Passwordless Authentication


Passwordless authentication is a multifactor scheme that uses ownership and biometric factors, but not knowledge factors.

  • The FIDO2 and WebAuthn specifications provide a framework for passwordless authentication
  • provides similar security to smart card authentication
    • but does not require accounts to have digital certificates and PKI
    • reducing the management burden
  • FIDO2 WebAuthn improves on FIDO U2F by adding an API
    • that allows web applications to authenticate users without any password element
  • Most FIDO U2F authenticators should also support FIDO2/WebAuthn

How it Works

  1. The user chooses either:
    • a roaming authenticator
      • such as a security key
    • or a platform authenticator implemented by the device OS
      • such as Windows Hello or Face ID/Touch ID for macOS and iOS
  2. The user configures a secure method or local gesture that confirms presence and authenticates them to the device
    • gesture could be a fingerprint, face recognition, or PIN
    • This credential is only ever validated locally by the authenticator
  3. The user registers with a web application or service
    • referred to as a relying party
    • For each new relying party,
      • the authenticator generates a public/private key pair
    • the user’s client browser obtains the public key from the authenticator and registers it with the relying party, associating it with an account
  4. When presented with an authentication challenge, the user performs the local gesture to unlock the private key
    • the private key signs a confirmation that the local gesture succeeded
      • the signed confirmation is then sent to the relying party
  5. The relying party uses the public key to verify the signature and authenticate the account session

Security

  • For a passwordless system to be secure
    • the authenticator must be trusted and resistant to spoofing or cloning attacks
    • attestation is a mechanism for an authenticator device to prove that it is a root of trust
    • each security key is manufactured with an attestation key and a model ID
    • During the registration step, if the relying party requires attestation,
      • the authenticator uses this attestation key to send a signed report
    • the relying party checks the attestation report to verify that the authenticator is a known brand and model and supports whatever cryptographic properties the relying party demands

Attestation is the capability of an authenticator or other cryptographic module to prove that it is a root of trust and can provide reliable reporting to prove that a device or computer is a trustworthy platform.

Info

  • The attestation key is not unique to each device
    • if it were unique, it would be easy to identify individuals and be a serious threat to privacy
    • Instead, it identifies a particular brand and model.