Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure...
Transcript of Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure...
![Page 1: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/1.jpg)
1 © 2
019 Y
ubic
o
© 2019 Yubico
Securing a Web App with
Passwordless Web Authentication
Minimize and eliminate passwords!
![Page 2: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/2.jpg)
2 © 2
019 Y
ubic
o
Learn how to implement passwordless authentication for a stand
alone web app using:
● Starter Spring Boot web app with traditional username/password
● WebAuthn
○ Backend: Yubico WebAuthn Server Libraries
○ Frontend: JavaScript and W3C WebAuthn API
● Client to Authenticator Protocol Version 2.0 Compatible Browser
○ Resident Credentials enable passwordless authentication
● FIDO2 Security Key
What to expect from this workshop
![Page 3: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/3.jpg)
3 © 2
019 Y
ubic
o
Some knowledge of:
● Java
● Spring Framework
● JavaScript
● WebAuthn API
○ Browser with resident credential capability
● Security Key
○ Download YubiKey Manager to reset FIDO credentials as needed
● Optional
○ Docker
○ Azure subscription for cloud native development
You need
![Page 4: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/4.jpg)
© 2
018 Y
ubic
o
4
![Page 5: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/5.jpg)
© 2
018 Y
ubic
o
Passwords
● Hard to remember
● Easy to crack
● Easy to phish
● Many strong passwords
take lot’s of effort!
Source: https://xkcd.com/936/
![Page 6: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/6.jpg)
© 2
018 Y
ubic
o
Something you know
● Password
● PIN
Authentication Factors
Something you have
● Smart card
● OTP dongle
● Mechanical key
● YubiKey
Something you are
● Fingerprint
● Face
● Voice
● Iris
![Page 7: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/7.jpg)
© 2
018 Y
ubic
o
Pros:
● Can’t be pickpocketed
● Can’t break
● Easy to replace
Cons:
● Easy to steal remotely
● Hard to remember
● Theft is hard to detect
Authentication Factors
Pros:
● Can’t be stolen remotely
● Theft is easy to detect
Cons:
● Can be pickpocketed
● Can be forgotten, lost or
destroyed
Pros:
● Natural to use
● Difficult to lose
Cons:
● Difficult to replace
● May change over time
● Environmental
dependencies
![Page 8: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/8.jpg)
© 2
018 Y
ubic
o
Authentication Factors
Pros:
● Can’t be pickpocketed
● Can’t break
● Easy to replace
Cons:
● Easy to steal remotely
● Hard to remember
● Theft is hard to detect
Pros:
● Can’t be stolen remotely
● Theft is easy to detect
Cons:
● Can be pickpocketed
● Can be forgotten, lost or
destroyed
Pros:
● Natural to use
● Difficult to lose
Cons:
● Difficult to replace
● May change over time
● Environmental
dependencies
![Page 9: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/9.jpg)
© 2
018 Y
ubic
o
© 2
016 Y
ubic
o
What is FIDO2 / WebAuthn?
Open standards utilizing public-key cryptography with phishing protections
to enable strong second-factor, first-factor, multi-factor authentication
WebAuthn Server Authenticator
Browser
Client/Platform
Platform
Application
CTAP
WebAuthn
FIDO2 Client to Authenticator Protocol
W3C Web Authentication API
![Page 10: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/10.jpg)
10 © 2
019 Y
ubic
o
Security Keys as Root of Trust
Anchoring FIDO2 / WebAuthn credentials in a root of trust is the
cornerstone for building a secure identity model
● A hardware-backed root of trust strengthens the account
lifecycle ○ Authentication, Step-Up Authentication, Account Recovery, Bootstrapping New
Devices
● An external authenticator, as the root of trust, is the anchor that
creates a chain of trust with the internal authenticator ○ Recording the authenticator used to register other authenticators creates a chain of
trust that can be audited at a later date
![Page 11: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/11.jpg)
11 © 2
019 Y
ubic
o
Passwordless Migration Strategy
4. Eliminate
Passwords
3. Transition users to
passwordless deployment
2. Minimize use of passwords in user
flows
1. Deploy the WebAuthn / FIDO2 credential
management system across the account lifecycle
![Page 12: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/12.jpg)
12 © 2
019 Y
ubic
o
This workshop is split into multiple modules. Each module builds
upon the previous module as you expand the application. You must
complete each module before proceeding to the next.
