710

December 29th, 2023 | #passkeys #authentication #security

A Passwordless Future: Passkeys with Anna Pobletts

Discussion on passkeys, a new way to log in that is passwordless and phishing resistant while also improving usability. Covers what they are, how they work, benefits over passwords, and the timeline for adoption.

Topic 0 00:00

Transcript

Announcer

I sure hope you're hungry.

Announcer

Hoo. I'm starving.

Announcer

Wash those hands, pull up a chair, and secure that feed bag, because it's time to listen to Scott Tolinski and Wes Bos attempt to use human language to converse with and pick the brains of other developers. I thought there was gonna be food, so buckle up and grab that old handle because this ride is going to get wild.

Announcer

This is the Syntax supper club.

Topic 1 00:33

Intro to passkeys

Wes Bos

Welcome to Syntax. Today, we have an episode on passkeys.

Wes Bos

This is kind of an interesting one. It's it's one of those things, like, I've been hearing about it for 6 months, and I sort of sat down the other day and went through it both as, like, a a technical user, as somebody who likes to understand what's happening with password and password management, as well as, like, a developer who probably will have to implement this thing into the platforms that we use in the next in the next little while. So this is going to be an awesome one. We have Anna Pobletts on.

Wes Bos

She is the CTO of Passkeys, which is a

Guest 2

what what do you call it, Anna? Like, it's a part of 1Password? Yeah. So I was the CTO of Passage, which was a passwordless company that was acquired by 1Password.

Guest 2

Now we sort of operate as a,

Wes Bos

A business line within 1Password that's a separate product from, you know, the password manager that everyone knows about. Awesome. Yeah. So it seems like 1Password is sort of charging ahead with a lot of this passkey things. And I'm going to just start it off real quick and sort of talk about why I think we need passkeys and then we'll get into to what it is. And essentially, it's like a passwordless future, which I'm pretty excited about. And the reason why I'm really excited about is because, like, for me, I use 1Password. I use 2 factor authentication, and my life is in pretty good shape with that type of stuff.

Wes Bos

But you know who doesn't is literally everybody else in my life that's not as super technical as I am. Right? We talk about normal people on this podcast quite a bit, and normal people don't use 2 factor authentication.

Topic 2 02:04

Normal people don't use security measures

Wes Bos

Normal people don't use backup keys, or if they do, they email them to themselves.

Wes Bos

Normal people. Well, a lot of people do use password managers, but I think most people still don't use a password manager.

Wes Bos

And what ends up happening is they get locked out. They don't wanna use 2 factor, and then you start seeing, like, places like my bank. My bank does not support 2 factor authentication Really? In terms of, like, the thing.

Wes Bos

Well, you it it does, but it they have to text you. And we all know there's SIM swapping and and all that type of stuff. So and I guarantee the bank doesn't wanna do it. You probably have more insight than I do, but the bank doesn't wanna do it because, like, what happens if you get locked out? Then you gotta, like, verify that this person is right and you got to send a picture of your passport and, like, that can be spoofed really easily. And it's it's just a nightmare. So I think passkeys like, you know, what people do have is they have a phone in their pocket, and they have a laptop with a fingerprint reader or Windows Hello on it. And, I think, it's going to be the replacement for 2 factor auth in making things very, very secure. So,

Topic 3 03:28

What are passkeys?

Guest 2

welcome, Anna. Thank you so much for coming on. Yeah. Excited to be here, and I totally agree. We can replace multifactor. We can replace passwords, all of it. Awesome. Well, let let's start there. What what are passkeys? Yeah. So at a really high level, passkeys are just a new way to log in to apps and websites that is fully passwordless.

Guest 2

The idea is that passkeys are both more secure, and they're more user friendly than passwords, which is a a really big win on both of those departments. Right? Yeah. So before we talk about, like, sort of the technical ins and outs of how they work, I think it can be helpful to kinda go back to, like, the beginning of why passkeys. Like, why do we even need a new way to log in? What's wrong with passwords? And I think, you know, no one likes passwords. No one's like, this is how I wanna log in to my apps and websites for eternity.

Guest 2

But I think it for me, it really comes down to the fact that it puts all of the burden on a user to be secure. Right? Even like, if you use a password manager, it's a little bit better, for sure. But, you know, my mom doesn't, despite the fact that I work for a password manager. And so she has to think up her passwords and remember good ones, and, you know, hopefully not write them down on a piece of paper. So all the work is on, like, you as a person to make sure you're being secure with passwords.

Guest 2

And so the goal with passkeys is to remove that, like, human element, that human error from logging into apps and websites by giving you this experience where the security is just built straight into the technology.

Guest 2

So back to kind of what it is and how it works. When you use a passkey to log in to a website, it's really just going to look and feel like you're unlocking your device. It's gonna be your Face ID, your Touch ID, your Windows Hello, maybe a YubiKey if you're one of the rare people who use those in your day to day life.

Guest 2

And then behind the scenes, what's happening is passkeys are built on public key cryptography, which has been around for a really long time. It's the basis for a lot of other technologies that that we all use in our day to day life, even if we don't realize it. And so when a user creates an account with a new website, a unique private and public key are generated. The private key is stored securely on the user's device, and it never leaves. And then the public key is stored on the website server, and it can be used to, like, verify login actions down the road. And so your device can cryptographically sign login attempts on future logins, the server can verify it, and then the sensitive private part of your login experience is never sent to the server. It never goes anywhere where someone could then, like, hack a website database and dump a whole bunch of private keys.

Guest 2

And so you're getting a lot of really great security benefits out of this, but you also get the great end user experience where someone's just doing their Face ID, and then all of this magic happens behind the scenes. Wow.

