Summary of "Going Passwordless - A Practical Guide to Passkeys in ASP.NET Core"
This talk, presented by Martin Bio from Duende (makers of IdentityServer), focuses on implementing passwordless authentication using passkeys in ASP.NET Core, specifically leveraging new features in .NET 10.
Key Technological Concepts and Analysis
Problems with Passwords
- Passwords are hard to remember, often reused, and prone to phishing attacks.
- Developers face risks storing passwords even when salted and hashed.
- Password breaches are widespread, with billions of accounts compromised.
- Multi-factor authentication (MFA) improves security but has usability and recovery issues, especially in low-connectivity scenarios.
Passwordless Authentication via Public Key Cryptography
- The client generates a public/private key pair.
- The private key stays on the client device; the public key is stored on the server.
- Login involves the client signing a challenge with the private key; the server verifies it with the public key.
- This approach mitigates phishing risks by including the origin URL in the signed challenge and prevents replay attacks by using server-issued challenges.
Standards and Evolution
- Universal 2nd Factor (U2F): Introduced hardware security keys with features like user presence (button press), attestation, and signature counters.
- Web Authentication (WebAuthn) and Passkeys: Extend U2F by supporting stateful credentials, revocation, synchronization across devices, and user verification (PIN, biometrics).
- Authenticators can be hardware (e.g., YubiKey) or software (e.g., Windows Hello, macOS biometrics, password managers).
Passkeys in Practice
- Passkeys allow seamless login via biometrics or PIN without passwords.
- They support cross-device synchronization, enabling login on public computers using a phone.
- Browsers and operating systems provide native support through WebAuthn APIs (navigator.credentials.create and navigator.credentials.get).
Product Features and Implementation Guide in ASP.NET Core (.NET 10)
Native Passkey Support in .NET 10
- Integrated into ASP.NET Identity.
- Available in the Blazor Server template with individual authentication.
- Can be added to existing Razor Pages or MVC apps by updating schema version to 3 (to support passkey storage).
Typical Workflow
- Client requests passkey creation or authentication options from the server (JSON with origin, challenge, algorithms).
- Client uses browser API to create or get credentials.
- Credential JSON is posted back to the server for validation and login.
Code Highlights
- Use AddIdentityCore with schema version 3.
- Configure passkey options such as authenticator timeout, allowed cryptographic algorithms, and origin validation.
- New endpoints provide passkey creation options and request options.
- A Blazor component (PasskeySubmit) handles UI and JavaScript interop for passkey operations.
User Experience
- Users can register multiple passkeys and name them for easy management.
- Login UI supports autofill and multiple authenticators.
- Supports fallback to hardware keys or phone-based passkey authentication via QR codes.
Considerations
- Initial registration still requires username/email and password.
- To go fully passwordless, apps can check passkey backup properties and adjust UI accordingly.
- Important to understand relying party ID and origin when deploying passkeys across subdomains or multiple top-level domains.
Tutorials, Guides, and Resources
- The speaker references a blog series and GitHub repository demonstrating passkey integration in Razor Pages.
- Demonstrations include:
- Registering and logging in with passkeys.
- Using multiple authenticators (browser, phone, hardware keys).
- Debugging the flow and inspecting JSON options exchanged.
- A QR code is shared at the end linking to deeper resources on passkeys and WebAuthn.
Main Speaker / Source
Martin Bio, identity and security expert at Duende Software (creators of IdentityServer).
In summary, the video provides a thorough introduction to the limitations of passwords and the security/usability benefits of passkeys. It explains the underlying cryptographic and WebAuthn standards and offers a practical guide to implementing passkey authentication in ASP.NET Core applications using .NET 10’s native support. It includes code walkthroughs, UI examples, and deployment considerations, making it a valuable resource for developers aiming to adopt passwordless authentication.
Category
Technology