1. Getting Started Instructions
2. Implement a Credential Repository
3. Implement WebAuthn Registration REST Endpoints
4. Implement WebAuthn Authentication REST Endpoints
5. Clean Up Instructions
Workshop Modules
![Page 13: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/13.jpg)
13 © 2
018 Y
ubic
o
© 2018 Yubico
Module 1 Getting Started
Walkthrough
![Page 14: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/14.jpg)
14 © 2
019 Y
ubic
o
CTAP2 compatible platform / browser
● MacOS Safari Technology Preview version 71+
● Windows 10 version 1809+ with Edge
Security key is recommended. Platform authenticators can as well (Windows Hello, etc…)
Local development
● Git
● JDK 1.8+
● Maven 3.2+
● Your preferred text editor or IDE
● [Optional] Docker
Cloud native development
● Azure Cloud Shell instructions are included
Development Environment
![Page 15: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/15.jpg)
15 © 2
019 Y
ubic
o
● Enable the Develop Menu
○ Choose Safari > Preferences, and click Advanced.
○ At the bottom of the pane, select the “Show Develop menu in menu bar”
checkbox.
● Enable Web Authentication Experimental Feature
○ Choose Safari > Develop > Experimental Features
○ Verify “Web Authentication” is checked
● Private Window
○ Running a web app on https://localhost:8443 may require using new private
window
● No Security Key PIN Support
○ Security keys with a PIN set may not work with Safari yet.
○ You can reset a security key back to factory default settings with the
YubiKey Manager. Warning: A reset will remove all FIDO credentials.
macOS Safari TP Tips
![Page 16: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/16.jpg)
16 © 2
019 Y
ubic
o
Start by cloning the git repository
https://github.com/YubicoLabs/java-webauthn-passwordless-workshop
Getting Started
![Page 17: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/17.jpg)
17 © 2
019 Y
ubic
o
WebAuthn Application Architecture
WebAuthn
API in
Browser
Client/Platform
CTAP1
and/or
CTAP2
Server-Side
App
Relying Party
WebAuthn
Server
WebAuthn
Platform
Auth API
Internal
Authenticator
External
Authenticator
User
Store
External
Metadata
Services
Register
and
Authenticate
Client-Side
JS
Attestation
Trust Store
![Page 18: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/18.jpg)
18 © 2
019 Y
ubic
o
WebAuthn Demo Server Data Flow
Browser API Server
app logic Core
library startRegistration() startAuthentication()
PublicKeyCredentialCreationOptions PublicKeyCredentialRequestOptions
Client side JS
Encode
to JSON
Decode
JSON
navigator.credentials
.create() .get()
Encode
to JSON
Decode
JSON
finishRegistration() finishAssertion()
UserIdentity
PublicKeyCredential
RegistrationResult AssertionResult
Generate
challenge
etc.
Handle
result
Inform
user
Validation
logic
![Page 19: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/19.jpg)
19 © 2
019 Y
ubic
o
Yubico/java-webauthn-server
webauthn-server-core/
● Entity Data Model ○ Assertion Request
○ Assertion Result
○ Attestation Object
○ Authenticator Response
○ Public Key Credential
○ Public Key Credential Creation
and Request Options
○ Registration Result
○ User Identity
○ Attestation
● Data Providers ○ Credential Repository
○ Metadata Service
● Methods ○ Registration
○ Authentication
○ Authenticated Actions
![Page 20: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/20.jpg)
20 © 2
019 Y
ubic
o
WebAuthn Demo Server Architecture
REST API HTTP/JSON translation
Entities
Registration
Authentication
Registration storage Persistent state
Entry Points WebAuthn-Server-Core Data Providers
DB
Server layer Transient state
(stateless)
Metadata lookup DB
External
services Configuration
Constructor parameters
Not included in workshop
![Page 21: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/21.jpg)
21 © 2
019 Y
ubic
o
Application logic
Core Library internal structure
DB
DB
External
services
Constructor parameters
Start
operation
UserIdentity
PKCCreationOptions PKCRequestOptions
Registration
storage
Metadata
source
Operation
settings
Challenge
generator
Finish
operation
Class RelyingParty
PublicKeyCredential
RegistrationResult AssertionResult
![Page 22: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/22.jpg)
22 © 2
019 Y
ubic
o