Scott Tolinski

Many developers out there in their careers have fired up, like, a virtual private server at some point and done the the the step by step on DigitalOcean of setting up a a public key. So is this technology just a

Guest 2

A much user friendlier wrapper around that same existing technology? It is. It's really similar. So the idea is like, you you get a little passkey prompt up on your device, and it's saying, do you want to create a passkey for this website? You say yes. It's generating a key pair. It is signing a challenge and then sending that to the server with a public key, which can be used to verify it. And it's just doing that over and over again every time you log in. And then you're unlocking access to that private key with your Face ID or Touch ID or PIN for your phone. It looks like you're sending your biometrics to a website, but you're not. I think that's a really important, like, privacy fact to touch on is that it's really just unlocking access to a totally random private key that lives on your device. Wow. Cool. That that misinformation

Wes Bos

is certainly something that you have to battle, I'm sure. Like every now and then. Like the other day, Apple came out with the, where you touch 2 iPhones together and you're allowed to share your contact info. Mhmm. And I saw all these TikToks of people being like, hey, everyone. Disable it. You leave your phone in the gym. Someone can come close to it, and they can download all your data. Yeah. Yeah. There's no chance that that's how it works. But there's, like, a million people in their replies being like, thank you. Just turned it off. So you gotta, like

Guest 2

Like, I'm really glad that you're doing that because, like, this might be our last chance to get people Yeah. To stop using the same password on everything. Right? Yeah. And, like, that's just the reality, and even if I use 1Password and I have great passwords, I don't know what any of them are. They're long. They're random.

Guest 2

There's still the chance that the website isn't properly protecting those passwords. And there's nothing that I as a user can do to, like, prevent that breach scenario from happening. But with passkeys, I have a different key pair for every single website. The data that the website has is just a public key. It can in no way be used to compromise my account, to impersonate me. It can't be reused on other websites. Like, you're getting a lot of these things that users just didn't really have control over before, which is also a really big win over passwords.

Topic 4 08:02

Passkeys prevent common attacks

Wes Bos

So in, like, the username password whole thing is that, like, the website obviously stores your password or stores a hash of your password, and then you submit the password to them, and you you hope that they don't console log the password while they're debugging it because then they have the text of it. But the idea if anyone hasn't done it before, the idea is that you run the text of the user's password through, like, a hashing algorithm, and then you check, okay, is the hash the same as the one as I have on file?

Scott Tolinski

And if those hashes ever get out, you can't really reverse reverse them. Yeah. I think that's important to know, Wes, is that hashing is one way. Right? You you can't decrypt a hash in that regard. So it's not like you can compare the hashes, but you can't decrypt them. Yeah. But,

Wes Bos

Like WordPress uses MD5, and somebody has figured out every string in the world of the MD5. Right. Like, if you find an MD5, you just Google it, and someone will there will be a website that says,

Guest 2

this is the hash of something. So, like, obviously, you salt them and and change them and whatnot, but I thought that's kinda interesting. Now I was gonna say it's relatively inexpensive to, you know, guess a bunch of passwords and check hashes because if you have a giant list of them, and so that attack path has become just very common, very easy to do once you have a giant list. So websites Mhmm. Like, have to find better ways to protect their passwords, ideally, just by not having them at all. Yeah. And and like you mentioned, you know, I think leaving this up to the users

Scott Tolinski

To put the security on the user themselves, it's always gonna be a a failing. Because even if somebody, you know, thinks they're being secure, there's, like, you have to take a a master's level course on how to write a password that can't be hacked. Right? You have to use Yeah. Words. You have to use words that are unrelated.

Scott Tolinski

You can't just swap zeros for o's because the algorithms are too complex these days. It really feels like this solves so many of the problems related to here. What what took everybody so long to get to here?

Guest 2

Is honestly a fair question. Like, the amount of rules that are around passwords now. Like, I remember I was making an account for something, maybe like a year ago. And I was like, okay, you know, I'm generating a random password in 1Password. And that didn't meet the requirements. So let me go look and see. And it was something like you couldn't have consecutive letters or the same letter too many times in a row or consecutive numbers in a row. And I was like, I can't even think of a password that meets all these requirements. This is crazy.

Wes Bos

I'm I'm trying to think, like, private key, public key.

Wes Bos

If somebody gets your private key, someone you leave your laptop open, you go to the washroom, someone runs in, and somebody bumps your iPhone with another cat forward slash SSH.

Wes Bos

At that point, your private key is as good as a password. Right? Like, then somebody could sign in. So, like, where's the two factor part? Is that that the key is not stored behind it?

Guest 2

An additional layer on your device? Exactly. So the idea is that it's sort of something you have and something you are. You have to both have access to the device where that passkey is stored, and you have to be able to use the PIN or the Face ID in order to unlock that device. So even if someone had your phone, they can't unlock your phone, and so they don't have access to those things. So you kind of have that extra layer of protection there. What I'm seeing a lot is that people will initially introduce passkeys as a second form of authentication, especially as the people kinda get more used to this. You'll have a password, and then you can let people upgrade to a passkey, say, or maybe use it in addition, and you can have it as sort of a a risk based way to check authentication

Wes Bos

On top of maybe a normal password. Okay. That makes sense to me because, like, with two factor authentication, it was something you know, which is your password and some well, was it something you have, which is your your your token?

Guest 2

Yeah. Exactly. Okay.

Guest 2

That makes sense. So it's very similar to that, but it is all in one place, which I think makes people a little bit nervous sometimes, or maybe it's not really two factor authentication. But I also think at some point, comparing it to two factor authentication is a little bit trying to force passkeys into a framework that we already know and talk about. When really, it's just sort of outside of that, and a lot better than a password plus an SMS token because it's also totally phishing resistant, which is something we haven't talked about. Like, there's all these other things you get kind of outside of just something you know and something you have and something you are and, like, those sort of standard factors of authentication we're used to talking about. So now that you've mentioned being phishing resistant, do you wanna talk a little bit more about that? Yeah. I'd love to. So I think that the biggest thing here is that, like, there is no thing to phish. Right? Like, the most common scenario you'll get with a phishing attack is someone sending you an email. They're telling you to go put your credentials into some website, some look alike website say, and then they're gonna proxy those on to the real site and compromise your account. That's a really common method. Right? And it's certainly becoming more prevalent. Like AI articles talk about this all the time. Like, how realistic these emails are, how you can impersonate people's voices now and their faces on Zoom. Like, how do I even know it's really you guys that I'm talking to? Like, you can do all this impersonation.

Guest 2

And so, of course, people are gonna fall for those, but there is no, like, password to give up. So if I were to, say, receive an email, that's facebook.com, but with a 0. So it's like some look alike Facebook site.

Guest 2

If I go there, my passkey actually won't work. It's like tied to a domain. It's tied to facebook.com.

