Skip to content
This repository has been archived by the owner on Sep 18, 2024. It is now read-only.

Latest commit

 

History

History
46 lines (29 loc) · 2.45 KB

README.adoc

File metadata and controls

46 lines (29 loc) · 2.45 KB

Passkeys…​Yes Please!

Do you or someone you know reuse passwords? How much entropy do your passwords have? Have you selected passwords that are truly random? Do you and your entire family use a password manager? In 2022, over 24 billion passwords were exposed by hackers. With passwords, attackers can steal your identity, money, and leverage your computing resources to attack other users.

Passwords are a way of life, but do they have to be? WebAuthn is probably best known for its ability to provide multi factor authentication, but it has more recently gained attention under the name Passkeys as a replacement for passwords.

In this session, Rob will teach you all there is to know Passkeys. He will also walk you through a demo Spring application that leverages Passkeys so you can see first hand what it takes to implement Passkeys in your applications.

Many Authenticators do will not work unless https is used & some will not work with localhost. This section discusses how to setup your workspace to use https://example.localhost:8443/ with a certificate that is signed by a trusted CA.

Using a Valid Domain

For security reasons, many Authenticators do not allow using localhost as the host for WebAuthn. The WebAuthn specification requires that the RP ID is a valid, effective domain. See w3c/webauthn#1204 for details.

https://datatracker.ietf.org/doc/html/rfc2606#section-2[RFC2606 states] that .localhost is a valid TLD that is typically mapped to `127.0.0.1`.
This means that we can use example.localhost as our host name.
NOTE: If this does not resolve to 127.0.0.1, you can https://docs.rackspace.com/docs/modify-your-hosts-file[edit your hosts file] to map passkeys.localhost to 127.0.0.1.

+

/etc/hosts
127.0.1.1	example.localhost

mkcert

This repository is exploring multifactor authentication with webauthn. To follow along on the discussions see spring-projects/spring-security#6842