Web Authentication APIs Auth Strategies Usage
Transcript from the "Auth Strategies Usage" Lesson
>> This is the current options that we have these days, okay, different kind of authentication. At the bottom, we see more red, that's less secure, at the top is more secure. And of course, less websites are actually using the top right now. So we started with a form-based authentication at the bottom.
[00:00:22] So every website is supporting this, okay? Then some websites on top of that, they are increasing security by adding multi-factors. Less website, but still a couple, they're adding web authentication as a multi-factor. So they still have username and password, but also after you sign in with the username and password for the first time, they say, hey, next time, do you wanna log in with Face ID or Touch ID to increase user experience?
[00:00:53] Probably you have seen that as a user. So as a backup, you still have a username and password, an insecure username and password, okay? But you are adding a factor, another factor, on top of that that uses biometrics or USB keys. And the goal, the final goal, is to get to a passwordless authentication world, where in that case, your database will not have a password at all, okay?
[00:01:25] And so this has appear, so a few months ago, 2022. So the full passwordless solution, it's called passkeys. So we will talk about at the end of today's workshop about that. It's on iOS and Safari, and it's coming on Edge on Windows, on Chrome on Android, on Chrome on desktop in a couple of months, early 2023.
[00:01:53] So from 2023, every browser, or at least latest versions of every browser in every platform, are going to support passkeys. So we will start seeing more websites offering the user the experience of logging in or registering an account with a passkey and not with a password anymore. It will take time to make the whole shift to a passwordless world, okay?
[00:02:20] But we are going towards that goal, make sense? Do you have any question at this point?
>> I have a question. So for the passwordless auth world, how does that work with multiple devices then?
>> In fact, that's a spoiler for later, but the passwordless or passkeys are actually WebAuthn.
[00:02:44] It's actually the same technology, the same API. Server side is just the same, so you implement WebAuthn. So what's the difference? There are a couple of difference, but one of the difference is that the device is storing the passkey in multiple devices. So in a standard WebAuthn that works with your face or with your finger, stores the private key only on that device.
[00:03:12] In fact, if you buy a new phone, even if you have the same finger, you won't have the same credentials, okay? When you change your phone, you need to register your Face ID again on different apps, even on the phone itself. I mean, for those of you that are buying new phones, new Android phones, or new iPhones, even if you're recovering the backup, you still need to register your fingers and your face again, okay?
[00:03:39] This is for another hardware security thing. And you will also need to do that on every website on every native app. But with passkeys, Microsoft, iOS, or Apple and Google, they will store your passkeys in your cloud account, in your Google account, in your iCloud, in your Microsoft account.
[00:04:03] And it's going to be multi-device. For example, if I'm saving a passkey in my iPhone, it will be available immediately in my iPad and in my Mac. And I'm not going to use the same, well, maybe I'm not going to use the same biometric identification because on my Mac, I don't have Face ID.
[00:04:23] It's going to be Touch ID, okay? It's going to be, in that case, store with iCloud and with the security of iCloud. So you still need to access your iCloud account to get your passkeys. But that also leads to another question that we will also see later. What happens if you need to log in on a Windows machine?
[00:04:42] Because, yeah, right now, I mean, my computer is being repaired, so I don't have a Mac, I have a Windows computer. How can I use my passkeys? Well, there is a solution for that. We will talk about that later, but through QR codes and Bluetooth, you can log in on Windows with your phone.
[00:05:03] So if you still have one device that has access to the passkey, you can share the passkey with another device. And this is multi-vendor, so it will work between Microsoft, between Microsoft Edge and Safari on iOS.
>> So passkeys are the private keys which are shared through a cloud on different devices.
>> So the passkey is the name, it is a noun that we use for the idea of replacing the password. So the user will create passkeys. But behind the passkey, we have a whole architecture, a whole solution that includes the private key, and also a public key, and also sharing the private key between your devices in the cloud.
[00:05:50] So it's a whole system, it's not just the name of the private key. But the idea that this group of browsers have that includes Microsoft Edge, Google's Chrome, and Apple's Safari, the idea is to create this mindset of passkey. So when the user sees, I wanna log in with the passkey, they know what we're talking about, okay?
[00:06:17] That's the idea. So instead of a password, we have passkeys. So we will see that later, okay? But that's kind of the idea. So the passkey is not just the private key, it's the whole system. But from a user perspective, it's kind of the new password, okay? Password 2.0, that's kind of a passkey, okay?
[00:06:36] That is not just a secret that you define, that kind of idea, that it's a complex thing behind the scenes.