The Changelog: Software Development, Open Source - Passkeys for a passwordless future (Interview)
Episode Date: June 15, 2023
This week we're talking about Passkeys with Anna Pobletts, Head of Passwordless at 1Password. Will Passkeys enable a passwordless future? Time will tell. Anna shares the what, the why, the how, and the when on Passkeys.
Transcript
What's up friends? This week on The Changelog we're talking about passkeys with Anna Pobletts,
head of passwordless at 1Password. Will passkeys enable a passwordless future?
Time will tell. On today's episode, Anna shares all the details about passkeys,
where they came from, how to use them, how they're more secure, and why you should
use them.
A massive thank you to our friends and our partners at Fastly and Fly.
Our pod got to you fast because Fastly is fast all around the world.
Check them out at Fastly.com and our good friends over at Fly.io.
They help us put our app and our database close to you, our users, with no ops.
Check them out at fly.io.
Well, I'm here with Richard Moot, the API design lead for all of Square.
And we're talking about the GraphQL API that is now in OpenAlpha looking for feedback.
So Richard, what's the story with this API?
So we've announced this at Unbox last year, and we've been just incrementally adding parts to our GraphQL API.
It's been a big ask from developers within our community because it makes using Square's platform so much easier for particular things.
You're no longer having to, let's say, call like three or four different APIs to like pull together, you know, a bunch of different data.
And so we've just been trying to learn more and more like how developers are planning on using this and making sure that we get this right before we actually transition to the next phase and its release.
So you have the orders API out there, the catalog API, the customers API, the merchants API, the payments API,
the refunds API, and the inventory API out there.
And you also have the GraphQL Explorer out there.
Tell me, what are you expecting from developers?
What feedback do you want?
What are your expectations? I think our expectations is to find out all the different ways
that you're using it and that we can make it better for you. I mean, right now, you know,
we've gotten really good feedback. We have, I mean, as soon as I announced the update to our
docs that we recently did, the very first question that I got on Twitter from someone was like,
when is this going out of alpha? And so we're really happy to see that, but we also are still wanting to hear from
developers. Like, you know, you're, you're implementing this, you're trying to build something.
What is causing you angst? Like what is, why are you, is it issues with like constraints around
query depths or a number of queries? Is it fast enough for you? Are you trying to use it in a
particular mobile app,
or Lepton app, or something?
And what issues are you kind of coming across?
And how can we make it better?
And I would definitely say that anything that you come across
when you come and you try it out,
whether it's in the GraphQL Explorer,
in your command line, in your app,
we want you to reach out to us on our Slack or our forums.
Those would be great.
You can also tweet at us.
I will definitely be keeping an eye on that.
But I will probably still always say like,
hey, like the forums are a great resource
because we have a lot of questions
that are already asked there.
And we really just want to like funnel
all that feedback to the team
so that we can get this in there
in time to make this ready for the next phase.
Very cool.
Okay, so if you want to check this API out yourself,
go to developer.squareup.com.
Again, developer.squareup.com.
It is an open alpha.
They're looking for feedback.
Hit them up on Slack, head to the forums,
whatever works for you.
Once again, developer.squareup.com.
So we're joined by Anna Pobletts, head of passwordless at 1Password.
Thanks for coming on the show.
Thanks, Jared.
Happy to be here.
Happy to have you.
Excited to talk passkeys.
This is something I've been reading a little bit about, and I'm excited to maybe implement
it in some of what we do here around ChangeLog.
Shout out to listener Vladimir, who requested this show a long time ago.
Hey, Vlad, we're finally getting around to it.
Thanks for your patience.
Passkeys, where should we start, Adam?
Just like, what are they and why?
Or is there a cooler place?
I can't see where else we would start.
Like, what are they?
How do they work?
Why should we use them?
Why now?
All good questions.
Yeah, those all sound like great topics.
There you go.
All right, Anna, launch into it.
Yeah, so let's start at a high level.
You know, what is a passkey?
From my perspective, a passkey is a new way to sign in to apps and websites without a password.
There's a couple of reasons why that's a good thing.
There's the security side of things.
And then there's the user experience side of things.
So we'll start with the security.
The first thing there is that, you know, passkeys are completely unphishable.
And they're resistant to any type of credential-related attacks. So all those things
you hear about, of companies getting breached, and there's giant password leaks, and people are
reusing passwords in all these different places, like none of those attacks are relevant in a
passkey world. So that's a huge win from a security perspective. Then there's also the user experience
side, where they're really easy to use for users,
it really looks and feels just like unlocking your device using your touch ID, face ID,
Windows Hello, whatever your device uses, that's what that experience looks like.
And so I think this is the first time we've ever had both of those things happen at the same time,
where there's a solution to log into websites
that's better than passwords that's both more secure and easier to use.
Usually things are kind of only one or the other, right?
You might have, oh, we can add MFA to a website and like, that's gonna make it more secure.
That's great.
But that's extra steps.
You have to get your app out of your phone, or you could check an email.
That's not actually making anything easier. And so people aren't really going to use it. Like no one really signs
up for MFA if it's optional. And so this is the first time you actually get both of those things.
Yeah. So I love this because I'm actually the head of passwordless here at ChangeLog.
And we've had passwordless for a very long time, but doing it the dorky way, which is
just send them an email, generate a one...
Yep.
Generate a one-time string, send them an email.
And I did that because I hated the credential opportunity for failure with credentials.
I saw the password, this email flow as your password recovery, you know, like reset your password.
We're basically already doing it.
So we already have these flows.
Let's just send them an email, click on that, and then remember them for as long as possible.
Our audience is smart people, our readers, they can sign out and they won't be surprised if they
like sign in for a very long time. That is cool, but it's dorky because emails just don't come very
fast every single time. And it's outside of our control, right? Like we can pick the best email
delivery offering and all these things, but it's like, sometimes you just get that one that just
like bounces around from mail server to mail server. And you're sitting there for
5, 10, 30 minutes, like, hey, where's my sign in email? So it's not perfect.
It's definitely not. But honestly, y'all are ahead of your time. Like a lot of people
haven't really been even considering any passwordless options,
whether it's magic links or OTP codes
or anything like that.
And that's still a big win over a password
from a security perspective.
It's not, you know, a user generated password
that they're thinking of.
It's really short lived.
So that is really great.
Like definitely better from a security experience.
Nothing to lose.
Exactly.
Like definitely a little bit of an improvement,
but I hate having to like change context and go check my email to log into
a site or if i'm on my phone or my apple tv or something like that and i have to go find a
different device like it's just kind of a pain and so i think pass keys are ultimately solving
that ux problem right like no one's gonna adopt any of this stuff if it's not easy to use.
It's like if you put YouTube, for example, on an Apple TV,
if you want to authenticate with YouTube,
you have to open up your phone
or a device that has the YouTube app on it that is not your Apple TV.
And that's not bad necessarily because you probably authenticated to that.
It's all about how many hurdles slash hoops
can I make you jump through
to keep you secure. And I think we've kind of like band-aided, if that's a word, over time, like how to
do this. And even the OTPs, like every time I gotta pull out the Verify app from UniFi, which I love,
it's a great app, it's secure, I use it for my UniFi network and I like that app over others,
but every time I have to do it I'm like, gosh, where's my phone? Let me get that thing out. And it's biometric. So it's my face opening it up
because I use an iPhone. And that makes me feel secure. But it's like, well, that's, like you said,
context switching. It's more hoops and more hurdles to jump through and over.
