Web Authn Der Standard für passwortlose Authentifizierung
Jochen Christ [email protected] @jochen_christ
Photo by William Iven on Unsplash Hi, I'm Jochen
Jochen Christ Senior Consultant at INNOQ Deutschland GmbH
! Java Technologies " Usable Security # Remote Mob Programming remotemobprogramming.org Problem #1 How to take over accounts
1. Phishing 2. Data Breaches 3. Weak Passwords and Hashes 4. Credentials Stuffing
Username Password [email protected] helloworld [email protected] asdfasdf1! [email protected] mathew2014 [email protected] helloworld Username Hash = SHA1(password)
[email protected] 6adfb183a4a2c94a2f92dab5ade762a47889a5a1
[email protected] 859745a0891bf1e76b41cb9c92c86cec7885b958
[email protected] 2e87bdcf8912903a616696e6e6cd39343a9194eb
[email protected] 6adfb183a4a2c94a2f92dab5ade762a47889a5a1 Username Salt Hash = SHA1 (password + salt)
[email protected] GQFyn7bzoU 392e4fe53c37b53e11c281041483726e83b23139
[email protected] 4AxQUoOSFa a476e64459289f5f32840c3790b98d15a4fea0e7
[email protected] Sqt3dBR2nG fd03b4563ea9479800b90828eddf96a66344ef2c
[email protected] qmASNAADui f2897f1996876c1d4724156e27c04881ba53f158
Credential stuffing is the automated injection of breached username/ password pairs in order to fraudulently gain access to user accounts.
This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
Severity: Credential stuffing is one of the most common techniques used to take-over user accounts.
https://www.owasp.org/index.php/Credential_stuffing Credential Stuffing Defense Options
1. Multi-Factor Authentication 2. Multi-Step Login Process 3. IP blacklists 4. Device Fingerprinting 5. Disallow Email Addresses as User IDs Problem #2
TOTP Username Salt Hash = SHA1 (password + salt) Shared Secret$ jochen.christ@innoq. GQFyn7bzoU 392e4fe53c37b53e11c281041483726e83b23139 cQKbEOyYoU com
[email protected] 4AxQUoOSFa a476e64459289f5f32840c3790b98d15a4fea0e7 BCcpRkNuJa
[email protected] Sqt3dBR2nG fd03b4563ea9479800b90828eddf96a66344ef2c XPkduwdg5r m maria- qmASNAADui f2897f1996876c1d4724156e27c04881ba53f158 XFr0iyfO9e [email protected] WebAuthn WebAuthn
• specifies a JavaScript API • for strong authentication with public key cryptography • with access to local authenticators • implemented by most browsers Caption hier einfügen
What is FIDO?
• Founded 2012 to develop industry-wide specifications to enhance authentication experience and security • Alibaba, Google, Microsoft, Mozilla, Samsung, BSI
• FIDO U2F -> Second Factor Protocol -> Some used • FIDO UAF -> Password Free Protocol -> Not used • FIDO2 -> W3C WebAuthn Protocol + CTAP2 Demo
• https://webauthn.io/
Use Cases
• Password + 2FA • Biometric Reauthentication • Authentication without a password Authenticators
• Generate and store Private/Public Key Pairs (Hardware Security Model, Secure Element) • Have an interface for interaction (e. g. button) to signal user consent Photo by https://www.yubico.com/ Photo by https://www.microsoft.com/en-us/windows/windows-hello Photo by https://www.apple.com/newsroom/ Components
Authenticator Browser Relying Party
Build-In or external Browser communicates Web Application with cryptographic device with Authenticator via client (JS) and server to create public key JavaScript API part credentials
Chrome, Firefox, ... mywebsite.com Yubikey, Touch ID, ... Registration Flow Registration
Authenticator Browser Relying Party
Open Website to register a new user. 1 2FA activation after traditional auth. Registration
Authenticator Browser Relying Party
Create and assign a Challenge and 2 User-ID (Random Byte-Arrays) to current user. Registration
Authenticator Browser Relying Party
Call JavaScript 3 navigator.credentials.create() with Challenge for Relying Party Options to create public key credentials challenge: Server generated random byte array. Prevents replay attacks. let credential = await navigator.credentials.create({ "publicKey": { rp: Relying party. Name of the "challenge": [234, 158, 3, /*...*/], "rp": { application. "name": "demo-app" }, "user": { user: The name is the entered user alias. "id": [177, 150, 217, /*...*/], The id represents unique ID to associate "name": "[email protected]" }, the user to a credential. "attestation": "indirect", "pubKeyCredParams": [{ attestation: The requested information "type": "public-key", "alg": -7 about the authenticator device. }] } }); publicKeyCredParams: Defines the algorithm to use. -7 refers to Elliptic Curve with SHA-256 Registration
Authenticator Browser Relying Party
User touches authenticator to signal 4 consent Registration
Authenticator Browser Relying Party
User touches authenticator to signal 4 consent Registration
Authenticator Browser Relying Party
