
Go Passwordless with WebAuthn in Ruby

Nowadays, passwords are still our most common authentication method.

Braulio Martinez

Cofounder & Software Engineer @ Cedarcode

Attendees

  • Jeremy
  • Kyle

Notes

Motivation

Authentication Factors.

  • Knowledge factors
  • Possession factors
  • Inherent factors

ATM Auth. Factors:

  • Bank card - Possession factor
  • 6-digit PIN - Knowledge factor
    • provided by typing a code

Passwords

  • Single shared secret
  • Prone to many types of attacks
  • Repetition across systems
  • Bad UX

81% of all hacking-related breaches were a result of passwords.

Most used second factors

  • One-Time Password (OTP) via SMS
    • Lots of attacks for this as well: man-in-the-middle, etc.
  • Time-based OTP (TOTP) via Google Authenticator
    • Phishing. Browser cache.

Context

What is WebAuthn

“WebAuthn (Web Authentication) is a standard that defines a set of rules for APIs to enable users to strongly register and authenticate on web applications using public key based cryptography.” The W3C and the FIDO Alliance created it.

The Workings

What does it provide?

Possession factor: USB dongle, phone.

Spec

  • Credential
    • Public and private key pair.
    • Strong
    • Scoped. Only works for specific domains
    • Digital signatures
  • 3 entities
    • Authenticator. User Device
    • Client. Web Browser
    • Relying Party. Web App
  • 2 user flows
    • Registration of a credential
    • Authentication of a credential

Wins

  • No brute force
  • No sensitive data
  • No phishing
  • No man-in-the-middle
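To make the Spec and Wins sections concrete, here is an added example (written for these notes, not code from the talk or from the webauthn-ruby gem) that simulates both user flows with only Ruby's OpenSSL stdlib: an authenticator mints a key pair scoped to an RP ID, and the relying party verifies an assertion by checking the challenge, origin, RP ID hash, user-presence flag and signature counter before the signature itself. RP_ID, ORIGIN and the in-process authenticator are constructed assumptions.

```ruby
require "openssl"
require "securerandom"
require "json"
require "digest"

# Constructed relying party values for this example.
RP_ID  = "example.com"
ORIGIN = "https://example.com"

# Registration flow: the authenticator creates a key pair bound to the RP ID.
# The relying party keeps only the public key and the last signature counter
# (public_to_der needs Ruby 3.1+ / openssl gem 3.0).
def register(rp_id)
  key = OpenSSL::PKey::EC.generate("prime256v1")   # ES256, WebAuthn's default algorithm
  authenticator = { rp_id: rp_id, key: key, counter: 0 }
  stored_credential = { public_key: OpenSSL::PKey.read(key.public_to_der), counter: 0 }
  [authenticator, stored_credential]
end

# Authentication flow, authenticator side: the signature covers
# authenticatorData || SHA-256(clientDataJSON), the layout the spec uses,
# so the challenge, origin and RP ID are all bound into it.
def make_assertion(authenticator, challenge, origin)
  client_data = JSON.generate(type: "webauthn.get", challenge: challenge, origin: origin)
  authenticator[:counter] += 1
  auth_data = Digest::SHA256.digest(authenticator[:rp_id]) +   # rpIdHash (32 bytes)
              [0x01, authenticator[:counter]].pack("CN")        # flags (UP set), signCount
  signature = authenticator[:key].sign("SHA256", auth_data + Digest::SHA256.digest(client_data))
  { client_data: client_data, auth_data: auth_data, signature: signature }
end

# Authentication flow, relying-party side. Each check before the signature
# corresponds to one of the "wins" listed above. Returns [ok, reason].
def verify(stored_credential, response, expected_challenge, rp_id: RP_ID, origin: ORIGIN)
  cd = JSON.parse(response[:client_data])
  return [false, "type"]      unless cd["type"] == "webauthn.get"
  return [false, "challenge"] unless cd["challenge"] == expected_challenge     # fresh per login: no replay
  return [false, "origin"]    unless cd["origin"] == origin                    # browser-reported origin: no phishing
  ad = response[:auth_data]
  return [false, "rp_id"]     unless ad[0, 32] == Digest::SHA256.digest(rp_id)  # credential scoped to this RP
  return [false, "presence"]  unless (ad.getbyte(32) & 0x01) == 1               # user-presence flag
  counter = ad[33, 4].unpack1("N")
  return [false, "counter"]   unless counter > stored_credential[:counter]       # flags a cloned authenticator
  signed = ad + Digest::SHA256.digest(response[:client_data])
  return [false, "signature"] unless stored_credential[:public_key].verify("SHA256", response[:signature], signed)
  stored_credential[:counter] = counter
  [true, "ok"]
end
```

A real deployment delegates all of this to the browser's `navigator.credentials` API and to the webauthn gem; the point here is which fields the RP must check and why each one matters.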

Challenges

  • Device loss recovery UX
  • Portability across devices

Adoption

How can we solve this to achieve mass adoption?

Passkeys

Essentially multi-device WebAuthn credentials. https://tinyurl.com/2m4h6yeh

  • Browser autofill UI
  • Cross-device authentication: authenticators
  • Cross-device authentication: client
  • Device Public Key (DPK)

Multi-device passkeys are less secure than device-bound ones, but are still more secure than passwords.

Take the step

How to migrate?

  • webAuthn.cedarcode.com
  • webAuthn-2fa.cedarcode.com
  • rubygems.org

Future

  • Ruby gem is v3.X.X
  • Standard is evolving
  • WebAuthn + Devise, keep pushing as a second factor
  • Passkeys

Resources