What you need to provide
● Storage for requests (temporary) ○ Completely external to the library
○ Library simply returns request objects
○ finish* methods expect them to be passed back in
● Storage for credentials (persistent) ○ Library requires an adapter object (CredentialRepository)
○ Library only looks credentials up
○ You need to save new registrations to the DB
● (Optional) Additional authenticator metadata sources ○ In the future, the library will include a FIDO Metadata Service connector
○ Optional module with Yubico device metadata as static files
![Page 23: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/23.jpg)
23 © 2
018 Y
ubic
o
© 2018 Yubico
Module 2 Credential Repository
Walkthrough
![Page 24: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/24.jpg)
24 © 2
019 Y
ubic
o
Module 2 Overview
1. Add WebAuthn Server libraries to project
2. Implement a Credential Repository 1. Copy data entities, credential repository, and service layer from webauthn server
demo into the project
3. Implement a Model-View-Controller to manage credential
registrations 1. Update the service layer to expose the registrations data model
2. Create a controller for the account page
3. Update the account page UI to add a table of registrations
![Page 25: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/25.jpg)
25 © 2
019 Y
ubic
o
2_Credential_Repository/TLDR.md
cd java-webauthn-passwordless-workshop/2_Credential_Repository/complete
mvn clean package spring-boot:run
or
docker build -t example/demo:module2 .
docker run -p 8443:8443 example/demo:module2
https://localhost:8443
Sign In: user / password
![Page 26: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/26.jpg)
26 © 2
019 Y
ubic
o
Dependency Configuration
Update pom.xml
![Page 27: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/27.jpg)
27 © 2
019 Y
ubic
o
Implement the Credential Repository Interface
public interface CredentialRepository {
Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username);
Optional<ByteArray> getUserHandleForUsername(String username);
Optional<String> getUsernameForUserHandle(ByteArray userHandle);
// Look up the public key and stored signature count for the given credential registered to the given
user.
Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle);
Set<RegisteredCredential> lookupAll(ByteArray credentialId);
}
CredentialRepository.java
![Page 28: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/28.jpg)
28 © 2
019 Y
ubic
o
Implement the Registration Storage Interface
public interface RegistrationStorage extends CredentialRepository {
boolean addRegistrationByUsername(String username, CredentialRegistration reg);
Collection<CredentialRegistration> getRegistrationsByUsername(String username);
Optional<CredentialRegistration> getRegistrationByUsernameAndCredentialId(String username, ByteArray
userHandle);
Collection<CredentialRegistration> getRegistrationsByUserHandle(ByteArray userHandle);
boolean removeRegistrationByUsername(String username, CredentialRegistration credentialRegistration);
boolean removeAllRegistrations(String username);
void updateSignatureCount(AssertionResult result);
}
RegistrationStorage.java
![Page 29: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/29.jpg)
29 © 2
019 Y
ubic
o
Copy Demo Resources
Copy webauthn demo server resources instead of implementing our
credential repository from scratch
● GetLibs.sh copies the Java WebAuthn Server demo WebAuthnServer
class, its Config file, associated Data Entities, and In-Memory
Credential Repository Implementation to our project
![Page 30: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/30.jpg)
30 © 2
019 Y
ubic
o
Update Service Layer
Make WebAuthnServer class visible as a service via Spring
@Service
public class WebAuthnServer {
Get the registrations data model
public Collection<CredentialRegistration> getRegistrationsByUsername(String
username)
{
return this.userStorage.getRegistrationsByUsername(username);
}
![Page 31: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/31.jpg)
31 © 2
019 Y
ubic
o
Create an Account Controller
@Controller
public class AccountController {
@Autowired
private WebAuthnServer webAuthnServer;
@GetMapping("/account")
