The state of ********less auth on the web

Sonar (SonarQube, SonarCloud, SonarLint)

Phil Nash

twitter.com/philnash

@philnash@mastodon.social

linkedin.com/in/philnash

https://philna.sh

Phil

Passwords

Passwords are terrible

Password reuse

  Some of the time: 52%
  All of the time: 13%
  Never: 35%

Source: Google / Harris Poll December 2018

24% use a password manager

Top 10 passwords of 2022

  1. password
  2. 123456
  3. 123456789
  4. guest
  5. qwerty
  6. 12345678
  7. 111111
  8. 12345
  9. col123456
  10. 123123

Source: NordPass Top 200 most common passwords

Have I Been Pwned (haveibeenpwned.com)

Passwords are terrible

Trade-offs

User experience vs security

Passwords

Experience

  • Hard to remember good passwords
  • Hard to choose good passwords
  • Needs password managers

Security

  • Easy to break easy passwords
  • Password leaks/credential stuffing
  • Vulnerable to phishing

Use a password manager

Password manager

Experience

  • Good passwords are easy
  • No repetition

Security

  • Long, difficult passwords
  • Unique passwords
  • Still vulnerable to phishing

24% use a password manager

Can we improve this?

Credential management API

Store and retrieve credentials

Credential Management

Experience

  • One click logins
  • No need to remember passwords

Security

  • Easy to break easy passwords
  • Password leaks/credential stuffing
  • Less vulnerable to phishing
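As an added example (not code from the talk), the store-and-retrieve flow of the Credential Management API wrapped in three helpers: one-click login from a stored credential, storing a credential only once the server has accepted it, and blocking silent sign-in on logout. `navigator.credentials` is passed in as `credentials` so the same functions run against an in-memory stand-in here; `postLogin` is an assumed application function that sends the id and password to the server and resolves to `true` on success.

```javascript
// Added example, not from the talk. `credentials` is navigator.credentials in a
// browser; `PasswordCredentialCtor` is the PasswordCredential constructor.
// `postLogin(id, password)` is an assumed app function resolving to true on success.

// One-click login: ask the browser for a stored password credential.
// mediation 'optional' signs in silently when exactly one credential is stored and
// silent access has not been blocked; 'silent' never prompts; 'required' always does.
async function loginWithStoredCredential(credentials, postLogin, mediation = 'optional') {
  const cred = await credentials.get({ password: true, mediation });
  if (!cred || cred.type !== 'password') return { ok: false, reason: 'no-credential' };
  const ok = await postLogin(cred.id, cred.password);
  return ok ? { ok: true, id: cred.id } : { ok: false, reason: 'rejected' };
}

// Store a credential only after the server has accepted it, so the browser never
// remembers a password that does not work.
async function rememberCredential(credentials, PasswordCredentialCtor, postLogin, id, password) {
  if (!(await postLogin(id, password))) return false;
  await credentials.store(new PasswordCredentialCtor({ id, password }));
  return true;
}

// On logout, block silent auto-sign-in until the user logs in again by hand.
async function logout(credentials) {
  await credentials.preventSilentAccess();
}

// Constructed stand-in for navigator.credentials so the helpers run in Node.
// Where a real browser would show an account chooser, this returns the first
// credential and treats that as user mediation (which re-enables silent access).
class FakeCredentialsContainer {
  constructor() { this.stored = []; this.silentAllowed = true; }
  async get({ password = false, mediation = 'optional' } = {}) {
    if (!password || this.stored.length === 0) return null;
    const canBeSilent = this.silentAllowed && this.stored.length === 1;
    if (mediation === 'silent' && !canBeSilent) return null;
    if (!canBeSilent) this.silentAllowed = true; // simulated chooser counts as mediation
    return this.stored[0];
  }
  async store(cred) {
    // Storing replaces an existing credential with the same id.
    this.stored = this.stored.filter((c) => c.id !== cred.id).concat(cred);
  }
  async preventSilentAccess() { this.silentAllowed = false; }
}

// Constructed stand-in for the browser's PasswordCredential class.
class FakePasswordCredential {
  constructor({ id, password }) { this.type = 'password'; this.id = id; this.password = password; }
}
```

In a browser, replace the two stand-ins with `navigator.credentials` and `PasswordCredential`; the helper logic stays the same. The important ordering is in `rememberCredential`: the server accepts the password first, then the browser stores it, which is what keeps the one-click login from ever replaying a wrong credential.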

Two factor authentication

Two factor authentication

Experience

  • Two steps
  • Needs another device
  • Requires phone signal

Security

  • Overcomes poor/leaked passwords with second factor
  • Still vulnerable to phishing
  • Targeted SMS attacks are possible

Can we make it better?

WebOTP API

Credential management API (again)

Two factor authentication

Experience

  • Two (minimal) steps
  • Needs another device
  • Requires phone signal

Security

  • Overcomes poor/leaked passwords with second factor
  • Less vulnerable to phishing
  • Targeted SMS attacks are possible
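As an added example (not code from the talk), both halves of the WebOTP flow: the server formats the SMS so the browser can bind the code to the site (the message ends with a line of the form `@host #code`), and the client asks for the code with `navigator.credentials.get({ otp: ... })`, giving up after a timeout so the user can still type it by hand. `window` and `navigator.credentials` are passed in as `win` and `credentials` so the functions run against constructed stand-ins here; the six-digit code format is an assumption of this example.

```javascript
// Added example, not from the talk. Server side: the SMS must end with a line of the
// form "@<host> #<code>" so the browser only offers the code to pages on that host.
// Client side: `credentials` is navigator.credentials, `win` is `window`, both passed
// in so the functions can run against constructed stand-ins in Node.

const OTP_RE = /^\d{6}$/; // assumed code format for this example

function formatOtpSms(host, code, intro = 'Your verification code is') {
  if (!OTP_RE.test(code)) throw new Error('code must be six digits');
  return `${intro} ${code}.\n\n@${host} #${code}`;
}

// What the browser checks before surfacing the code: the last line names this
// host and carries the code. Returns the code or null.
function extractBoundOtp(smsText, host) {
  const last = smsText.trimEnd().split('\n').pop();
  const m = /^@(\S+) #(\d{6})$/.exec(last);
  return m && m[1] === host ? m[2] : null;
}

function supportsWebOtp(win) {
  return typeof win === 'object' && win !== null && 'OTPCredential' in win;
}

// Ask for the code when the SMS arrives; abort after timeoutMs so the form still
// works with manual entry. Resolves to the code or null.
async function readOtpFromSms(win, credentials, timeoutMs = 60_000) {
  if (!supportsWebOtp(win)) return null;
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const otp = await credentials.get({ otp: { transport: ['sms'] }, signal: ac.signal });
    return otp && OTP_RE.test(otp.code) ? otp.code : null;
  } catch (err) {
    if (err && err.name === 'AbortError') return null; // timed out or user dismissed
    throw err;
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-in for navigator.credentials: "delivers" an SMS after delayMs
// and rejects with AbortError if the signal fires first, as the browser does.
function fakeCredentialsReceiving(smsText, host, delayMs) {
  return {
    get({ otp, signal }) {
      return new Promise((resolve, reject) => {
        if (!otp) return resolve(null);
        const t = setTimeout(() => {
          const code = extractBoundOtp(smsText, host);
          resolve(code ? { type: 'otp', code } : null);
        }, delayMs);
        signal.addEventListener('abort', () => {
          clearTimeout(t);
          const e = new Error('aborted'); e.name = 'AbortError'; reject(e);
        });
      });
    },
  };
}
```

The binding line is what turns a plain SMS code into an origin-bound one: a browser on a different host never sees the code, which is why the slide rates this flow as less vulnerable to phishing than a code the user copies by hand.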

2FA with security key

WebAuthn

2FA with WebAuthn

Experience

  • Two (minimal) steps
  • Needs a security key or platform authenticator
  • Need to either carry the key between devices or register multiple authenticators

Security

  • Overcomes poor/leaked passwords with second factor
  • Public/private key cryptography: the server only stores the public key, so there is nothing to leak!
  • Phishing resistant: the credential is bound to the site's origin!

Passwordless

Passkeys

Multi device credentials

Passkeys

WebAuthn but with platform authenticator

Verifies the user on the device

Authenticates the user with the server

Syncs across your devices

Can be used cross-device where sync is not possible

Demo

https://www.passkeys.io/

Passkeys

Experience

  • No need for a password
  • Requires platform authenticator
  • Syncs

Security

  • Phishing resistant
  • Unleakable
  • Perfect?

Other drawbacks?

Browser support!

But it's coming

Recommendations

Detect passkey support and offer it first

Support multiple passkeys

Fall back to password with 2FA

Once a user can use passkeys, upgrade and remove old, weak credentials
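As an added example (not code from the talk) covering both the Passkeys slides and the recommendations above: feature detection that picks the flow to offer first, the `navigator.credentials.create()` options that make the new credential a passkey and allow several passkeys per user, the `navigator.credentials.get()` options for the passkey flow, and a helper that decides which old credentials to retire. `window` is passed in as `win` so detection runs against constructed stand-ins here; the flow names and the account shape used by `credentialsToRetire` are assumptions of this example.

```javascript
// Added example, not from the talk. `win` stands for `window` and is passed in so the
// detection runs against constructed stand-ins in Node. Option objects follow the
// standard PublicKeyCredentialCreationOptions / RequestOptions dictionaries, with
// challenge and ids as Uint8Array as the API expects.

// Offer, in the talk's order: passkey via browser autofill where available, a plain
// passkey prompt otherwise, and password plus 2FA as the fallback.
async function chooseLoginFlow(win) {
  const PKC = win && win.PublicKeyCredential;
  if (!PKC) return 'password-2fa';
  const platform = typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function'
    ? await PKC.isUserVerifyingPlatformAuthenticatorAvailable() : false;
  if (!platform) return 'password-2fa';
  const conditional = typeof PKC.isConditionalMediationAvailable === 'function'
    ? await PKC.isConditionalMediationAvailable() : false;
  return conditional ? 'passkey-autofill' : 'passkey';
}

// Options for navigator.credentials.create(). residentKey 'required' makes the
// credential discoverable (a passkey); excludeCredentials lists the user's existing
// passkeys so an authenticator that already holds one is not registered twice while
// a new device still can be, which is how a user ends up with multiple passkeys.
function passkeyRegistrationOptions({ rpId, rpName, userId, userName, displayName, challenge, existingCredentialIds = [] }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName },
      challenge,
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // ES256, RS256
      authenticatorSelection: { residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
      excludeCredentials: existingCredentialIds.map((id) => ({ type: 'public-key', id })),
      timeout: 60_000,
      attestation: 'none',
    },
  };
}

// Options for navigator.credentials.get(). mediation 'conditional' surfaces stored
// passkeys in the username field's autofill; allowCredentials stays empty so any
// passkey for this RP can be discovered.
function passkeyLoginOptions({ rpId, challenge, flow }) {
  const options = { publicKey: { rpId, challenge, userVerification: 'required', allowCredentials: [], timeout: 60_000 } };
  if (flow === 'passkey-autofill') options.mediation = 'conditional';
  return options;
}

// Once the user has a passkey, list the weaker credentials that can be removed.
// Assumed account shape: { passkeys: [...], password: bool, smsSecondFactor: bool }.
function credentialsToRetire(account) {
  if (!account.passkeys || account.passkeys.length === 0) return [];
  const retire = [];
  if (account.password) retire.push('password');
  if (account.smsSecondFactor) retire.push('sms-2fa');
  return retire;
}
```

`chooseLoginFlow` is the detection step the recommendations start with; on a page that gets `'passkey-autofill'`, the form's username input carries `autocomplete="username webauthn"` and the `get()` call with conditional mediation is started when the page loads, so the stored passkey appears alongside the browser's usual suggestions.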

Links

https://passkeys.dev/

https://webauthn.me/

https://web.dev/passkey-registration/

https://web.dev/web-otp/

https://philna.sh/blog/2022/12/07/better-two-factor-authentication-experiences-with-web-otp/

https://web.dev/security-credential-management/

Thank you