5 Send attestation to server. Attestation let credential = await navigator.credentials.create(options); console.log(credential); id: The Credential ID. Base64 encoded. PublicKeyCredential { id: 'Y3JlZGVudGlhbElk', rawId: The Credential ID. As byte array. rawId: ArrayBuffer(59), response: AuthenticatorAttestationResponse { clientDataJSON: The data sent to the clientDataJSON: ArrayBuffer(121), attestationObject: ArrayBuffer(306), authenticator. JSON as byte array. }, type: 'public-key' attestationObject: The generated } public key, authenticator information and other meta data. CBOR encoded byte array. ClientDataJSON
{ "challenge": "iyEtF0CMnjwlPse9zMtFT048rP8", "origin": "http://localhost:8080", "type": "webauthn.create" } attestationObject Registration
Authenticator Browser Relying Party
Assign attestation to current user and 6 save to database. Authentication Flow Authentication
Authenticator Browser Relying Party
Open Website and enter your 1 username. Click Login. Authentication
Authenticator Browser Relying Party
Lookup the credentialId for this user. 2 Generate a challenge. Authentication
Authenticator Browser Relying Party
Call JavaScript 3 navigator.credentials.get() with Challenge Options to get assertions let assertion = await navigator.credentials.get({ challenge: Server generated random publicKey: { byte array. Used to validate signature. challenge: [2, 99, 121, /*...*/], rpId: "mydemoserver.com", rp: Relying party. Part of Domain Name. allowCredentials: [{ id: [177, 150, 217, /*...*/], type: "public-key" allowCredentials: The ID(s) of the }], registered credentials. timeout: 60000 } }); timeout: Max time in milliseconds to wait for user consent. Authentication
Authenticator Browser Relying Party
User touches authenticator to signal 4 consent Authentication
Authenticator Browser Relying Party
User touches authenticator to signal 4 consent Authentication
Authenticator Browser Relying Party
5 Send attestation to server. Assertion id: The Credential ID. Base64 encoded. rawId: The Credential ID. As byte array. let assertion = await navigator.credentials.get({options}); console.log(assertion); authenticatorData: Information about the PublicKeyCredential { id: 'Y3JlZGVudGlhbElk', authenticator. rawId: ArrayBuffer(50), response: AuthenticatorAssertionResponse { clientDataJSON: The data sent to the authenticatorData: ArrayBuffer(200), authenticator. JSON as byte array. clientDataJSON: ArrayBuffer(120), signature: ArrayBuffer(80), userHandle: ArrayBuffer(10) signature: Signature generated with the }, private key associated to the credential ID. type: 'public-key' This signature must be validated on the server } with the saved public key. userHandle: The user.id, that was specified during registration. Authentication
Authenticator Browser Relying Party
Verify signature with stored public key 6 for this user. User is logged in. Scoping
• Credentials are scoped for a Relying Party • Relying Party is identified by its domain name
% Privacy & No SSO for the web Attestation Types
• Attestation contains data about the authenticator (device) that created the public key • Attestation data can be used to track users. • RP can state an AttestationConveyancePreference • none -> No authenticator data required • indirect -> Authenticator data may be anonymised • direct -> Authenticator data is requested
https://w3c.github.io/webauthn/#sec-attestation-privacy
Use Cases
• Password + 2FA • Reauthentication • Passwordless Authentication Knowledge Possession Inherence
• PINs • Smartcard • Fingerprint • Passwords • USB-Token • Voice • Security Questions • TAN-List • Iris • Gestures • Mobile Phone • Face • Private URLs • Key • Skin Color • Current Account Balance • Birthmark • Place of a hidden item • Tattoo • Key strike sequences Is it a good 2FA Solution?
• Uses PKI • Private Key never leaves Authenticator • Built-in Authenticators (Touch ID) are supported • Authenticators with biometrics • Official W3C Specification • -> One of the most secure and most convenient 2FA solutions Excursus Magic Links
Summary Benefits
• Common standard, widely implemented • Royalty free • Resistent to data breaches and credentials stuffing • Support for Passwordless authentication Challenges
• Mobile Browser Support • Limited Multi-Device support • Reset (Authenticator is lost) • Your Customers' habits Web Authn Der Standard für passwortlose Authentifizierung
Jochen Christ [email protected] @jochen_christ
Photo by William Iven on Unsplash Resources
• https://www.w3.org/TR/webauthn-1/ • https://github.com/webauthn4j/webauthn4j • https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/ All-about-FIDO2-CTAP2-and-WebAuthn/ba-p/288910 • https://webauthn.io/ (by Duo Security) • https://webauthn.guide/ (by Duo Security) • https://webauthn.me/ (by Auth0)