2. 2
ยฉ2019Yubico
โ Workshop Overview
โ What is passwordless authentication
โ Security Key as the Root of Trust
โ What to expect and what youโll need to get started
โ Overview of Yubicoโs java-webauthn-server architecture
โ Credential repository
โ Registering credentials
โ Authenticating credentials
โ Best practices
โ Start coding!
Agenda
3. 3
ยฉ2019Yubico
โ Strong MFA
โ WebAuthn offers a strong Multi-Factor Authentication framework to
minimize or replace the use of passwords with scoped public key-based
credentials that are resistant to phishing, replay, and server breach attacks.
โ Passwordless Auth enabled by
โ W3C Webauthn + FIDO2 Client to Authenticator Protocol version 2.0
(CTAP2) specs and resident credentials.
โ Resident Credentials
โ Authenticator not only store the private key but also a user handle. The
server can associate the user handle with an identity for authentication.
What is Passwordless Authentication with WebAuthn?
4. 4
ยฉ2019Yubico
Security Keys as Root of Trust
Anchoring FIDO2 / WebAuthn credentials in a root of trust is the
cornerstone for building a secure identity model
โ A hardware-backed root of trust strengthens the account lifecycle
โ Authentication, Step-Up Authentication, Account Recovery, Bootstrapping New
Devices
โ An external authenticator, as the root of trust, is the anchor that
creates a chain of trust with the internal authenticator
โ Recording the authenticator used to register other authenticators creates a chain of
trust that can be audited at a later date
5. 5
ยฉ2019Yubico
Passwordless Migration Strategy
4. Eliminate
Passwords
3. Transition users to
passwordless deployment
2. Minimize use of passwords in user
flows
1. Deploy the WebAuthn / FIDO2 credential
management system across the account lifecycle
6. 6
ยฉ2019Yubico
Learn how to implement passwordless authentication for web apps
using:
โ Yubico WebAuthn Server Libraries
โ Spring Framework
โ Client to Authenticator Protocol Version 2.0 Compatible Browser
โ Resident Credentials
โ FIDO2 Security Key
What to expect from this workshop
7. 7
ยฉ2019Yubico
Some knowledge of:
โ Java
โ Spring Framework
โ JavaScript
โ WebAuthn API
โ Browser with resident credential capability
โ Security Keys
โ YubiKey Manager to reset FIDO credentials after workshop
You need
8. 8
ยฉ2019Yubico
This workshop is split into multiple modules. Each module builds
upon the previous module as you expand the application. You must
complete each module before proceeding to the next.
1. Getting Started Instructions
2. Implement a Credential Repository
3. Implement WebAuthn Registration REST Endpoints
4. Implement WebAuthn Authentication REST Endpoints
5. Clean Up Instructions
Workshop Modules
9. 9
ยฉ2019Yubico
This workshop can either be completed locally or in the cloud.
โ Instructions for running in the Azure Cloud Shell are included. If you already have a
subscription you can use it or you can get a free trial. Azure Cloud Shell has all of the
prerequisites already installed.
โ If you prefer a different cloud development environment, feel free to use it instead.
Prerequisites:
โ Git
โ JDK 1.8+
โ Maven 3.2+
โ FIDO2 compatible platform / browser
โ MacOS: Safari Technology Preview version 71+
โ Windows 10 version 1809+ with Edge
โ Your preferred text editor or IDE
โ A security key
Development Environment
10. 10
ยฉ2019Yubico
โ Enable the Develop Menu
โ Choose Safari > Preferences, and click Advanced.
โ At the bottom of the pane, select the โShow Develop menu in menu barโ
checkbox.
โ Enable Web Authentication Experimental Feature
โ Choose Safari > Develop > Experimental Features
โ Verify โWeb Authenticationโ is checked
โ Private Window
โ Running a web app on https://localhost:8443 may require using new private
window
โ No Security Key PIN Support
โ Security keys with a PIN set may not work with Safari yet.
โ You can reset a security key back to factory default settings with the
YubiKey Manager. Warning: A reset will remove all FIDO credentials.
macOS Safari TP Tips
11. 11
ยฉ2019Yubico
Start by cloning the repository
โ git clone https://github.com/elukewalker/PasswordlessWorkshop
Getting Started
12. 12
ยฉ2019Yubico
WebAuthn Application Architecture
WebAuthn
API in
Browser
Client/Platform
CTAP1
and/or
CTAP2
Server-Side
App
Relying Party
WebAuthn
Server
WebAuthn
Platform
Auth API
Internal
Authenticator
External
Authenticator
User
Store
External
Metadata
Services
Register
and
Authenticate
Client-Side
JS
Attestation
Trust Store
13. 13
ยฉ2019Yubico
WebAuthn Demo Server Data Flow
Browser API Server
app logic
Core librarystartRegistration()
startAuthentication()
PublicKeyCredentialCreationOptions
PublicKeyCredentialRequestOptions
Client side JS
Encode
to JSON
Decode
JSON
navigator.credentials
.create()
.get()
Encode
to JSON
Decode
JSON
finishRegistration()
finishAssertion()
UserIdentity
PublicKeyCredential
RegistrationResult
AssertionResult
Generate
challenge
etc.
