Do you or someone you know reuse passwords? How much entropy do your passwords have? Have you selected passwords that are truly random? Do you and your entire family use a password manager? In 2022, over 24 billion passwords were exposed by hackers. With passwords, attackers can steal your identity, money, and leverage your computing resources to attack other users.
Passwords are a way of life, but do they have to be? WebAuthn is probably best known for its ability to provide multi factor authentication, but it has more recently gained attention under the name Passkeys as a replacement for passwords.
In this session, Rob will teach you all there is to know Passkeys. He will also walk you through a demo Spring application that leverages Passkeys so you can see first hand what it takes to implement Passkeys in your applications.
Many Authenticators do will not work unless https is used & some will not work with localhost. This section discusses how to setup your workspace to use https://example.localhost:8443/ with a certificate that is signed by a trusted CA.
For security reasons, many Authenticators do not allow using localhost as the host for WebAuthn. The WebAuthn specification requires that the RP ID is a valid, effective domain. See w3c/webauthn#1204 for details.
https://datatracker.ietf.org/doc/html/rfc2606#section-2[RFC2606 states] that .localhost is a valid TLD that is typically mapped to `127.0.0.1`. This means that we can use example.localhost as our host name.
NOTE: If this does not resolve to 127.0.0.1, you can https://docs.rackspace.com/docs/modify-your-hosts-file[edit your hosts file] to map passkeys.localhost to 127.0.0.1.
+
127.0.1.1 example.localhost
This repository is exploring multifactor authentication with webauthn. To follow along on the discussions see spring-projects/spring-security#6842
-
Visit http://localhost:8080/
-
Log in with user / password
-
If you visit http://localhost:8080/ no additional authentication is required
-
If you visit http://localhost:8080/secure you will be prompted for webauthn log in. The first time you will be required to register.
-
Use http://localhost:8080/logout to log out