Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add webauthn blogs #139

Merged
merged 5 commits into from
Jan 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
156 changes: 156 additions & 0 deletions content/en/blog/basics-for-passwordless/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
---
date: 2024-01-05
title: "Path to Passwordless"
linkTitle: "Path to Passwordless"
description: "Passwordless user authentication is the new black. If your web application still uses password-based authentication, it is worthwhile to familiarize yourself with this new technology. Luckily, one can already choose a variety of proprietary and open-source tooling for experimenting hands-on and even implementing production-ready solutions."
author: Laura Vuorenoja
resources:
- src: "**.{png,jpg}"
title: "Image #:counter"
---

Passkeys and security keys have gained more and more popularity lately, and no wonder – they provide
much more security and usability than passwords. These authentication methods utilize strong and
phishing-resistant public key credentials that the keys or authenticators, as we call them,
can create automatically. However, implementing passwordless support in your web application,
or even replacing passwords altogether, might initially seem overwhelming.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's a point of view about the last sentence: authentication should have always been a separate 'thing' or a service from the actual web app. If it's not, something has been wrong for a long time. Should it be as 'simple' as changing the authentication service? Is this especially not true with OIDC?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Overwhelming" term refers to the fact that if the passwordless technology is unfamiliar, and you have implemented an existing application with traditional username-password-based authentication, it might seem quite a big job to undertake implementing new routines for the credential handling, both in front-end and back-end side.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Overwhelming" term refers to the fact that if the passwordless technology is unfamiliar, and you have implemented an existing application with traditional username-password-based authentication, it might seem quite a big job to undertake implementing new routines for the credential handling, both in front-end and back-end side.


## FIDO2 and WebAuthn Standards Ease the Job

Integrating the authenticators into your web application happens through common standards
created by [the FIDO alliance](https://fidoalliance.org/). It is good news for us
application developers: we don't have to care about the dirty details of each
authenticator implementation. Our job is to take into use the platform or browser APIs
that enable the creation and use of the authenticator-managed credential.
The operating system or browser handles needed user interaction and shows standard dialogs when appropriate.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the operation system offer a FIDO2 API? This is something I found; it directs the terminology towards the passkey.

https://support.yubico.com/hc/en-us/articles/360016615020-Operating-system-and-web-browser-support-for-FIDO2-and-U2F

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this refers to the same question as "the platform WebAuthn API" in the picture above. Lets discuss online.


{{< imgproc cover Fit "825x825" >}}
<em>The team implements passwordless support by integrating credential handling into
the client application and the backend authentication service. Client applications
can use the platform capabilities through the native APIs or browser JavaScript implementation.
The backend service must support at least credential registration and credential-based user authentication.
</em>
{{< /imgproc >}}

Furthermore, we need to have a backend service in place that is capable of storing and verifying
these credentials so that the authentication can take place correctly. The service must support
[the W3C WebAuthn standard](https://www.w3.org/TR/webauthn/) so that the backend
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I continue with the same subject: if the FIDO2 server supports only WebAuthn endpoints, connections from native apps aren't as simple as they first seemed to be -- as we know. Maybe that should be covered in the blog. That would lead to UAF.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I know, the native apps can use the same endpoints - at least this is how it worked with the Flutter app. I think sending and receiving data from the endpoint is not part of the API - that is left to the app developer, similarly as with the web application.

API responses are compatible with the client-side authenticator logic.
The backend service is called quite often as a FIDO2 server.

## To Buy or To Build?

Choosing one of many authentication service providers may be the most straightforward path on your
passwordless journey. A service provider typically gives you access to a backend as
a SaaS or a product you host yourself. The backend has the above capabilities to store and verify
your users' public keys. In addition to backend functionality, the service providers offer
custom client libraries that enable you to add matching authenticator support to your application,
whether a web or a native application.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I continue: what are the client libraries for native apps? What are the standards these libraries use, or are they lacking? What can we wait for in the future?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least the libraries mentioned for iOS and Android are using the WebAuthn standards. For instance, with iOS the passkeys and security keys has dedicated APIs but the security key API at least looks similar (haven't tried it out though 😄 )


{{< imgproc platform Fit "825x825" >}}
<em>Platform and browser handle the user interaction dialogs when using authenticators.</em>
{{< /imgproc >}}

Another option is to implement the WebAuthn support yourself. Some excellent [open-source libraries](https://github.com/herrjemand/awesome-webauthn)
already exist that ease the development of your backend service's functionality for
public key handling. [Browser support for WebAuthn capabilities](https://caniuse.com/webauthn) is
rather good, and the integration to the web application is straightforward
once the backend is in place. One can utilize dedicated
client libraries for native applications (for example,
[iOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication),
[Android](https://developer.android.com/training/sign-in/passkeys), and
[Windows](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthn-apis)).

## Example of Getting Hands Dirty

In our OSS decentralized identity agency project, we implemented WebAuthn logic ourselves.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We created the authentication functionality in our backend server and web application.
The core functionality consists of two features: registering a new user and authenticating
an existing user (and returning an access token after a successful authentication). Of course,
an end-product would have more features, e.g., for adding and removing authenticators
but starting with the core features is the simplest.

We wrote the authentication server in Go.
It utilizes [`go-webauthn`](https://github.com/go-webauthn/webauthn) library.
Both of the core features need two API endpoints.
On the client side, we use
the [navigator credentials JavaScript API](https://w3c.github.io/webappsec-credential-management/#framework-credential-management)
in a React application.