public String registerAll(Principal principal, Model model) {
model.addAttribute("registrations",
webAuthnServer.getRegistrationsByUsername(principal.getName()));
return "account";
}
}
AccountController.java
![Page 32: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/32.jpg)
32 © 2
019 Y
ubic
o
Add Registrations Table UI to Accounts
<div class="card card--internal">
<h2 class="section-header">Security Keys</h2>
<table class="table" id="keys" th:classappend="${registrations.empty}? 'hide'">
<thead><tr>
<th> Nickname </th>
<th> Registration Time </th>
</tr></thead>
<tbody id="keys">
<tr th:each="registration : ${registrations}" >
<td><span th:text="${registration.credentialNickname.get()}"> NickName </span></td>
<td><span th:text="${registration.registrationTime}"> Registered </span></td>
</tr>
</tbody>
</table>
</div>
account.html
![Page 33: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/33.jpg)
33 © 2
019 Y
ubic
o
List Registrations
![Page 34: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/34.jpg)
34 © 2
018 Y
ubic
o
© 2018 Yubico
Module 3 Registration
Walkthrough
![Page 35: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/35.jpg)
35 © 2
019 Y
ubic
o
Module 3 Overview
1. Update Service Layer 1. Remove the dependency on AuthenticatedActions
1. Modify startRegistration() method to allow registration of multiple credentials
2. Configure JSON Rendering
2. Expose Registration REST Endpoints 1. Create a WebAuthn REST Controller
2. Add start and finish registration endpoints
3. Update UI to Enable Registration 1. Add JavaScript methods to call registration REST endpoints
2. Add UI components to allow user to register a security key
![Page 36: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/36.jpg)
36 © 2
019 Y
ubic
o
3_Registration/TLDR.md
cd java-webauthn-passwordless-workshop/2_Registration/complete
mvn clean package spring-boot:run
or
docker build -t example/demo:module3 .
docker run -p 8443:8443 example/demo:module3
https://localhost:8443
Sign In: user / password, Register: Register security key
![Page 37: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/37.jpg)
https://www.w3.org/TR/webauthn/#fig-registration
Registration Flow
Source: www.w3.org/TR/webauthn/#fig-registration
![Page 38: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/38.jpg)
38 © 2
019 Y
ubic
o
rp: relying party data. name is required. If id is left out then origins effective
domain is used
user: identity data. name, displayName (user friendly), and id
(userHandle) are required
challenge: contains challenge for generating the newly created credential’s
attestationObject
pubKeyCredParams: desired properties of credential to be created. type:
only one type: “public-key”. alg: crypto signature algorithm preference
excludeCredentials: limits creation of multiple creds for same account on
a single authenticator. Credential descriptor includes cred type and cred id
authenticatorSelection: specify authenticator requirements. When the
requireResidentKey is true the authenticator must create a client side
resident private key. userVerification can be “preferred”, “required”, or
“discouraged”
attestation: attestation conveyance preference. Default is “none”. “direct”
indicates the rp wants to receive the attestation statement. “indirect”
indicates prefers an attestation statement
Public Key Credential Creation Options
![Page 39: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/39.jpg)
39 © 2
019 Y
ubic
o
Start Registration Diagram
username, displayName, credNickname REST API
Start Registration
Challenge Generator
Registration Request
challenge
username, credNickname
User Identity
username, displayName
Exclude Credentials
Extensions
RelyingParty Start
Registration
PublicKeyCredentialCreationOptions
Register Request Storage
return RegistrationRequest to client as JSON
Credential Repository
![Page 40: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/40.jpg)
40 © 2
019 Y
ubic
o
Credential Create Response
“authData”:... “fmt”:“packed” “attStmt”:...
attestationObject
RP ID Hash Flags Counter Att. Cred Data Extensions
AAGUID L Cred. ID Cred Public Key
Authenticator Data
“alg”: ... “sig”: ... “x5c”: ...
Attestation Statement
“alg”: ... “sig”: ... “ecdaaKeyId”: ...
