-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add webauthn blogs #139
Add webauthn blogs #139
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,156 @@ | ||
--- | ||
date: 2024-01-05 | ||
title: "Path to Passwordless" | ||
linkTitle: "Path to Passwordless" | ||
description: "Passwordless user authentication is the new black. If your web application still uses password-based authentication, it is worthwhile to familiarize yourself with this new technology. Luckily, one can already choose a variety of proprietary and open-source tooling for experimenting hands-on and even implementing production-ready solutions." | ||
author: Laura Vuorenoja | ||
resources: | ||
- src: "**.{png,jpg}" | ||
title: "Image #:counter" | ||
--- | ||
|
||
Passkeys and security keys have gained more and more popularity lately, and no wonder – they provide | ||
much more security and usability than passwords. These authentication methods utilize strong and | ||
phishing-resistant public key credentials that the keys or authenticators, as we call them, | ||
can create automatically. However, implementing passwordless support in your web application, | ||
or even replacing passwords altogether, might initially seem overwhelming. | ||
|
||
## FIDO2 and WebAuthn Standards Ease the Job | ||
|
||
Integrating the authenticators into your web application happens through common standards | ||
created by [the FIDO alliance](https://fidoalliance.org/). It is good news for us | ||
application developers: we don't have to care about the dirty details of each | ||
authenticator implementation. Our job is to take into use the platform or browser APIs | ||
that enable the creation and use of the authenticator-managed credential. | ||
The operating system or browser handles needed user interaction and shows standard dialogs when appropriate. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does the operation system offer a FIDO2 API? This is something I found; it directs the terminology towards the passkey. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this refers to the same question as "the platform WebAuthn API" in the picture above. Lets discuss online. |
||
|
||
{{< imgproc cover Fit "825x825" >}} | ||
<em>The team implements passwordless support by integrating credential handling into | ||
the client application and the backend authentication service. Client applications | ||
can use the platform capabilities through the native APIs or browser JavaScript implementation. | ||
The backend service must support at least credential registration and credential-based user authentication. | ||
</em> | ||
{{< /imgproc >}} | ||
|
||
Furthermore, we need to have a backend service in place that is capable of storing and verifying | ||
these credentials so that the authentication can take place correctly. The service must support | ||
[the W3C WebAuthn standard](https://www.w3.org/TR/webauthn/) so that the backend | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I continue with the same subject: if the FIDO2 server supports only WebAuthn endpoints, connections from native apps aren't as simple as they first seemed to be -- as we know. Maybe that should be covered in the blog. That would lead to UAF. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As far as I know, the native apps can use the same endpoints - at least this is how it worked with the Flutter app. I think sending and receiving data from the endpoint is not part of the API - that is left to the app developer, similarly as with the web application. |
||
API responses are compatible with the client-side authenticator logic. | ||
The backend service is called quite often as a FIDO2 server. | ||
|
||
## To Buy or To Build? | ||
|
||
Choosing one of many authentication service providers may be the most straightforward path on your | ||
passwordless journey. A service provider typically gives you access to a backend as | ||
a SaaS or a product you host yourself. The backend has the above capabilities to store and verify | ||
your users' public keys. In addition to backend functionality, the service providers offer | ||
custom client libraries that enable you to add matching authenticator support to your application, | ||
whether a web or a native application. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. And I continue: what are the client libraries for native apps? What are the standards these libraries use, or are they lacking? What can we wait for in the future? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. At least the libraries mentioned for iOS and Android are using the WebAuthn standards. For instance, with iOS the passkeys and security keys has dedicated APIs but the security key API at least looks similar (haven't tried it out though 😄 ) |
||
|
||
{{< imgproc platform Fit "825x825" >}} | ||
<em>Platform and browser handle the user interaction dialogs when using authenticators.</em> | ||
{{< /imgproc >}} | ||
|
||
Another option is to implement the WebAuthn support yourself. Some excellent [open-source libraries](https://github.com/herrjemand/awesome-webauthn) | ||