Guest 2

And there'll be no way for me at like a device level to even like use that passkey on that website. And so you're protected from this whole suite of phishing attacks that are based on, like, credential stealing or, like, look alike sites. Like, that whole class of phishing attack kinda goes away. It just sort of becomes irrelevant, as do most most other, like, common credential attacks. So brute forcing, credential stuffing, all the things that you hear about that are really, like, widespread Internet attacks.

Wes Bos

Mhmm. A lot of those things just aren't really relevant in a passkey world. A lot of people are probably asking right now, okay, what happens if you lose your phone?

Topic 5 14:41

Passkeys prevent phishing attacks

Guest 2

You know? What what's the story there? The main thing I haven't really mentioned about passkeys is that there was actually like a precursor to passkeys. It's called WebAuthn. It's the protocol that underlies passkey technology.

Guest 2

And up until I think it's like two and a half years ago, WebAuthn was strictly tied to a a device. The private key was in the TPM of your device. It was in a YubiKey, like a hardware key, and you could not get it out. It was on that device. If you lost your device, you were just kinda out of luck. And so passkeys were the attempt of primarily the the major platforms Google, Microsoft, Apple, to make this a little bit more accessible, especially for regular consumers by taking those pass those passkeys as web authentication credentials, and syncing them across your different devices through their platform accounts. So, your iCloud account, your keychain can store your passkeys, or your Google account can store your passkeys, or more recently, your 1Password account can store your passkeys.

Guest 2

And within those cases, you're already syncing all of your other credentials across your different devices. And so we can do the same for passkeys and make them a little bit easier.

Guest 2

And so this problem of, like, I lost my phone. What do I do? Well, well, you're already gonna have to recover your iCloud account or your 1Password account or whatever the case is, and so those keys can live in there the same way your passwords or other things do. Nice. Yeah. And and that will happen. I mean

Scott Tolinski

yeah. I know. I had a, a buddy of mine in in college. He had a, it's like audio plug ins at the time, and it was a kind of a precursor to a YubiKey, but the licenses were all stored on a a flash drive.

Scott Tolinski

And somebody stole his computer, his laptop, along with the flash drive that was plugged into it thinking it was the flash drive.

Scott Tolinski

And then he had to call, you know, 40 different companies.

Scott Tolinski

Half of them won't, you know, re reimburse his license. And he was just like, I just wish they would've just taken the computer, you know, and all my keys. Take the computer. Leave the flash drive. My keys, please. You won't do anything with them. Yeah. And if someone's not Look, you know what? There's no chance I'm putting my

Wes Bos

private keys in the in the cloud, you know, no matter how much they tell me it's encrypted.

Wes Bos

You can also just say, alright, well, I have I have my MacBook. I got my phone and I have my iPad. All 3 of those things could sign in. And, like, there's a demo on the Passage website that you can you can sign in with the passkey. So I I signed in there, and then I I went over to my, a different device and tried it as well. So you can set multiple devices as well. Right? So if you lose 1, you go, oh, shoot. Let me go immediately to my computer, remove that device, but you can still access it because there's you're saying multiple keys. Correct? Well, you can have multiple

Guest 2

Private keys. Right? Yeah. Oh, for sure. I actually really recommend this. So, like, for me, for example, I have a Mac computer, but I use an Android phone. And so those are in different ecosystems. So I have my 1Password on both, so I can sync them that way. But if you take a password manager out of the equation, I can't share an iCloud passkey with my Google account. Like, that those aren't syncing. And so what I find is helpful for me is for a website of using a passkey, I'll typically have 1 on each device. Like I'll save some backup passkeys on different devices just to make sure that I can do a recovery scenario that doesn't involve buying a whole new device and loading my iCloud account onto it. We also encourage websites to have recovery options as well, which sort of so having it from the website side and from the end user side, I think is really helpful to improve that story. But what I've actually found overall is that passkeys actually reduce support requests rather than increase them. And so if you're doing it well and you're encouraging people to have backup passkeys and syncing them across these platforms, it's actually really a a much easier experience and, like, fewer people lose them than, you know, forget their password, for example. Yeah. Well, in that case, like, let's say they did need to recover through a recovery process.

Topic 6 18:46

Recovering lost passkeys

Scott Tolinski

What does that process even look like? Is it similar to the send an email with a,

Guest 2

you know, an authenticated string in the email? It would probably depend on the website and, like, what they're comfortable with, but that's something we see most commonly is it'll just kinda look like your normal forgot password flow, and then you just add a new passkey. Cool. Very similar sort of magic link, something like that.

Guest 2

If, you know, you have a higher risk application, you can always you could even force that they enroll multiple passkeys at the website level, and then don't give them other backup. You could require other, like, support interactions for higher security. But for most consumer use cases, which is what I think about most of the time, then, yeah, usually an email is fine. Cool. Interesting.

Wes Bos

I always think about that, but, like, but what if your if your email account also is behind a passkey? Like like, they could so do the, like, the printout 10 different recovery tokens. Right? Like, that's that's a pretty common thing right now. And, I've heard I was listening to, like, a Bitcoin podcast the other day where a guy got robbed. And he said he had his recovery keys in his email, which makes absolutely no sense, but or or people throw them in the Dropbox and then all of a sudden, they're in in one spot.

Wes Bos

So, like, yeah, I guess you could just, like, print them off and and put them in a safe or or go put them in a different location, your parents' house or something. Yeah. I do think you make a fair point though. Like, at some point, you have to have

Guest 2

1 account that isn't a passkey. Right? Your iCloud account, if that's the place you're storing all of your passkeys, how do you get into your iCloud account? Right? There's sort of this a little bit of a chicken and egg problem in some cases of what is your, like, final root of trust, I think, in the place that you store everything? So, you know, for me, that's my 1Password account. All my passkeys from my websites are there, but then the passkey I use to unlock 1Password is, you know, a Mac or an Android or whatever the case is. It's that kind of passkey. And so it's a little bit different where you you kinda have to, like, all these services wanna support passkeys, but you still need a platform account or some cross platform thing like a password manager to ultimately give you all access to all of that. Do you think there's any kind of solution there, or is that, like, just a a problem that will remain a problem? Probably. I would love to think about it sort of as more like device authentication gives you access to all of these passkeys by default. And because of the way 1Password works, for example, you know, I have to sign in to 1Password, but there's a way to almost bring that access a level up where it's you're logging in to your laptop, and that's directly tied into 1Password login.

