Presented at All Things Open 2023
Presented by Phil Nash - Sonar
Title: The State of Passwordless Auth on the Web
Abstract: Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfil to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision of how authentication could look in the future and a blueprint for how to build the best auth experience today.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
2023 conference: https://2023.allthingsopen.org/
Slide 8:
1. password
2. 123456
3. 123456789
4. guest
5. qwerty
6. 12345678
7. 111111
8. 12345
9. col123456
10. 123123
Source: NordPass Top 200 most common passwords
Slide 13:
- Hard to remember good passwords
- Hard to choose good passwords
- Needs password managers
- Easy to break easy passwords
- Password leaks/credential stuffing
- Vulnerable to phishing
Slide 15:
- Good passwords are easy
- No repetition
- Long, difficult passwords
- Unique passwords
- Still vulnerable to phishing
Slide 29:
- One click logins
- No need to remember passwords
- Easy to break easy passwords
- Password leaks/credential stuffing
- Less vulnerable to phishing
Slide 32:
- Two steps
- Needs another device
- Requires phone signal
- Overcomes poor/leaked passwords with second factor
- Still vulnerable to phishing
- Targeted SMS attacks are possible
Slide 47:
- Two (minimal) steps
- Needs authenticator key or platform authenticator
- Need to either move key around or register multiple devices
- Overcomes poor/leaked passwords with second factor
- Public/private key cryptography, unleakable!
- Phishing resistant!
Slide 50:
- No need for a password
- Relies on email
- Friction
- Pretty secure
Slide 52:
- WebAuthn but with platform authenticator
- Verifies the user on the device
- Authenticates the user with the server
- Syncs across your devices
- Can be used cross device where sync is not possible
Slide 59:
- Detect passkey support and offer it first
- Support multiple passkeys
- Fallback to password with 2FA
- Once a user can use passkeys, upgrade and remove old, weak credentials
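An added example, not code from the talk or from Sonar, of the first and third points on this slide in browser JavaScript: detect passkey support, offer it first, and otherwise fall back to password with 2FA. The function names, the flow labels and the `challenge`/`rpId` parameters are my own; the `PublicKeyCredential` static methods and the `navigator.credentials.get` options are the standard WebAuthn API.

```javascript
// Added example (not the talk's code): choose which login flow to offer first,
// in the order the slide gives: passkey when the browser supports it, otherwise
// password plus 2FA. Assumes the login form's username input carries
// autocomplete="username webauthn" so the browser can surface passkeys
// in its autofill UI (conditional mediation).

// Pure decision logic, kept apart from browser APIs so it can be tested anywhere.
// `caps` holds booleans describing what the browser reported.
function pickAuthFlow(caps) {
  // A platform authenticator (Touch ID, Windows Hello, Android biometrics) is
  // what makes a passkey a one-step login; conditional UI lets the browser
  // suggest passkeys in the username field without a separate button.
  if (caps.webauthn && caps.platformAuthenticator) {
    return caps.conditionalUI ? 'passkey-autofill' : 'passkey-button';
  }
  // Fallback from the slide: password, but always with a second factor.
  return 'password-2fa';
}

// Query the browser. Every feature check is guarded so older browsers that lack
// a method report false instead of throwing. `win` is a parameter only so a
// mock object can be passed in outside a browser; it defaults to the global.
async function detectCapabilities(win = globalThis) {
  const pkc = win.PublicKeyCredential;
  if (typeof pkc !== 'function') {
    return { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  }
  const has = (name) => typeof pkc[name] === 'function';
  const platformAuthenticator = has('isUserVerifyingPlatformAuthenticatorAvailable')
    ? await pkc.isUserVerifyingPlatformAuthenticatorAvailable() : false;
  const conditionalUI = has('isConditionalMediationAvailable')
    ? await pkc.isConditionalMediationAvailable() : false;
  return { webauthn: true, platformAuthenticator, conditionalUI };
}

// Start a passkey login in the autofill case. `challenge` must be fresh random
// bytes issued by the server for every request (a placeholder here), and the
// server must verify the returned assertion against the stored public key.
function startPasskeyLogin(challenge, rpId) {
  return navigator.credentials.get({
    mediation: 'conditional',
    publicKey: {
      challenge,                  // Uint8Array issued by the server
      rpId,
      userVerification: 'required',
      allowCredentials: [],       // empty: any passkey registered for this RP
    },
  });
}
```

In a page, `detectCapabilities().then(pickAuthFlow)` picks the flow to render, and only the autofill and button cases call `startPasskeyLogin`.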