
The World of Passkeys 🤝🏽 Ruby

A talk from RubyConfTH 2023, held in Bangkok, Thailand on October 6-7, 2023.
Find out more and register for updates for our next conference at https://rubyconfth.com/


00:00:07.600 How about now? Yeah, all right, sounds good.
00:00:10.320 All right, everybody, I'm here today to talk to you about the world of Passkeys.
00:00:13.280 Meet Ruby! My name is Helio Cola, and I've been doing software development for 22 years.
00:00:15.440 For the past 12 years, I've primarily worked with Ruby on Rails.
00:00:20.359 Here is the agenda for my talk.
00:00:23.279 I'm going to discuss the 'what,' 'who,' and 'why' of Passkeys.
00:00:25.880 I'll cover what Passkeys are and how they work.
00:00:29.439 We might have some not-so-exciting demos, but I'll also share some interesting insights.
00:00:34.559 First, let me ask you a couple of questions.
00:00:38.079 Raise your hand if you've ever heard about Passkeys.
00:00:45.440 Now, keep your hands up if you've read about Passkeys from another website.
00:00:51.000 Pretty much everybody! Now, how many of you have set up Passkeys in your GitHub account?
00:01:00.079 There are a couple of people here. I set up my Passkeys on GitHub a couple of weeks ago, but I haven't used them much since.
00:01:10.759 It's a new technology that's starting to gain more traction.
00:01:18.880 Let me start by defining what Passkeys are.
00:01:24.520 Passkeys are a replacement for passwords, designed to reduce our over-reliance on traditional passwords.
00:01:31.040 They are part of a web authentication standard that uses public and private keys for challenge-based authentication.
00:01:37.399 Throughout the presentation, I will go into more details about what that actually means.
00:01:42.439 Passkeys use public key encryption, a technology that has been around for a while.
00:01:48.479 Sometimes, they're protected by biometric devices or are discoverable.
00:01:51.840 Here's another definition that I like. I found it very helpful a handful of months ago while studying the topic: 'A password is something that can be remembered and typed in.' A Passkey is a secret stored on a device, unlocked with biometrics.
00:02:05.920 There are a few caveats to this definition, and it has hidden edge cases, but it resonates with me.
00:02:11.160 However, let me be honest, 99% of my passwords are hard to remember. If I try to type them, I'm going to make errors all the time. I use password managers, and all my Passkeys are strong.
00:02:25.239 Most of my Passkeys are also synced with my cloud account and not just limited to my local devices.
00:02:34.959 While currently all my Passkeys are unlocked with biometrics, perhaps in the future not all of them will use this method.
00:02:45.400 So, this definition captures the majority of users who still remember their passwords and type them out, often resorting to writing them down in a notebook or saving them in notes on their phones.
00:02:57.620 One scenario of Passkeys is that they can be created bound to a specific device.
00:03:10.720 Like I said, all my Passkeys are unlocked with biometrics, but not all of them may necessarily be in the future. However, this could lead to discussions around biometrics and their relationship with Passkeys.
00:03:30.000 Here's a little historical context on Passkeys: Around May 2016, the first public working draft of the web authentication standard was released.
00:03:50.000 Major companies like Microsoft, PayPal, and Google contributed to creating this standard. If you're interested in further reading on web standards, I recommend visiting w3.org.
00:04:06.680 As I mentioned earlier, Passkeys utilize public key encryption, a technology that emerged in the 1970s.
00:04:20.600 It wasn't until 2016 that the first W3C web authentication standard was published, giving rise to various stakeholders involved in the implementation of Passkeys, each playing a crucial role.
00:04:37.680 In a nutshell, Passkeys provide a more secure replacement for passwords, allowing users to authenticate without the need for traditional passwords.
00:04:51.000 During my talk, I'll focus on the small red element in the iceberg graphic, representing the developer's role in integrating Passkeys into their web applications.