Wes Bos

That would be really cool, and it would certainly would make it feel a lot more seamless regardless of what the authentication method is. That was my concern before I moved all my 2 factor auth into 1Password. I was always like, that doesn't make any sense because then you're putting your password and your authenticator keys in one spot, and you're just it's just so it's it's in the name. It's 1Password. It's 1 password.

Wes Bos

Yeah. Yeah. But people had to explain to me, no. No. No, Wes. In order for you to get into your 1Password, you need two factors. You need your 1Password, and you need maybe, another device that you're currently logged into. You need a backup code. There's there's a whole bunch of different ways that you could possibly do it. But even if I were to give somebody my 1Password master password,

Guest 2

unless they broke into my house or kidnapped me or something like that, they wouldn't be able to to get in there. Right? So whatever it is that's holding your passkey still needs to have ideally two factors. Right? Exactly. And so, like, like, you know, 1Password is ultimately a security tool, but it's really like a productivity tool. And that's really what people use it for. And so it has to be secure enough that we can let people put all of these different things in there and that we have the trust to be able to protect those. Otherwise, it's just another security tool that people don't really wanna use. They're not fully using because it's too hard to use, and so that, like, productivity usability aspect is so important. Yeah. There there really nothing beats when you

Scott Tolinski

fire up a new device. You can do a fresh install, and, like, the very first thing I do is install 1Password because it is Yes. The the gateway to everything else on my device, which which makes it honestly so much easier to relog in to any of your services. Not that this is an ad for 1Password, but Wes and I have both been using it for a long time. So a lot of personal feelings there. Yeah. I love to hear it. One thing that I asked on Twitter people's thoughts on passkeys, and a couple people said

Wes Bos

it's great because you can store them in your on your iPhone, in your iCloud. But if you lose access to your iCloud account, then you're simply just a SIM swap away from getting access to that type of thing. And a lot of people are like, yeah, then that that's a weak point. But somebody swooped in and said, that's only for, like, a small amount of people who only have 1 Apple device.

Wes Bos

And I think they said something like 80% of of iPhone users have at least 1 more device that can be used as a second factor, and in that case, it doesn't go the text message route. Is that is that true? Yeah. I bet that's probably true from a percentage wise and, like, having a backup device certainly enables this whole recovery process to be way, way easier.

Guest 2

And I think, you know, I've always talked about is how great they are. Here's all the attacks they prevent with passwords. And, like, the reality is there will also be attacks against passkeys. Right? But if you think about where we're starting right now, like, the bar is so high with passkeys, and we're, like, moving that bar so far that Yeah. There's gonna be these new attacks, but the good thing is that rather than, like, widespread Internet attacks against passwords where you're just, like, guessing a whole bunch of passwords on a bunch of websites, it's gonna have to be really targeted. And so things like SIM swapping or having physical access to a device, like, that is an attack path, and that's fair. But it's really narrow and much smaller and really hard for an attacker to do to a million users all at once. Right? And so, we're gonna have to figure out how to solve some of those problems, but the bar is so low right now with passwords that we can get so much improvement from the current state really, really quickly. The bar's really low.

Guest 2

It is.

Topic 7 24:53

Passkeys will reduce support requests

Wes Bos

The reality is that most people reuse their password on every like, so I I came up with this little exercise.

Wes Bos

I just wanna rattle through it because I think it's kinda interesting is somebody on Twitter the other day was like, like, why does Buffalo Wild Wings is forcing me to do 2 factor auth? And they're like like, in what world do I need to secure my Wild Wing points to get free wings. And I thought, that's hilarious. But, like, 1st of all, I've had I had a grocery card thing. I had my points stolen once. Right? It's probably 10 years ago. I was reusing a password and somebody tried it. They got in and they took, like, $200 worth of points, so I had to get in contact with it. They went and spent that immediately.

Wes Bos

So $200 out of the grocery store's pocket.

Wes Bos

Then they need to reimburse me $200.

Wes Bos

So that's $400 out of their pocket already.

Wes Bos

And then, like, they had to pay someone to figure it out, all of that support.

Wes Bos

And I'm sure accounting has this weird like, you just created money out of nowhere, because you duplicated the amount of points that were earned, so now accounting has to do it. Like and I probably caused, like, $500 of damage to that grocery store by me reusing a password.

Wes Bos

You know? That's why your Wild Wings needs a needs a 2 factor. And you are you, Wes. You're you're a technical person. Imagine

Scott Tolinski

the average cost of the average user. I think that the scariest thing I ever did to my own family was introduce them to Have I Been Pwned to search their email in the databases to see where their passwords have, you know, showed up. If you haven't done this, this is a a really interesting exercise, and and luckily, something that 1Password does for you with Watchtower in a a really nice way. But you can just type in your password and see just how many times your email appears in paste bins or data breaches or anything where people have your password for whatever site you use there and then, subsequently, any site you used that password for afterwards. It's very disturbing.

Guest 2

Yeah. Yeah. You know, Christmas is coming up. If you're looking for a fun family activity Oh, yeah. We can all do that together. That's when I get it. How much you reuse your passwords. Yeah.

Guest 2

Yeah. I think to Wes' point about Buffalo Wild Wings, like, first of all, that's hilarious that they use MFA. I would never expect that. And I think that's a really, obviously, a common theme in, like, ecommerce companies or anything that's, like, retail based, they really don't wanna make you log in very often because that slows you down. It prevents people from checking out and buying stuff, and you're, like, actually losing money on that.

Guest 2

And so for that reason, like, any company like that isn't typically, except in Buffalo Wild Wings' case, gonna want to add something like two factor.

Guest 2

But if you can use something like passkeys that are actually, like, faster, easier than passwords, then you can get the level of security that you're looking for to protect all your wing points. But you don't have to, like, worry about all of this friction and, like, users trying to, like, all the support costs associated when the account gets hacked. Like, you don't have to deal with any of that stuff. And so I think when we think about, you know, I think I've been hearing things like passwords are dead for probably 20 years now. Right? That's not a new statement, but I think that's why passkeys are different. Before it was always like, we have email links and OTP codes now, or we have some sort of proprietary biometric solution.