Yeah. Jared, you said something interesting when you were describing your Magic Link implementation
about how the success rate of sign-in and things like that of just like, are people actually getting emails?
And so Google announced passkeys on their services a couple weeks ago. So on your Gmail
account, now you can actually add a passkey to sign in. And in their blog announcement,
they talked about some really interesting stats. And one of them that I hadn't really thought about before was like success on first attempt. So how often does someone succeed to log in the first time they try?
And with passwords, that number is actually pretty low. Like it was, I think, like twice as
high when you switch to passkeys, because the first time you're like, okay, crap, I think
my password is, you know, password or it's password plus Google or it's password one,
two, three.
My username is password and my password is password.
Your username is password?
It was just easier.
Or like, which of my passwords did I use?
Right.
And so actually like your success rate on your first attempt or the number of times
you have to go do a forgot password is actually really high.
And so kind of lowering that threshold as well is really cool. All right. So security win, obviously, user experience win,
not so obviously, but it turns out it is. What are passkeys? How do they work? I hear it's like
PKI, public key cryptography stuff. Tell us the details. Yeah. So behind the scenes, we're using
public key cryptography
protocols that have been around algorithms that have been around for decades, even very well
established protocols just being used in a new way. So what happens is when you go to sign into
a website or sign up for a website for the first time, your device or wherever you're storing your
passkeys, I'm sure we'll talk about this later, but you can also store passkeys in 1Password.
Wherever you're storing those passkeys, you will create a public-private key pair.
And you'll store that private key in your provider, on your device, and it's never going to leave.
So it's never sent to the website.
Instead, you'll send this public key to the website, and that public key can then be used to verify any future logins.
So on future login, you say, I'm Anna.
I want to log into this website.
The website will send you a challenge and you will sign that challenge with the private key.
You'll send that back to the website and the website can verify it with the public key
and say, you're all good.
You're authenticated.
Now, when I say you like the user actually isn't doing anything here, right?
This is all happening behind the scenes between your browser and the website and your provider,
your device or your 1Password account, something like that.
So it's all like really transparent to the user.
All you're doing is essentially proving to the device that you own that device by doing
your touch ID, your face ID, and then that's granting your private key access to sign that challenge.
And so it looks super transparent.
It looks like you're just doing touch ID,
but behind the scenes, there's like all this cool cryptography going on.
Right.
Can I pause there for one second?
This sounds a lot like SSH keys, doesn't it?
I mean, it sounds like you copy and paste the SSH keys
in a way that everybody else can use, basically.
Is that kind of what this is?
Kind of.
I think, like I said, it's a really familiar cryptographic concept.
So we didn't invent a whole bunch of new crypto here.
It's really just how we're using them and how we're using them in a user-friendly context.
So there's always a user involved.
You verify your presence by doing that touch ID and then you can authenticate.
And so it's a very similar model, but it's actually like there's an aspect of you being
there at the device at the moment of authentication that's important for like application and
website login.
So it's been a long time since I was in college, but I actually learned this in college.
Tell me if it's true still today that there's three ways to authenticate somebody. They can have something they know, right? So there's
your password, something they are, which is like your fingerprint, your eye scan biometrics,
and then something you have. And so I have a passkey. So this is like the something you have
style authentication. And as Adam pointed out, like nerds have kind of been doing this. I have an SSH private key
and a public key for a long time.
And it's better.
If you slide into a machine
without password,
it's always been better.
Of course, then there's the managing
of that thing over time
and key rotation and stuff.
But we've been using something
we have for a while.
My guess is the ubiquity of mobile devices.
Like why is now the time that passkeys are suddenly something we can do and not have to
do something, you know? Yeah. So it's been a long time coming, right? Passwords have,
I think, been around since like the sixties. What other technology do you use that's actually
from that time period? Probably not much, but it's taken a long time.
Like there's been a lot of attempts to replace it.
A lot of like proprietary biometrics,
things along those lines
that are more the who you are
or something you have.
Yeah.
But they always fail
because you have to have special hardware, right?
You have to like buy a thing
and carry it with you.
Even security keys,
they're great in an enterprise environment,
but kind of challenging
and more of like a consumer everyday user type of experience, because people just don't want to
have to buy and carry something else around with them all the time. And so about maybe three years
ago, like 2019, 2020, Google, Microsoft, Apple all kind of came to this agreement that we're
going to support these protocols and these APIs in our browsers and in our platforms.
And we're going to give browsers and applications access to Face ID, Touch ID, other biometrics that are built into devices. And so
that basically turned the thing everyone has in their pocket, a mobile device into the equivalent
of a security key and like made it possible to actually do this in a way that would scale reasonably for consumer
applications. So the hard part about something you know is you might forget it. The hard part
about something you are, this is the hardest part, is like you can't change it. Like your
fingerprint, right? Like once that's out, it's hard to revoke your fingerprint. The hard thing
about something you have is when you don't have it anymore. And that's been my biggest struggle with
specifically the authenticator devices, right? Which is the one-time passwords thing is like,
you get that whole deal set up and you have it on your phone and then you upgrade your phone or you
lose your phone or something. And you're just completely out of like, you have to go through an arduous reset process with a lot of these organizations, even so far as like scanning
your photo ID in order for them to be like, this is actually you. Of course they don't want some
imposter to fraudulently claim that they're you. Is that a big problem upcoming with passkeys, where
if it's something you have on your device and you don't have your device, you're pretty much out of luck?
Yeah, it is by far the biggest like technical problem with passkeys, I think, is how we manage account recovery.
So, you know, the first time anyone heard about the term passkeys was about a year ago.
Right. It was WWDC last year.
And before that, this protocol still existed. It was called WebAuthn. And some websites were still implementing this.
But it was every single passkey was tied to like the TPM of a device.
And there was no way to get it off.
So if you lost that device, it was just gone.
That you could never get that passkey back.
You had to go through the whole whatever that website deemed was a recovery process.
And there wasn't really anything you could do about it. Right. So the big like announcement of passkeys is
essentially saying we're going to take those WebAuthn credentials that have been around for
years, and we're now going to sync them. We're going to sync them across your platform accounts,
across secure end-to-end encrypted channels. So now you can sync passkeys through your iCloud
account or your Google account or your 1Password account. So yeah, I might lose, you know, I have an Android phone,
I might lose my phone or get a new phone. But as long as I can log into my Google account,
those passkeys will automatically sync. They'll also be shared across any devices that I have in
the same ecosystem, things like that to help you kind of have passkeys more accessible
in different places to help with the account recovery problem. You know, it's still not
perfect by any means, but it really was almost unusable before that. Like it was so much work
to manage your different devices that had passkeys. With passkeys as they are now,
where they're synced between devices, it's at least a little bit more accessible to people.
And we can start to really focus on the more narrow account recovery problem. This kind of somewhat reminds
me of people who focus on backups, but not recovery. Right? Like you think, oh, I got to
back this up and you got a great backup protocol. It's amazing. Right. Okay, let's recover that data.
