FIDO and Passkey

Machine Learning Artificial Intelligence Algorithm Digital Transformation  Mathematics Programming Encryption, Security and Data Compression Navigation of this blog
FIDO

FIDO (Fast Identity Online) is a standardisation framework for more secure and easier online authentication, which will provide a password-independent authentication method to improve security and user experience.

FIDO uses an authentication protocol based on public key cryptography, which generates a pair of public key (stored on the server) and private key (stored on the device) when the device registers user authentication data. This private key is used to digitally sign the user at the time of authentication, and the signature is verified with the public key to authenticate the user. As the private key is not stored on the server, there is no risk of the key itself being compromised even if the server is attacked.

FIDOとはより

Several standards exist for FIDO, which provide different approaches depending on the application, as shown below.

  • FIDO UAF (Universal Authentication Framework).
    – Focuses primarily on authentication without passwords.
    – Uses biometrics (e.g. fingerprints, facial recognition) and PIN codes.
  • FIDO U2F (Universal Second Factor)
    – Focuses on two-factor authentication.
    – Uses hardware tokens such as security keys.
    – Mainly used as an additional security layer for online services.
  • FIDO2 (WebAuthn + CTAP)
    – The latest standard, merging and evolving FIDO UAF and U2F.
  • WebAuthn (Web Authentication API)
    – Allows web browsers and online services to work together and use biometrics and security keys.
    – Many major browsers and devices support it.
  • CTAP (Client to Authenticator Protocol)
    – Defines communication between a device (e.g. smartphone or security key) and a browser or operating system.

The benefits of FIDO include.

  • Improved security: eliminates the need for passwords, reducing the risk of phishing attacks and password compromise.
  • Improved user experience: eliminates the need for password entry and enables one-touch authentication for biometrics and security keys.
  • Widespread support: supported by major platforms such as Google, Microsoft and Apple.

Examples of FIDO applications include login authentication for use when logging in to websites and applications, payment authentication to verify identity for e-commerce and digital payments, and use in corporate systems to manage employee access and improve security.

Currently, FIDO2 is starting to become widely used, with improved compatibility with browsers and operating systems, with Apple’s Passkey and Windows Hello using FIDO as a foundation.

Passkey

Passkey is a password-free authentication method promoted by major technology companies such as Apple, Google and Microsoft, based on the FIDO2 standard, which is gaining attention as a new authentication method that is both secure and easy to use.

Passkey is an authentication method based on public key cryptography with the following features

  • Uses public and private key pairs: only the public key is stored on the server, while the private key is securely stored on the user’s device (smartphone or PC).
  • Uses biometrics and device PINs: when authenticating a user, the private key in the device is used to sign the user’s name, and the server verifies the signature with the public key.
  • Synchronisable: passkeys can be shared securely between multiple devices via Apple’s iCloud, Google account synchronisation, etc.

Features of passkeys include

  1. Increased security.
    • No password required: phishing and list-based attacks are disabled as there is no password.
    • Local storage of private keys: private keys do not leave the device and are therefore not susceptible to database compromise.
  2. Ease of use
    • Biometric authentication: fingerprint and facial recognition for smooth login.
    • Synchronisation: major platforms allow passkey sharing across multiple devices, increasing convenience.
  3. Cross-platform compatibility.
    • Apple, Google and Microsoft cooperate under the FIDO Alliance, enabling cross-platform use.

The following steps are involved in using a passkey.

  1. Initial registration
    1. Set up a passkey when registering for an account on a service (e.g. website or app).
    2. A public and private key is generated on the device and the public key is stored on the service.
  2. At login.
    1. The website or app sends an authentication request.
    2. The user uses the private key with biometrics or PIN on the device.
    3. The server verifies the signature with the public key and allows login.

Practical examples of Passkey include Apple’s Passkey, Google’s Passkey and Microsoft’s Windows Hello.

Passkey is expected to be the future of online authentication and is a technology with growing support on major technology platforms. Many websites and apps are expected to support it in the future to improve user experience and enhance security.

Procedure for implementation

The most common way to implement Passkey is to use an authentication protocol (WebAuthn) based on the FIDO2 standard. The basic flow of the process is described below.

1. knowledge and tools required

Prerequisite knowledge

  • Basic understanding of WebAuthn (Web Authentication API).
  • Basic knowledge of public key cryptography.

Required tools

  • Server-side environment: Node.js, Python, Java, Go and other WebAuthn-compatible libraries are available.
  • Front-end environment: WebAuthn API available in web browsers (Chrome, Edge, Safari, Firefox).

Example server libraries

  • Node.js: fido2-lib
  • Python: py_webauthn
  • Java: webauthn-server

2. implementation flow

The following is the basic registration and authentication flow for a passkey.

(1) Passkey registration

  1. User registration request
    • The server uses the WebAuthn API to generate PublicKeyCredentialCreationOptions to the client.
    • These options include the following information
      • User ID.
      • Server RP ID (e.g. domain)
      • Supported authenticator information (e.g. biometrics, security key)
  2. Key generation on the client side.
    • Generate a passkey by calling navigator.credentials.create() on the front-end.
const options = {
    publicKey: {
        challenge: new Uint8Array(32), // Server-generated challenges
        rp: { name: "Example" },
        user: {
            id: new Uint8Array([1, 2, 3, 4]),
            name: "user@example.com",
            displayName: "User Example"
        },
        pubKeyCredParams: [{ alg: -7, type: "public-key" }]
    }
};
const credential = await navigator.credentials.create(options);

    3.Send public key to server.

    The client sends the generated public key to the server, which stores it in a database.

    (2) Authentication by passkey

    1. Authentication request
      • Server generates PublicKeyCredentialRequestOptions and sends it to the client.
      • Include challenge and target public key information.
    2. Signature generation on the client side.
      • Front-end calls navigator.credentials.get() to create a signature with the private key.
    const options = {
    publicKey: {
        challenge: new Uint8Array(32), // サーバーが生成したチャレンジ
        allowCredentials: [
            { id: credentialId, type: "public-key" }
        ]
    }
};
const assertion = await navigator.credentials.get(options);

      (3) Signatures sent to server.

      • Client sends signature data to server.
      • Server verifies signature using public key.

       (4) Successful login.

      • If the verification is successful, user authentication is complete.

      3. implementation of the required back-end

      Data storage during registration.

      • User ID and public key are stored.
      • RP ID, authenticator type and other metadata are also recorded.

      Signature verification during authentication.

      • Server verifies signature with public key and confirms challenge match.

      4. key points of implementation

      1. Security.
        • Use HTTPS for server-to-server communication.
        • Challenge validity period set by the server.
      2. Device support.
        • Consider use on multiple devices, including mobile devices, PCs and security keys.
      3. User experience
        • Use of biometrics and other authentication to provide smooth login.

      5. example implementations and resources

      Demonstration projects

      • WebAuthn.io.
        Demo site and source code for passkey authentication.

      GitHub project

      • SimpleWebAuthn.
        Simple WebAuthn library based on Node.js.

      Official resources

      • MDN Web Docs: Web Authentication API
      reference book

      The following reference books and documents are useful for a better understanding of Passkey, WebAuthn and FIDO2.

      WebAuthn: Explained

      WebAuthn Specification

      FIDO Alliance

      Node.js Cookbook – Fifth Edition: Practical recipes for building server-side web applications with Node.js 22

      Python for Security and Networking – Third Edition: Leverage Python modules and tools in securing your network and applications

      Web Security for Developers: Real Threats, Practical Defense

      Yubico Developer Resources

      Google WebAuthn Codelab

      コメント

      タイトルとURLをコピーしました