A year or so ago, I blogged about the wonderful world of passwordless and how WebAuthn was going to save the world! Out go insecure passwords, with their terrible user experience and their contribution to data breaches, and in comes a standards-driven, crypto-based, technology-agnostic way of authenticating a user. The panacea! Well, the panacea might just be getting a little better.
Take a look at the above blog for a quick "reccy" on how WebAuthn works and the main flows. TLDR; we're using public/private key pairs for each website or service we want to authenticate against. The private key gets stored somewhere safe - namely within the dedicated USB authenticator fob, or within the secure element on an operating system.
In ForgeRock Access Management 7.0 EA, the WebAuthn registration authentication node has been modified to include a "Username to device" switch. This essentially allows a user handle to be sent back down to the authenticator, assuming the authenticator supports this. Not all will, of course, depending on capability.
[Figure: AM 7 WebAuthn reg node, with "Username to device" switch enabled]
I then create a simple registration tree to mint some new creds upon login. Again, username and password are used for the initial level of assurance; that can easily be switched out for whatever measures are needed, but it is fine for demo purposes:
[Figure: Simple WebAuthn reg tree]
For the demo, I'm using a Yubikey 5. This isn't a specific plug for Yubico; lots of other vendors offer authenticators that could perform this use case. Take a look at Google's Titan, or Feitian by FTSafe. There are lots more; see the FIDO2 certified authenticators list. If you're really bored you could probably make your own using Google's OpenSK project.
[Figure: A picture of a Yubikey 5 to save you Googling. That's the black one, the blue is my front door, purple my side door.]
So what does this flow look like? The only major change is that there is now a local authentication action, to be able to read/write the username data to the fob. This is done with a PIN. The second action is the proof of presence, where I tap the 'y' thumb-print sensor to carry on the flow.
[Figure: WebAuthn username-less registration flow]
I then create a corresponding username-less login tree. This tree is even simpler, with essentially only one node. Again, in the real world, you'd probably handle the failures a lot better.
[Figure: AM 7 WebAuthn flow, specifically for username-less login]
So what does this flow look like when it comes to actually logging in? Well, as you guessed, as soon as I trigger the authentication event I am not prompted for my username - simply my PIN to unlock my local Yubikey, along with the proof-of-presence tap.
[Figure: AM7 WebAuthn username-less login flow]
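To make the two flows above concrete, here is an added example (my own illustration, not ForgeRock's or Yubico's code) of what the relying party side has to do differently for username-less WebAuthn: ask for a resident credential with user verification at registration, send no username or allowCredentials list at login, and then identify the user purely from the user handle the authenticator returns, after checking the rpIdHash and the UP/UV flags in the authenticator data. The RP ID, the user directory and the sample assertion bytes are all constructed for the example; signature verification with the stored public key is a separate step and is not shown.

```python
import base64
import hashlib
from typing import Optional

RP_ID = "example.com"  # assumption: the relying party ID used by the demo
# Constructed user directory: opaque user handle chosen at registration -> username
USERS_BY_HANDLE = {b"\x01\x02\x03\x04": "alice"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def registration_options(username: str, user_handle: bytes, challenge: bytes) -> dict:
    """PublicKeyCredentialCreationOptions for a 'username to device' registration:
    the handle in user.id is what the authenticator stores on the fob."""
    return {
        "rp": {"id": RP_ID, "name": "Demo RP"},
        "user": {"id": b64url(user_handle), "name": username, "displayName": username},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
        "authenticatorSelection": {
            "residentKey": "required",        # store the credential + handle on the key
            "requireResidentKey": True,       # older-spec spelling of the same request
            "userVerification": "required",   # forces the PIN (or biometric) prompt
        },
    }


def login_options(challenge: bytes) -> dict:
    """PublicKeyCredentialRequestOptions with no username and an empty
    allowCredentials: the authenticator picks the resident credential for RP_ID."""
    return {"rpId": RP_ID, "challenge": b64url(challenge),
            "allowCredentials": [], "userVerification": "required"}


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte authenticator data header: rpIdHash, flags, counter."""
    flags = auth_data[32]
    return {"rp_id_hash": auth_data[:32], "up": bool(flags & 0x01),
            "uv": bool(flags & 0x04), "counter": int.from_bytes(auth_data[33:37], "big")}


def resolve_user(auth_data: bytes, user_handle: Optional[bytes]) -> Optional[str]:
    """Identify the user from the assertion alone; returns None when any check fails."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return None                      # assertion was made for a different RP
    if not (parsed["up"] and parsed["uv"]):
        return None                      # touch (UP) and PIN (UV) must both be set
    return USERS_BY_HANDLE.get(user_handle) if user_handle else None


def sample_auth_data(flags: int) -> bytes:
    """Constructed authenticator data header for the tests above (counter = 7)."""
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
```

A real deployment would also verify the signature over authenticatorData || SHA-256(clientDataJSON), check the challenge and origin in clientDataJSON, and compare the counter against the stored value.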