WebAuthn: House Keys for the Web

WebAuthn:

House Keys for the Web

My talk tonight about new browser API WebAuthn, new security-oriented capability we now have access to front end space.

I'm very excited represents a huge improvement over standard username/password website authentication flows that love to hate.

Who am I?

Matthew Miller

MasterKale IAmKale

Matthew Miller. senior full stack engineer at BCG Digital Ventures in Manhattan Beach.

spend lot time in front end, love experiment new technologies, see what makes tick.

free time build libraries reduce developer frictions so we can focus on building cool stuff.

What to look forward to:

Keeping people out

Exploring "passwordless"

WebAuthn pros and cons

Starting your own WebAuthn journey

🎉 Launch Party 🎉

The Humble Housekey

House Key

Used to secure entry to private places for almost 1200 years
A lock requires a specific key - reliable
Easy to carry - convenient
Inconvenient to duplicate - secure

start talk, brief overview humble house key

nearly 1200 years, secure private property.

Withstood three reasons:

A lock requires a specific key - reliable
Easy to carry - convenient
Inconvenient to duplicate - secure

The Tragedy of the Password

"We 'accept' that passwords are the best we have for securing access, despite all of their obvious pitfalls" - Me

Poor auth implementations create locks that accept multiple passwords - not reliable
Difficult to remember, so users write them
down - not convenient
Very easy to duplicate, just need to dump a user DB to the internet - not secure

Unlike house key, passwords pain point long as existed.

Read Quote

Such pitfalls include:

Poor auth implementations create locks that accept multiple passwords
Difficult to remember, so users write them
Very easy to duplicate, just need to dump a user DB to the internet

What if we could have house keys for our websites?

🤔

Wouldn’t be nice, could realize benefits of house key for websites?

What if web developers had reliable, convenient, and secure method locking down account access?

I’d argue we do.

Exploring the idea:
Don’t Need A Password

What did this prove?

Authenticator

≈

House Key

So what did this prove?

Exhibit A for argument that hardware authenticator are perfect analogue to house key.

Benefits of WebAuthn

Authenticators can hold many keys - reliable
Easy to carry - convenient
Inconvenient to duplicate - secure

In fact, demonstrate/sometimes surpass same three strengths of house keys:

single authenticator holds unique key pair for every website.

no credential reuse of any kind
remember which key pair for a given website
reliable

small, fit comfortably on a keyring next to your other keys

convenient

Hardware authenticators difficult to duplicate

private keys never leave hardware
secure.

Challenges of WebAuthn

WebAuthn dev community is very nascent
Account recovery in case of lost/replaced authenticator is more difficult
A stolen authenticator can allow a bad actor to impersonate a user

Challenges working with WebAuthn:

still early days for the API

Development community is still a bit of a wild west.
API ratified by W3C, modern browsers implement spec
but no clear winner in terms of integration libraries.

Account recovery UX needs rethought

Need to handle case of user losing authenticators since can’t duplicate hardware
Right now, need encourage users to register multiple authenticators in case one is lost, or traded in.
Improvements proposed to enable “backup” authenticator, takes time

Some authenticators cannot verify identity, rely on simple interactions to prove that at the very least someone was present.

Someone can steal authenticator and become them online.

Is this 2FA?

Not if it’s used to replace a password!
It can still be paired with other 2FA methods

Regarding “passwordless”, WebAuthn not 2FA when replaces a password.

would still need paired with emailed code, One Time Password generator.

Who’s backing it?

Google
Mozilla
Microsoft
Apple

In terms of org support, many big names support standard, actively participating in development, implementation.

Many websites already enabling use

Github
Shopify

How do I get started?

Software

Duo Security’s intro site
Awesome WebAuthn
Spec github (for discussions in Issues)
WebAuthn Adoption Community Group

Hardware

Yubico - Security Key NFC
SoloKeys - Solo, Somu
macOS - TouchID (Chrome)
Android - Fingerprint sensor
iOS - NFC

WebAuthn Support Matrix: https://fidoalliance.org/fido2/fido2-web-authentication-webauthn/

If like what heard, some resources help started.

Browser and OS support grows

consult the FIDO Alliance’s support matrix for an up-to-date list of what all supports WebAuthn.

Let’s empower users to lock up their accounts!

Time is now start empowering users to lock up their accounts!

Not question of if, but when users requesting extra level of security.

Great time to dive into the API, get ahead demand.

One more thing...

The SimpleWebAuthn Project

https://github.com/MasterKale/SimpleWebAuthn

Before I go, something like to introduce.

proud announce new open-source project I call SimpleWebAuthn.

Pair of complimentary libraries, one front end and one back end, aims to reduce complexity of working with WebAuthn to few simple methods.

Please take a look, include example to familiarize with general WebAuthn integration

Welcome any feedback you might have.

Thank you!

Matthew Miller

MasterKale IAmKale

Thank you all for your time tonight!

Any questions on Twitter @iamkale, or hit me up on js.la Slack, IAmKale.

WebAuthn: House Keys for the Web

Matthew Miller @IAmKale