If Basic or Privacy CA
If ECDAA
Refer to W3C Web Authentication API for more details on attestation statements
ED AT: 1 UV UP: 1
![Page 41: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/41.jpg)
41 © 2
019 Y
ubic
o
Finish Registration Diagram
JSON response
REST API Finish
Registration
Credential Registration
Registration Response
Register Request Storage
Registration Request
Caller Token Binding Id
RelyingParty Finish
Registration
Credential Repository
addRegistration
Registration Result
Successful Registration
Result
Performs registration validation steps
Returned to client
Get by id and
invalidate
![Page 42: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/42.jpg)
42 © 2
019 Y
ubic
o
Registration Recap
1. Client calls startRegistration() endpoint ○ With userName, displayName, and credentialNickname args
2. Relying Party generates RegistrationRequest ○ With userName, credentialNickname, and PublicKeyCredentialCreationOptions
3. Client calls navigator.credentials.create() ○ With data from the RegistrationRequest
4. Client calls finishRegistration() endpoint ○ With authenticatorAttestationResponse JSONObject
5. Relying Party verifies attestation signature ○ After validation, add user and associated credential to the credential repository
Note ○ Unexpected behavior can occur after 20 credentials registered
![Page 43: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/43.jpg)
43 © 2
019 Y
ubic
o
Start Registration Method
rp.startRegistration(
StartRegistrationOptions.builder()
.user(user)
.authenticatorSelection(Optional.of(AuthenticatorSelectionCriteria.builder()
.requireResidentKey(requireResidentKey)
.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM) // Default
to roaming security keys (CROSS_PLATFORM). Comment out this line to enable either PLATFORM
or CROSS_PLATFORM authenticators
.build()
))
.build()
)
WebAuthnServer.java
![Page 44: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/44.jpg)
44 © 2
019 Y
ubic
o
JSON Rendering
@Bean
public ObjectMapper objectMapper() {
ObjectMapper mapper = new ObjectMapper();
mapper.registerModule(new Jdk8Module());
mapper.setVisibility(PropertyAccessor.FIELD, Visibility.ANY);
mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
mapper.setSerializationInclusion(Include.NON_NULL);
mapper.setSerializationInclusion(Include.NON_ABSENT);
return mapper;
}
"publicKeyCredentialCreationOptions":{
"rp":{
"id":"localhost"
},
"user":{
"name":"user",
"id":"sYr36b..."
},
"challenge":"BD0n...",
"pubKeyCredParams":[
{"alg":-7,
"Type":"public-key"}],
"excludeCredentials":[],
"authenticatorSelection":{
"authenticatorAttachment":"cross-platform",
"requireResidentKey":true,
"userVerification":"preferred"
},
"attestation":"direct",
"extensions":{}
}
WebAuthnServer.java
![Page 45: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/45.jpg)
45 © 2
019 Y
ubic
o
Registration REST Endpoints
class WebAuthnController {
...
@PostMapping("/register")
ResponseEntity<RegistrationRequest> startRegistration(...) {
Either<String, RegistrationRequest> result = webAuthnServer.startRegistration(username,
displayName, credentialNickname, requireResidentKey);
return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
}
@PostMapping("/register/finish")
ResponseEntity<WebAuthnServer.SuccessfulRegistrationResult> finishRegistration(...) {
Either<List<String>, WebAuthnServer.SuccessfulRegistrationResult> result =
webAuthnServer.finishRegistration(responseJson);
return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
}
}
WebAuthnController.java
![Page 46: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/46.jpg)
46 © 2
019 Y
ubic
o
Enable registration on UI
function register() {
return fetch('/register', {
...
username, displayName, credentialNickname, requireResidentKey,
...
})
.then(response => response.json())
.then(function(request) {
return webauthn.createCredential(request.publicKeyCredentialCreationOptions)
.then(webauthn.responseToObject)
.then(function (publicKeyCredential) {
return submitResponse('/register/finish', request.requestId, publicKeyCredential);
...
}
account.html
![Page 47: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/47.jpg)
47 © 2
019 Y
ubic
o
Enable Registration on UI
<h2 class="section-header">Register a Security Key</h2>
<label class="input-group">
<input type="text" id="inputNickname">
<span>Nickname</span>
</label>
<button onclick="register()">Register</button>
<p id="status"></p>
<div id="takeAction">
<p>Please insert and take action on the security key.</p>
<div class="loader-container" role="status">
<svg class="loader" viewBox="22 22 44 44"><circle class="loader-circle" cx="44" cy="44" r="20.2"
fill="none" stroke-width="3.6"></circle></svg>
</div>
</div>
account.html
![Page 48: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/48.jpg)
48 © 2
019 Y
ubic
o
Register a Security Key
![Page 49: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/49.jpg)
49 © 2
018 Y
ubic
o
© 2018 Yubico
Module 4 Authentication
Walkthrough
![Page 50: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/50.jpg)
50 © 2
019 Y
ubic
o
Module 4 Overview
1. Expose Authentication REST Endpoints 1. Add start and finish authentication endpoints
2. Given successful WebAuthn authentication, manually authenticate user in Spring
Security
2. Update UI to Enable Passwordless Authentication 1. Add JavaScript methods to call authentication REST endpoints
2. Add UI components to enable passwordless authentication
![Page 51: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/51.jpg)
51 © 2
019 Y
ubic
o
4_Authentication/TLDR.md
cd java-webauthn-passwordless-workshop/2_Registration/complete
mvn clean package spring-boot:run
or
docker build -t example/demo:module4 .
