Awesome
Securing a Website with Passwordless Authentication
In this workshop you will build a simple web application that enables users to register a security key and then use the security key to sign in without typing in a username or password.
<details> <summary><strong>TLDR</strong></summary><p>If you'd rather see the end result without installing the dependencies and going through all the steps then do this (requires docker):
- Clone the repo
git clone https://github.com/YubicoLabs/java-webauthn-passwordless-workshop
- Build the docker image
docker build -t example/demo:latest java-webauthn-passwordless-workshop/4_Authentication/complete/.
- Run the image
docker run -p 8443:8443 example/demo:latest
- Open
https://localhost:8443/
in a CTAP2 compatible browser (Edge on Windows 10 1809+ or Safari Technology Preview on macOS) - Sign in with username
user
and passwordpassword
- Register a security key
- Sign out
- Click
Passwordless sign in
to sign in without typing a username or password
What you'll build:
You'll start with a java web application that secures access to a page with a login form. Then you'll integrate Yubico's WebAuthn Server libraries to enable FIDO2 security key registration and passwordless authentication.
What you'll need:
- Git
- Docker
- JDK 1.8 or later
- Maven 3.2+
- FIDO2 Compatible browser
- MacOS: Safari Technical Preview version 71+
- Windows 10 Version 1809+: Edge
- A favorite text editor or IDE
- A security key
- [Optional] An Azure Subscription. If you already have a subscription you can use it or you can get a free trial here.
High Level Components
FIDO2 Authenticator: The authenticator makes credentials, generates cryptographic proof of user authentication, and manages the PIN.
Client: The client is the bridge between the authenticator and the server. It implements the FIDO2 Client to Authenticator Protocol (CTAP) and the WebAuthn API. The client could be a browser exposing the WebAuthn API to web applications, or an OS subsystem exposing a platform-specific FIDO2 API to native applications such as mobile or desktop apps.
Server: The server, also know as Relying Party or RP, consists conceptually of at least a web server and the server-side portions of a web application, plus a WebAuthn server. The WebAuthn server has a trust store, containing the (public) trust anchors for the attestation of FIDO2 Authenticators. Note: a trust store is needed only if RP cares about attestation metadata.
See the diagram below for a depiction of the server architecture
Additional WebAuthn Resources
If you need more resources to understand WebAuthn and FIDO2 then
- Read the WebAuthn Developer Guide
- Review the Java WebAuthn Server Library Code
- Watch the Developer Videos
Modules
This workshop is split into multiple modules. Each module builds upon the previous module as you expand the application. You must complete each module before proceeding to the next.
- Getting Started
- Credential Repository
- Registration
- Authentication
- Clean Up
Getting Started
Before you begin, make sure you have completed the steps in the Getting Started Module