Passkeys are a new login credential based on public-key cryptography that replace the need for username and password sign-ins.
Overview
The article discusses the integration of passkeys into Shopify's authentication flows to enhance security and user experience. It details the implementation process, the benefits of using passkeys over traditional methods, and future plans for broader adoption.
What You'll Learn
1
How to implement passkeys in authentication flows using the webauthn-ruby gem
2
Why passkeys provide a more secure alternative to passwords
3
When to use platform authenticators versus roaming authenticators
Prerequisites & Requirements
- Basic understanding of public-key cryptography and authentication mechanisms
- Familiarity with Ruby on Rails and the webauthn-ruby gem(optional)
Key Questions Answered
How do passkeys enhance security in authentication?
Passkeys enhance security by eliminating the need for usernames and passwords, which are susceptible to phishing attacks. Instead, they use public-key cryptography, where the private key remains on the user's device, making it significantly more secure.
What is the process for registering a passkey?
The passkey registration process involves the user enrolling a new passkey, generating a private/public keypair, and verifying the public key against a stored challenge on the server. This ensures that only authorized devices can register passkeys.
What challenges did Shopify face when implementing passkeys?
Shopify faced challenges such as ensuring that passkeys associated with a domain could authenticate across all subdomains and protecting against replay attacks by managing challenges during the verification process.
What is Conditional UI for passkeys?
Conditional UI for passkeys refers to the feature where the passkey provider displays available passkeys proactively during login, improving user experience by reducing the need for explicit actions to use passkeys.
Technologies & Tools
Some links below are affiliate links. We may earn a commission if you make a purchase.
Backend
Webauthn-ruby
Used to implement passkeys in Shopify's authentication flows.
Backend
Ruby On Rails
Framework on which Shop Pay is built.
Key Actionable Insights
1Implement passkeys as a primary authentication method to enhance security and user experience.By adopting passkeys, you can reduce the risk of phishing attacks and streamline the login process for users, leading to higher satisfaction and security.
2Utilize platform authenticators for a seamless user experience.Encouraging the use of built-in device features like biometrics can simplify the authentication process and improve security, making it easier for users to log in.
3Monitor the implementation of Conditional UI to enhance user awareness of passkey availability.As browsers refine their Conditional UI features, understanding user interactions can help optimize the login experience and reduce confusion for new passkey users.
Common Pitfalls
1
Failing to properly manage challenges during the passkey verification process can lead to security vulnerabilities.
It's crucial to save the challenge during verification and verify it upon receiving the public key to prevent replay attacks.
2
Not whitelisting specific subdomains for passkey authentication can lead to unintended access issues.
If passkeys are allowed across all subdomains without restrictions, it may expose users to security risks if not properly managed.
Related Concepts
Public-key Cryptography
Authentication Mechanisms
User Experience Design