Security Best Practices
No Passwords, No Problems: Move Beyond Passwords With Web Authn And Passkeys

Summarized using AI

No Passwords, No Problems: Move Beyond Passwords With Web Authn And Passkeys

Carla Urrea Stabile • October 04, 2023 • Vilnius, Lithuania

In her presentation at Euruko 2023, Carla Urrea Stabile discusses a future without passwords through alternatives such as WebAuthn and passkeys. She shares her personal anecdotes regarding the frustrations of password management, highlighting its reliance on memory and vulnerability. She emphasizes the need for passwordless authentication, which improves user experience and security, and reduces the cost of managing passwords. Stabile introduces the concepts of passwordless authentication, which involves methods like magic links and one-time codes, and demonstrates that passwordless options can be both user-friendly and secure by eliminating the knowledge factor in authentication.

Key Points Discussed:
- Dislike for Passwords: Stabile recounts her struggles to remember passwords and how they often lead to panic during transactions, underscoring the sentiment that 'passwords suck.'
- Passwordless Authentication: She explains passwordless authentication as a superior method that improves user experience and security, hinting at alternative mechanisms that allow for easier login.
- Authentication Factors: Three factors are outlined: knowledge, possession, and inheritance. Passwordless systems utilize possession (like devices) and inheritance (like biometrics) to verify identity.
- WebAuthn: Stabile dives into WebAuthn, a browser-based API for authentication using public key cryptography instead of passwords, and discusses its functionality and security advantages.
- Demonstration: A demo of creating WebAuthn credentials illustrates how seamless and secure passwordless authentication can be.
- Introduction to Passkeys: Stabile discusses passkeys, designed to replace passwords, emphasizing their uniqueness, automatic syncing, and resilience to phishing attacks. She distinguishes between sync passkeys and device-bound passkeys and highlights their intuitive nature.
- Conclusion: The speaker encourages exploring early implementations of passkeys for broader application, referencing tools and services like Google, Apple, and GitHub that support passkeys. She closes with a call to engage with resources that facilitate understanding and implementation of these new authentication methods.

Carla Stabile's keynote ultimately advocates for a transformative shift from passwords to more secure, user-friendly alternatives, promoting ongoing exploration and implementation of these technologies in user authentication systems.

No Passwords, No Problems: Move Beyond Passwords With Web Authn And Passkeys
Carla Urrea Stabile • October 04, 2023 • Vilnius, Lithuania

