Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello guys, welcome to the session. Today I'm going to discuss Python for passwordless authentication and how we can implement FIDO2 and WebAuthn for a secure feature using Python.
So I just want to give some background, right? So why passwordless? The world is pretty much digital right now, and with the increasing cyber threats, the traditional password-based authentication is no longer sufficient. The world is marching towards passwordless authentication, and that can be achieved using FIDO2, it's something called Fast Identity Online 2. That framework and then WebAuthn ensure a strong and more secure way to authenticate the users without relying on passwords.
So just imagine a world without passwords, right? It's so cool. The user experience will be seamless and it's more secure. We can leverage Python and its libraries to do this seamless integration of FIDO2 and WebAuthn with the existing authentication systems. As I said, the key benefits of passwordless authentication include enhanced security, and then improved user experience, and then compliance, right? NIST, GDPR, HIPAA alliances are forcing all the organizations to follow the standards and move towards passwordless integrations, and it also works with mobile, desktop and web applications as well.
So let's try to understand what FIDO2 and WebAuthn are, right? So FIDO2, as I said, is Fast Identity Online 2. That's an open authentication standard developed by the FIDO Alliance, so by using that we can enable passwordless authentication by leveraging public key cryptography. We can go into the details and see how it works in detail. Also we need to understand what the key components of FIDO2 are: WebAuthn, the Web Authentication API. It's a standard that enables passwordless authentication via browsers. And then there is CTAP, which is the Client to Authenticator Protocol. It defines how external authenticators communicate with the browsers.
So let's look at how WebAuthn works, right? With WebAuthn, simply, you need to understand that it's tied to the user device. So the user has to register a device first. The device could be a security key, or a mobile phone, or your laptop, or any IoT device, right? So the user registers with the security key or biometrics authenticator. As part of the registration, a unique public/private key pair, a cryptographic key pair, is generated, and the public key is stored on the server while the private key remains securely on the device. Once the registration process is complete, then we can also look at the authentication process, right? So, for example, if you want to do a Face ID authentication or biometrics authentication or retina scan or whatever it is, right? What happens is the authentication server will send a challenge to the client, and the client signs the challenge using the private key stored in your device, and the server verifies the signature using the stored public key. And if everything matches, the handshake is good, then the user is authenticated and will be allowed to access the resources.
So let's take a step and see how we can set up FIDO2 and WebAuthn with Python, right? So we do have many cloud providers out there. The steps that I'm going to show now will work pretty much with all the famous cloud providers which provide the WebAuthn and then the FIDO2 capabilities. So the prerequisites are: you need to have Python 3.7 plus versions, anything higher than 3.7 would do the job, and then you either need to have Flask or FastAPI for the backend, and then we need to also download the Python libraries for WebAuthn. So the installation is the first step, right? So we'll have to install the fido2 packages. And then we'll also take a look at the backend implementation, the code has been provided here.
We just need to import the Flask libraries, and then also we need to import the FIDO2 server package and the PublicKeyCredentialRpEntity package. And then the user registration code is here. We just need to capture the user's device information and also the user's public key. And then there is this user authentication flow, how the user is authenticated, and that's explained here. And to test this flow, we need to run the Flask server, and the steps are given here. Testing the authentication flow: in order to test the deployed code, we can use a curl command or a REST client, for example Postman, to send the POST request to register first.
As I said, the first step would be to register the user's device in order to allow the seamless authentication, and then authenticating a user is the second step after registration. Testing authentication: using this command, right? So you are going to hit the authenticate endpoint again. You can initiate the request using the curl command or use Postman to hit this authenticate endpoint, and this will verify the user credentials and return an authentication successful response if the device-provided key matches what we have on our side with the public key.
If you want to test with security keys, for example the security keys could be a YubiKey or a Titan Security Key. These are the physical keys which you need to plug into your device, and then use a browser. Pretty much all the famous browsers are supported by WebAuthn. You can use Chrome, Edge or Firefox and follow the prompts to complete the authentication.
User device compatibility and WebAuthn support, right? As I said, WebAuthn is pretty much mature right now and it's widely accepted by all the famous browsers across the industry. The most famous ones, as you guys know, are like Chrome, Edge, Firefox, and Safari. And then WebAuthn is also supported by Windows Hello, or Mac, or the Android biometrics. And then WebAuthn is again supported by using USB or NFC and the Bluetooth security keys. So if you want to test WebAuthn across the devices, here is the website. It's a cool website, webauthn.io. You can use that website to debug the issues and look at the requests and responses. And then there is a verify security key support in the browser settings as well.
And troubleshooting, right? So if you guys see any issues while running the code or while registering the device or while authenticating the user, the very common issues are documented here. Security key not detected: so if you see an error saying security key is not detected, ensure that the device supports CTAP. Or an invalid credentials error: that key might not be registered properly, or we have to retry the registration, that could be a corrupt public key or a mismatch with the keys. And then the browser compatibility: so make sure WebAuthn is enabled in the browser settings.
Okay, let me see. So best practices: always enforce multi-factor authentication, combine WebAuthn with OTP for added security. And then use the attestations properly, validate all the authenticators using the FIDO Metadata Service. Monitor authentication attempts, which is like implement logging for authentication failures and look at the logs and create the alerts. Probably, if you are using any SIEM tools, if your logs are flowing into the SIEM tool, make sure you create the alerts and look at the authentication failures or the attempts, to flag if there are any anomalies in the requests.
So overall, by leveraging Python to implement FIDO2 and WebAuthn, developers can build a robust passwordless authentication system that's both user friendly and highly secure. As cyber security threats grow, all organizations must adopt modern authentication methods to protect the users and data. So thank you so much for this opportunity. And if you guys want to know more about FIDO2 or anything related to WebAuthn, or if you have any questions, you can reach out to me. I'm available on LinkedIn; my ID is Iram Durkaraju. Thanks again for attending this session.
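An added example, not from the speaker's slides or code: the relying-party checks on the signed challenge response that the talk describes (the challenge must match the one the server issued, the origin and RP ID must be ours, user presence must be set, and the signature counter must move forward), written with the Python standard library only. RP_ID and ORIGIN are placeholders, the sample assertion is constructed, and the signature verification itself is left to python-fido2 as in the Flask backend.

```python
import base64, hashlib, json, secrets, struct

RP_ID = "example.com"            # assumed relying-party ID (placeholder)
ORIGIN = "https://example.com"   # assumed expected origin (placeholder)

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def new_challenge() -> str:
    # 32 random bytes; the RP stores it in the session and accepts it exactly once.
    return b64url_encode(secrets.token_bytes(32))

def parse_auth_data(auth_data: bytes):
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return rp_id_hash, flags, sign_count

def verify_assertion(expected_challenge, client_data_json, auth_data, stored_count):
    """Relying-party checks on a webauthn.get response, run before the signature
    check that python-fido2 (or `cryptography`) performs. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch (response was produced for another site)"
    rp_id_hash, flags, sign_count = parse_auth_data(auth_data)
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & 0x01:                      # UP bit: user presence was tested
        return False, "user presence flag not set"
    # Spec rule: if either counter is non-zero, the received one must be larger.
    if (sign_count or stored_count) and sign_count <= stored_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"

def make_sample(challenge, sign_count, origin=ORIGIN):
    # Constructed stand-in for what navigator.credentials.get() would return
    # (not a real capture); flags 0x05 = user present + user verified.
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    ad = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)
    return cd, ad

if __name__ == "__main__":
    ch = new_challenge()
    cd, ad = make_sample(ch, 10)
    print(verify_assertion(ch, cd, ad, 9))      # (True, 'ok')
    print(verify_assertion(ch, cd, ad, 10))     # counter did not increase
```

Each failure reason maps to an event worth logging and alerting on in the SIEM, as the best-practices section recommends.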