already exist that ease the development of your backend service's functionality for | ||
public key handling. [Browser support for WebAuthn capabilities](https://caniuse.com/webauthn) is | ||
rather good, and the integration to the web application is straightforward | ||
once the backend is in place. One can utilize dedicated | ||
client libraries for native applications (for example, | ||
[iOS](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication), | ||
[Android](https://developer.android.com/training/sign-in/passkeys), and | ||
[Windows](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthn-apis)). | ||
|
||
## Example of Getting Hands Dirty | ||
|
||
In our OSS decentralized identity agency project, we implemented WebAuthn logic ourselves. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We could reference this section of our earlier blog post. |
||
We created the authentication functionality in our backend server and web application. | ||
The core functionality consists of two features: registering a new user and authenticating | ||
an existing user (and returning an access token after a successful authentication). Of course, | ||
an end-product would have more features, e.g., for adding and removing authenticators | ||
but starting with the core features is the simplest. | ||
|
||
We wrote the authentication server in Go. | ||
It utilizes [`go-webauthn`](https://github.com/go-webauthn/webauthn) library. | ||
Both of the core features need two API endpoints. | ||
On the client side, we use | ||
the [navigator credentials JavaScript API](https://w3c.github.io/webappsec-credential-management/#framework-credential-management) | ||
in a React application. | ||
|
||
The following sequence graphs demonstrate how the logic flows in more detail | ||
and describe the needed functionality at a high level. | ||
|
||
### User Registration | ||
|
||
The first core feature is user registration. The user creates a new public-private key pair. | ||
The authenticator saves the private key to its secure storage, | ||
and the application sends the public key to the service backend. | ||
|
||
```mermaid | ||
sequenceDiagram | ||
autonumber | ||
participant Client | ||
participant Server | ||
Client->>Server: Request for credential creation options.<br/>/attestation/options | ||
Server-->>Client: Return credential creation options. | ||
Note left of Client: Create credential with received options.<br/>navigator.credentials.create | ||
Client->>Server: Send client data and public key to server.<br/>/attestation/result | ||
Note right of Server: Validate data. <br/> Store the public key and the credential id, </br> and attach to user. | ||
Server-->>Client: Registration OK! | ||
``` | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I suggest adding some text here. It doesn't seem very easy to read the sequence diagrams when they are together. The first time, I thought they were one large scenario. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, I am doubting if those diagrams are needed at all, but would like to describe somehow in more details, what exactly needs to be done if one wishes to implement this from scratch 🤔 |
||
*** | ||
|
||
### User Authentication | ||
|
||
Another core feature is user authentication. | ||
The user creates a signature utilizing the authenticator-provided private key. | ||
The service backend verifies the signature using the stored public key and | ||
provides access if the signature is valid. | ||
|
||
```mermaid | ||
sequenceDiagram | ||
autonumber | ||
participant Client | ||
participant Server | ||
Client->>Server: Request for credential request options.<br/>/assertion/options | ||
Server-->>Client: Return credential request options. | ||
Note left of Client: Get credential with received options. <br/> Create signature with the private key.<br/>navigator.credentials.get | ||
Client->>Server: Send assertion to server.<br/>/assertion/result | ||
Note right of Server: Validate data and verify signature. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These are good, but if the blog wants to boost FIDO2 here, we could mention authenticator cloning checks, user prense, etc. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, a good idea, but I don't want to go too deep into the technology pros and cons. That should/could be a topic of its own. |
||
Server-->>Client: Return access token. | ||
``` | ||
|
||
*** | ||
|
||
For more information on how and which data is handled, see, for example, [the WebAuthn guide](https://webauthn.guide/#webauthn-api). | ||
You can also find our [client application source codes](https://github.com/findy-network/findy-wallet-pwa/blob/master/src/components/WebauthnLogin.tsx) | ||
and [the authentication service implementation](https://github.com/findy-network/findy-agent-auth/blob/master/main.go) | ||
on GitHub. You can also read more about how our project has utilized FIDO2 from | ||
[this blog post](https://findy-network.github.io/blog/2021/11/09/anchoring-chains-of-trust/). | ||
|
||
As the example above shows, implementing a passwordless is not impossible. | ||