Oh, we didn't think about that. So why was the, you know, recovery process an
afterthought with WebAuthn and now passkeys? Why didn't it go through the paces of actually
thinking this through? You know, I think they always thought about it and they always,
we always knew it was going to be a problem. But the goal of WebAuthn and Passkeys was
phishing resistant authentication, right? And so a huge part of that is tying a credential to a device,
and also cryptographically tying a device to a domain, right? And so my facebook.com credential,
you can't spoof facebook.com with, you know, using a zero instead of an O,
that credential will simply not work, it will never be sent to that domain. So all of these
like unphishable, really high security properties
are really important. That was like the core of WebAuthn and of Passkeys. But those are also the
things that make it really hard to do account recovery. You know, with a password, you have
one user, one password on any device. With Passkeys or WebAuthn, you have one user and
n number of devices or Passkeys depending on their laptop and their iPad and their phone
and all the different devices they might use,
you have to kind of have a different passkey.
So it just sort of comes with the protocol,
but it was all kept with security in mind.
Is passkeys a doing-business-as name
where WebAuthn truly is the LLC or Inc,
but you're doing business as passkeys?
WebAuthn.
DBA passkeys.
Yeah.
Like how does this work?
Is it now Passkeys or is it both?
So WebAuthn is the specification from W3C.
If you want a really long read, feel free to go check it out.
Passkeys is the user-friendly term.
If I were to just go to my mom and talk about WebAuthn credentials,
that's not a very approachable term. And so part of like renaming them passkeys instead of
just like syncable WebAuthn credentials was to make it like accessible to people,
not make them scared of it, be able to put that on my target.com website and say passkeys and
not have people kind of just be really confused. WebAuthn is so much. I'm just kidding. It's not cool.
Exactly.
So who owns passkeys? Is it a branded term? Did Apple come up with this?
Is there a, you know, copyright to this name or trademark? Sorry. You know, is this who owns
passkeys?
You know, I'm not actually sure.
She is not a lawyer.
There's a, yeah. I don't want to speak on that subject.
I'm going to get in trouble.
I do know there's a group called the FIDO Alliance, which is like an industry organization
that is working to like make passwordless authentication a reality.
And they've been around for, I think this year was their 10th anniversary, actually.
So all the major platforms are members, 1Password and other password managers are members,
lots of websites who are interested in this.
And we've all just been working to make this WebAuthn technology real.
And so Passkeys is a very natural evolution of that.
We put out a lot of guidelines about UX and how to add this to your website and things
like that.
And so I don't know that they own any sort of trademark or IP about that, but they are doing a lot of work in that space and like trying
to help people adopt it in a really consistent way. Because if you look at websites that have
Passkeys now, people call it different things, the user flows are all different, everyone's kind of
doing different things. So we're trying to make it a little more consistent so that when you see
Passkeys in one site, and you see it again in another site, you know it's the same thing, right?
You can have confidence that this is a secure way to log in.
Well, it's a great name.
I think it's awesome that these different organizations are coming together and rallying around one thing.
This is kind of like the utopic view of open specs and everybody just comes to the table with their good ideas.
I mean, I'm sure there's probably things going on around the fringes,
but it sounds like it's coming together really well.
You have a spec, you have different...
I mean, the confluence of events of the ubiquity of mobile devices
as kind of like a baseline passkey holder, right?
You have the support of the people who put the software on those devices,
namely Google and Apple in the case of iOS and Android.
And then you have folks like yourselves who are putting out software, how-tos, different things so that people can go ahead and build this flow into their website.
I'm just super excited because I'm so done with passwords in my life and everybody else's life.
I would love to see a passkey based like
a default passkey based world out there. How do we get there? What does it look like, I guess,
maybe in the small, like for a single website owner to implement something like this? And then
maybe, you know, what does the trends look like? Maybe as a secondary follow up?
Yeah, that's a really good question. So it's definitely a little more difficult to implement into a website than passwords. Like I mentioned before, this sort of password model is one user, one password works everywhere. With having to like manage pass keys on different devices, it gets a little bit trickier because every user can have like a whole list of credentials, right? And they might be able to sign in with some of them on some devices and not on other devices.
So it's a little bit trickier.
There are web APIs, libraries,
all that kind of stuff to help.
This is a problem I've personally been thinking about
for a while now.
And at 1Password, we have a product called Passage
that just launched a couple of weeks ago
that's designed to help people do this, right?
We're trying to be Twilio or Stripe for passkeys
and make it easy with SDKs and UI elements, things like that, to let developers just like implement
passkeys in their website in a couple days and move on, right? Like you should be able to get
this without having to like spend all your time or understand all of the inner workings of passkeys.
Like people shouldn't have to worry about that. They should just be able to kind of use it
out of the box
and get all the benefits.
This episode is brought to you by our friends at Drata.
Automate and accelerate your SOC 2 compliance, your ISO 27001 compliance, and many, many more compliance frameworks.
With a suite of more than 75 integrations, Drata easily integrates with your tech stack through applications such as AWS, Azure, GitHub, Okta, and Cloudflare,
and countless security professionals from companies including Lemonade,
Notion, and Fivetran have shared how crucial it has been
to have Drata as a trusted partner in the compliance process.
They have deep native integrations that provide instant visibility
into a security program
and continuous monitoring to ensure compliance is always met.
Drata allows companies to see all their controls, easily map them to SOC 2, ISO 27001,
and many other frameworks to gain immediate insight into framework overlap.
They are the only player in the industry to build on a private database architecture from day one,
meaning your data can never be accessed
by anyone outside your organization.
It is time to say goodbye to manual evidence collection
and hello to automated compliance
by visiting drata.com slash partner slash changelog.
That's drata.com slash partner slash changelog.
They are bringing automation to compliance at Drata speed.
Is this 1Password's first move into like developer services?
Because you've always been like a business to consumer, you know, like buy our software
or subscribe to our software.
But now this is like we are going to be a Twilio, or would love to be a Twilio, for passkeys.
That seems like a change in direction or maybe just another direction.
Yeah. So we do have some developer tools, actually.
If you've never used them, you should check it out.
We have like a CLI tool for secrets management
and shell plugins and all sorts
of really cool developer tools.
Right.
But you are right.
It's a little bit of a different approach
as far as like where a different business line
and like where we fit in the organization.
It's interesting
because 1Password's whole mission and goal has always been just make sign-in easier for people,
right? We're just trying to make it easier for people to log in on the internet. And so the
password manager is doing that from the user's perspective, they're giving users a tool to sign
in easier to manage all their credentials. And then Passage is kind of taking it from the
other angle of we want to make people more secure by helping businesses give their users the best
possible authentication. And you can't really do one without the other, right? So if websites don't
actually implement passkeys, users can't use them. And if users are intimidated by the technology,
or they don't have easy ways to store their
passkeys, then they're never going to use them even if websites adopt them.
And so the way we were thinking about it is like both Passage and the password manager
are working towards the same goal of just eliminating passwords completely as much as
possible and then also helping them transition, right?
Like, unfortunately, passwords probably not going away anytime soon.
It's going to be a little while.
So 1Password is in a unique position
to kind of help people
with all the different credentials.
You have passwords,
you have OTP codes,
you have passkeys,
and just kind of help people
manage that whole process.
I store my SSH keys in 1Password.
I'm one of those people
who uses the 1Password CLI.
I believe it's called op or something like that. I don't use it often, but I've used it, which I love
because I can biometrically SSH into servers on the network or on the internet via having my stuff
in there, which I love. Biometrically getting into something, to me, is the way to go. It's
the future because you can't... I suppose if you cut my finger off then maybe you could be
me but like that's really bad
and something bad's happened to me so I got
different problems. Yeah I mean if someone cuts your finger off
you got bigger problems. Yeah. Right?