Guest 2

But all of those things either, like, are a lot of friction for the users, or they're not a meaningful security step up the way that passkeys are. And I think having both of those things together are, like, the reason it could actually happen right now, and the reason why e commerce retail companies actually see could see a lot of benefit here from problems they already face that are outside of security. And I think that's, like, really, really cool to think about. That's a really good point. I didn't think about it. It's Apple Pay for logging in. You know? A 100%. Yeah. It is, like, literally that. And, like, how great is that experience? Like, you don't have to have an extra thing. You don't have to check your email. It it just happens. Get the card out and type the numbers in. Yeah.

Topic 8 29:02

Passkeys are like Apple Pay for login

Guest 2

Exactly. That's a really good point. I never even thought about that. Like, it's gonna help online sales because it reduces friction. Yeah. I hate having to check out as a guest because I have to type all my information in again. But I also don't really wanna make an account on this random site because then I have another password to think about. Yeah. And so it kinda, like, marries those 2 things where it feels simple, but you can also, like, save all of your information.

Guest 2

Wow.

Wes Bos

Let's talk about the the actual tech behind it now.

Wes Bos

So I don't even know if I mentioned this, but, like, passkeys is not a 1Password or Passage thing. Passkeys is an open standard. Right? Correct. And what are the standards that go behind that? I know there's several that sort of have come together. Yeah. So typically, you'll hear things about, like, WebAuthn, or this, like, overarching protocol that underlies passkeys.

Guest 2

And there's 2 parts to that. There's sort of the browser or client to device side, and then there's the, like, web server side of this. And it's a lot more complicated than passwords, unfortunately.

Guest 2

So you have this client side where a browser or mobile app has to interact with some APIs in order to actually create and store those passkeys in the device. In the TPM, or in your iCloud account keychain. Yeah. You have to have those sorts of APIs.

Guest 2

Then you also have to have, like, passkey management on the web server. This part has to, like, store public keys, verify login actions.

Guest 2

It has to manage this idea that a single user is gonna have a lot of different credentials. I think this is really different than in a password world. You have, like, 1 user, 1 password across every device. Right? But with passkeys, you have 1 user, and they can have n number of devices and passkeys, and you have to, like, manage those relationships.

Guest 2

It's a lot more complicated.

Guest 2

So you sort of have these two sides of implementation. What I typically find is that there's a lot of resources for one specific part of that. Like, if you're an Android or an iOS developer, there'll be really good docs for how to do the client side of that, and how to go implement those APIs.

Guest 2

And there might be a really great Go library that talks about how to do the passkey management and verification on the server side. But there's very few, like, really complete, comprehensive guides of how to do all of these things in one place, and, like, how to connect all the dots, and how to manage the edge cases around different browsers and their implementations. And that's where I find it really gets complicated once you kind of get past those initial implementations. Like, what is all the stuff that's left around the edges?

Wes Bos

How I found you was I was googling for, which is, like, if you are ever thinking about doing a tutorial and you think no one's gonna watch this, I googled for tutorials on how to implement passkeys in JavaScript, and Anna's video came up first. I was like, who is this? And, like, it didn't say your name anywhere, so I was just like, and then I saw it said Anna in the top right hand corner of your Mac. So I started doing a bunch of research into, like, who made this video? We need to have them on. And then I was surprised that, like, you work for Passage, and, obviously, not even worked. CTO.

Wes Bos

So that's an aside, but make videos, everybody. I'm glad to hear it. I'm glad it was useful. And there was only, like, there's a couple hundred views on it. It wasn't very popular, and just by viewing that, I was like, we gotta talk about this. I don't think enough people are talking about passkeys just yet. I think that's a good indication that not enough people are talking about passkeys just yet, because I think that's the type of thing that you'll see start to blow up, because you don't really hear people talk about them, and I think you will. Yeah. Oh, yeah. Yeah. For sure. And I think it's on us developers to try to start to implement them into our applications. So I saw Amazon. Unfortunately, Amazon.com, not Amazon Canada, has implemented them into their application. Do you know offhand any other major players who have implemented them? I do. We actually.

Guest 2

Here's another shameless plug a little early. We have a website called passkeys.directory, which is just a site we maintain of all of the different websites and apps that we know about that have passkey support. It could be a sign in. It could be multifactor. We kinda track all of them. So, Amazon's a big one. Some, like, Best Buy and eBay have actually had it for a really long time, which is interesting.

Guest 2

Coinbase, CBS, like, a lot of really interesting, like, consumer applications have support for passkeys, which has been really cool. But what I found is that typically, they're kind of, they're not usually the primary form of authentication. Right? Maybe you can go to the profile settings and dig and find it and go add it, but they're not really putting it front and center, which is a bummer. And I think it's something that is kind of slowing, like, I think we need to figure out, that's a problem we need to solve in order to really speed up adoption, is how can we make it front and center in a way that people are comfortable with, and that they're willing to try it, without, like, hurting conversions, of course. Kayak.com is actually one of the few that does do a pretty, like, passkey-first login experience. If you use Kayak, go try it out. Oh, cool. I've been seeing it in... Wes, I know you use 1Password. If you're out there, if you go to the Watchtower,

Scott Tolinski

there is a "passkeys available" section, and it'll tell you how many of the passwords in your 1Password have a passkey available.

Scott Tolinski

And I can see it is obviously GitHub, Nintendo, AWS, TikTok.

Scott Tolinski

I have, like, 35 or something. So you guys have some passkeys to go, man. That's exactly what I am intending on doing.

Scott Tolinski

I'm wondering about, like, you know, you mentioned a little bit about whether it is the main login or a supplemental or second factor or anything like that. I'm wondering about the UI for stuff like this because oftentimes, even as I've been clicking on some of these, let's say I add the passkey for Synology.

Scott Tolinski

I went to Synology's website.

Scott Tolinski

When I went to log in, it still is prompting me for a username and password, and the only indication that I can do a passkey to log in is that 1Password pops up. Is that typically how the UIs

Guest 2

are seen, is that the device understands that there's a passkey situation here, or do we see this implemented in different ways? So there's lots of different ways. I'll tell you what I kinda think is best, and this is based on, obviously, a lot of research through Passage. Because, basically, what our product is is a whole web component, custom element, you can put in your website that does all of these login flows for you based on our research and kind of guides users through it. So my general recommendation is that it doesn't need to be the first form of authentication. Though, I love it if it is. That's great. If you feel confident going fully passwordless, awesome.