Handle
result
Inform
user
Validation
logic
14. 14
ยฉ2019Yubico
Yubico/java-webauthn-server
webauthn-server-core/
โ Entity Data Model
โ Assertion Request
โ Assertion Result
โ Attestation Object
โ Authenticator Response
โ Public Key Credential
โ Public Key Credential Creation
and Request Options
โ Registration Result
โ User Identity
โ Attestation
โ Data Providers
โ Credential Repository
โ Metadata Service
โ Methods
โ Registration
โ Authentication
โ Authenticated Actions
15. 15
ยฉ2019Yubico
WebAuthn Demo Server Architecture
REST API
HTTP/JSON translation
Entities
Registration
Authentication
Registration storage
Persistent state
Entry Points WebAuthn-Server-Core Data Providers
DB
Server layer
Transient state
(stateless)
Metadata lookup DB
External
servicesConfiguration
Constructor parameters
Not included in workshop
17. 17
ยฉ2019Yubico
What you need to provide
โ Storage for requests (temporary)
โ Completely external to the library
โ Library simply returns request objects
โ finish* methods expect them to be passed back in
โ Storage for credentials (persistent)
โ Library requires an adapter object (CredentialRepository)
โ Library only looks credentials up
โ You need to save new registrations to the DB
โ (Optional) Additional authenticator metadata sources
โ In the future, the library will include a FIDO Metadata Service connector
โ Optional module with Yubico device metadata as static files
19. 19
ยฉ2019Yubico
rp: relying party data. name is required. If id is left out then origins effective
domain is used
user: identity data. name, displayName (user friendly), and id
(userHandle) are required
challenge: contains challenge for generating the newly created credentialโs
attestationObject
pubKeyCredParams: desired properties of credential to be created. type:
only one type: โpublic-keyโ. alg: crypto signature algorithm preference
excludeCredentials: limits creation of multiple creds for same account on
a single authenticator. Credential descriptor includes cred type and cred id
authenticatorSelection: specify authenticator requirements. When the
requireResidentKey is true the authenticator must create a client side
resident private key. userVerification can be โpreferredโ, โrequiredโ, or
โdiscouragedโ
attestation: attestation conveyance preference. Default is โnoneโ. โdirectโ
indicates the rp wants to receive the attestation statement. โindirectโ
indicates prefers an attestation statement
Public Key Credential Creation Options
20. 20
ยฉ2019Yubico
Registration Sequence
hash(rpId), id, kpub
, s, Apub
id, clientData,
attestationObject
Verify origin
Verify challenge
Check Apub
trust
Check s using Apub
Register kpub
, id and
userHandle
Generate key
pair (kpriv
, kpub
)
for rpId and
sign c and kpub
after User
Presence/
Veri๏ฌcation
hash(challenge, origin)
clientData
signature(hash(rpId) || id || kpub
|| c, Apriv
)
Validate rpId
against originrpId, c, userHandle
Client Relying PartyAuthenticator
attestationObject
rpId, userHandle, challenge
22. 22
ยฉ2019Yubico
Credential Create Response
โauthDataโ:... โfmtโ:โpackedโ โattStmtโ:...
attestationObject
RP ID Hash Flags Counter Att. Cred Data Extensions
AAGUID L Cred. ID Cred Public Key
Authenticator Data
โalgโ: ... โsigโ: ... โx5cโ: ...
Attestation Statement
โalgโ: ... โsigโ: ... โecdaaKeyIdโ: ...
