Retention
Benjamin Schmid, @bentolor
Retention
Complexity
Reuse
Stealing & Phishing
Password Memes: Length restrictions, Weird complexity rules, Expiration
Grant access only after presenting 2+ pieces of evidence out of: knowledge, possession or inherence.
One-time passwords: Mobile App, SMS, Email
Tokens: OTP Token, Security Key
Biometrics: Fingerprint, Iris
Issues: UX, Privacy, Phishing, Costs, Portability
FIDO     | FIDO Alliance; author of the protocols UAF, U2F and FIDO2
FIDO2    | Joint project by the FIDO Alliance and the W3C
WebAuthn | Browser JS API to talk to authenticators
CTAP     | Client to Authenticator Protocol
Verification via Biometrics: Fingerprint, Iris, …
Platforms: Android, Windows 10
Verification via Presence
Platforms: all
// Registration: ask the browser to create a new public-key credential.
// serverRandomValue is the challenge string received from the server; it must be
// freshly generated per request and is checked again when the response comes back.
const credentialCreationOpts = {
  challenge: Uint8Array.from(serverRandomValue, c => c.charCodeAt(0)),
  rp: { name: "eXXcellent solutions Web", id: "exxcellent.de" },
  user: {
    // opaque user handle, not the e-mail address
    id: Uint8Array.from("EXXL85T9AFC", c => c.charCodeAt(0)),
    name: "alice@exxcellent.de",
    displayName: "Alice Lee",
  },
  pubKeyCredParams: [{ alg: -7, type: "public-key" }], // -7 = ES256 (COSE)
  timeout: 60000
};
// await needs an async function or an ES module
const credential = await navigator.credentials.create(
  { publicKey: credentialCreationOpts }
);
Just use WebAuthn to register/verify an additional credential. No more OTPs – Yeah!
Just use WebAuthn instead of passwords
Request User Verification (UV) from Authenticator → Additional PIN, Biometrics, …
Trust only selected authenticators? → request device attestation
Use Resident Credentials (RK): can be retrieved without a Credential ID.
But: 1. Incomplete browser support 2. UV must be set up 3. Limited storage
webauthn4j
A portable Java library for WebAuthn server side verification
webauthn4j/webauthn4j-spring-security
Spring Boot / Angular sample application
Built-in support using webauthn4j
FIDO2 Developer Primer: webauthn.guide
FIDO2 Demo: webauthn.io
Articles: medium.com/@herrjemand/
$20-$35 Open-source key: Solo Keys
Indestructible, #1 brand, $20-$70: Yubico
Biometrics (no PIN for UV!):
Wearables: