With the stable release of EOSIO 2 introducing support for WebAuthn, application developers can begin integrating support for YubiKeys and other WebAuthn enabled 2FA devices in their applications. Today we are excited to announce a WebAuthn Example Application update that provides a walkthrough for developers interested in integrating WebAuthn in their projects to use a device like a YubiKey for two-factor authentication (2FA) when signing transactions.
WebAuthn, a standard developed within the World Wide Web Consortium (W3C) by notable technology companies, allows hardware devices, like YubiKeys, to be used for secure 2FA in a browser without extensions or other software installed on your device. We are excited to see EOSIO developers build support for WebAuthn 2FA in EOSIO applications.
Support for WebAuthn in EOSIO is a step towards more secure and seamless authentication in blockchain applications. We encourage application developers to join the first wave of early adopters testing the applications of this technology for blockchain platforms and we will continue to investigate mechanisms to support startup and enterprise grade applications of this innovative technology.
The Problem with Passwords
Relying solely on password-based credentials isn’t always enough. Malicious actors use numerous methods to trick unsuspecting users: phishing attempts, physical security breaches, corrupt websites or embedded links, or even messages impersonating a friend or coworker sent to trick someone into clicking a bad link. When criminals are successful, servers can be breached and passwords exposed.
WebAuthn 2FA introduces a more robust security layer for high-risk transactions, augmenting existing best practices in blockchain applications. A WebAuthn-enabled device, like a YubiKey, can be registered with each application a user wants to authenticate with; registration creates a separate key pair for each application. The public key is shared only with that specific application and the private key never leaves the YubiKey. Once registered, a user can provide 2FA verification for blockchain transactions with just a tap of their YubiKey. Enabled as a 2FA layer, WebAuthn devices can diminish illicit account access.
By keeping 2FA credentials entirely within hardware devices, and by having the browser bind each signature to the web origin that requested it, WebAuthn has been shown to essentially mitigate entire classes of attacks such as phishing: a credential exercised on a look-alike site yields a signature the genuine application rejects. Users remain protected because, without the hardware device to verify, criminals who normally rely on stolen passwords can’t bypass 2FA roadblocks.
How It Works
We have released an updated WebAuthn Example Application for reference that describes how developers can integrate a WebAuthn based 2FA layer for users signing transactions considered high-risk. Developers should note that in order to successfully use a 2FA device like a YubiKey with the WebAuthn Example Application, they will need to reference the EOSJS V21.0.0 Release Candidate until a stable release is available.
In the example app, a user logs in to a property rental application called Tropical. In the application there are two types of possible transactions: low-risk transactions “liking” properties, and high-risk transactions “renting” properties. The user follows the steps to designate a YubiKey as their 2FA method for high-risk “renting” property transactions.
First the user logs in. Next they select “Enable WebAuthn 2FA” from a dropdown menu. WebAuthn 2FA pairing works with either a built-in sensor, such as the Touch ID reader on a MacBook Pro, or a USB security key, such as a YubiKey. Users make their selection and activate the chosen device by touching the Touch ID sensor, inserting their YubiKey into a USB port, or holding their YubiKey within range of the device’s NFC reader. After a final verification, their 2FA method of choice is registered.
When a user performs a high-risk activity that requires 2FA, the client requests a challenge from the server. The server returns a fresh challenge bound to the concrete data of that activity, in this case the property being rented. The client then prompts the user to verify by way of 2FA: the device signs the challenge with the private key it holds, and the signature is checked against the public key registered for that user. Once verified, the challenge is wrapped as a provably authenticated transaction which is then broadcast to the chain.
Developers can refer to the WebAuthn Example Application release notes for an in-depth walkthrough of steps to follow to enable WebAuthn based 2FA and provide users additional security for high-risk transactions.
Community Developer Feedback
This example application is built to show how to support WebAuthn in an EOSIO Application, but we are excited to see how the developer community tests and adopts this functionality in production environments. We are currently seeking feedback from developers who integrate WebAuthn in their EOSIO applications to help us understand additional use cases where this technology may be beneficial in EOSIO applications.
EOSIO branded YubiKeys will soon be available for developers to start integrating support for WebAuthn in EOSIO applications. Join first movers and help create a safe and secure ecosystem by building 2FA support in your application today.
Stay Connected
We’re committed to bringing innovative solutions, such as WebAuthn 2FA, to the EOSIO ecosystem. If you would like to offer feedback and work more closely with our team to improve EOSIO for developers, you can send our developer relations team an email at developers@block.one.
. . .
Important Note: All material is provided subject to this important notice and you must familiarize yourself with its terms. The notice contains important information, limitations and restrictions relating to our software, publications, trademarks, third-party resources and forward-looking statements. By accessing any of our material, you accept and agree to the terms of the notice.