Yeah I mean they can steal my eyes like they've done
in different you know sci-fi
movies you know to get into. That network attached
storage is not going to be your problem at that
point. No we got different issues.
Not my SSH keys.
That's my best effort, though, to be me.
Right?
Like Jared said before, I can't change my fingerprints.
Last time I checked, maybe I could burn them off and put different ones on.
Who knows?
But that's going to be me forever.
And my face is my face.
As I age, it may change.
But I think face ID is smart enough to go with that aging process as a human being.
Totally.
I do actually want to clarify one point about this, because I think it's important for me,
maybe like a privacy perspective is when we're talking about like, you know, my fingerprint
or my face is being used to authenticate to these sites.
Like that's true.
But those are just being used to authenticate like locally on your device,
right? Like these random websites that you're signing into do not have your fingerprint data,
your face data or anything like that, right? And so it's all about like, it's almost more,
it's less about what you are, like your biometric and more about what you have,
your device, right? You're really just proving that you own that device through biometrics. And so it looks really easy, but I think it's an important distinction there because
I could totally reasonably, people would get caught up in the idea that, you know,
my biometrics are just being sent across the internet. And that's not the case.
It's like you have a key like in a box, right? And the key's going to get you into the room,
but the box is locked. And to open the box, you've got to put your fingerprint on there.
That opens the box, gets the key out, puts it in the room.
Yep, exactly.
I've been playing a lot of Tears of the Kingdom.
Sorry for bringing Zelda video games into this.
We like that.
It's part of it.
You might have to ascend up through the roof.
But keep going.
Yeah, well, the point is that whatever the process is,
WebAuthn, passkeys,
the DBA for this cool new biz,
you know,
is essentially I have to authenticate to my device first.
And the device says,
okay,
this is truly Adam.
So you can now pass key away.
And that's what I love.
Like even now being SSH'd into machines with,
I know I'm not biometrically sending my,
you know, stuff over there to the machine,
but it's authenticating me to my device.
Yes,
this is Adam.
Right.
Trust this process.
There you go.
That's the future,
right?
To,
to prove on me in the best way possible.
And that's how you do it.
Totally.
And you don't even have to think about it.
Right.
I think we talk about this idea of like password hygiene a lot and,
you know,
users having to think
up passwords and not reuse them and all that kind of stuff. And like people aren't trying to be
insecure. It's like actually hard. I have like well over 200 passwords I'm keeping track of,
like that's really hard. And so the idea of I'm just using my finger and I don't have to
think about what I'm doing, but I'm just automatically secure and it's built in.
It's just so nice to not have to put that burden on people.
Can we just rant real quick about password requirements too?
It must really be between 8 and 20 characters.
It must have a special character.
It must have a number and a capital.
It's like, just leave me alone.
The only one of those that's legit is it has to be longer than X.
And X should be like 8.
4 to 8.
Don't put a maximum limit on my password. They don't work quite anyways. And for a long time they
used to make you rotate them, like every three months.
Yeah, I can't think of new ones that often.
Right. And then some very smart people would keep a list of your most recently used ones, and they're
like, you can't just go back and forth between two. Like, no, you used that one three times ago. Like, I
hate you.
That means they're just storing all of your old passwords.
I'm just trying to check my email, you know. Let me in.
I was going to mention Steve Krug's book, because like this is the
ultimate user experience. If you've ever heard of this book, stop me. It is called, literally, Don't
Make Me Think. And like it was about web and web development in its original edition. I think
it's been revised a couple times at least, but the basic premise is there, right? If you've got
passwords out there, you're making people who don't, like you said, want to be insecure think about this
process. And before password managers like 1Password and others, you literally had to keep
a spreadsheet that was probably insecure,
or a file with permissions on your local machine.
I don't know, how would you even manage these things,
and then generate them, and then be more than 16,
and have these special characters?
It's like, that's making me think as a user.
Now we're at a place with Passkeys where you have to think less.
There's still some thought in there, I'm sure,
but it's minimized to almost the littlest possible necessary to think about being secure. And I guess it's sort
of built into your devices now. So like if my iPhone supports it, like Apple supports it, then
I don't have to think anymore about passwords.
Exactly. You're just making the easy thing
the secure thing. No one has to think about it. It just works. That's all anyone
really wants. They just want to go buy something from Target or go read an article on the New York
Times. They don't want to think about how they have to authenticate.
How do we educate people?
And maybe that's not the best way to describe it. So let me give an example. I use Home Depot. It's
my favorite place to go. I do not like Lowe's. Home Depot, if you want to sponsor us, I would gladly accept that.
I'm a Lowe's guy.
Oh, gosh.
Just kidding.
The great divide. The great divide.
Anyways, Lowe's, if you'd like to sponsor us, we'd love it.
We'll deny that request and replace you with Home Depot right away.
So it helps. I'm team Home Depot.
Oh, no.
Break the tie.
Okay, great. Two to one. Two to one here.
That does not help, Anna. Thanks for nothing.
So I obviously keep my credentials to homedepot.com in 1Password because I am a tried and true many, many, more than a decade now, 1Password user.
And so that's great.
But every time I go there, I have to use this scanning thing to prove that I was in the military to get this military discount they offer.
And I have to do that every time I make a purchase.
So I have to essentially authenticate with their website every time I'm a consumer, whether it's on the web, which is obvious, or literally in person.
I have to scan this code that's only on the web that's generated.
It's like a QR code, essentially.
So I have to authenticate all the time.
And I have been resisting this other way they've said before, because they did not describe
it as passkeys. They did not describe it as, you know, no password. They said there's another way that you
can log in faster, and I thought it was like some sort of gimmick. So what I'm getting at is, how do
we describe to users, in a world that's password-filled, a passwordless world? How do we describe
this? Because I spent a couple months resisting this passkeys world, with Home Depot offering
it to me. And now that I know about passkeys, and here I am, like, host of the Changelog, like, forever,
should know these things, I did not know much about passkeys, and I resisted. And the other day I was
like, Jared, I just created a passkey today. It was like three days ago. And it was with Home Depot.
So, but how they explained it was not normal or I didn't read it right.
Yeah.
Or they made me think.
So, how do we live in this world where we go from passwords being the norm to passkeys and how they work?
How do you, it's a marketing challenge, right?
Like it's a uphill battle.
It really is.
Like it's a really hard problem.
People are used to passwords.
And so, like I said, you're just trying to go buy something from Home Depot.
They're just trying to read an article.
Like I'm not sure that that's the right time to be saying like, here's some new fancy technology.
Like right when they're in the middle of trying to do something.
We did some UX research as part of the FIDO Alliance.
And that was actually one of the findings was there are times to actually not tell people about passkeys because they're kind
of busy and like they're really focused on their goal. But what we found is that users don't
necessarily respond to the security benefits of passkeys. It's more about the user experience and
the speed of signing in and not having to use a password, like explicitly saying things like
sign in without a password is a pretty appealing thing to people to at least go check it out.