Guest 2

If you don't, maybe you have millions and millions of users right now, and you have a password based login scheme. What I typically recommend is saying, like, okay.

Guest 2

When users log in the next time, prompt them and offer them to add a passkey. Ask if they wanna add that.

Guest 2

And then going forward, you wanna track users who have passkeys, and if they do, you wanna offer that as their first option for sign in. And then if they don't have it, or they hit cancel, or they can't find their passkey, they can always log in with their password. When they have that backup method, you wanna be, like, slowly nudging people towards that passkey experience, because the only way you're really gonna get any adoption or, like, learn anything from that experience is if you kind of put it front and center. And what we found is that this came up in the FIDO Alliance. A lot of interesting UX research around this as well. And one thing they found was that you wanna prompt people to use passkeys in moments where they're already doing, like, account related tasks. So say someone's resetting their password. That's a really great time to offer to add a passkey for them, because they are already kind of annoyed about using a password, and they already, like, had trouble with it. Now is a great time to add a passkey. Right? And so finding the right times to do that, and also the right language to use, is really, really important. I think what you'll see if you go set up 30 websites with passkeys on them is that each one calls them something different. They use slightly different language, and you might not even realize that it's actually the same technology behind the scenes if we hadn't, like, had this conversation about it. And so I think all these websites need to kinda settle on a consistent UI, a consistent conversation around passkeys and the words we use and how we talk about them. And that'll make it a lot easier for regular people to say, like, oh, yeah. I've done this on Home Depot. So now when I go do it on eBay, I know it's the same. Like, this is cool. I like this way of logging in. But I don't really feel like it's there quite yet. And so I think that's an area we have a lot of work to do on. Yeah. I noticed that immediately. I noticed that Yeah. Synology

Scott Tolinski

said passwordless, and the word passkey was not to be found anywhere. Oh,

Wes Bos

passwordless is nice, or, like, even just, like, log in with Face ID or log in with this device. Do you see that as well? Yeah. That's really common.

Guest 2

You log in with your device, log in with biometrics.

Guest 2

Like, all of those, especially for companies that maybe implemented passkeys a while ago, that's a much more, like, common phrasing. The term passkey is actually pretty new, maybe, like, a year and a half ago.

Guest 2

And so before that, it was like, log in with WebAuthn or a security key or, like, something kinda scary sounding, or you had to have a YubiKey to do it. But it's the same protocol. Most of those websites support passkeys as well. You just might not know about it. And if you're signing into something on your desktop, but your key is on your phone,

Wes Bos

part of the spec is a way to transmit that via Bluetooth or other

Guest 2

protocols. Right? Exactly. So if they're both, say, in the iOS ecosystem, they'll just exist automatically in your keychain. But in the case like I have, I have an Android and an Apple device. And so if I wanna log in on my desktop Apple device with a passkey that's only on my Android, typically, I'll get, like, a QR code pop up that I'll scan, and that will activate my passkey from my Android phone, which I can then say, like, oh, actually, I do want my passkey on my iOS or my Apple device as well. So let me go ahead and add that too. And that's, like, how you would go ahead and, like, bootstrap other devices typically. That's beautiful. Like that recovery, set up multiple devices type of flow. Alright. So back to implementing it into

Wes Bos

your own platform. So I have an application, React front end, Node.js back end.

Wes Bos

That is totally something that you can implement 100% yourself. Right. However, you can also use a service, just like auth is right now, right? You can do auth entirely yourself.

Topic 9 39:28

Implementing passkeys in web apps

Wes Bos

Username and password is pretty simple, but once you start getting into OAuth or multifactor or sign in with Twitter, it gets a little bit more complicated. So that's where Passage would come in. Right? It's a bunch of APIs for working with it? Exactly. So yeah. Like, username and password,

Guest 2

fairly straightforward on the surface. But, yeah, like you said, once you get into the nitty gritty, it can get a lot more complicated. A lot of people will use a product for that. And when I think about passkeys, they're, like, 10 times more complicated than that. And so I hope one of the takeaways from this episode is, like, this technology is really cool and I want it, but it's also really hard to implement, and so I need something to help me do that. Right? Like, that's why we built Passage, was to make it easier for developers. So we have APIs and SDKs, and, honestly, every product out there is, you know, API first now. But I think what makes a really good tool like this is you have a really complex, like, technology problem that requires a lot of specialized knowledge.

Guest 2

Maybe you have a lot of sensitive data that's processed, through compliance reasons, and you have end users who, like, want something cohesive across the different websites. And that's a really good case to, 1, build APIs and SDKs for it, build a tool to help. But also to go a step further and build, like, a web component, like, the UI side of this as well, to help. Because, you know, there's Go libraries and Node libraries that will do WebAuthn for you. But honestly, the hard part is what we just talked about. It's the user experience. It's guiding them through the edge cases. What if they don't have access to their passkey on this device? Then what do we do? And so a lot of what Passage is is, like, how can you give users a cohesive, like, easy experience without you having to actually make all those decisions and write all of that code yourself? We can just, like, give it to you. We've done all the research for Passage, and then you implement it just like you would any other library. You hit an API, and we kinda handle it. Okay. And, like, that's a paid product

Wes Bos

that you pay based on one of our favorite words on this podcast, MAUs, monthly active users.

Guest 2

Exactly.

Wes Bos

We have a nice big free tier if you wanna use it on, you know, a side project or whatever. But yeah. One other really cool thing I thought about this is I was chatting with some of the devs from 1Password, and I didn't realize, but they have open sourced all of the, like, low level libraries. Yes. If you were doing this type of stuff yourself. And what I thought was so cool is it's all written, I think it's all written in Rust. It is. Yes. And runs in the browser or runs on the client, might be your device,

Guest 2

via Wasm. Right? Yeah. So 1Password's kinda cool. All of our client apps are built with this Rust core that handles a lot of the, like, hardcore cryptography that we do, the passkey libraries, and then we just build, like, a UI TypeScript layer on top of it, which allows us to, like, you know, support a lot of different platforms at once and provides a nice way to build some of that more complex functionality. It's really cool.