EuRuKo 2023

00:00:12.240 Hello everyone! How’s everyone doing? I’m happy to be the first speaker after the keynote. Today, I’m here to share my vision of a world where you don’t have to use passwords anymore. Can you hear me okay?
00:00:26.220 Now, you might think that someone who works in identity and access management would know a lot about passwords and how to deal with them. But I want to tell you about one of the many stories I’ve had related to passwords, and I'm pretty sure many of you have dealt with this as well. It's one of those situations where you wish you didn’t have to rely on your memory for something as simple as paying with your credit card.
00:00:39.540 A few months ago, I found myself in a furniture shop at the checkout. I wanted to pay with my credit card using the contactless payment option. Usually, it doesn’t ask for a PIN, but of course, this time it did.
00:00:52.320 I didn’t remember my PIN, so I thought, ‘Okay, let me check my bank’s application to find my PIN.’ I opened the app and usually sign in with my fingerprint, but this time, it required my password, which I also didn’t remember. Here I am at the checkout, starting to sweat because it had already been about ten minutes of me trying to pay.
00:01:05.300 I eventually managed to pay, but not before getting a six-digit code sent to my phone to unlock the app and access my PIN. This isn’t the first time something like this has happened to me. Yes, I use a password manager to store my passwords, but I forgot to save that particular password. The truth is, passwords suck!
00:01:24.900 Does anyone agree with that? Yes, you’re my people! One of the problems with passwords is they rely on your memory. We have to create long passwords, and with everything else we juggle in our minds daily, it’s easy to forget them. Additionally, passwords can be vulnerable and stolen by unauthorized individuals.
00:01:37.440 And passwords can also be reused by unauthorized people. So, hello everyone, I’m Carla, and I work as a Senior Developer Advocate for Okta, which is an identity and access management company. You’d think I would have mastered passwords, but I haven’t. I’ve been working as a software engineer for the past ten years. Sometimes I make YouTube videos; you can find me as Carla Stabile almost everywhere, although some handles were already taken.
00:01:56.700 Before we dive in, I have some disclaimers. First, I might simplify certain concepts to explain them in an easier way. Second, whenever you see a QR code, feel free to scan it. I brought a bunch of resources, and I will also share these slides on my Twitter, or somewhere else.
00:02:10.320 Everything I share here will also be available to you all. Today, I’m going to share my dislike for passwords (I’ve already started that), and then we will go through a list of topics. We will discuss alternatives, specifically two concepts: WebAuthn and passkeys.
00:02:30.300 So, if we don’t use passwords, what’s the alternative? The slide may have given you a spoiler already. The alternative is passwordless authentication.
00:02:46.740 To get a fancier definition, passwordless authentication is any form of authentication that doesn’t require the user to provide a password at login. There are various ways to implement passwordless authentication, such as using a magic link sent to your email or a code sent via SMS to your phone. However, there are many other methods of implementing passwordless authentication.
00:03:03.060 Now, I believe passwordless authentication is superior for several reasons. Firstly, it improves user experience. Users only need to remember their email or phone number—or maybe their username, if we want to get creative.
00:03:15.360 There’s no need to remember complex passwords. On the other hand, I also believe that passwordless authentication is more secure.
00:03:27.120 Passwords can be vulnerable; we often reuse them or share them with others. If you’ve ever used streaming services, you know this is true. Over 90% of web application attacks stem from credential abuse, like stealing passwords. In contrast, passwordless authentication is more secure because it requires a second factor to prove identity.
00:03:40.320 Another reason why passwordless authentication is better is that it reduces the cost of ownership. Managing passwords can be expensive. We often discuss password expiration, password reset policies, hashing, and secure storage—all of which can be complex and stressful. How many of you have had to implement an authentication system for your application? Each time I have to do this, I think, ‘Did I cover everything? Is this secure enough?’ It can be quite stressful.
00:03:56.040 If passwordless authentication is the alternative, how does it work? Before we dive into that, we need to mention authentication factors. There are three main types of authentication factors: knowledge, which is proving who you are using something you know (like a password or answer to a security question); possession, which involves proving your identity with something you own (like a device); and inheritance, which relates to proving your identity through inherent traits, like biometrics.
00:04:18.720 In passwordless authentication, we eliminate the knowledge factor by using either the possession factor or the inheritance factor. For instance, you can authenticate using a device you own or by using your fingerprint.
00:04:36.180 There are various ways to implement these factors. For example, you can send magic links, one-time codes, push notifications, or use authenticator apps. I may have given away part of the answer with this information.
00:04:55.380 When you combine multiple authentication factors, you add another layer of security to the system. Depending on the type of authenticator and factor used, it can increase what is known as the level of assurance.
00:05:08.880 The level of assurance refers to how confident you are that this user is who they claim to be, rather than an attacker or someone attempting to undermine your system. One way to increase that level of assurance is through public key cryptography.
00:05:19.740 I won’t delve deeply into this, but chances are, if you’ve used Git or GitHub, you’ve engaged with public key cryptography, such as via SSH keys. In a nutshell, public key cryptography uses a public key, which is accessible to everyone, and a private key, which only you know.