However, as with any new technology, it takes time and dedication from the team | ||
to familiarize themselves with the new logic and concepts. In addition, | ||
as there are strict security requirements, testing the authentication flows | ||
in a local development environment might be challenging at times, as the client and server | ||
need to belong to the same domain. The local testing environment is something that the team | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ... domain, or even more difficult, the plain HTTP works only for the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, and iOS brings yet another bunch of limitations: you need to have the associated domain. |
||
should resolve and enable together already early in the project so that it will not become a bottleneck. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should this chapter be split into a tips list? |
||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I mentioned the architecture 'thing' earlier. As far as I understand web apps, I have always thought pros should handle authentication. That leads to preferring federated authentication or OIDC, at least. What kind of implications could the security (end decentralization) passkey have? Storing just public keys is far better than storing password hashes. I just wanted to let you know that I leave it to you to think if you want to bring these things to the blog or if they are even relevant. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, it would be good to sum the technology pros but I am thinking this post already the next step: the reader has heard about this new passwordless technology, has understood the benefits and now wants to take it into use. It is true that many apps do and should do the authentication in the way you mentioned, but in many applications the first implemented authentication method is username+password. Also, I think that it would be good to play around with this tech just to undestand the basics better. Good comments, and they make me start to wonder if I should publish this at all 😄 |
||
## Not All Things Are Standardized | ||
|
||
One might still find using an external authentication service provider a safer bet. Especially when | ||
there is a need to support a variety of native devices, it may be tempting to pay someone to deal | ||
with the device-specific problems. However, in this case, there is one essential thing to notice. | ||
|
||
Usually, the service provider solutions are proprietary. It means that the interaction between | ||
the client application and the backend API happens in a manner defined by the service provider. | ||
Even though the WebAuthn requests and responses are standardized, the payload wrapper structures | ||
and API endpoint paths depend on the implementation. | ||
There exists [a FIDO recommendation](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#transport-binding-profile) | ||
on how the server API should look like, but it is a mere recommendation and | ||
not all service providers follow this guidance. Therefore, you cannot mix and match client | ||
and server implementations but will likely end up in a vendor lock when choosing a proprietary solution. | ||
|
||
*The path to passwordless is a journey that all web application developers will eventually travel. | ||
Will your team take the steps sooner rather than later?* |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
date: 2024-01-09 | ||
title: "Passwordless Flutter App" | ||
linkTitle: "Passwordless Flutter App" | ||
draft: true | ||
description: "" | ||
author: Laura Vuorenoja | ||
resources: | ||
- src: "**.{png,jpg}" | ||
title: "Image #:counter" | ||
--- | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
date: 2024-01-10 | ||
title: "Automation Testing for WebAuthn Flows" | ||
linkTitle: "Automation Testing for WebAuthn Flows" | ||
draft: true | ||
description: "" | ||
author: Laura Vuorenoja | ||
resources: | ||
- src: "**.{png,jpg}" | ||
title: "Image #:counter" | ||
--- | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's a point of view about the last sentence: authentication should have always been a separate 'thing' or a service from the actual web app. If it's not, something has been wrong for a long time. Should it be as 'simple' as changing the authentication service? Is this especially not true with OIDC?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Overwhelming" term refers to the fact that if the passwordless technology is unfamiliar, and you have implemented an existing application with traditional username-password-based authentication, it might seem quite a big job to undertake implementing new routines for the credential handling, both in front-end and back-end side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Overwhelming" term refers to the fact that if the passwordless technology is unfamiliar, and you have implemented an existing application with traditional username-password-based authentication, it might seem quite a big job to undertake implementing new routines for the credential handling, both in front-end and back-end side.