build 2016 - p514 - windows hello in microsoft edge
TRANSCRIPT
#Build2016
Windows Hello in Microsoft Edge
Anoosh Saboori, Senior Program Manager
Microsoft Passport & Windows Hello
A multi-factor authentication system built for you and your users
• Achieve higher levels of security while reducing costs
• Increase user convenience with simple unlock gestures

Integrate Microsoft Passport & Windows Hello
[Diagram: Windows 10 apps, Enterprise content, Edge-friendly websites]
Windows Hello in Microsoft Edge - Demo
Anoosh Saboori
Microsoft has contributed this technology to the Fast Identity Online (FIDO) Alliance
Best-in-class security standards should not be kept secret
Integrate Microsoft Passport & Windows Hello
[Diagram: Edge-friendly websites with Windows Hello]

Coming soon: Integrate FIDO Devices
[Diagram: Edge-friendly websites with FIDO Devices]
API overview

```webidl
interface MSCredentials {
    Promise<MSAssertion> makeCredential(MSAccountInfo accountInfo,
                                        sequence<MSCredentialParameters> params,
                                        optional DOMString challenge);
    Promise<MSAssertion> getAssertion(DOMString challenge,
                                      optional MSCredentialFilter filter,
                                      optional MSSignatureParameters params);
};
```
Code Walkthrough: makeCredential

```webidl
Promise<MSAssertion> makeCredential(MSAccountInfo accountInfo,
                                    sequence<MSCredentialParameters> params,
                                    optional DOMString challenge);

interface MSAssertion {
    readonly attribute MSCredentialType type;
    readonly attribute DOMString id;    // Used as key identifier
};

enum MSCredentialType { "FIDO_2_0" };

interface MSFIDOCredentialAssertion : MSAssertion {
    readonly attribute AlgorithmIdentifier algorithm;             // RSASSA-PKCS1-v1_5
    readonly attribute DOMString publicKey;                       // JSON Web Key
    readonly attribute MSAttestationStatement? attestation;       // Returns null
    readonly attribute sequence<MSTransportType> transportHints;  // Always returns "Embedded"
};

enum MSTransportType { "Embedded", "USB", "NFC", "BT" };

dictionary MSAccountInfo {
    required DOMString rpDisplayName;    // ignored
    required DOMString userDisplayName;  // ignored
    DOMString accountName;               // ignored
    DOMString userId;                    // Used as key identifier
    DOMString accountImageUri;           // ignored
};

dictionary MSFIDOCredentialParameters : MSCredentialParameters {
    AlgorithmIdentifier algorithm;       // Set to RSASSA-PKCS1-v1_5
    sequence<AAGUID> authenticators;     // ignored
};

typedef DOMString AAGUID;
```
Code Walkthrough: getAssertion

```webidl
Promise<MSAssertion> getAssertion(DOMString challenge,
                                  optional MSCredentialFilter filter,
                                  optional MSSignatureParameters params);

dictionary MSCredentialFilter {
    sequence<MSCredentialSpec> accept;   // Acceptable list of credential types
};

dictionary MSCredentialSpec {
    required MSCredentialType type;      // Set to "FIDO_2_0"
    DOMString id;
};

dictionary MSSignatureParameters {
    DOMString userPrompt;
};

interface MSFIDOSignatureAssertion : MSAssertion {
    readonly attribute MSFIDOSignature signature;
};

interface MSFIDOSignature {
    readonly attribute DOMString clientData;   // UTF-8 JSON encoding of
                                               // { Challenge: <>, User Prompt: <> }
    readonly attribute DOMString authnrData;   // set to 10000000
    readonly attribute DOMString signature;    // UTF-8 encoding of signature over
                                               // (authnrData || SHA-2 hash of clientData)
};
```
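The two calls above, driven from page script, as an added example that is not code from the deck or from Microsoft. In Edge the provider object is `window.msCredentials`; the wrapper takes the provider as a parameter so the same code can be exercised offline against a constructed stand-in that only imitates the call shapes (placeholder key material, placeholder signature). The names `enrollHelloKey`, `signChallengeWithHello`, `pickCredentialsProvider` and `makeFakeMsCredentials` are this example's own.

```javascript
// Added example, not code from the Build 2016 deck or from Microsoft: a small
// client-side wrapper around the msCredentials API shapes shown above.
// In Edge the real object is window.msCredentials; here the provider is passed
// in so the same code runs offline against the constructed fake at the bottom.

// Registration: calls makeCredential for `userId` and returns the two values a
// relying party must keep, the key id and the JSON Web Key public key.
// Calling this again with the same userId overwrites the previous key in Edge.
async function enrollHelloKey(credentials, userId, challenge) {
  const accountInfo = {
    rpDisplayName: "Example RP",     // ignored by Edge (see the IDL comments above)
    userDisplayName: "Example User", // ignored
    userId,                          // used as the key identifier
  };
  const params = [{ type: "FIDO_2_0", algorithm: "RSASSA-PKCS1-v1_5" }];
  const cred = await credentials.makeCredential(accountInfo, params, challenge);
  return {
    id: cred.id,
    type: cred.type,
    algorithm: cred.algorithm,
    publicKey: JSON.parse(cred.publicKey), // publicKey is delivered as a JWK string
  };
}

// Sign-in: asks Windows Hello to sign a server-issued challenge with the key
// named by `id`, showing `userPrompt` in the Hello dialog. The returned object
// is what the page sends to the server for verification.
async function signChallengeWithHello(credentials, id, challenge, userPrompt) {
  const filter = { accept: [{ type: "FIDO_2_0", id }] };
  const assertion = await credentials.getAssertion(challenge, filter, { userPrompt });
  const { clientData, authnrData, signature } = assertion.signature;
  return { id: assertion.id, clientData, authnrData, signature };
}

// Uses the real API when running in Edge, the constructed fake elsewhere.
function pickCredentialsProvider() {
  if (typeof window !== "undefined" && window.msCredentials) return window.msCredentials;
  return makeFakeMsCredentials();
}

// Constructed stand-in for window.msCredentials. It keeps keys by id and
// returns placeholder key material and a placeholder signature, so it only
// exercises the call shapes, not the cryptography.
function makeFakeMsCredentials() {
  const keys = new Map();
  return {
    async makeCredential(accountInfo, params, challenge) {
      const id = accountInfo.userId;
      keys.set(id, { kty: "RSA", n: "placeholder-modulus", e: "AQAB" }); // replaces any earlier key
      return {
        type: "FIDO_2_0",
        id,
        algorithm: params[0].algorithm,
        publicKey: JSON.stringify(keys.get(id)),
        attestation: null,            // the deck says attestation is not supported yet
        transportHints: ["Embedded"],
      };
    },
    async getAssertion(challenge, filter, params) {
      const accept = (filter && filter.accept) || [];
      const spec = accept.find((s) => s.type === "FIDO_2_0" && keys.has(s.id));
      if (!spec) throw new Error("no matching FIDO_2_0 credential");
      const clientData = JSON.stringify({ challenge, userPrompt: params ? params.userPrompt : undefined });
      return {
        type: "FIDO_2_0",
        id: spec.id,
        signature: { clientData, authnrData: "10000000", signature: "placeholder-signature" },
      };
    },
  };
}

// Walks through both calls end to end.
async function demo() {
  const credentials = pickCredentialsProvider();
  const enrolled = await enrollHelloKey(credentials, "user-42", "enrol-nonce");
  const signed = await signChallengeWithHello(credentials, enrolled.id, "login-nonce", "Sign in to Example RP");
  return { enrolled, signed };
}
```

The challenge passed to both calls should come from the server, never be generated in the page, since the server later checks that the challenge echoed in `clientData` is the one it issued.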
API overview (continued)

MakeCredential
• If the same id is used for makeCredential, keys get overwritten
• Get the public key out of the assertion data structure
• Insert the public key and id into IndexedDB for later usage
• Recommendation: store the id on the server side to protect against deleted cookies

GetAssertion
• Needs a challenge
• Assertion.signature goes to the server
• Support for a contextual string

Other related items
• No delete API; use PIN reset
• No support for attestation; support is coming once the W3C specs have settled down
• Key isolation: keys are isolated between modern apps and the browser, and there is also origin-based isolation based on TLD
Call to Action
• Experiment and prototype with these APIs and give us feedback
• Visit http://aka.ms/fidoblog for more information
• W3C submission links:
  • http://www.w3.org/Submission/fido-web-api/
  • http://www.w3.org/Submission/2015/SUBM-fido-signature-format-20151120/
  • http://www.w3.org/Submission/2015/SUBM-fido-key-attestation-20151120/
© 2016 Microsoft Corporation. All rights reserved.