Wes Bos

So, yeah, we recently open sourced the Rust libraries that do WebAuthn. So cool. I remember, so he gives the links, and I was looking at it. I was like, these are Rust crates. And, yeah, I was like, why is this not an npm package? And then I was like, so this runs on, like, the servers? Like, no. It runs in the client, and it's in Rust. I'm like, oh, that's so cool. That's really cool. You can put it on all devices. Is the 1Password, I don't know if you know this or not. I know you don't work on 1Password, but the 1Password app itself, is that written in, like, web, like, HTML, CSS, JavaScript?

Guest 2

Or is that, like, native on iOS and native on... I think we have, like, an Electron app that works across, like, desktop and maybe web clients, and then we have specific, like, iOS and Android applications, I think.

Wes Bos

Yeah. Yeah.

Wes Bos

I'm pretty sure that's what that, was it Andrew Burkhart I was chatting with? Nice. Yeah. It's funny because he said that he was involved in a lot of it, and then he sent a DM. He's like, I first got started coding listening to you and Scott. And I was, that's amazing. That's pretty fascinating. Full circle. I love that. Yeah. That's so cool.

Guest 2

I do think it's important to talk about, like, the role the developers play here because, obviously, they are the people implementing the websites, and so, you know, they're gonna do a lot of this work.

Guest 2

You know, and there's a lot of edge cases, and it's important to give them tools. But developers are also consumers, and typically very tech forward consumers, and often the first people to adopt these new technologies, whether it's personal life or work life. And so I think making passkeys usable for developers as just people and consumers of passkeys is really, really important. Because if they can see the value in their life, then it's a very natural fit to be like, oh, this would be really great if I could get these benefits also for my apps and websites that I'm building, and if my teams could build this into our tools. And I think, like, realistically, developers are gonna be the first people with significant passkey usage. And so really, like, leaning into that group. Like, people like GitHub implementing passkeys is a huge step in that direction, I think. Yeah. I think that's such a key point, and I'm

Scott Tolinski

I'm sold. I'm ready to start shouting it. So this is, I think we need just more awareness. I wanna stop using

Wes Bos

Okta to sign into Notion every week. Oh my god. We get sick. I haven't signed into Notion on my phone because I just can't do it. Just do it. You know? Right? I'll tell you, it's, like, impossible to. And it took me, I don't know if there was an update that I need to get past, but it would send me to 1 screen, then send me to another screen, and then I just did this on a loop. You're just in this spin of forever, and then I did it the other day. I had to do it 9 times, and the 9th time it worked.

Wes Bos

And I was just like, give me a passkey for this type of stuff. Like, the fact that you tried 9 times is impressive.

Wes Bos

I probably tried more than that before I got it to work finally, but I gave up on several different occasions. It's always when we're, like, trying to jump on a call. Yeah. And it's like 1 minute past the hour, and you're like, oh, no.

Guest 2

Please. I think that's a really good point. Like, you know, at your work life, you probably use Okta to log in to most things. Right? Like, I certainly do. You use Okta at 1Password. And so most of my apps are protected that way, which, if I'm on my desktop, is a really pretty painless process.

Guest 2

But if you think about, like, pretty small companies like Passage, we were just 10 people. We didn't have Okta. We couldn't afford that or do the setup or anything like that. And so passkeys kind of give you a middle ground between everyone just make up a password and use that for websites, and SSO, which is expensive and hard to maintain. And so there's kind of this middle ground with passkeys where you can actually get better security for businesses and enterprises, maybe without having a full,

Scott Tolinski

like, managed SSO. Yeah. I was new to the entire world of Okta until March when we joined Sentry, and that was the same thing. It was just like,

Wes Bos

holy cow. This is a whole world that I did not know was there. Yeah. I've never done any corporate stuff before. Yeah. Totally random thought I just had. First of all, us developers, we can't fumble this. Right? Like, that's why I was hoping to have you on this podcast, because it's the exact overlap of developers are gonna be using it, and we're gonna be implementing it. So this is my call to developers: we can't fumble this. We gotta get this into all these websites. I'm sold. Yeah. Second totally unrelated thing is I have an idea.

Wes Bos

I'm the merch guy for Syntax, so I just had a merch idea for Passage: sticky notes with a private key on them, because you know how in, like, corporate environments, people would write their password and stick it to their monitor.

Wes Bos

Oh, yeah. How hilarious would it be if you have sticky notes with, like, a private key on it? Private key on it. You're gonna get hired by 1Password. Like, the world's biggest sticky note, and just stick it on something.

Guest 2

Just a whole sweatshirt that's a sticky note. Yeah.

Guest 2

Amazing. That's great. I'm curious

Wes Bos

what you think, what does the horizon look like for this thing? Like, obviously, it would be beautiful if it was tomorrow.

Wes Bos

But I feel like there has been major momentum in the last 6 months or so. Like, I had not, you said a year and a half ago. Right? You've probably been working on this for a while, but I feel like the last 6 months has been, yeah, been pretty big. Do you foresee, like, is this, like, a 5 year thing that you hope to get everyone using?

Topic 10 48:02

Timeline for passkey adoption

Guest 2

Yeah. I don't know about time horizon. I'm hoping sooner rather than later. But I think that's because I have been working on it for a long time. Yeah. I'm like, we can do it. Like, we're ready. But I do think, like, in the next, you know, 1 to 2 years, we're gonna hopefully see a lot of consumer applications, you know, kinda taking off in that direction. And, you know, I'm fairly optimistic about the technology, but I don't think we're ever gonna get rid of passwords completely. I don't think that's really realistic. But I think we can say, like, you know, most of the apps I use every day are using passkeys. And then, yeah, maybe I have 1 or 2 kind of legacy things somewhere that are passwords and maybe standard multifactor. But, like, the things I'm using every day, my banking apps, my Netflix, my Google, all of those are, like, using passkeys every day. Like, within the next 2, you know, certainly within 5 years, I would think that that would be the case for a lot of consumer applications.