00:05:07.400 It's essential to understand the entire process, as well as the various pieces that enable Passkeys to function correctly in applications.
00:05:20.760 A Passkey consists of a public and private key pair, protected by your device and biometric data to facilitate challenge-based authentication.
00:05:35.560 Let's break this down into smaller chunks. When you create a Passkey, you're actually generating a public and a private key pair. Your private key is used to encrypt data, while the public key is used for decryption.
00:05:52.639 The private key remains on your device, but it may also sync with your cloud account, whereas the public key is shared with the website for which you are creating the Passkey.
00:06:02.000 Before initiating the Passkey flow, your device will first validate your biometric data, whether it's through Touch ID or Face ID.
00:06:11.239 This validation is crucial for ensuring challenge-based authentication. In this context, when you try to log in to a website using Passkeys, you're not merely presenting a login and password.
00:06:20.560 Instead, the website will issue a challenge, allowing you to prove your identity without revealing your private key. The website will send you data to encrypt using your private key.
00:06:41.760 After encrypting the data, you'll send your digital signature back to the website. The website will then utilize the public key stored during registration to decrypt your signature.
00:07:01.440 If everything checks out, then voila, you are authenticated.
00:07:10.880 Now that you're aware of how authentication works, let's delve deeper into the registration process, which includes multiple entities, each playing a distinct role.
00:07:25.640 In registration, we have four main components: the user, the browser, the cloud account, and the relying party (the website).
00:07:41.320 For instance, in our scenario, SPKman.com is a friendly website implementing Passkeys.
00:07:59.960 When you want to sign up, the website will request your public key. Your device will then create a Passkey, validate your biometric data, and generate your public and private keys.
00:08:17.040 Once the biometric validation is complete, the private key will sync with your cloud account while the public key returns to the browser and subsequently to the website.
00:08:41.000 This method streamlines the user experience since the only action required from the user is to grant consent and authenticate through biometric validation.
00:09:07.560 Currently, major players like Google, Microsoft, and Apple support Passkeys, but unfortunately, Mozilla and Firefox lag behind.
00:09:20.880 Once you have an account using Passkeys, you can authenticate by signing in to the website.
00:09:29.400 You will be asked to sign a piece of data using your private key, and by validating your biometric data, your device will access the private key to sign the data before sending it back to the browser.
00:09:43.920 The browser will then send this signed data back to the website, where it will be verified using the public key.
00:09:58.480 If the signature checks out, congratulations, your session is authenticated and you are logged into the system.
00:10:10.080 One vital point to highlight is that sites no longer store critical authentication information. For example, if a database is compromised, all that is left is the username and public key.
00:10:29.720 With this information alone, nobody can impersonate a user because they would still need the private key, which remains securely stored on the user's device.
00:10:44.640 In many scenarios, breaking into the system will yield no access to private keys, which is a significant improvement in security.
00:11:03.880 These keys are unique per site by design, which is enforced by the standards and guarantees set by browsers.
00:11:20.320 They are strong by design, leveraging public key cryptography, while your device and browser manage and replicate your private keys.
00:11:35.640 This level of trust now rests with major players like Apple, Google, and Microsoft.
00:11:41.040 Are you guys ready for some demo time?
00:11:50.640 Let me see if I can pull this off. All right, here we go! This is a Rails application that uses Passkeys.
00:12:05.280 I created this application not too long ago to demonstrate the implementation of Passkeys.
00:12:18.560 Let's do this. I'm creating a new account. This is the signup screen. I input my email and a label, and that's all I need to do.
00:12:35.440 Now, after I click signup, the browser initiates the Passkeys process.
00:12:41.920 It will request biometric validation to confirm my identity, enabling the creation and syncing of the private key.
00:12:57.760 If I provide the correct biometric input, I'm authenticated successfully, and my account is created.
00:13:12.360 Now let's imagine a situation where I need to reauthenticate to change sensitive information, such as my name.