And so I think those things are moving in the right direction. We're doing tons of research
on the marketing there. I also think it's just going to take some time like Google just
implemented passkeys for Gmail and for personal accounts. And, you know, that's billions of people around
the world who now might start to see a pass key experience. And it'll still take some time. But I
think once people see it the first time, right, you've done it now one time, aren't you just like,
wow, I want this everywhere. This is amazing. Can't wait. I could do it again. Yes.
Like literally that. And so I think it's just getting people to that first experience, whether that's through the really big websites and players like Google, or giving people
a really consistent experience. So in the Home Depot login experience, with pass keys, and the
terms that they use are kind of different than Google or Best Buy or eBay or any of these big
sites that have pass keys now, some of them don't even use
the term pass key. So I think it's just kind of confusing, like you wouldn't necessarily know that
those are all the same thing until you actually go through the flow and start to set it up.
And so we've been talking a lot about like, how do we make it more consistent? How do we give
people parameters and, and assistance in the UX of this to make sure users are just like,
Oh, yes, pass keys.
I've heard about that.
Let me go set that up everywhere I can.
Yeah.
Well, shout out to Home Depot
for having the software at least rolled out.
And then we just tell them,
if you're listening Home Depot,
just use the word pass keys on there, right?
So like, let's just-
They may have, Jared, honestly.
They might.
Oh, so it's on you.
It didn't, it seemed like some sort of benefit
from Home Depot directly. And you know, sometimes brands have other motives for making me change my common workflow
and pattern. I just was resistant. Like, whatever that is, I know how to log in with 1Password
to your site. Leave me alone. I don't understand what you're asking me to do. And it was like,
it was a bother because I'm trying to transact. I'm not trying to deepen my relationship or become more secure or become educated about
this new fangled thing. You know, get off my lawn. Let me just do my thing here. So it was not the
right time. Yeah, I think that's where it can really come from. People like Google who have
such a like trusted place in people's lives. It's your email that they're protecting, right? It's
not just a shopping site. And so it's a different level of maybe willingness to add MFA to that
account that will make you at least willing to read more about passkeys. Like I said before,
you know, if you're going through a checkout flow, you're in the middle of trying to do something
else, like you're probably, it's not the right time to tell you about passkeys, right? You have to,
when you're already doing account-related activities, like if you had to reset your
password, that's a great time to offer someone to add a passkey, because you just had to go
through the pain of resetting a password, right? Or like letting people know in other ways and not
like blocking their flow. One of the big things we've seen is, like, I expect e-commerce to be
an industry that adopts this type of
technology pretty quickly. We've seen people like Home Depot and Best Buy and eBay adopt passkeys
pretty early. And there's like really big benefits for those types of companies. Because if you can
get more people to sign in and convert, and they're not running into issues trying to check out like
that's a huge win for your business. But what we found is that if you
do pass keys, if you implement pass keys wrong, it actually hurts your conversions. If you just
put a button on your website with a pass key icon on it, and like, that's not going to work,
people are just going to click it, it's not really going to work, you're not sure what to expect.
And so you really have to be smart about how you introduce the technology to people
to give them through like conditional flows at certain points.
Like only show them this button if they actually could log in with a passkey.
Like don't just always have this button here.
And it's really small things like that that actually go a long way in making sure your implementation goes well.
And that's a lot of what we spend our time thinking about at Passage is like how can we worry about all that stuff for you and make sure we're giving you the best experience?
So how does Passage determine that, that this person can have a passkey?
How are you doing it?
Yeah, there's a lot of things involved in that, actually.
If else, then.
One big if else statement.
Yeah, so every platform does passkeys a little bit different. The APIs are fairly consistent,
but the way in which, like, the support levels are different. Safari requires there to be
a user gesture before you can do a passkey prompt, like there's a lot of sort of differences between
different platforms and different browsers, things like that. So that's a big part of what we do is like manage, like, can I even use a passkey on this device? And then we'll also keep track for users,
what are their passkeys? And what platforms are they on? And, you know, where am I right now?
And should I be able to log in on that? And so it's a lot of just like conditional checking and
like trying really hard not to let users see errors, right? We want to really minimize the
times that a user runs into an error, because that's just going to scare them away from passkeys. Right?
Yeah. How does it work
when somebody signs up, but then switches devices? So let's say I come to example.com, which is
powered by Passage, right? And I say, I'd like to sign up. I'm Jared Santo. Here's my passkey,
click a button, I sign up, it's all well and good. And then I come to it
on my iPad later that same day. And I say, I'm Jared Santo. I'm on a new device. How do you know
I'm me?
Yeah, good question. So there's a few sort of levels to that. The first one depends on where
your passkey is stored. So if it was on a MacBook, and your iCloud account is used on both...
That iPad, so iCloud would sync it.
Yeah, exactly.
The iCloud will sync it and it'll just be there.
Okay.
The same is true for 1Password.
So even if you're on, if you stored that passkey on a MacBook in 1Password,
and then you go to your Android phone, which also has the 1Password app,
you would still have access to your passkey there.
And so a big part of this like synced passkey initiative is exactly that,
to make passkeys
available on all the different platforms.
In the event that that's not the case, then Passage or the website, whoever's doing it
will have a backup or a recovery type of option to let you either use a passkey on another
device or to add a passkey to that device, usually through like an email magic link or something along those lines.
I see.
So on sign up, you probably captured my email and then you can say, OK, we don't know who
you are.
You're on a different device and you're not synced or something like this.
I'm sure you'll be that kind as you in your copy.
Who are you and what are you doing here?
And then you'll say, OK, well, you don't have a pass key.
Would you like to generate one using your email address or something like that?
And then you'd go through kind of a magic link flow that would then generate a new passkey on my new device and add it to my list of passkeys for that website.
Exactly.
If you want to.
There's this flow.
I don't know if you all have seen it, if you've used passkeys in this way yet. But if you create a passkey on one device and go to another device,
sometimes it'll pop up with a QR code
that you scan on your phone that has your pass key.
And then it will like sync it over Bluetooth kind of.
Oh, wow.
It's called like a hybrid flow.
It's sort of a new thing that we're experimenting
with for cross-platform pass keys.
And it's kind of confusing, but it does exist.
And the idea is you could have like an iPhone, your iPhone has your passkey and you can just kind of carry
that around in your pocket and use that passkey on public computers or shared computers or places
you don't want to store a passkey. And so there's a lot of these different types and formats of
passkeys, but it's really hard to kind of like keep track of all those different options. And so
that's kind of what Passage does, right?
Right. Yeah. So is your phone then, in that case, I know we're getting
into the weeds on a very specific thing, but that's what we do here.
Necessary. Necessary.
Is your phone that scans the QR code, then, is it passing the challenge response over that? Or is
it actually, it's not taking the private key
and giving it to this public computer, right?
Like it's doing the challenge on the phone
and passing the response maybe?
Right, it's getting the challenge from the computer
that you're trying to log into
and then it'll sign it on your iPhone or whatever
and then send it back.
That's not much different than OTP really in that case
because it does require the other thing.
In terms of user experience? Well, yeah.
Well, I mean, it's really a strange world. I'm gonna go back to Home Depot,
because I have to. This is my only experience with passkeys. I have authenticated, because I'm
mobile, in the store. I did it on my phone. And then I come back to my Mac, and I did this the other
day. I'm like, now I have two passkeys, one per device, to Home Depot.
And then now we're here on this call and I go back to, just, I logged out of Home Depot. I was like, what's the flow? So let's just use them as a potentially wise implementation poster child for
this. So I plug in my email address because they do require something to say, who is this person?