If Basic or Privacy CA
If ECDAA
Refer to W3C Web Authentication API for more
details on attestation statements
ED AT: 1 UV UP: 1
23. 23
ยฉ2019Yubico
Finish Registration Diagram
JSON
response
REST API
Finish
Registration
Credential
Registration
Registration
Response
Register
Request
Storage
Registration
Request
Caller Token
Binding Id
RelyingParty
Finish
Registration
Credential
Repository
addRegistration
Registration
Result
Successful
Registration
Result
Performs registration
validation steps
Returned to client
Get by id
and
invalidate
24. 24
ยฉ2019Yubico
Registration Recap
1. Client calls startRegistration() endpoint
โ With userName, displayName, and credentialNickname args
2. Relying Party generates RegistrationRequest
โ With userName, credentialNickname, and PublicKeyCredentialCreationOptions
3. Client calls navigator.credentials.create()
โ With data from the RegistrationRequest
4. Client calls finishRegistration() endpoint
โ With authenticatorAttestationResponse JSONObject
5. Relying Party verifies attestation signature
โ After validation, add user and associated credential to the credential repository
26. 26
ยฉ2019Yubico
challenge: contains challenge that the authenticator signs as part of the
authentication assertion
rpId: relying party identifier claimed by the caller
allowCredentials: list of public key credentials acceptable to the caller, can
be omitted for username-less authentication. type: only one type:
โpublic-keyโ. id: credential Id of the public key credentials
userVerification: the default is โpreferredโ. Can also be set to โrequiredโ or
โdiscouragedโ
Public Key Credential Request Options
27. ยฉ2018Yubico
Authentication Sequence
First factor mode
Client Relying Party
id, rpId, challenge
id, hash(rpId), s, clientData,
userHandle
Find user with id or
userHandle
Check id
Check s using kpub
Verify origin
Verify challenge
Authenticator
signature(hash(rpId) || c, kpriv
)
Validate rpId
against origin
hash(challenge, origin)
clientData
id, rpId, c
Retrieve kpriv
for rpId
Sign c after User
Presence/
Veri๏ฌcation
id, hash(rpId), s, userHandle
28. 28
ยฉ2019Yubico
Start Authentication Diagram
username
REST API Start
Authentication
Challenge
Generator
Assertion
Request
challenge
username
RelyingParty
Start
Assertion
Credential
Repository
username
Extensions
PublicKeyCredentialRequestOptions
Assertion
Request
Storage
return
AssertionRequest to
client as JSON
Get
credentials
by username
29. 29
ยฉ2019Yubico
Client - Get Credential Response
โauthDataโ: ... โclientDataJSONโ: ... โsignatureโ: ...
Authenticator Assertion Response
RP ID Hash Flags Counter Extensions
Authenticator Data
ED AT: 0 UV UP: 1
โuserHandleโ: ...
30. 30
ยฉ2019Yubico
Finish Authentication Diagram
JSON
response
REST API Finish
Authentication
Successful
Authentication
Result
Assertion
Response
Assertion
Request
Caller Token
Binding Id
RelyingParty
Finish
Assertion
Credential
RepositoryUpdate
signature
count
Assertion
Result
Performs authentication
validation steps
Returned to
client
Get by id
and
invalidate
Assertion
Request
Storage
Credential
Repository
Get credentials by
userHandle
31. 31
ยฉ2019Yubico
Authentication Recap
1. Client calls startAuthentication() endpoint
โ With (or without) userName
2. Relying Party generates AssertionRequest
โ With userName, and PublicKeyCredentialRequestOptions
3. Client calls navigator.credentials.get()
โ With data from the AssertionRequest
4. Client calls finishAuthentication() endpoint
โ With authenticatorAssertionResponse JSONObject
5. Relying Party verifies signature
โ After validation, authentication is successful
32. 32
ยฉ2019Yubico
Best Practices
โ Store the verbatim attestation object
โ Enables future re-evaluation of trust
โ Allow registering more than one credential per account
โ Consider allowing credential nicknames
โ Weigh pros vs cons of requiring attestation
โ Pros:
โ Higher assurance
โ Cons:
โ Maintenance for attestation trust store
โ Compatibility issues for unknown/new authenticators (not in attestation trust
store)
โ Security and Privacy Considerations
โ Refer to W3C Web Authentication API spec
https://www.w3.org/TR/webauthn/#security-considerations
33. 33
ยฉ2019Yubico
Recap
โ Anchoring resident credentials on roaming authenticators can
enable passwordless authentication scenarios
โ Yubicoโs java-webauthn-core library provides the entities and
validation logic to integrate Web Authentication into server-side
applications
โ Attestation can be stored and looked up to build a chain of trust
and provide high assurance authentication
โ Build a UI that enables users to register multiple authenticators
34. 34
ยฉ2019Yubico
Resources
โ Workshop
โ https://github.com/elukewalker/PasswordlessWorkshop
โ FIDO2/WebAuthn Developer Guide
โ https://developers.yubico.com/FIDO2/FIDO2_WebAuthn_Developer_Guide/
โ Java WebAuthn Server
โ https://github.com/Yubico/java-webauthn-server
โ Yubico Developer Videos
โ https://www.yubico.com/why-yubico/for-developers/developer-videos/
โ W3C Web Authentication API
โ https://www.w3.org/TR/webauthn
โ FIDO Client to Authenticator Protocol V 2.0
โ https://fidoalliance.org/specifications/download/