00:05:38.520 Any information encrypted with your private key can only be decrypted with the corresponding public key and vice versa. We talked about having multiple authentication factors, and public cryptography enhances security. However, we also want this system to be phishing resistant.
00:05:56.700 For a system to be phishing resistant, every party in the authentication process must prove their identity and intent through deliberate action. It sounds fancy, but it means you need to assert or confirm that you wish to authenticate or create new credentials.
00:06:12.180 This is where WebAuthn comes into play. WebAuthn, short for Web Authentication API, is a browser-based API that allows servers to register and authenticate users using public key cryptography instead of a password.
00:06:26.040 This is a W3C recommendation that's been around for a few years. I’m curious to know how many of you have heard of or used WebAuthn? I see a few hands. Are you all from 1Password or something like that?
00:06:45.060 WebAuthn uses public cryptography for registering and authenticating credentials. It can also utilize hardware authenticators, which can look like this.
00:07:01.320 Which of you own one of these? These devices are known as security keys. In the image, you can see several options such as Google’s Titan and Yubikey from Ubiico. This type of device creates and securely stores public and private key pairs for authentication.
00:07:15.720 Besides hardware authenticators, you can also use a platform authenticator like your Mac’s Touch ID.
00:07:25.680 I’ve been talking a lot, and now I want to show you how this all looks in action with a little demo. Fingers crossed that this video works.
00:07:38.040 There’s a video, believe it or not. Okay, here we go...
00:07:52.860 Music is playing as I try to get this video ready to show you more about WebAuthn and how to create a WebAuthn credential.
00:08:05.280 Let’s see if this works; let me pull up the video.
00:08:32.460 Well, I’m trying to show the video, but it seems to be giving me a hard time. Let’s do a refresh... Still not quite working. You know, it’s strange; it worked perfectly during our morning test.
00:08:47.880 But we have the video saved on my device, so I may just pull that up instead.
00:09:18.240 As I find the video… it’s quite the process, isn’t it?
00:09:31.740 Ok, let’s give this another attempt. Hoping for a better result this time.
00:09:49.920 We want to showcase how to create and use a WebAuthn credential.
00:10:02.760 Yay, this is working! So, what I want to show you is how we create a new WebAuthn credential. I’ll be using just the username, no password required.
00:10:16.920 The browser will ask if I want to create a new credential. I’ll click to continue, and then I'm prompted to use my fingerprint with MacBook’s Touch ID.
00:10:29.520 Later on, when I want to authenticate, the process is similar; I’ll go to sign in using the same username.
00:10:42.000 Unlike a password, the browser won’t prompt me to create anything new but will simply ask for my fingerprint instead.
00:10:56.880 This might seem straightforward, but let’s see what happens under the hood during this interaction.
00:11:05.520 To create a new WebAuthn credential, first, the user sends their username to the browser. The browser then forwards this information to the server, called the relying party in this context.
00:11:18.120 The relying party sends a cryptographically random challenge to the client, which the client sends to the authenticator.
00:11:31.680 Before the authenticator processes the information, it requires user interaction; the user must confirm their intent to create a credential by touching the UB key or using Touch ID.
00:11:44.760 Once confirmed, the authenticator generates the key pair and sends that information back to the browser, signing the challenge with the created key pairs.
00:12:01.440 We send back the signed challenge, the public key, and a private key ID. Note that the private key never leaves the authenticator; we’re only sending an identification that we can use later.
00:12:16.440 The client then sends this back to the relying party, which can store the public key and private key ID.
00:12:30.000 When you want to log in again, the user sends their username to the browser, which forwards that to the relying party. The relying party recognizes an existing user and sends back a new challenge to be signed.
00:12:43.740 The private key ID is essential because it verifies that the signed challenge originates from the same key used for the initial credential creation.
00:12:56.340 Once again, user interaction is required to confirm that they want to sign the challenge using their UB key or MacBook’s Touch ID.
00:13:10.860 The signed challenge, public key, and a public key, are sent back to the relying party for verification.
00:13:25.380 This highlights what happens behind the scenes; the communication between the client and the authenticator occurs through a protocol called the Client to Authenticator Protocol (CTAP2).
00:13:39.480 The interaction between the client and the relying party involves the WebAuthn standard. These two components make up what is known as FIDO2, developed by the FIDO Alliance.
00:13:56.520 FIDO2 aims to eliminate the need for passwords entirely. For further learning, you can scan the QR code provided.
00:14:09.480 Now, having discussed WebAuthn, let’s focus on the methods available. The two main methods are navigator.credentials.create and navigator.credentials.get.
00:14:24.720 The create method assists in generating those public key credentials, while the get method is used for authentication later.
00:14:41.760 As a browser-based API, it is exposed through JavaScript. Fortunately, there is also a gem for Ruby on Rails applications that allows them to operate as a WebAuthn relying party.
00:14:58.560 This involves specifying the origin. In my demo, it was localhost with the name WebAuthn Demo.
00:15:13.920 We set up the options for the registration method, which prepares the payload to send to the WebAuthn API.