Guest 2

And then I also really like looking, like, beyond that even, of, like, what's after passkeys? Which is really fun for me to think about. And I think there's, like, a lot of cool things that are interesting that build on this passkey technology as well. So focusing sort of in this larger identity space of how to best give people more control over their online data and online identity, and, like, how to make that a little bit closer to their real person identity, but in a way that protects their privacy online and isn't just, like, horrifying and you're giving all your information to websites. Right? So there's a lot of new, like, technologies coming out that are really promising in that area, like, letting people prove their identity with digital passports or employee ID cards, but in a way that maintains privacy. And so I think a lot of that builds on the passkey technology. So if we can make passkeys successful, that sets us up to do, like, a lot of other really cool things in the future. Yeah. We just got, like, digital driver's license

Scott Tolinski

support Yeah. In Colorado.

Scott Tolinski

Yeah.

Scott Tolinski

And you it is, like, multifactor. They have to send you something in the mail. You have to do a whole bunch.

Scott Tolinski

It's been a process to get access to it, to be honest, but,

Guest 2

it's interesting. Yeah. I'm sure it's a headache to be one of the first ones, but I'm hoping it gets a little easier maybe. But I think that's such a cool concept, that you could prove to a website that, you know, you're over 21. Yeah. That's all they need to know. They just need to know you're over 21. They don't need to know your specific age or your date of birth or any of that kind of stuff, and I think it's a really cool concept. Yeah. Totally. And it only landed in iOS

Wes Bos

just over a year ago. Right? Like, that's probably why we're starting to hear about it now, is that, like, once it's in everyone's iPhone, then I think people start to really use it

Guest 2

or at least implement it. For a while, it was really browser heavy, and it was hard to do in, like, mobile applications.

Guest 2

And so now that it's in, like, iOS 17, Android 14, I think, have, like, the most, like, real syncable passkeys like this in the way that we think about them now. And so it's really just those most recent versions of both platforms that really have comprehensive support. And I think that will make websites and companies more likely to start adding passkey support going forward as it actually becomes, like, most of their consumers have these devices.

Wes Bos

So the next section we have here is supper club questions. These are a set of questions we ask everyone.

Wes Bos

We are curious which computer and code editor you're using? I have a MacBook.

Guest 2

The 1Password standard issue MacBook currently.

Guest 2

And I use VS Code, though I will admit I don't write as much code as I'd like to these days, unfortunately.

Wes Bos

Well, enough to get on this podcast, because I'll take it. Yeah. We're

Scott Tolinski

seeing as this stuff does feel like it's super cutting edge and you were obviously very early on this stuff, where do you go to stay up to date? Yeah. There's a

Guest 2

couple really good resources, things that I would actually recommend to developers listening.

Guest 2

There's a site called passkeys.dev that the FIDO Alliance keeps up to date, mainly headed by Tim Cappalli from Microsoft. And it's a lot of, really, like, a collection of resources, basically, for developers.

Guest 2

It includes things like, what does browser and platform support look like across all the different browsers? And, you know, like, what libraries can I use to go implement this? And I think it's, especially if you're looking to build from scratch, a really good place to start to, like, understand, like, fundamentally, what's going on behind the scenes and, like, how am I gonna make this happen? The FIDO Alliance also puts out a lot of other good resources that really range in level from, like, pretty high level to pretty technical.

Guest 2

And so I'd really recommend, like, checking out the stuff that they put out. A lot of good UX guidelines. That's a big area they focus on. Just a lot of really interesting stuff.

Guest 2

And so that's a big area for me. 1Password participates in a lot of the FIDO Alliance work, and so that's kind of a fun way to, like, really be on the cutting edge of new stuff that's coming out. Cool. Yeah. I thought that was a really interesting, it's not a working group. I guess it is. Like, it's a W3C... Is that who is... Who's... So the specifications are W3C. The FIDO Alliance is just, like, an industry group whose mission is, like, to bring passwordless authentication to the world. And so they have a number of different working groups that focus on different things.

Guest 2

One of the small groups within the FIDO Alliance works on passkeys.dev.

Guest 2

Like, that's kind of their mission is, like, really focused on developers and developer adoption.

Guest 2

There's other groups that are focused on, like, enterprise deployments or consumer deployments or all sorts of different things.

Guest 2

But really anything related to passkeys or hardware keys or WebAuthn in general kinda fits under the FIDO Alliance's umbrella. Awesome. Yeah. It's a really cool organization. If you haven't heard of it, I would recommend checking it out. Well, this episode's been really illuminating to me. I'm like,

Scott Tolinski

I went from, like, being kind of, you know, it's a big mystery, to now I'm very excited about passkeys. So thank you, Anna. I think this has been incredible. I think a lot of people are really going to like it. Before we get out of here, do you have any sick picks and shameless plugs for us today? Oh, I do. Okay.

Guest 2

I love playing board games. That's one of the things I do a lot in my free time. And so the most recent game I discovered that I'd highly recommend is called Cascadia.

Guest 2

It's a tile based game. It's really beautiful, which I care a lot about in a game. I realize not everyone does, but I love a beautiful game.

Guest 2

It's really easy to learn, lots of cool strategies and things to think about.

Guest 2

Christmas is coming up. It's a fun gift. But if you're into board games, I highly recommend it. It's really fun. Cool. Yeah.

Guest 2

And then shameless plug is really just Passage. Like, you are all developers, and so I would love for people to come try it out. We'll give you a thousand users for free. You can try it out. Join our Discord. Give us feedback. Like, we're building this for developers, and we want it to be as easy to use as, you know, I claim that it is, and so we would really appreciate people trying it out and giving us feedback. Cool.

Scott Tolinski

Man, this Cascadia looks pretty sweet because it kind of looks, obviously, with the tiles, it looks kind of Catan-ish, but, like, your goal is to attract wildlife and build nature corridors? That's, like, way better than conquering the world. Exactly.

Guest 2

Right? It's so pretty. I love it. I love any game that's about animals, like Wingspan. It's just, like, my favorite type of game. Oh, that's fun. But I love it. It's a fun game. Cool. Yeah. I'll check this out. Alright. Thanks so much. Really appreciate it.

Guest 2

Yeah. Thank you for having me. I really enjoyed it.

Scott Tolinski

Head on over to syntax.fm for a full archive of all of our shows.

Scott Tolinski

And don't forget to subscribe in your podcast player or drop a review if you like this show.
