International PHP Conference 2019 - Spring Edition - Berlin
The Future of Authentication
WebAuthn with PHP
Arne Blankerts
Co-Founder, The PHP Consulting Company
Passwords are a shared secret
How to find a good password
A good Password policy?
Must contain numbers
Must contain mixed case
Must contain special char
Must be at least 5 characters long
...
A good password?
theseer@nyda ~ $ pwgen -syn 32 1
O;v;RzO/5z:4`!VF0onL&Tb"Cq*+h4/R
⟫ Your password contains illegal chars.
A good enough password?
theseer@nyda ~ $ pwgen -sn 32 1
YN1XCWvo10fxD816xdSIjYVrC5b4jaCO
⟫ Your password is too long.
"Do I really want to sign up here?" - password
theseer@nyda ~ $ pwgen -synB -r \" 10 1
+{-LmJC4~#
⟫ Password successfully set.
https://xkcd.com/936
⟫ Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
Yet, every major website and service uses passwords
Most of them had security breaches
Password got stolen
Sites should not be trusted to store passwords
How to avoid using passwords?
Remember me
HTTPS
Client Side Certificates!
Client Side Certificates with NGINX
    server {
        listen 443;
        ssl on;   # deprecated since nginx 1.15.0; newer configs write "listen 443 ssl;" instead
        ssl_certificate     /etc/ssl/certs/not_self_signed.crt;
        ssl_certificate_key /etc/ssl/private/not_self_signed.key;
        ssl_session_timeout 5m;

        ssl_client_certificate /etc/ssl/ca/certs/ca.crt;     # the CA that issued the client certificates
        ssl_crl                /etc/ssl/ca/private/ca.crl;   # revoked client certificates
        ssl_verify_client      on;                           # handshake fails without a valid client certificate

        location / {
            fastcgi_param VERIFIED $ssl_client_verify;   # "SUCCESS" by the time PHP runs; still check it in PHP
            fastcgi_param DN       $ssl_client_s_dn;     # subject DN: the identity PHP maps to a user account
            include fastcgi_params;
        }
    }
Keep passwords?
Just reduce impact of stolen passwords
Two Factor Authentication
One Time Passwords
via SMS
RSA Key
OTP Application on Phone or USB Key
https://yourbank.com.5xefxd232exfgcetre.totallylegit.ru
aka Phishing: a look-alike site proxies the login to the real site and relays both the password and the one-time code while the code is still valid, so OTP-based second factors do not stop it
Passwords don't work.
Time for something new.
WebAuthn
Official W3C Standard
A sub-spec of FIDO2 specs
Public keys for authentication in browsers
Registration
Parties: User, Browser, Server, FIDO2-HW (the security key)
1. Browser -> Server: Fetch registration page
2. Server -> Browser: HTML + JS
3. Browser -> Server: Fetch args
4. Server -> Browser: Create args (the options for creating a credential, including a fresh challenge)
5. Browser -> FIDO2-HW: Create key
6. FIDO2-HW -> User: Go? (asks the user to touch the key)
7. User -> FIDO2-HW: Go!
8. FIDO2-HW -> Browser: Public key & Signature
9. Browser -> Server: Public key & Signature (the server verifies the response and stores the public key for this user)
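The browser's part of the registration steps above, as an added example that is not code from the talk: it decodes the server's JSON "Create args" into the binary-typed options that navigator.credentials.create() requires, and encodes the resulting credential for the trip back to the server. The two endpoint URLs (/webauthn/register/args and /webauthn/register) and base64url as the transport encoding are assumptions; the WebAuthn API calls themselves are the standard ones.

```javascript
// Browser side of the registration flow: JSON "Create args" -> navigator.credentials.create()
// -> JSON "Public key & Signature". Added example, not from the talk; the endpoint URLs are assumed.

function b64urlToBuffer(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)).buffer;
}
function bufferToB64url(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// The server sends challenge, user.id and excludeCredentials[].id as base64url strings
// (JSON has no binary type); the WebAuthn API wants them as BufferSource.
function toCreationOptions(args) {
  return {
    ...args,
    challenge: b64urlToBuffer(args.challenge),
    user: { ...args.user, id: b64urlToBuffer(args.user.id) },
    excludeCredentials: (args.excludeCredentials || []).map((c) => ({ ...c, id: b64urlToBuffer(c.id) })),
  };
}
// What the server needs to verify and store: the credential id and both attestation members.
function serializeCredential(cred) {
  return {
    id: cred.id,
    rawId: bufferToB64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToB64url(cred.response.clientDataJSON),
      attestationObject: bufferToB64url(cred.response.attestationObject),
    },
  };
}
// "Fetch args" -> "Create args" -> "Create key" -> "Public key & Signature", as run by the page's JS.
async function registerSecurityKey() {
  const args = await (await fetch('/webauthn/register/args', { method: 'POST' })).json();
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(args) });
  const res = await fetch('/webauthn/register', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeCredential(cred)),
  });
  return res.ok;
}
```

The login flow is the mirror image: decode allowCredentials[].id and the challenge, call navigator.credentials.get(), and send back authenticatorData, clientDataJSON and signature encoded the same way.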
Authentication (Login)
Parties: User, Browser, Server, FIDO2-HW (the security key)
1. Browser -> Server: Fetch login page
2. Server -> Browser: HTML + JS
3. Browser -> Server: Challenge?
4. Server -> Browser: The challenge (fresh random bytes, used once)
5. Browser -> FIDO2-HW: Please sign challenge
6. FIDO2-HW -> User: Go? (asks the user to touch the key)
7. User -> FIDO2-HW: Go!
8. FIDO2-HW -> Browser: Signature
9. Browser -> Server: Signature (the server verifies it against the public key stored at registration)
[Photo of a security key] Photo Copyright by Yubico, https://www.yubico.com/product/security-key-nfc-by-yubico-2-pack
WebAuthn & PHP
As the relying party (aka server side)

PHP libraries for the relying party:
https://github.com/web-auth/webauthn-framework
  Comes with ready-to-use Symfony bundles
https://github.com/asbiin/laravel-webauthn
  LaravelWebauthn is an adapter to use WebAuthn on Laravel; uses the above library
https://github.com/Firehed/u2f-php
  An implementation of the FIDO U2F server protocol in PHP
https://github.com/lbuchs/WebAuthn
  A simple PHP WebAuthn (FIDO2) server library
https://github.com/madwizard-thomas/webauthn-server
  Early stage of development
WebAuthn Demos
https://webauthn.io/
https://webauthn.me/
https://demo.yubico.com/webauthn/
https://webauthn.lubu.ch/
  Demo for lbuchs' WebAuthn implementation
Browsers with WebAuthn Support
Firefox 60+ (only USB authenticators supported)
Chrome 67+ (Chrome 70+ on Android)
Opera 54+
Edge 18+
With WebAuthn ...
no passwords needed
no more weak passwords
no password reuse
only public keys and credential IDs are stored on the server, nothing a breach could turn into a usable credential
users do not need to trust the website with a secret
phishing fundamentally does not work: the browser binds each key to its origin (the RP ID), so a look-alike domain cannot obtain a valid signature
Read up more on https://webauthn.guide/
Thank you
https://thephp.cc [email protected] @arneblankerts