docker run -p 8443:8443 example/demo:module4
https://localhost:8443
Sign In: user / password, Register: Register security key, Sign
out, Passwordless sign in
![Page 52: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/52.jpg)
https://www.w3.org/TR/webauthn/#fig-authentication
Authentication Flow
Source: www.w3.org/TR/webauthn/#fig-authentication
![Page 53: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/53.jpg)
53 © 2
019 Y
ubic
o
challenge: contains challenge that the authenticator signs as part of the
authentication assertion
rpId: relying party identifier claimed by the caller
allowCredentials: list of public key credentials acceptable to the caller, can
be omitted for username-less authentication. type: only one type: “public-
key”. id: credential Id of the public key credentials
userVerification: the default is “preferred”. Can also be set to “required” or
“discouraged”
Public Key Credential Request Options
![Page 54: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/54.jpg)
© 2
018 Y
ubic
o
Authentication Sequence First factor mode
Client Relying Party
id, rpId, challenge
id, hash(rpId), s, clientData, userHandle
Find user with id or userHandle Check id Check s using kpub
Verify origin Verify challenge
Authenticator
signature(hash(rpId) || c, kpriv)
Validate rpId against origin
hash(challenge, origin)
clientData
id, rpId, c
Retrieve kpriv for rpId Sign c after User Presence/ Verification
id, hash(rpId), s, userHandle
![Page 55: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/55.jpg)
55 © 2
019 Y
ubic
o
Start Authentication Diagram
username REST API Start Authentication
Challenge Generator
Assertion Request
challenge
username
RelyingParty Start
Assertion Credential Repository
username
Extensions
PublicKeyCredentialRequestOptions
Assertion Request Storage
return AssertionRequest to
client as JSON
Get credentials by username
![Page 56: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/56.jpg)
56 © 2
019 Y
ubic
o
Client - Get Credential Response
“authData”: ... “clientDataJSON”: ... “signature”: ...
Authenticator Assertion Response
RP ID Hash Flags Counter Extensions
Authenticator Data
ED AT: 0 UV UP: 1
“userHandle”: ...
![Page 57: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/57.jpg)
57 © 2
019 Y
ubic
o
Finish Authentication Diagram
JSON response
REST API Finish Authentication
Successful Authentication
Result
Assertion Response
Assertion Request
Caller Token Binding Id
RelyingParty Finish
Assertion
Credential Repository Update
signature count
Assertion Result
Performs authentication validation steps
Returned to client
Get by id and
invalidate Assertion Request Storage
Credential Repository
Get credentials by userHandle
![Page 58: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/58.jpg)
58 © 2
019 Y
ubic
o
Authentication Recap
1. Client calls startAuthentication() endpoint ○ With (or without) userName
2. Relying Party generates AssertionRequest ○ With userName, and PublicKeyCredentialRequestOptions
3. Client calls navigator.credentials.get() ○ With data from the AssertionRequest
4. Client calls finishAuthentication() endpoint ○ With authenticatorAssertionResponse JSONObject
5. Relying Party verifies signature ○ After validation, authentication is successful
![Page 59: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/59.jpg)
59 © 2
019 Y
ubic
o
Authentication REST Endpoints
@PostMapping("/authenticate")
public ResponseEntity<AssertionRequestWrapper> startAuthentication(@RequestParam("username")
Optional<String> username) {
Either<List<String>, AssertionRequestWrapper> result = webAuthnServer.startAuthentication(username);
return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
}
@PostMapping("/authenticate/finish")
public ResponseEntity<WebAuthnServer.SuccessfulAuthenticationResult> finishAuthentication(
@RequestBody String responseJson) {
Either<List<String>, WebAuthnServer.SuccessfulAuthenticationResult> result = webAuthnServer
.finishAuthentication(responseJson);
if (result.isRight()) {
// Manually authenticate user
...
