Everything You Want to Know About WebAuthn

  • Published: 19 Jun 2024
  • Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can.
    WebAuthn is a relatively new W3C authentication standard that turns our everyday devices, phones and computers, into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll also look at why it isn't widely adopted yet and whether, or when, we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
    Speakers:
    Kelley Robinson
    __
    You can learn more about WebAuthn and debug it yourself in our site: a0.to/web-authn
  • Category: Science

Comments • 23

  • @LeonardPham
    @LeonardPham 2 months ago

    This was one of the better overviews of WebAuthn that I've watched. It's aged well, considering it was recorded three years ago. Thank you!

  • @susmitt
    @susmitt 2 years ago +3

    Very high quality presentation. Thanks!!

  • @pging8328
    @pging8328 2 years ago +3

    The real hurdle to adoption is getting software developers to implement this (instead of some off-the-rack solution like devise), and even more tricky, is getting management to "OK" developers spending "forever" to implement such an authentication solution.

  • @youmal30
    @youmal30 1 year ago +1

    That was a great introduction. Well done.

  • @LonliLokli
    @LonliLokli 2 years ago +6

    A lot of concerns actually, e.g. how do you verify a user when he logs in from a computer while his key is stored on his mobile?

    • @OddWoz
      @OddWoz 1 year ago +1

      The way I understand it is you would register/authorize each device or otherwise share keys between them. I favor YubiKeys and the “roaming” approach.

  • @bhumijgupta
    @bhumijgupta 2 years ago

    This is very helpful and informative. Thanks!

  • @ryanjohnson4566
    @ryanjohnson4566 1 year ago +1

    Attestation Type & Authenticator Type will just confuse our end users for sure in the form at 6:46. Would there be a more user friendly way to register?

  • @lorimaydeguzman1110
    @lorimaydeguzman1110 2 years ago +2

    The script returned "No PA found" in my browser when I tried it. May I know what should I do to allow support on PA? Thanks a lot!! And great presentation by the way!! :)

  • @solifassalimu1941
    @solifassalimu1941 2 years ago

    Insightful overview!

  • @tyrone9334
    @tyrone9334 2 years ago

    Great video. Thanks!

  • @jeroen5654
    @jeroen5654 2 years ago +2

    Great presentation! One question though: if the computer does not have a finger/face sensor and the user hasn't got a key, what's the fallback scenario of WebAuthn? Can anyone without a finger/face sensor use their Windows/Mac password instead? And can users use this even if their administrators disabled stuff like installing apps, for example?

    • @mahindersingh-wb3ik
      @mahindersingh-wb3ik 1 year ago

      This technology is for the future, not the past. Most laptops and phones will have biometrics.

  • @Unyk-life
    @Unyk-life 3 years ago

    Good intro!

  • @samuelbie2122
    @samuelbie2122 2 years ago +2

    What happens, for example, if I lose the device I registered with? Does this mean that I can only log in from the device I registered with?

    • @OddWoz
      @OddWoz 1 year ago +1

      I use YubiKeys and, for example, with my spares I have to register each one individually so that they both/all work equally in case of loss. I presume that's exactly how it works for mobiles as well. If you do not register a spare/multiple devices, share keys with another device somehow, or use a cloud service (like Authy, not recommended) that will share the keys amongst devices for you, then yes, you would effectively be locked out of the service/account unless they offered backup codes when setting it up or provide an account retrieval process (which can also be a glaring vulnerability depending on how it's implemented).

  • @TheLoGgIDK
    @TheLoGgIDK 1 year ago +1

    Just the explanation I was missing

  • @vmobile890
    @vmobile890 2 years ago +2

    Face, fingerprint and keychain key are easier to steal than a password, by theft or when knocked down or dead.

    • @mahindersingh-wb3ik
      @mahindersingh-wb3ik 1 year ago

      Someone has to rip your face or finger off even if they steal it.

    • @OddWoz
      @OddWoz 1 year ago +1

      Actual physical access is required, which means it usually has to be a physical/targeted attack to impact you. Not much out there to defend against the $5 wrench, and passwords are just as highly vulnerable in that situation.
      That's why a _combination_ of things you are (biometrics), things you know (passwords), and things you have (physical keys) is the most advisable method. At least with physical keys involved you are far less likely to be infiltrated by credentials being leaked or exfiltrated from a database. Public keys are far less useful without the private key to sign with. Passwords alone are not at all superior.

  • @lagz89
    @lagz89 2 years ago

    Great talk, fluid speaking.

  • @raphaelcharlie7199
    @raphaelcharlie7199 2 years ago

    Your voice is beautiful, use it more