That's my email address. This is Adam. I click continue. And then the native Safari, I'm using Safari as a browser, comes up and it says,
now that I just got an issue, just now I'm trying to do this again. Gosh, this is failing. Live demos
fail.
Well, at least it's not our software.
Yeah. Right. Um, well, it came up and it says,
do you want to sign in with this passkey, or click this blue link that says there's other
sign-in options. And one of them was a scan it, like you had just said, Anna, where you go on a different device
and do that passage back and forth.
These guys are on top of it. They got the hybrid flow already.
Yeah, they seem to. And then this other one, let me see if I can get this back up. Oh, now they're
making me do it a different way. Now they have defaulted, since I didn't do it the way they wanted me to, with a passkey.
Now they're making me verify the code via email again, which is okay, I guess, because I can still get in.
My concern was like if pass keys fail, am I locked out?
Like do I now have to only pass key on this device?
Apparently no.
But long story short, there was another way to go in.
It was scan a QR code.
And I think the other one was like, I don't even know what it was.
It was like three different options.
Do you know what that third option might be?
Mother's maiden name, your first pet.
Yeah, all your security questions.
Right.
Mom's maiden name, etc.
Yeah.
Yeah.
I definitely think most websites and definitely what I'm seeing is most websites are not implementing
pass keys full stop.
There's always some sort of backup. So if you're
using Passage, that backup is usually still passwordless. It's magic links or login codes
typically for people who just like some people don't have devices that support passkeys. So we
got to give them an option for a lot of websites like Home Depot that are sort of like have huge,
large user bases and are just like, I just want to test it out with a small subset.
They'll keep their passwords, right?
And then they'll just sort of add this as an option.
And so you can always fall back to your password
or to an OTP code or whatever,
all these different options that they have to log in.
It looks like they have quite a few,
but I'm really seeing it happen as like an add-on.
Like you can opt into this feature,
but it's not necessarily the default
or even like something
that they're really heavily forcing on people. It's like, let's get it out there. Let's give
people who want it the opportunity to try it out. And then we'll kind of expand and migrate over.
What's up friends? I'm here in the breaks with one of our sponsors, Raycast. I'm here with Thomas
Paul Mann, the co-founder and CEO of Raycast. So Thomas, I recently moved from Alfred to Raycast.
I'm on the Pro plan, loving the AI integrations and everything else that helped me
to be productive. Also helped you launch the Pro plan recently on Changelog News. That was
awesome. But what I want to know is why you built Raycast in the first place.
I think software, as we experience, is flawed and inefficient. And I know this is a pretty big
and bold statement, but this is really where the
idea from Raycast comes from. Because when you think about it, when you interact with a computer,
you have a certain action in your mind that you want to do. To perform that, you need to translate
that into clicks and keystrokes on a computer. And that isn't really intuitive. That's not how
we used to work. When we grab something in the real world, we just grab it and do it. There is no communication or something like that necessary.
But somehow we got used to that this is how software works. And we work around that.
It kind of works, but I feel really it's an inefficient way to use a computer.
So with Raycast, we re-envisioned that and we said, what if I could use all my tools in a
single interface? They look the same,
they behave the same, I'm super efficient at it. I just enter what I want to do. Everything is driven
by the keyboard, which I'm used to as a developer. We basically started building exactly that, and
started with the basics of, like, what if I could launch an application? That's an easy task, right?
What if I could find a file that I'm looking for? Okay, that's nice. But at some
point we reached the threshold where we said, oh, but now I need to create a Jira issue or see my
assigned issues and change the status. And that is where it gets really interesting. It quickly
became clear to us like, wow, okay, there is actually demand for that. That was really the
start of Raycast where we felt this is something special. They're like so many people want to be
more productive. They want to have a great tool that they can use, but they're also willing
to put in a bit of work of maybe integrating with their own services that we don't have support for
now. Okay, cool. So one of the things that stood out to me for your homepage when kind of learning
about Raycast and discovering what it can do, it says in big bold letters on the homepage,
supercharge your productivity. Why is that the leading statement for Raycast?
Yeah. So for us, productivity is like, it's very hard to measure if you look down for it. People
say they can do something faster. People say they're more productive, but it's very hard to
quantify. So we thought, hey, we have a tool that generally just makes you more productive
in many different ways.
So it supercharges your productivity.
It brings us to the next level.
You like just can do things much faster than anybody else.
You can interact with your tools quicker.
You're basically like operating on a different level.
There's always a saying of a 10X developer,
which can do things a lot faster, right?
So it goes along those lines where when you see people using a Mac with Raycast, they
use a Mac differently to somebody that uses a Mac without Raycast.
Okay, so if you're on a Mac and you want to be productive, you owe it to yourself to try
Raycast.
You can try it free.
Almost everything they have is free.
I mean, lots.
I mean, I told him, Thomas, you kind of give
away too much for free, but hey, that's their choice, right? But if you want to be productive
on a Mac, Raycast. If you're using a launcher, if you're using Spotlight or anything like it,
Raycast will take you to a whole new level. I'm using it. I love it. I think you should
check it out. Go to Raycast.com. Again, Raycast.com.
I just had an idea.
Only passkey-based signup as a means of spam prevention.
Because I bet the spammers are not onto this yet.
Like they probably don't have the flows in their bots that will do,
because they'll click on it yet, signup links, like confirmation emails.
Like they're that sophisticated now.
They will get through your captcha.
Then they will click on their confirmation email,
and then they will spam your website.
But I bet they don't have passkey flows all figured out yet
because it's just too new.
So if you just required passkeys,
I'm just thinking about us in particular,
I wouldn't do this at Home Depot.
Then you've got a real person with a real passkey,
and you don't have to deal with spammers as much, Adam.
What do you think?
Require it.
Yeah.
I guess if you're a sophisticated user you can do that, sure, because if you want to go the route of only passkeys, then...
Yeah, well, I would only do that to stop spammers. I wouldn't do that otherwise, because I think it's
too heavy-handed otherwise. I mean, most people out there, let's talk about transitions. I mean,
we're in a password world. I do think as users we're getting more used to passwordless because
of the advancements,
like for instance, like Apple Pay, Samsung Pay, like we're getting used to the idea of like,
just face ID it, just tap it here, right? Put your thumb here. And so I think we'll be just as a
population ready to adopt these things. But we have to get there from here. And a lot of us have
websites with hundreds, thousands, tens of thousands, hundreds of thousands, millions of users that have passwords that we're managing.
What do you suggest for us in terms of like, just we just add this as an option? Do we push it real
hard? What do we do? Yeah, so from a business or developer perspective, I can kind of see both
sides. You know, I personally think it's kind of worth going fully passwordless if you can
and still having those fallbacks of magic links or OTP codes, which are still a little
bit better than passwords, right?
Even if they're not great and they're familiar to users enough, I think.
But I also think it's important to give people the option to just add on to whatever they
have right now, right?
I think that's faster.
It's easier.
And if we want to, like, incentivize developers and businesses to implement passkeys,
we have to make it really easy. We can't make them, like, lift and shift their entire
authentication infrastructure. I just don't think that's reasonable. And so I think it'll be a lot
of sort of like Home Depot has where you have a password option, and maybe you even always register
with a password. And then you can just add a passkey on top of that as a faster sign in.