00:13:29.520 I'll need to prove my identity again, so I'll input my biometric data once more.
00:13:45.600 Once authenticated, I will be able to proceed with the name change.
00:14:00.880 After signing out, I can sign back in using the stored Passkeys.
00:14:13.360 The process will show me the accounts I have available for signing in.
00:14:29.960 I select the relevant account and input my biometric data once again.
00:14:46.480 The system will process the public and private key interactions, handle encryption and decryption, and authenticate me.
00:15:07.160 I'm pleased to see the demo working smoothly with no hiccups.
00:15:26.080 Now let's talk about the user-friendliness of Passkeys.
00:15:41.640 Passkeys are intuitive; all you need is your biometric data, making them quite easy to use.
00:15:48.960 During signup, the user's only task is to give consent and validate their biometric data.
00:16:02.360 Passkeys are discoverable, but in a manner similar to how password managers retrieve credentials.
00:16:20.960 The keys are automatically unique for each application, a design feature built into Passkey standards.
00:16:35.760 With regards to security, should a database be compromised, the only exposed information would be your username and public key.
00:16:48.360 No one can impersonate you without access to your private key.
00:16:59.000 Private keys remain securely on your device or cloud account, highlighting the robust security architecture of Passkeys.
00:17:09.360 Social engineering techniques to acquire personal information are less impactful now, as users are not aware of their private keys.
00:17:26.600 The key creation and information flow are automated, decreasing the likelihood of manual errors.
00:17:35.200 If somebody were to try and extract information from me directly, it would not yield any results, as I don’t know my private key.
00:17:51.640 Shifting gears, let's talk about the future of Passkeys and the idea of device-bound Passkeys.
00:18:09.600 These Passkeys are restricted to the specific device, which presents both advantages and disadvantages.
00:18:26.040 In the event of losing your device, you could be locked out unless a manual process exists for generating a new device-bound Passkey.
00:18:39.440 The more common Passkeys are those that sync across devices via cloud accounts, enhancing accessibility.
00:19:00.000 If I lose my device, I can quickly acquire a new one and retrieve my Passkeys.
00:19:20.240 For instance, if I lose my iPhone and replace it with another iPhone, I can easily log in and retrieve all my information.
00:19:39.320 The technical standards supporting Passkeys make it intriguing to explore cross-device authentication and user presence verification.
00:19:47.840 Check out the w3c.org website, which has extensive information on the emerging standards for user experiences.
00:20:04.080 The goal here is to make authentication easier and more secure to ultimately replace passwords.
00:20:18.640 We all know passwords are problematic, and their common usage doesn't solve many security challenges.
00:20:35.920 Interestingly enough, statistics from past studies show that the most common passwords haven’t changed in years.
00:20:52.960 There's a growing consensus that password-based authentication is not user-friendly.
00:21:07.040 Ultimately, Passkeys can provide a smoother alternative, which can also enhance the overall user experience.
00:21:29.440 As we move forward, let's applaud the innovations in the Ruby community that have contributed to the world of Passkeys.
00:21:48.640 Let's discuss the Ruby community and its involvement in this technological transition.
00:22:07.760 Shout out to trailblazers like Gonzalo Rodriguez, Peter Lava, and Thomas Cannon for their contributions.
00:22:21.760 Gonzalo and his team at Cedarcode released the Ruby Authorization framework, among various contributions.
00:22:40.880 Peter Lava wrote brilliant articles about multi-factor authentication algorithms for Ruby.
00:22:58.560 Thomas Cannon, the creator behind the Ruby Passkeys GitHub organization, has also played a pivotal role.
00:23:16.480 Now that I've shared all this information, I sincerely thank you all for your attention today.
00:23:36.280 The future of Passkeys looks promising, and I'm thrilled to see how this technology will evolve.
00:23:53.840 Thank you to RubyConf Thailand for hosting such a meaningful event, and please feel free to reach out with any questions!