A World Without Passwords
Molly Dalton @mollyadalton
“People are prone to taking mental shortcuts.” - Kevin Mitnick
Infamous information stealer / Top-notch information stealer
Overview of passwordless authentication (contoso.com)
1. Client -> Server: user requests to use passwordless login
2. Server -> Client: challenge
3. Client: signs the challenge with the private key
4. Client -> Server: signed challenge
5. Server: checks the signature
6. Server -> Client: returns the requested information
Let’s make a few things clear
- Relying Party = the server / website (contoso.com)
- Client = the browser / platform
Gestures (*****) -> Client -> Authenticator (Windows Hello, backed by the TPM)
One user, one device, one account, one credential.
Molly’s device, signing in to outlook.com:
- molly work account
- molly personal account
Credentials for Molly: Outlook personal, Outlook work
Overview of traditional password authentication (contoso.com)
1. Client -> Server: user inputs the password on the site; username + password are sent
2. Server: computes Hash(Password + Salt)
3. Server: compares it with the stored hashed password
4. Server: signs in the user
Overview of passwordless authentication (contoso.com)
1. Client -> Server: requests information from the server
2. Server -> Client: challenge
3. Client: signs the challenge with the private key
4. Client -> Server: signed challenge
5. Server: checks the signature
6. Server -> Client: returns the requested information
DEMO
Web Authentication API
- makeCredential (registering a user)
- getAssertion (authenticating a user)
Overview of registering a user
1. Client -> Relying Party (contoso.com): user requests to use passwordless login
var webauthnAPI = navigator.authentication;
if (!webauthnAPI) { /* Handle error: Web Authentication API not available */ }
Overview of registering a user
1. Client -> Relying Party (contoso.com): user requests to use passwordless login
2. Client: makeCredential call
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
    .then(function (newCredentialInfo) { /* Send new credential info to server */ })
    .catch(function (err) { /* No hardware or permission */ });
makeCredential(userAccountInformation, cryptoParams, challenge, options)
var userAccountInformation = {
    rpDisplayName: "Contoso",
    displayName: "Molly Dalton",
    name: "",      // value not shown on the slide
    id: "",        // value not shown on the slide
    imageURL: ""   // value not shown on the slide
};
makeCredential(userAccountInformation, cryptoParams, challenge, options)
var cryptoParams = [
    { type: "ScopedCred", algorithm: "ES256" },
    { type: "ScopedCred", algorithm: "RS256" }
];
makeCredential(userAccountInformation, cryptoParams, challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
makeCredential(userAccountInformation, cryptoParams, challenge, options)
var options = {
    timeoutSeconds: 300,
    excludeList: []   // No excludeList
};
Overview of registering a user
1. Client -> Relying Party (contoso.com): user requests to use passwordless login
2. Relying Party -> Client: user account information, crypto params, and attestation challenge
3. Client: makeCredential call
Overview of generating a credential
1. Client -> Authenticator (Windows Hello): unlock with fingerprint
2. Authenticator: generates a key pair; the private key stays in the TPM
3. Authenticator -> Client: public key + credential ID, attestation statement
Overview of registering a user
1. Client -> Relying Party (contoso.com): user requests to use passwordless login
2. Relying Party -> Client: user account information, crypto params, and attestation challenge
3. Client: makeCredential call
4. Client -> Relying Party: public key, attestation statement, and credential id (makeCredential promise resolved)
5. User is now registered
Molly’s computer
- Authenticator holds: private key for bank.com, private key for social.com, private key for medical.com
- bank.com holds: public key for bank.com
- social.com holds: public key for social.com
- medical.com holds: public key for medical.com
Overview of authenticating a user
1. Client -> Relying Party (contoso.com): user requests to be authenticated
webauthnAPI.getAssertion(challenge, options)
    .then(function (assertion) { /* Send assertion to server for verification */ })
    .catch(function (err) { /* No hardware or rejected */ });
getAssertion(challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
getAssertion(challenge, options)
var options = {
    timeoutSeconds: 300,   // 5 minutes
    allowList: []
};
getAssertion(challenge, options)
var cred1 = { type: "ScopedCred", id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo=" };
var cred2 = { type: "ScopedCred", id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo=" };
var options = {
    timeoutSeconds: 300,
    allowList: [cred1, cred2]
};
Login using no credentials
Outlook.com with allowList: [] -> "Login here" -> all credentials registered for Outlook.com are offered
Microsoft.com needs your identity
Account chooser: Molly Dalton (Microsoft), Molly Dalton (Microsoft) - Ok / Cancel
var userAccountInformation = {
    rpDisplayName: "Outlook",
    displayName: "Molly Dalton",
    name: "",      // value not shown on the slide
    id: "",        // value not shown on the slide
    imageURL: ""   // value not shown on the slide
};
Login using username
Outlook.com: login with username madMolly
UserInfo looked up for madMolly: username, credential ID, public key, additional information
Overview of authenticating a user
1. Client -> Relying Party (contoso.com): user requests to be authenticated
2. Relying Party -> Client: sends the challenge
3. Client: getAssertion call, sends the challenge down to the authenticator
Overview of signing a challenge
Inputs on the client side: authenticatorData, clientDataHash
Authenticator: signs authenticatorData and clientDataHash with the private key -> Signature
Overview of authenticating a user
1. Client -> Relying Party (contoso.com): user requests to be authenticated
2. Relying Party -> Client: sends the challenge
3. Client: getAssertion call, sends the challenge down to the authenticator
4. Authenticator: signs the challenge with the private key
5. Client: getAssertion promise resolved
Relying Party receives the signature and looks up UserInfo
madMolly: username, credential ID, public key, additional information -> signature checked against the stored public key
Overview of authenticating a user
1. Client -> Relying Party (contoso.com): user requests to be authenticated
2. Relying Party -> Client: sends the challenge
3. Client: getAssertion call, sends the challenge down to the authenticator
4. Authenticator: signs the challenge with the private key
5. Client -> Relying Party: getAssertion promise resolved, signature sent
6. User is authenticated
What’s next
1. Experimental version now
2. Polyfill available
3. Build experience with new update
4. Read the spec
blog.microsoftedge.com
status.microsoftedge.com
issues.microsoftedge.com