WebAuthn — web applicationlarga public-key credential yaratish va ular bilan userni autentifikatsiya qilish imkonini beradigan W3C web standarti. To‘liq nomi Web Authentication API. U browser, relying party server va authenticator o‘rtasidagi registration hamda authentication jarayonini belgilaydi.
WebAuthn passwordless login, passkey va phishingga chidamli MFA uchun asosiy web texnologiyalardan biri.
Relying Party
WebAuthn ishlatayotgan website yoki service Relying Party, qisqacha RP deb ataladi.
RP:
- challenge yaratadi;
- registration optionlarini beradi;
- public keyni saqlaydi;
- assertion signature’ni tekshiradi;
- account policy’ni boshqaradi.
RP ID odatda domain bilan bog‘liq.
Client
Client odatda browser yoki platforma componenti.
U web sahifa va authenticator orasida vositachi bo‘ladi.
Client origin, RP ID, user gesture va security qoidalarini tekshiradi.
JavaScript private keyga bevosita access olmaydi.
Authenticator
Authenticator private keyni yaratadi va saqlaydi.
Turlari:
- platform authenticator;
- roaming authenticator;
- hardware security key;
- telefon;
- credential manager.
Authenticator user presence yoki user verificationni bajarishi mumkin.
Registration ceremony
Registrationda server PublicKeyCredentialCreationOptionsga o‘xshash optionlar beradi.
Ular:
- challenge;
- RP ma’lumoti;
- user handle;
- algorithm;
- authenticator preference;
- timeout;
- exclusion list;
- attestation preference
ni o‘z ichiga olishi mumkin.
Client authenticator orqali yangi credential yaratadi.
Public key saqlash
Server registration response’dan credential ID va public keyni oladi.
Shuningdek:
saqlanishi mumkin.
Private key serverga kelmaydi.
Authentication ceremony
Server yangi challenge va request optionlarini beradi.
Authenticator mos credentialni tanlaydi va assertion yaratadi.
- authenticator data;
- client data hashiga bog‘liq signature;
- credential ID;
- user handlega oid ma’lumot
ni o‘z ichiga olishi mumkin.
Server signature va contextni tekshiradi.
Challenge
Challenge cryptographically random va bir martalik bo‘ladi.
Server uni session yoki transaction bilan bog‘laydi.
Javob kelgach challenge qayta ishlatilmaydi.
Bu replay attackni cheklaydi.
Origin
Client data operation qaysi web origin’dan boshlanganini ko‘rsatadi.
Server kutilgan origin bilan solishtiradi.
Phishing sayt o‘z originini haqiqiy domain sifatida ko‘rsata olmaydi.
Origin validation WebAuthnning asosiy himoyalaridan biri.
RP ID
Credential relying party scope’iga bog‘lanadi.
RP ID odatda domain suffix qoidalariga bo‘ysunadi.
Noto‘g‘ri RP ID configuration credentialni boshqa subdomainlarda keraksiz ishlatish yoki loginni buzishga olib kelishi mumkin.
User Presence
User authenticator bilan real interaction qilganini bildiradi.
Masalan, security keyga tegish yoki platform dialogini tasdiqlash.
Server operation uchun user presence flagini tekshiradi.
User Verification
Authenticator userni PIN yoki biometrika orqali tekshirganini bildiradi.
Bank yoki admin operationi user verificationni required qilishi mumkin.
Registration va authentication policy mos bo‘lishi kerak.
Resident va discoverable credential
Discoverable credential authenticator ichida user va RP bilan bog‘liq holda saqlanadi.
Bu username’siz login va passkey tajribasini qo‘llab-quvvatlaydi.
Server user handle’ni stable, non-sensitive binary identifier sifatida tanlashi mumkin.
AllowCredentials
Server ma’lum account uchun ruxsat etilgan credential IDlar ro‘yxatini yuborishi mumkin.
Bu username-first flow’da ishlatiladi.
Discoverable credential flow’da ro‘yxat bo‘sh bo‘lishi va authenticator accountni tanlashi mumkin.
Attestation
Registration response authenticator modeli yoki key originiga oid attestation berishi mumkin.
Attestation format va trust chain tekshiruvi murakkab.
Consumer applicationlar ko‘pincha privacy uchun nonega yaqin yondashuvni tanlaydi.
Signature counter
Ayrim authenticatorlar signature counter beradi.
Server counter kamayishi yoki takrorlanishini cloned authenticator indikatori sifatida ko‘rishi mumkin.
Barcha passkey va authenticatorlar bir xil counter semantikasiga ega emas, shu sababli u yagona rad etish signali bo‘lmasligi mumkin.
Server tekshiruvi
Server kamida:
ni tekshiradi.
Clientdan kelgan “success” qiymatiga ko‘r-ko‘rona ishonilmaydi.
HTTPS
WebAuthn secure contextda ishlaydi.
Production website HTTPSdan foydalanadi.
Origin security private-key credentialning to‘g‘ri relying party bilan bog‘lanishiga asos bo‘ladi.
Client data
Authenticator signature’i browser tayyorlagan client data hashiga bog‘lanadi. Client data challenge, origin va operation turiga oid qiymatlarni o‘z ichiga oladi. Server raw JSON representation va hash validationini ishonchli library orqali bajaradi.
Algorithm
Registrationda relying party qo‘llaydigan public-key algorithm ro‘yxatini beradi. Server key type va signature formatini to‘g‘ri tekshirishi kerak. Faqat algorithm nomiga ishonib, key parameterlarini validation qilmaslik xavfli.
Credential exclusion
Yangi credential yaratishda ayni authenticator allaqachon ro‘yxatdan o‘tgan credentiallarni exclusion list orqali aniqlashi mumkin. Bu duplicate registrationni kamaytiradi. Biroq multi-device passkey va privacy sabab behavior platformaga bog‘liq bo‘lishi mumkin.
Backup signal
Modern credentiallar backup eligible yoki backup state kabi signal berishi mumkin. Relying party assurance policy’da synced va device-bound credentialni farqlashi ehtimoli bor. Signal yagona risk qarori sifatida ishlatilmaydi.
Registration authorization
Yangi WebAuthn credential qo‘shishning o‘zi sensitive operation hisoblanadi. User active sessionga ega bo‘lsa ham server yaqinda kuchli authentication yoki boshqa tasdiq talab qilishi mumkin. Registration tugagach userga notification yuboriladi va credential boshqaruv sahifasida yangi yozuv ko‘rsatiladi.
Bog‘liq tushunchalar
Web Authentication API, Passkey, FIDO2, Relying Party, Authenticator, PublicKeyCredential, Challenge, User Presence, User Verification, Origin