00:15:28.920 The payload includes user information such as the username, an ID generated by the WebAuthn gem, and a selection of authenticators.
00:15:45.660 By verifying user interaction, we can stipulate whether the authentication is required, meaning you cannot use a device like a UB key without user verification.
00:16:05.400 As you are building your application, your front-end code will also need to call the WebAuthn API.
00:16:21.480 You will call navigator.credentials.create with the appropriate parameters, including sending along the challenge.
00:16:37.740 Here we send necessary information like the user’s details, keeping in mind that this challenge is a randomly generated value.
00:16:52.680 The browser will assist in guiding users through authenticating with their fingerprint or other means, and you’ll receive a response containing the public data necessary for storage.
00:17:08.640 Once it's time to authenticate with a WebAuthn credential, you will again fetch the user from the database, initializing a call using the get method.
00:17:22.020 You would be using a reference to the WebAuthn generate user ID from the registration process and providing relevant challenges.
00:17:37.620 As for the front-end, again, the call structures will resemble one another closely. You need to ensure you retrieve a challenge from the server side.
00:17:54.720 Also, allow user authentication through various transport mechanisms like USB, Bluetooth, or NFC.
00:18:09.720 I genuinely believe WebAuthn surpasses passwords, primarily because it employs public/private key-based authentication, rendering the private key securely within the authenticator.
00:18:23.820 Moreover, its options ensure user interaction throughout the authentication process, meaning no stored credentials can be breached.
00:18:36.840 WebAuthn simplifies the overall storage protocol — you only store public information in your databases, facilitating a better user experience, and most importantly, there are no more passwords.
00:18:55.920 Now, reflecting back on the agenda, I’ve expressed my dislike for passwords, discussed alternatives, including passwordless and WebAuthn.
00:19:09.540 However, we can look to the future: Is there a way we can eliminate the need to even remember if we created an account for a website?
00:19:25.920 Yes, there’s a solution, and it’s known as passkeys. How many of you have heard about passkeys? Yes, a few of you.
00:19:44.520 Passkeys are designed to replace traditional passwords, and they are intuitive because there’s nothing for you to memorize; your authentication is straightforward.
00:20:00.240 They’re automatically unique for each server, preventing reuse, and they are resistant to breaches, as only public data is stored.
00:20:16.680 Furthermore, they are also inherently phishing-resistant due to their reliance on public/private key cryptography.
00:20:35.520 More technically, passkeys are FIDO2 discoverable credentials, which means they utilize the WebAuthn standard under the hood.
00:20:52.500 While WebAuthn credentials aren’t technically considered passkeys unless they are discoverable, discoverable credentials allow the relying party or server to automatically recognize a username.
00:21:06.480 You might be curious; why shouldn’t we just stick with discoverable credentials? The short answer lies in compatibility. Passkeys are quite new—only gaining popularity in June last year—so some authenticators still don’t support these features.
00:21:24.780 As for passkeys themselves, there are two forms: sync passkeys and device-bound passkeys. Sync passkeys utilize cloud-based systems (like iCloud) to operate across devices, while device-bound passkeys are linked to a single device, such as a YubiKey.
00:21:41.200 One notable feature regarding sync passkeys is their automatic syncing across all devices. For example, if you create a passkey on your Mac, and sync it via iCloud, you can use it on other devices.
00:22:00.200 Let me show you how this looks in a video demonstrating Okta’s implementation of passkeys —currently in early access.
00:22:18.200 So, let's click on login. Apologies if this appears too small; here we have a login form for a system that previously required a password.
00:22:35.860 Upon entry of my email, it prompts me for a password, but instead I click to create a passkey.
00:22:49.680 Using my fingerprint with Touch ID, I can log in. The process is quite seamless!
00:23:05.480 Later, I can log in again using the passkey seamlessly, with the system auto-filling my email. I simply use my fingerprint to authenticate.
00:23:18.680 As mentioned, passwords and passkeys can coexist during the transitional period as we adapt to this new security method.
00:23:34.680 The exciting Multi-Device feature allows syncing passkeys through the cloud, meaning they are available across devices, like a phone login.
00:23:50.800 So, I can authenticate using my passkey across devices seamlessly. You’ll notice I consistently used fingerprint authentication, but I can easily switch to using face identification.
00:24:05.380 This flexibility is important as we shift from relying on passwords towards embracing passkeys.
00:24:20.520 As a recap, I’ve expressed my dislike for passwords extensively. We talked about alternatives and the benefits of WebAuthn.
00:24:35.760 Finally, we discussed passkeys and their advantages for streamlining this evolving area.
00:24:50.320 So what can you do with this information? You can gain early access to the passkey technology within applications that rely on it.
00:25:06.080 Well-known services like Google, Apple, and GitHub are already supporting passkeys, and I’ve personally created a new passkey for GitHub recently.
00:25:20.120 Additionally, I recommend checking out the website webauthn.me to view interactive examples of how WebAuthn flows work along with debugging capabilities.
00:25:32.520 Passkeys.dev is another great resource to learn about passkeys since it’s hosted by the FIDO Alliance.
00:25:44.680 I encourage you to try the implementation at Okta as well. Despite the technical hiccups, it’s been an informative session.
00:26:01.440 Most importantly, we've shared this knowledge without relying on passwords at all. Thank you for your attention, and enjoy the rest of the conference!
Explore all talks recorded at EuRuKo 2023
+12