Evan Lin

Posted on DEV Community. Originally published at evanlin.com.

What Backend Developers Should Know About Passkeys (WWDC22)

---
title: "[TIL][WWDC][Golang] What should you know as a backend developer about the Passkeys feature announced at WWDC22?"
published: false
date: 2022-06-07 00:00:00 UTC
tags:
canonical_url: http://www.evanlin.com/til-apple-passkeys/
---

![image-20220608151748839](http://www.evanlin.com/images/2021/image-20220608151748839.png)

# Background:

Although [WWDC22](https://developer.apple.com/videos/wwdc2022/) is an Apple developer conference, I was quite surprised by the [Passkeys](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys) feature when watching the keynote that day. After waiting for the detailed session, [Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/), the whole session brought many new ideas. So I did some serious research and found that Apple had already laid out the Passkey flow and development method at WWDC21 (see [WWDC21 Agenda: Move beyond passwords](https://developer.apple.com/videos/play/wwdc2021/10106/)). Native support on the phone and in iOS apps, however, only arrived with iOS 16.

# How many ways are there to authenticate?

Passkeys are an authentication method that is more secure than the old password mechanism. Today there are several ways to authenticate:

- **Memorized passwords:**
  - You enter an ID and a password, and it is up to the user to remember them. This is very dangerous, because people often reuse the same password for fear of forgetting it.
- **Password manager:**
  - Examples include Apple/Chrome AutoFill. Here you may not need to remember the password at all (the manager will even generate one for you). The problem is that it is hard to use across systems, or even just across browsers.
- **Security key:**
  - Many commercially available USB security keys (other transports are also available) let you log in to some websites directly through the key.

You can take a look at the summary presented at WWDC of the relative security levels of the methods above.

![image-20220608161334928](http://www.evanlin.com/images/2021/image-20220608161334928.png)

(From:[WWDC21 Agenda: Move beyond passwords](https://developer.apple.com/videos/play/wwdc2021/10106/) )

![image-20220608152142705](http://www.evanlin.com/images/2021/image-20220608152142705.png)

(from [WWDC22 Session: Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/))

# What are Passkeys?

## Passkey

- Passkeys are an authentication method built on WebAuthn and FIDO2.

![image-20220608170126374](http://www.evanlin.com/images/2021/image-20220608170126374.png)

(Edit on [PlantText](https://www.planttext.com/?text=SoWkIImgAStDuU8goIp9ILLuENtEisbx508IYukpKokB5PxFQdc-RTFprJEVjNS-dxBY-UmT81LT3IyMJdwsjV7vYkx73KrSN4_sxWTAlcXeLR3HrRLJUDRP_MpbV2k5bmtzBnlx5DmyNVoD580YJpks0SrxiQhtnTfEZHVjdI-RL-WeFEjfVxwbMvCBeWbY0CHAAuMdJPjVDZGg19GcvMGcAtYdLiAC34zDSYmjoSXJ05lla9gN0lG30000))

This is just a simple technical summary diagram: passkeys are built on FIDO2 and WebAuthn. What is new is the broader support across the iOS ecosystem:

- Native support in iOS 16 apps and Safari (Safari on iOS 15 already supported it, but the app side did not)
- Backed up through iCloud (which, as [many developers point out](https://blog.hypr.com/what-apples-wwdc-passkeys-announcement-means-for-enterprise-iam), is the only insecure point)
- Passkeys can be shared with other trusted people.

![image-20220608152153013](http://www.evanlin.com/images/2021/image-20220608152153013.png)

The overall flow is as follows:

- The server encrypts a piece of data with the public key.
- The phone (or browser) decrypts it with the private key and returns it.
- After authentication, the server confirms that the data is correct.

# As a backend developer, how should you apply WebAuthn?

To implement Passkeys, you need to put together the following:

- A FIDO2 package
- The server-side packages developed against WebAuthn

When you look for a WebAuthn package you will first come across [https://github.com/duo-labs/webauthn](https://github.com/duo-labs/webauthn); it is used as follows:

- Try it out: https://webauthn.io/
  - Choose the authenticator type:
    - Cross-platform means a security key
    - Platform (TPM) goes through FIDO2
- Open-source package: [https://github.com/duo-labs/webauthn](https://github.com/duo-labs/webauthn)

![image-20220608191211814](http://www.evanlin.com/images/2021/image-20220608191211814.png)

### Using WebAuthn as a SaaS: Hanko

This sounds a bit troublesome, but I saw that a company, [Hanko](https://www.hanko.io/), offers a related SaaS API (the free tier should be enough). You can refer to their article [Passkeys for web authentication](https://www.hanko.io/blog/passkeys-part-1); they also have an open-source package that can be used.

### Developing WebAuthn and Passkeys in Go

[https://github.com/teamhanko/apple-wwdc21-webauthn-example](https://github.com/teamhanko/apple-wwdc21-webauthn-example)

Hanko also provides a [sample website](https://apple-passkey.demo.hanko.io/) if you want to play with it directly.

![image-20220608182120053](http://www.evanlin.com/images/2021/image-20220608182120053.png)(link: [https://apple-passkey.demo.hanko.io/](https://apple-passkey.demo.hanko.io/))

I kind of want to adapt it into another version, but it doesn't seem to have a complete, well-organized flow. In fact, the flow really is a bit troublesome: in addition to storing the user name, you also have to store the public key. Although it is quite simple for the user, backend developers actually have quite a lot to do.

# Conclusion:

Passkeys are the passwordless solution Apple proposed at last year's WWDC. They not only move the generation of the login credential's keys onto the phone but also make logging in simple and fast. This opens up a new authentication method for websites and services in the future, but the development process is still quite cumbersome on the server side, and the OpenID logins of many major websites do not support it yet. If more and more websites support it in the future, I believe the truly passwordless day will come.

I won't go into the development side of these examples this time. I'll play with it for a few days and put together a quick deployment version for everyone!

# Reference

- [Apple Doc: Supporting Passkeys](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys)
- [WWDC22 Session: Meet passkeys](https://developer.apple.com/videos/play/wwdc2022/10092/)
- [WWDC21 Agenda: Move beyond passwords](https://developer.apple.com/videos/play/wwdc2021/10106/)
- [FIDO2: Web Authentication (WebAuthn)](https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/)
- [Passkeys for web authentication](https://www.hanko.io/blog/passkeys-part-1)
- [What Apple’s WWDC Passkeys Announcement Means for Enterprise IAM](https://blog.hypr.com/what-apples-wwdc-passkeys-announcement-means-for-enterprise-iam)
- [duo-labs/webauthn (GitHub)](https://github.com/duo-labs/webauthn)
- [WebAuthn.io: A demo of the WebAuthn specification](https://webauthn.io/)