A World Without Passwords


1 A World Without Passwords
Molly Dalton @mollyadalton

5 “People are prone to taking mental shortcuts.” - Kevin Mitnick, infamous information stealer

8 Overview of passwordless authentication
Client (browser) and Server (contoso.com):
1. Client → Server: user requests to use passwordless login
2. Server → Client: challenge
3. Client: sign the challenge with the private key
4. Client → Server: signed challenge
5. Server: check the signature, return information

9 Let’s make a few things clear
Relying Party: the server / website (contoso.com)
Client: the browser / platform

10 Gestures (*****) unlock the authenticator: Client → Authenticator (Windows Hello, backed by the TPM)

11 One User, One Device, One Account, One Credential

12 Molly’s Device: molly work account and molly personal account, both at outlook.com
Credentials for Molly on the device: Outlook personal, Outlook work

13 Overview of traditional password authentication
Client and Server (contoso.com):
1. Client → Server: input password to site (username + password)
2. Server: Hash(Password + Salt)
3. Server: compare with the stored hashed password
4. Server: sign in user

14 Overview of passwordless authentication
Client (browser) and Server (contoso.com):
1. Client → Server: request information from the server
2. Server → Client: challenge
3. Client: sign the challenge with the private key
4. Client → Server: signed challenge
5. Server: check the signature, return information

15 DEMO

16 Web Authentication API
- makeCredential (registering a user)
- getAssertion (authenticating a user)

17 Overview of registering a user
1. Client → Relying Party (contoso.com): user requests to use passwordless login

18 var webauthnAPI = navigator.authentication;
   if (!webauthnAPI) { /* Handle error: the API is not available in this browser */ }

19 Overview of registering a user
1. Client → Relying Party (contoso.com): user requests to use passwordless login
2. Relying Party → Client: makeCredential call

20 webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
       .then(function (newCredentialInfo) { /* Send new credential info to server */ })
       .catch(function (err) { /* No hardware or permission */ });

21 makeCredential(userAccountInformation, cryptoParams, challenge, options)
   var userAccountInformation = {
       rpDisplayName: "Contoso",
       displayName: "Molly Dalton",
       name: ,       // value omitted on the slide
       id: " ",      // value omitted on the slide
       imageURL:     // value omitted on the slide
   };

22 makeCredential(userAccountInformation, cryptoParams, challenge, options)
   var cryptoParams = [
       { type: "ScopedCred", algorithm: "ES256" },
       { type: "ScopedCred", algorithm: "RS256" }
   ];

23 makeCredential(userAccountInformation, cryptoParams, challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";

24 makeCredential(userAccountInformation, cryptoParams, challenge, options)
   var options = {
       timeoutSeconds: 300,
       excludeList: []   // No excludeList
   };

25 Overview of registering a user
1. Client → Relying Party (contoso.com): user requests to use passwordless login
2. Relying Party → Client: makeCredential call with user account information, crypto params, and attestation challenge

27 Overview of generating a credential
Client → Authenticator (Windows Hello): unlock with fingerprint
Authenticator: generate key pair; the private key stays in the TPM
Authenticator → Client: public key + credential ID, attestation statement

28 Overview of registering a user
1. Client → Relying Party (contoso.com): user requests to use passwordless login
2. Relying Party → Client: makeCredential call with user account information, crypto params, and attestation challenge
3. Client → Relying Party: public key, attestation statement, and credential id (makeCredential promise resolved)
4. User is now registered

29 Molly’s Computer: one key pair per site
Authenticator: holds the private keys for bank.com, social.com, and medical.com
bank.com: public key for bank.com
social.com: public key for social.com
medical.com: public key for medical.com

30 Overview of authenticating a user
1. Client → Relying Party (contoso.com): user requests to be authenticated

31 webauthnAPI.getAssertion(challenge, options)
       .then(function (assertion) { /* Send assertion to server for verification */ })
       .catch(function (err) { /* No hardware or rejected */ });

32 getAssertion(challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";

33 getAssertion(challenge, options)
   var options = {
       timeoutSeconds: 300,   // 5 minutes
       allowList: []
   };

34 getAssertion(challenge, options)
   var cred1 = {
       type: "ScopedCred",
       id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
   };
   var cred2 = {
       type: "ScopedCred",
       id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
   };
   var options = {
       timeoutSeconds: 300,
       allowList: [cred1, cred2]
   };

35 Login using no credentials
Outlook.com calls getAssertion with allowList: [] → the client offers all credentials registered for Outlook.com ("Login Here")

36 Microsoft.com needs your identity
(Account picker shown by the client) Molly Dalton, Microsoft / Molly Dalton, Microsoft: Ok / Cancel

37 var userAccountInformation = {
       rpDisplayName: "Outlook",
       displayName: "Molly Dalton",
       name: ,       // value omitted on the slide
       id: " ",      // value omitted on the slide
       imageURL:     // value omitted on the slide
   };

38 Login using username
Client → Outlook.com: login with username madMolly
Outlook.com looks up UserInfo for madMolly: username (madMolly), credential ID, public key, additional information

39 Overview of authenticating a user
1. Client → Relying Party (contoso.com): requests to be authenticated
2. Relying Party → Client: getAssertion call; contoso.com sends the challenge down to the authenticator

41 Overview of signing a challenge
Client → Authenticator: authenticatorData, clientDataHash
Authenticator: signs (authenticatorData || clientDataHash) with the private key
Authenticator → Client: authenticatorData, clientDataHash, signature

42 Overview of authenticating a user
1. Client → Relying Party (contoso.com): requests to be authenticated
2. Relying Party → Client: getAssertion call; contoso.com sends the challenge down to the authenticator
3. Authenticator: signs the challenge with the private key
4. Client → Relying Party: getAssertion promise resolved

43 Relying Party checks the signature against the stored UserInfo
madMolly: username, credential ID, public key, additional information; the signature is verified with the stored public key

44 Overview of authenticating a user
1. Client → Relying Party (contoso.com): requests to be authenticated
2. Relying Party → Client: getAssertion call; contoso.com sends the challenge down to the authenticator
3. Authenticator: signs the challenge with the private key
4. Client → Relying Party: getAssertion promise resolved
5. User is authenticated

45 What’s next

46 1. Experimental version now

47 2. Polyfill available

48 3. Build experience with new update

49 4. Read the spec

50 blog.microsoftedge.com

51 status.microsoftedge.com

52 issues.microsoftedge.com

