
Federations in a WebAuthn World



Presentation Transcript


  1. Federations in a WebAuthn World
     Something to think about (Leif wanted a more crap-your-pants scary title)

  2. What is WebAuthn?
     “This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.”
     • https://www.w3.org/TR/webauthn/
     • Will allow web apps to trust a strong biometric authentication as a credential that is specific only to that service.
     • IdPs are not required - this is a direct service-to-user relationship
     • Attribute Authorities will absolutely have a role
     • What role do federations have?

  3. https://en.wikipedia.org/wiki/WebAuthn#/media/File:Passwordless_Web_Authentication.svg
     Tom Scavo - CC BY-SA 4.0

  4. Why do this?
     • Attacks on OTP-based authn are now fully automatable
     • OTP-based systems make for horrible UX

  5. Google Authenticator on appstore...

  6. We’ve heard this story before...
     • The smartcard is going to win…. yeah right!
     • Only this time the smartcard “driver” moved into the browser and...

  7. Hey presto!
     • Supported in Edge, Chrome, FF
     • Almost ready in Safari for macOS
     • Pre-released in Safari for iOS
     As far as browser support goes, that’s the full monty!

  8. Check your assumptions at the door!
     • Authentication no longer automatically means password
     • The default “user recognized” UX for login does not involve a password
     • Strong authentication no longer means password + something
     • MFA is no longer best-in-class
     • Authentication is no longer enough to motivate having an IdP
     • SSO is “for free” directly at the SP

  9. Implications for IdP Operators
     • Your IdP has to provide attributes in order to add value
     • Your MFA strategy based on Google Authenticator is wrong
     • In fact… stop talking MFA and start talking Strong Authentication
     • Login UX not based on FIDO2 will seem “odd” to users - a bad place to be

  10. Implications for Federation Operators
     • Your IdPs need help to sustain value!
     • SSO is not enough of a foundation on which to build your kingdom
     • Research-oriented IdPs can now do all your campuses can do - only faster
     • Stop talking about MFA - start talking about Strong Authentication

  11. Who has their eyes on this?
     Who is implementing services towards this standard?
     • Duke University
     • eduID.se
     • login.gov

  12. REFEDS
     Is there anything here for REFEDS to do (other than watch this space)?
