Notes - MCS
Identification, Authentication and Authorization
FIDO and FIDO2 framework

Passkeys

Passkeys appeared as a way to avoid common authentication problems:

  • Weak passwords

  • Phishing

  • Password/cookie theft

  • Lack of a second factor

  • MITM or Leak

  • Cost of a second factor

They also promote better usability: there is no need to generate, memorize or manage hundreds of passwords.

How

The user's authentication material is used directly on the device and is never exposed to others.

  • Face, fingerprint or PIN code (the PIN can be alphanumeric)

  • The authentication material unlocks the process locally, but it is never sent to the service.

A keypair is generated for each service, and only the public key is stored at the service. A compromise of the service therefore exposes only public keys.

Authentication involves the service, the device, the keys and the user; this gives an implicit second factor, and an external HSM may also be used to hold the keys.

Why it works: no secret is ever exposed to third parties, and the browser checks that the credential matches the domain, which blocks phishing sites and mistyped domains.

Functionality

Device-bound passkeys: device-specific keys that never leave the device, such as those held by typical FIDO2 security keys.

Attestation: the capability to establish the provenance of the authenticator, i.e. to ensure that a genuine authenticator of a known model is the one providing the authentication data.

  • The public key is packed into an attestation object, signed by a private key held by the authenticator.

  • Very flexible, as long as the relying party is able to verify the attestation.

Synced passkeys: the capability to keep passkeys available beyond a single device. The passkeys are backed up and restored wherever they are required.

Limitations

Device support: it is still a new technology, and not every device supports it.

Device dependency: passkeys tend to be device-specific. Cross-device authentication allows linking devices, but the authenticators must support it, and different ecosystems may still not be fully interoperable.

Biometrics are not that safe against local attacks, but most attacks are not local, so passkeys are still better than passwords alone.