I think that like still getting people used to that user experience is what's going to
going to lead the charge. You know, on the passage front, we kind of support both of those options.
We have a product called Flex that is basically that it's like, we'll do the passkey management
for you, but you still handle all your user management, your password management,
whatever other authentication you want to do, we'll just add it on top. And so I think that's a lot easier for websites like
Home Depot to go do than it is to maybe make that full switch. If they're just not totally
convinced of the benefits yet, they get to see it in action first.
These guys are ahead of their times, I'll tell you, that's for sure. So I finally got back to
this. If you don't mind going back one more time.
That's why they're better than Lowe's.
Well, I'm all about user experience.
And this is what it says.
So I'm going back to your thing and what you just said, which is provide the ability to sign up with a password.
The typical way that everybody does.
And then layer on more higher security.
And that's the thing they gave me first because they know now that I have a passkey with them on this device.
So they're going to say, well, Adam, hey, you're back.
Sign with your passkey first.
Oh, that failed.
Let me give you the one-time password.
I just emailed to you.
Oh, that failed.
Okay, you can use your password.
So it's like layers.
And so I finally got it to give me this prompt back.
So I guess my passkey got obliterated
because I didn't respond fast enough with my fingerprint.
So like, forget it.
You can't have that option anymore.
So now the only way I can get back into this thing is with my password or the one-time
code they give me via email.
So I did that.
And as soon as the very next thing I did, once I got this code back in my email, they
said, okay, now you can sign in faster on this device.
And it gives me what looks like a Finder-type icon with like a face in it, which I think represents
face, maybe that's the Face ID. Is that the passkey icon or the Face ID? It might be the Face ID
icon. I don't know that one very well. The fingerprint, and then a key, and it says enable face
or fingerprint ID, and then below that says what is this and explains it. I push that big orange
button because that's the color of Home Depot. My gosh, Home Depot, you should be sponsoring this show. Too much praise for you. And then they let me in.
They're like, bam, you've got this. They never said passkey, though. They never said WebAuthn.
Did they say bam?
They never, they didn't say bam. Not like.
They spice it up a notch?
They did not say bam. They didn't even say no password. They just said
faster. They described what you said before, which was the thing I want,
which is like ease of use, user experience and speed. So that's closing the loop. Thank you.
Thank you for closing that loop.
And I think people like, okay, if everyone's logged into like an iPhone app with their face
ID before, right? Like your banking app or something like that. So in that context,
it's a pretty familiar thing to say, log in with
your face or log in with your fingerprint. So I think they're kind of playing off of that
familiarity that people have to something kind of like it, even if it's not quite the same.
So it got you there eventually.
Right. I'm back in. Passkey away.
Crisis averted. Adam is back in at Home Depot. He was about to go to Lowe's, but he didn't.
I was never going to go to Lowe's.
No more lumber for
me at this point. No more things. No more
tools. Okay.
Let me mention some other brands. I like Ryobi.
I like Ryobi. You don't need to just name all these
brands. They're not necessary.
I like Rubbermaid. That's my favorite garbage can.
I don't think they support pass keys on
their website. Yeah, not yet. Traditional
padlocks. Get us back on track, Jared.
Please help me.
So the other area that we haven't really talked much about,
which I think is burgeoning because we're fresh off of the WWDC keynote,
there's some Apple announcements around pass keys and sharing, I think.
I think when you get into Teams, you get into sharing families.
Just like a password.
We have password problems around here.
Give me the password.
Did you update the password?
Yes.
Can you give it to me again?
Write it on a scratch note.
Put it on my desk.
I think all these problems are going to also be there with something that you have, which is a passkey.
So is there a passkeys native solution to this?
Or is it all just like, well, Apple's going to handle sharing.
Google's going to handle sharing.
One password's going to handle sharing.
Yeah, so it's that second one. It's going to be on the provider to share in whatever sort of native way they have. So,
you know, for iCloud, you can share through Keychain, the same way I think you can share
other types of items. In 1Password, you've been able to share passwords with people or
move them to different vaults for years. It'll be a very similar experience. And I think it's
really important that all of those things still exist for passkeys, right? We can't like reduce the functionality you
get, or the way that you operate as a family or as a business to be able to share things just to
get this higher security, like you kind of have to go both ways. WWDC was interesting this year,
because they announced a few exciting, like, passkey-related things. Actually, one of them was around sharing and teams and things like that. The other was support for
syncing through external providers, so providers like 1Password. So Google announced this fairly
recently as well. So once Android 14 and iOS 17 come out, 1Password will be like a native passkey provider. And it would, like, when
you get that passkey prompt on your phone, you'll be able to, like, select a passkey directly from
1Password instead of Google or iCloud. And you can kind of see all of those and switch between them,
which is a really exciting update for us. Like, it's really important for us. And we've worked
very closely with those those companies to be able to support things like that.
So we're personally really excited about being able to give that to our users.
And they also announced some cool work around enterprise passkeys and being able to use
passkeys in like a managed environment.
So if you want to enforce in your enterprise that passkeys are coming from a device that
has an MDM solution on it, you can do that.
So that's kind of a cool thing coming out of Apple too.
What's MDM?
Like a mobile device management software.
So, you know, my MacBook has, I don't know what it's called.
We have some sort of software that we run, right, to manage our devices.
And so that way I know it's a corporate device.
It's not some random laptop
that I've brought and tried to authenticate with a passkey. I can say like, this is an iCloud
passkey for this enterprise. And you can kind of attest cryptographically to that.
I assume passkeys has some kind of revocation process similar to like OAuth where you can say,
you know, kick out all current devices or can you target a specific
device and say, throw this passkey away? Is that all part of the spec?
Yeah. So you can do it either on like the client side that you could delete a passkey from your
iCloud account or from your 1Password account or on a website you could go in, you'll see like
usually a list of passkeys like in your profile and you can delete them from there as well. So
you can kind of have the website
forget your passkeys or you can
delete the private key from your device.
Either one would work.
Sounds good. Where do I buy one?
Well, you already have one.
I don't know what else to say. I feel like we've covered so much
and I just feel like it's up for
web developers
to go out there and start implementing this
and people tell your friends,
we've got to get the word passkey out there
and all this stuff.
The passwordless future is right here in front of us,
it seems like.
I don't know.
That's just way too rosy.
What are the drawbacks?
Let's get some.
We're too excited.
We have to settle down.
Anna, tell us the cons.
There have to be cons
There definitely are a few downsides, though. My co-worker, like, uh, Nick Steele likes to say it's
the hot girl summer of passkeys this year. So I do think it'll be like when everything kind of
takes off, but I think that comes with time and implementation challenges and all these things
we're talking about with Home Depot even, of like, oh, okay, like, I did this, but it didn't quite work. And then I do this other method,
like, I think there's going to be a lot of sort of confusion around that type of stuff at first.
And that's why a lot of these websites are implementing them sort of slowly alongside
of passwords, because we just have to get people familiar with it and educate people. And I
think once they see that first passkey and get to use it,
you know, they want it places, but it's just going to take time for websites to
feel comfortable implementing it. And so we're all about just how do we help? How do we make
this go a little bit faster for businesses, for developers, for end users, like just get everyone
comfortable with the technology and able to get there. And then I think it's a big win,
right? I think it's kind of a given that it's going to happen. And this is the direction the internet
is going. But it'll just take some time, have some growing pains for sure.
