
Conference, 50 min
Passkeys, one-time tokens: passwordless Spring Security
This talk covers passwordless authentication in Spring Security 6.4, focusing on one-time tokens and passkeys. It explains the theory behind passkeys and demonstrates integrating both methods into applications, highlighting user-friendly flows and the challenges involved in moving away from traditional passwords.

Daniel Garnier-Moiroux
Spring
Room 7
Passwords. They're everywhere, they get leaked... A security nightmare! A workaround is to delegate authentication to a third party, for example using OpenID Connect. But sometimes you can't or don't want to do that - can you go passwordless, with user-friendly flows?
Since version 6.4, Spring Security offers two options: one-time tokens and passkeys. One-time tokens allow for user login without any additional account setup, for example by generating magic links that can be shared via e-mail. Passkeys allow for seamless authentication, using your device's authentication mechanisms, such as Windows Hello, Apple's FaceID and their Android equivalents.
In this presentation, we will briefly go over the theory behind passkeys. Then we will demo how to integrate one-time tokens and passkey support into an existing application, while discussing the specific challenges of those approaches.

Daniel Garnier-Moiroux
Daniel Garnier is a software engineer at Broadcom, working in the identity space and on SSO for applications. He is an adjunct professor at Mines Paris, where he teaches CS and software engineering classes.
He contributes to Spring Security, and has a keen interest in automation and developer productivity.