Hello guys, welcome to the session. today i'm going to discuss about python for passwordless authentication and how can we implement the 502 on the web auth and for a secure feature using the python. So Just want to give some background, right? So why passwordless? the world is, pretty much digital right now, and, with the increasing cyber threats, and the traditional password based authentication is no longer sufficient. the world is marching towards the password less authentication, and that can be achieved using FIDO2, it's something called Fast Identity Online 2. framework and then web auth and ensures a strong and more secure way to authenticate the users Without relying on passwords. So just imagine a world without passwords, right? So It's so cool. It's the user experience will be seamless and It's more secure we can leverage Python and, it's libraries, to do this seamless integration for FIDO2, WebAuthn, using the existing authentication systems. as I said, the key benefits of the passwordless authentications includes enhanced security. And then improve the user experience and then, the compliance, right? all the, at NIST GDPR HIPAA alliances are, forcing all the, Organizations to follow the standards and move towards the passwordless integrations and it also works with Mobile desktop and web applications as well. So just try to understand. Let's try to understand what is Fido 2 and WebAuthn, right? So Fido 2 as I said, it's a fast identity online tool. That's an open authentication standard developed by the Fido alliance so By using that it can we can enable the passwordless authentication by leveraging the public key cryptography So we can go into the details and see how it works in detail also we need to understand what are the key components of a 502 web authen the web authentication api. It's a standard that enables the passwordless authentication via browsers and then there is Ctap p which is client to authenticator protocol. It defines how external authenticators communicate with the browsers. So let's look at how web auth works, right? web auth, simply like you need to understand that's tied to the user device. So user hash to register a device first, the device could be a security key, or a mobile phone or your laptop, or. any iot, right? so user registers with the security key or biometrics, authenticator. as part of the registration, a unique public private key pair, a cryptographic key pair is generated and the public key is stored on the, open server while the private key remains securely on the device. Once the registration process is complete, then the we can also look at the authentication process, right? So whenever for example if you want to do a Face id authentication bar biometrics authentication or retina scan or whatever it is, right? So what happens is the authent server will send a challenge to the client And the client signs the challenge using the private key stored In your device, and, server verifies the signature using the stored public key. And if everything matches, the handshake is good, then, user is allowed to, authenticated and will be allowed to access the resources. So let's take a step and see how we can set up the Fido to WebAuthn with Python, right? So we do have many cloud providers out there. This can be You know this Steps what I'm going to show now will work pretty much with all the famous cloud providers, which manage, which provides the authen, web authen and then the FIDO, FIDO2 capabilities. so the prerequisites are you need to have Python 3. 7 plus versions. anything higher than 3. 7 would do the job and then you either need to have a flask or fast api for the backends and then we need to also download the python, libraries for web 2 So the installation is the first step, right? So we'll have to install the fido 2. packages And then, we'll also take a look at the backend implementation, which is, the code has been provided here. we just need to, import the flask libraries, and then also we need to import the FIDO2 server packages and, public, key credential RP entity package. and then the user registration code is here. we just need to capture the users, users device information and also users, the public key. And then there is this user authentication flow, how the user is authenticated and that's explained here And I know to test this flow, we need to run the flask server and the steps are given here The testing the authentication flow so in order to test, the deployed code, we can use, a current command or rest, API or rest client, for example, the postman to send the post request, to, to register first. As I said, the first step would be to register the. Users, a user device, in order to allow the authentication, the seamless, authentication and then authenticate a user is the second step after registration, testing the authentication, test authentication, using one second. Using this command, right? So you are going to hit the authenticate endpoint again. It's you can request or initiate the request using the curl command or use the postman to find this authenticate endpoint and this will verify the user credentials and return a authentication successful response if the device provided key is matching with what we have on our side with the public key if you want to test with security keys, for example, the security keys could be ub key or a titan security key. These are the physical keys where you need to plug into your device and Use a browser, pretty much all the browsers, all the famous browsers are supported by WebAuthn. you can use Chrome, Edge or Firefox and follow, the prompts to complete the authentication. user device compatibility and the WebAuthn support, right? as I said, WebAuthn is pretty much mature right now and it's, widely accepted by, all the famous browsers across the industry. The most famous ones, as you guys know, are like Chrome Edge, Firefox, and Safari. and then, web Button is also supported by Windows. Hello, or Mac or the Android biometrics. And then, there are web button is again supported by, by using, USBs or NFS, NFC and the Bluetooth security case. so WebAuthn, if you want to test across the devices, here is the website. It's a cool website, webauthn. io. You can use that website to, debug the issues, and look at the request and responses. and then there is, a verify security key, support in the browser settings as well. And troubleshooting, right? So if you guys see any issues while running the code or while registering the device or while authenticating the user, the very common issues are documented here. security key not detected and sure. so if you see a error saying, security key is not detected, ensure that the device supports CT, or invalid credentials error and that key might not be registered properly or, we have to retry the registration, that could be a corrupt, public key or mismatch with the, keys and then the browser and campaign compatibility. so make sure WebAuthn is enabled. in the browser settings. Okay, let me see. So best practices, always enforce the multifactor authentication, combined web bot and with OTP for added security. and then, use the attestations properly. validate all the authenticators using Fido metadata service. or monitor authentication attempts, which is like implement logging for authentication failures and look at the logs and create the alerts, probably if you are using any sim tools you can You know If your logs are flowing into the sim tool Make sure you create the alerts and look at, the authentication failures or the attempts, to flag if there are any, anomalies in the request. So overall, by leveraging the Python to implement the FIDO2 on WebAuthn, Developers can build a robust passwordless authentication system that's both user friendly and highly secure as cyber security threats have all organizations must adopt to modern authentication methods to protect the users and data. so thank you so much for this opportunity. And if you guys want to know more about, Fido two or anything related to web auth and, or if you have any questions, you can reach out to me. I'm available in LinkedIn. my ID is Iram Durkaraju. thanks again for, attending this session.