The real hurdle to adoption is getting software developers to implement this (instead of some off the rack solution like devise), and even more tricky, is getting management to "OK" developers spending "forever" to implement such an authentication solution.
Attestation Type & Authenticator Type will just confuse our end users for sure in the form at 6:46. Would there be a more user friendly way to register?
A lot of concerns actually, e.g. how to verify a user when he logs in from a computer while his key is stored on his mobile?
The way I understand it is you would register/authorize each device or otherwise share keys between them. I favor YubiKeys and the “roaming” approach.
This was one of the better overviews of WebAuthn that I've watched. It's aged well, considering it was recorded three years ago. Thank you!
That was a great introduction. Well done.
Very high quality presentation. Thanks!!
The script returned "No PA found" in my browser when I tried it. May I know what I should do to enable PA support? Thanks a lot!! And great presentation by the way!! :)
What happens, for example, if I lose the device I registered with? Does this mean that I can only log in from the device I registered with?
I use YubiKeys and, for example, with my spares I have to register each one individually; that way they both/all can work equally in case of loss. I presume that's exactly how it works for mobiles as well. If you do not register a spare/multiple devices, share keys with another device somehow, or use a cloud service (like Authy, not recommended) that will share the keys amongst devices for you... then yes, you would effectively be locked out of the service/account unless they offered backup codes when setting it up or provide an account retrieval process (which can also be a glaring vulnerability depending on how it's implemented).
Great presentation! One question though: if the computer does not have a finger/face sensor and the user hasn't got a key, what's the fallback scenario of WebAuthn? Can anyone without a finger/face sensor use their Windows/Mac password instead? And can users use this even if their administrators disabled stuff like installing apps, for example?
This technology is for the future, not the past. Most laptops and phones will have biometrics.
Face, fingerprint and keychain key are easier to steal than a password, by theft or when you are knocked down or dead.
Someone has to rip your face or finger off, even if they steal it.
Actual physical access is required, which means it usually has to be a physical/targeted attack to impact you. Not much out there to defend against the $5 wrench, and passwords are just as highly vulnerable in that situation.
That's why a _combination_ of things you are (biometrics), things you know (passwords), and things you have (physical keys) is the most advisable method. At least with physical keys involved you are far less likely to be compromised by credentials being leaked or exfiltrated from a database. Public keys are far less useful without the private key to sign with. Passwords alone are not at all superior.
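The questions above ("No PA found", what happens when the registered device is lost, what the fallback is without a sensor or key) all come down to two relying-party decisions: detect what the browser can offer, and let the user enrol more than one authenticator. The following is an added example, not code from the talk or from any library it mentions. It assumes the standard WebAuthn browser API (`PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()`, `navigator.credentials.create()`); the function names, the strategy labels, the stub browser object and the sample credential IDs are constructed for illustration.

```javascript
// Added example: capability detection plus creation options for WebAuthn
// registration. Not from the original talk; names are illustrative.

// Pure classifier so the decision can be unit-tested without a browser.
// "platform"    -> built-in authenticator (Touch ID, Windows Hello, Android)
// "roaming"     -> external security key over USB/NFC/BLE (e.g. a YubiKey)
// "no-webauthn" -> browser lacks WebAuthn; the RP must fall back to another
//                  factor it already supports (the API has no built-in one)
function chooseStrategy(hasWebAuthn, platformAuthenticatorAvailable) {
  if (!hasWebAuthn) return "no-webauthn";
  return platformAuthenticatorAvailable ? "platform" : "roaming";
}

// Probe the browser. `win` defaults to the real global object; pass a stub
// when running outside a browser. A "No PA found" result maps to "roaming".
async function probeSupport(win = globalThis) {
  const pkc = win.PublicKeyCredential;
  const hasWebAuthn = typeof pkc === "function";
  let platform = false;
  if (hasWebAuthn &&
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    platform = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  return { hasWebAuthn, platform, strategy: chooseStrategy(hasWebAuthn, platform) };
}

// Build the argument for navigator.credentials.create(). `existingCredentialIds`
// are the raw IDs (BufferSource) already registered for this user; listing them
// in excludeCredentials makes an already-enrolled authenticator refuse, so the
// user ends up enrolling a *different* device as the spare. attestation "none"
// keeps attestation/authenticator-type choices out of the user-facing form.
function buildCreationOptions({ challenge, rpId, rpName, userId, userName,
                                strategy, existingCredentialIds = [] }) {
  const authenticatorSelection = { userVerification: "preferred", residentKey: "preferred" };
  if (strategy === "platform") authenticatorSelection.authenticatorAttachment = "platform";
  if (strategy === "roaming")  authenticatorSelection.authenticatorAttachment = "cross-platform";
  return {
    publicKey: {
      challenge,                                   // fresh random bytes from the server
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },           // ES256
        { type: "public-key", alg: -257 },         // RS256
      ],
      authenticatorSelection,
      excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
      attestation: "none",
      timeout: 60000,
    },
  };
}

// Demo with a constructed stub that behaves like a browser whose platform
// authenticator check reports "not available" (the "No PA found" case).
const stubBrowserNoPA = {
  PublicKeyCredential: function () {},
};
stubBrowserNoPA.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
  async () => false;

probeSupport(stubBrowserNoPA).then((support) => {
  const opts = buildCreationOptions({
    challenge: new Uint8Array(32),                 // constructed; use server randomness
    rpId: "example.com",
    rpName: "Example RP",
    userId: new Uint8Array([1, 2, 3, 4]),
    userName: "alice",
    strategy: support.strategy,
    existingCredentialIds: [new Uint8Array([9, 9, 9])], // constructed: one key already enrolled
  });
  console.log(support.strategy, opts.publicKey.authenticatorSelection);
});
```

In a real page the returned object is passed straight to `navigator.credentials.create(opts)`; the server then stores the new credential ID alongside the existing one, which is what lets a spare YubiKey or a second phone log in after the first device is lost.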
Insightful overview!
This is very helpful and informative. Thanks!
Great video. Thanks!
Just the explanation I was missing
Good intro!
Great talk, fluid speaking.
"Kelly Robinson"... quintessential English name.
Your voice is beautiful, use it more.
Agree. Without the vocal fry, please.