Is the goal of Passage to provide these SDKs so that they don't have to implement it on their own
or themselves and have to? I don't even know. Home Depot may be a Passage user.
You may not even know.
Who knows?
They're not, unfortunately.
They're not.
I wish.
Gosh, Home Depot, get together.
Sponsor the show and use Passage.
Exactly.
If they use Passage, though, they will get the blessed way.
You all have put all the work in to ensure the workflows are right,
to ensure if I didn't put my fingerprint down in time,
it didn't obliterate my passkey and make me go back to some other method.
It's like, hey, Adam gets a chance to try later.
They can use all the blessed ways you've tested, tried, put out there.
That's the reason Passage exists, right?
Exactly.
A hundred percent.
Okay.
What's next then?
How do people use Passage?
Yeah. So it's free to sign up. Developers can just go to passage.onepassword.com.
Check it out. You can sign up, start building apps with it. We have a few different options
and ways to do it. We have a Discord you can join if you want to chat with us.
But our goal is to just let you go build stuff. You don't have to talk to us or anything like
that if you don't want to. If you're just a regular user, you know, like Adam, you were saying you've only
used a passkey one time, basically, on Home Depot. We also have a fun website called passkeys.directory
where we have a big list of all the websites that have passkeys. So if you haven't used passkeys yet,
go check it out. You'll probably find a site that you've used before and you can actually go
add a passkey and, like, see what it's like for the first time. And I think especially as developers,
once you see that, like, of course you want to give that to your users. And so I think it kind
of helps to see it in action. A lot of the different user flows we've talked about are
kind of confusing when you're just talking out loud, but once you see it happen for real,
I think it just clears a lot of things up. It also looks like there is a fair number of repos on GitHub.
I'm sure if you go out and you're using Rails,
there's probably somebody who's laid some groundwork for Ruby on Rails.
If you're using Next.js, there's probably some people
who've laid some groundwork for Next.js.
Even just the passkeys topic on GitHub has 54 public repositories.
So I think there's probably a lot of resources, a lot of tools,
a lot of starting places where folks can get started with this
on their particular platforms.
Yes, tons of open source repos, libraries, examples,
lots of good places to get started.
And a lot of these are actually called WebAuthn still.
So maybe the word Passkeys is just burgeoning, but not quite there, especially on older implementations
that maybe you don't want to use directly,
but can just be your inspiration
if you're going to hand roll something.
I would love to see how it works
inside of our Elixir and Phoenix framework,
like to do it by hand or to do it with Passage
and maybe even compare the two differences.
I think that'd be super cool.
But yeah, lots of resources.
We'll definitely link up those things
in the episode show notes.
Anything else?
Anything left unsaid that we haven't asked you
or talked about, Anna?
Adam, you had one,
you were talking about like your mobile military ID
or something like that that you use at Home Depot, right?
This reminded me of a really cool thing
that is kind of post-passkeys, right?
It's probably like a while out still, but I think it's the future.
And it's a really cool thing to think about called verifiable credentials.
And it's basically mobile, like verified mobile IDs and things like that.
And so letting you like store your verified military ID in your wallet, like in your iPhone
wallet or in your 1Password, and using that to, like, verify over the internet without you having to, like, scan your phone all the time. And it's like, it's kind of,
it's very much similar to like a passkey type of protocol. It's sort of like the next evolution
of that and like something that's kind of coming after passkeys. And I think it's cool how there's
just so much exciting, like identity based new technology coming out in the next
few years.
I think it's just a lot of cool stuff to make your life easier on the internet.
And the fact that you brought that up just kind of reminded me of that.
Yeah, for sure.
They make me do it every single time.
Every, every time.
Yeah.
So yeah, whatever could make that easier.
It'd be great.
Yeah.
They have it built into their site, though.
It's like I have to authenticate with Home Depot.
They're getting so much press this time around.
I was looking on passkeys.directory, too.
And, you know, sure enough, Home Depot is listed there.
There, you're really closing the loop.
So, so many Home Depot mentions on this show.
I can't wait to see the transcript.
It's going to be amazing.
So nothing left unsaid.
No directions for our listeners.
Obviously, go to check out Passage.
Where's the best place to find resources or just to learn?
Is it Passage in your Slack or Discord or different places?
How can developers get educated on Passkeys at large?
Yeah, so we can definitely help as much as possible.
We have a lot of resources on our website.
There's also a great resource called passkeys.dev that, I think, the FIDO Alliance, along with Tim Cappalli from Microsoft,
has largely put together. A lot of developer-focused resources just about WebAuthn and passkeys.
That's really, really great. That's the other one that comes to mind, passkeys.dev. We'll link all
these up, as Jerod mentioned, in the show notes. Anna, thank you for schooling us,
literally schooling us, on passkeys. We had no idea.
I had no idea. Jerod, I've had a half of an idea, at least. It sounded like it.
I did. I had about a half, maybe a third of an idea. I just can't
believe you're a Lowe's fan. Gosh, I just said that just to spite you.
Oh, of course. That's right. I forget that you have to be against what I'm for. I always do that. I just take the other side.
Well, you're so for it.
I just feel like we need
a balance on here.
It's orange.
I like Menards.
Okay.
Do you guys have that?
No.
I don't know what that is.
Ace.
We like Ace around here.
Ace is the place.
Ace is a good place
for just like,
if you have to have
like the most obscure bolt
or like, you know,
some weird shaped nut
and you gotta just buy
one of them, you go to Ace, you pay like 17 cents.
They always have it. Ace.
Brought to you by hardware stores.
All of them.
Who would have thought?
Well, thanks, Anna. It's been awesome.
Yeah, this was fun. Thanks, guys.
Okay, this is 100%
serious. Okay,
I'm a big fan, as you can probably tell from this episode.
I'm a big fan of Home Depot, okay?
Nothing wrong with Lowe's necessarily.
My brother-in-law works at Lowe's.
I got no ill feelings to anybody or the company, Lowe's.
But my choice, my personal choice, is Home Depot.
Okay, so if you work at Home Depot, if you're in the engineering department at Home Depot,
hook us up.
Make a connection.
I'd love to have Home Depot sponsor this show.
I would wear an orange shirt.
And if you know me personally, you know that I'm a black, grayscale person.
I don't wear orange or purple or pink.
I wear black tones all the time, okay?
So I'm a grayscale kind of guy, but I'd wear Home Depot orange, okay?
So if you're there, get in touch.
Sorry about that.
I had to do it.
I had to do it because I'm a fan of Home Depot.
But hope you enjoyed that show with Anna Pobletts.
Passkeys, is this the future of passwordless?
Is this where we're going?
Is this what's getting us there?
Let us know in the comments.
The link is in the show notes.
We want to hear from you.
I want to give a big shout out to our friends and our partners at Fastly, Fly, and Typesense. And also to the mysterious, the wonderful, the awesome,
Breakmaster Cylinder.
We love you, Breakmaster.
And of course, to you, our listeners, we love you too.
Thank you for listening to the show.
Thank you for tuning in all the way to the very end
to hear me rattle off all the thanks, all the praise,
all the announcements, all the what's next.
Speaking of what's next, Adam Jacob, System Initiative, next week on the show,
launching System Initiative. So cool. But that's it. This show is done. Thank you for tuning in.
We will see you on Friday.