WebAuthnController.java
![Page 60: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/60.jpg)
60 © 2
019 Y
ubic
o
Manually Authenticate
if (result.isRight()) {
// Manually authenticate user
String username =
result.right().get().getRegistrations().iterator().next().getUserIdentity().getName();
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
UserDetails u = userDetailsService.loadUserByUsername(username);
Authentication newAuth = new UsernamePasswordAuthenticationToken(u, auth.getCredentials(),
u.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(newAuth);
return ResponseEntity.status(HttpStatus.OK).body(result.right().get());
} else {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, result.left().get().toString());
}
WebAuthnController.java
![Page 61: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/61.jpg)
61 © 2
019 Y
ubic
o
Call Authenticate Endpoints
function authenticate() {
return fetch('/authenticate', {
...
})
.then(response => response.json())
.then(function (request) {
return webauthn.getAssertion(request.publicKeyCredentialRequestOptions)
.then(webauthn.responseToObject)
.then(function (publicKeyCredential) {
return submitResponse('/authenticate/finish', request.requestId,
publicKeyCredential);
})
...
}
}
login.html
![Page 62: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/62.jpg)
62 © 2
019 Y
ubic
o
Passwordless Sign In UI
<h2 class="form-signin-heading">Passwordless sign in</h2>
<p>Sign in with your previously registered security key</p>
<p id="status"></p>
<p><button onclick="authenticate()">Passwordless Sign in</button><br />
login.html
![Page 63: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/63.jpg)
63 © 2
019 Y
ubic
o
Passwordless Sign In!
![Page 64: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/64.jpg)
64 © 2
019 Y
ubic
o
Usernameless Passwordless Sign In!
![Page 65: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/65.jpg)
65 © 2
018 Y
ubic
o
© 2018 Yubico
Best Practices
![Page 66: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/66.jpg)
66 © 2
019 Y
ubic
o
Best Practices
● Store the verbatim attestation object ○ Enables future re-evaluation of trust
● Allow registering more than one credential per account ○ Consider allowing credential nicknames
○ Unexpected behavior may occur when greater than 20 credentials registered
● Weigh pros vs cons of requiring attestation ○ Pros:
‒ Higher assurance
○ Cons:
‒ Maintenance for attestation trust store
‒ Compatibility issues for unknown/new authenticators (not in attestation trust
store)
● Security and Privacy Considerations ○ W3C WebAuthn spec https://www.w3.org/TR/webauthn/#security-considerations
![Page 67: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/67.jpg)
67 © 2
019 Y
ubic
o
Recap
● Plan your passwordless migration strategy across the account
lifecycle
● Anchor resident credentials on security keys to enable roaming
passwordless authentication scenarios
● Record attestation and build a chain of trust
● Allow users to register multiple credentials
● WebAuthn libraries can jumpstart your journey to passwordless
(eg. Yubico Java Webauthn Server libraries)
![Page 68: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/68.jpg)
68 © 2
019 Y
ubic
o
Resources
● Workshop ○ https://github.com/YubicoLabs/java-webauthn-passwordless-workshop
● FIDO2/WebAuthn Developer Guide ○ https://developers.yubico.com/FIDO2/FIDO2_WebAuthn_Developer_Guide/
● Java WebAuthn Server ○ https://github.com/Yubico/java-webauthn-server
● Yubico Developer Videos ○ https://www.yubico.com/why-yubico/for-developers/developer-videos/
● W3C Web Authentication API ○ https://www.w3.org/TR/webauthn
● FIDO Client to Authenticator Protocol V 2.0 ○ https://fidoalliance.org/specifications/download/
![Page 69: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/69.jpg)
69 © 2
019 Y
ubic
o
yubi.co/devs
Workshops, Webinars, Documentation,
Implementation Guides, Reference Code,
APIs, SDKs
Yubico Developer Program
![Page 70: Securing a Web App with Passwordless Web Authentication · cornerstone for building a secure identity model A hardware-backed root of trust strengthens the account lifecycle Authentication,](https://reader034.fdocuments.in/reader034/viewer/2022042104/5e8186819651c532e01d4de5/html5/thumbnails/70.jpg)
70 © 2
019 Y
ubic
o
© 2019 Yubico