard Hardware Security Keys

$20-$35 Open-source key: Solo Keys

Indestructible, #1 brand, $20-$70: Yubico

Special Hardware Keys

Biometrics (no PIN for UV!): ezfinger2

Wearables: Motiv Ring

Software-only Key (Android)

wiokey.de (Free)