Home

Awesome

Securing a Website with Passwordless Authentication

In this workshop you will build a simple web application that enables users to register a security key and then use the security key to sign in without typing in a username or password.

<details> <summary><strong>TLDR</strong></summary><p>

If you'd rather see the end result without installing the dependencies and going through all the steps then do this (requires docker):

  1. Clone the repo
    git clone https://github.com/YubicoLabs/java-webauthn-passwordless-workshop
    
  2. Build the docker image
    docker build -t example/demo:latest java-webauthn-passwordless-workshop/4_Authentication/complete/.
    
  3. Run the image
    docker run -p 8443:8443 example/demo:latest
    
  4. Open https://localhost:8443/ in a CTAP2 compatible browser (Edge on Windows 10 1809+ or Safari Technology Preview on macOS)
  5. Sign in with username user and password password
  6. Register a security key
  7. Sign out
  8. Click Passwordless sign in to sign in without typing a username or password
<p></details>

What you'll build:

You'll start with a java web application that secures access to a page with a login form. Then you'll integrate Yubico's WebAuthn Server libraries to enable FIDO2 security key registration and passwordless authentication.

What you'll need:

High Level Components

alt text

FIDO2 Authenticator: The authenticator makes credentials, generates cryptographic proof of user authentication, and manages the PIN.

Client: The client is the bridge between the authenticator and the server. It implements the FIDO2 Client to Authenticator Protocol (CTAP) and the WebAuthn API. The client could be a browser exposing the WebAuthn API to web applications, or an OS subsystem exposing a platform-specific FIDO2 API to native applications such as mobile or desktop apps.

Server: The server, also know as Relying Party or RP, consists conceptually of at least a web server and the server-side portions of a web application, plus a WebAuthn server. The WebAuthn server has a trust store, containing the (public) trust anchors for the attestation of FIDO2 Authenticators. Note: a trust store is needed only if RP cares about attestation metadata.

See the diagram below for a depiction of the server architecture alt text

Additional WebAuthn Resources

If you need more resources to understand WebAuthn and FIDO2 then

Modules

This workshop is split into multiple modules. Each module builds upon the previous module as you expand the application. You must complete each module before proceeding to the next.

  1. Getting Started
  2. Credential Repository
  3. Registration
  4. Authentication
  5. Clean Up

Getting Started

Before you begin, make sure you have completed the steps in the Getting Started Module