The following sequence graphs demonstrate how the logic flows in more detail
and describe the needed functionality at a high level.

### User Registration

The first core feature is user registration. The user creates a new public-private key pair.
The authenticator saves the private key to its secure storage,
and the application sends the public key to the service backend.

```mermaid
sequenceDiagram
autonumber
participant Client
participant Server
Client->>Server: Request for credential creation options.<br/>/attestation/options
Server-->>Client: Return credential creation options.
Note left of Client: Create credential with received options.<br/>navigator.credentials.create
Client->>Server: Send client data and public key to server.<br/>/attestation/result
Note right of Server: Validate data. <br/> Store the public key and the credential id, </br> and attach to user.
Server-->>Client: Registration OK!
```

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest adding some text here. It doesn't seem very easy to read the sequence diagrams when they are together. The first time, I thought they were one large scenario.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I am doubting if those diagrams are needed at all, but would like to describe somehow in more details, what exactly needs to be done if one wishes to implement this from scratch 🤔

***

### User Authentication

Another core feature is user authentication.
The user creates a signature utilizing the authenticator-provided private key.
The service backend verifies the signature using the stored public key and
provides access if the signature is valid.

```mermaid
sequenceDiagram
autonumber
participant Client
participant Server
Client->>Server: Request for credential request options.<br/>/assertion/options
Server-->>Client: Return credential request options.
Note left of Client: Get credential with received options. <br/> Create signature with the private key.<br/>navigator.credentials.get
Client->>Server: Send assertion to server.<br/>/assertion/result
Note right of Server: Validate data and verify signature.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are good, but if the blog wants to boost FIDO2 here, we could mention authenticator cloning checks, user prense, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, a good idea, but I don't want to go too deep into the technology pros and cons. That should/could be a topic of its own.

Server-->>Client: Return access token.
```

***

For more information on how and which data is handled, see, for example, [the WebAuthn guide](https://webauthn.guide/#webauthn-api).
You can also find our [client application source codes](https://github.com/findy-network/findy-wallet-pwa/blob/master/src/components/WebauthnLogin.tsx)
and [the authentication service implementation](https://github.com/findy-network/findy-agent-auth/blob/master/main.go)
on GitHub. You can also read more about how our project has utilized FIDO2 from
[this blog post](https://findy-network.github.io/blog/2021/11/09/anchoring-chains-of-trust/).

As the example above shows, implementing a passwordless is not impossible.
However, as with any new technology, it takes time and dedication from the team
to familiarize themselves with the new logic and concepts. In addition,
as there are strict security requirements, testing the authentication flows
in a local development environment might be challenging at times, as the client and server
need to belong to the same domain. The local testing environment is something that the team
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... domain, or even more difficult, the plain HTTP works only for the localhost.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, and iOS brings yet another bunch of limitations: you need to have the associated domain.

should resolve and enable together already early in the project so that it will not become a bottleneck.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this chapter be split into a tips list?


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mentioned the architecture 'thing' earlier. As far as I understand web apps, I have always thought pros should handle authentication. That leads to preferring federated authentication or OIDC, at least. What kind of implications could the security (end decentralization) passkey have? Storing just public keys is far better than storing password hashes.

I just wanted to let you know that I leave it to you to think if you want to bring these things to the blog or if they are even relevant.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it would be good to sum the technology pros but I am thinking this post already the next step: the reader has heard about this new passwordless technology, has understood the benefits and now wants to take it into use.

It is true that many apps do and should do the authentication in the way you mentioned, but in many applications the first implemented authentication method is username+password. Also, I think that it would be good to play around with this tech just to undestand the basics better.

Good comments, and they make me start to wonder if I should publish this at all 😄

## Not All Things Are Standardized

One might still find using an external authentication service provider a safer bet. Especially when
there is a need to support a variety of native devices, it may be tempting to pay someone to deal
with the device-specific problems. However, in this case, there is one essential thing to notice.

Usually, the service provider solutions are proprietary. It means that the interaction between
the client application and the backend API happens in a manner defined by the service provider.
Even though the WebAuthn requests and responses are standardized, the payload wrapper structures
and API endpoint paths depend on the implementation.
There exists [a FIDO recommendation](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#transport-binding-profile)
on how the server API should look like, but it is a mere recommendation and
not all service providers follow this guidance. Therefore, you cannot mix and match client
and server implementations but will likely end up in a vendor lock when choosing a proprietary solution.

*The path to passwordless is a journey that all web application developers will eventually travel.
Will your team take the steps sooner rather than later?*
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
12 changes: 12 additions & 0 deletions content/en/blog/passwordless-flutter-app/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
date: 2024-01-09
title: "Passwordless Flutter App"
linkTitle: "Passwordless Flutter App"
draft: true
description: ""
author: Laura Vuorenoja
resources:
- src: "**.{png,jpg}"
title: "Image #:counter"
---

12 changes: 12 additions & 0 deletions content/en/blog/webauthn-testing/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
date: 2024-01-10
title: "Automation Testing for WebAuthn Flows"
linkTitle: "Automation Testing for WebAuthn Flows"
draft: true
description: ""
author: Laura Vuorenoja
resources:
- src: "**.{png,jpg}"
title: "Image #:counter"
---