
PW - All Things FIDO (Panel + Q&A)

BSides Las Vegas, 57:09, published 2022-09
About this talk
PW - All Things FIDO (Panel + Q&A) - Tim Cappalli, Andrew Shikiar, Christiaan J Brand, Per Thorsheim. PasswordsCon @ 14:30 - 14:55, BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

Now, I'm not gonna say I know Christiaan, but we have met a couple of times and we have talked online as well, so I still have a certain idea of how much of a pain in the ass I can be asking questions. I had dinner with him yesterday and also warned him that I like to ask the difficult questions, and Andrew just walked straight into the trap on this one. [Laughter] So, back in Norway, at one of the universities there, there's a biometrics lab that is rated as one of the best in the world, and every time they want to do a panel discussion they contact me, because they say that I'm

really, incredibly good at being the devil's advocate. So I wanted to start out by saying that on my phone right now I'm actually looking at a couple of slides from someone named Simon Josefsson at a company called Yubico, and these slides are actually from PasswordsCon in June 2011 in Bergen, Norway, where he was presenting the YubiKey. Oh wow. Very shortly after his talk I purchased my first YubiKey, and this is then 11 years old. So my first question is for Andrew: what's taking you so long? Thank you. How much time do we have before the next session? Well, for this session. So, a great question. You know, I'd note that the FIDO Alliance,

for those of you who don't know, we're an industry body; over 250 companies take part. We're fortunate enough to have all the platforms involved, Yubico, security key vendors, service providers, groups like that. We're coming into our 10th year of existence, so this is around 11 years ago that Yubico had the idea of the YubiKey. I actually think we've made remarkable progress with the FIDO standards. Well, I mean, Christiaan talked about WebAuthn; WebAuthn is supported by dozens of leading brands, and hundreds of millions of consumers can log in and re-authenticate without a password thanks to that. What we're hitting, though, is a point of: well, that's good, but to really take on

passwords and to have the same ubiquity as passwords, we need to take on some of the same traits, which is easy access, ubiquitous access and ease of use. And I could say, like, today every conversation I have about FIDO begins and ends with usability, and so passkeys first and foremost are a more usable means of doing passwordless authentication, which allows us to hit our core goal of reducing industry reliance on passwords. So I think we've made good progress in 10 years, actually. The fact that we've seen such adoption, every meaningful company is taking part in FIDO Alliance, there's no counter-standard to FIDO, because everyone understands that this is, you know,

FIDO is basically the SSL of user authentication. It's not critical, and I think we'd have the same approach and we'll have the same success as far as being embedded in every system, service and platform out there. Now, in regards to Yubico and the YubiKey, as Christiaan was talking about before, that's another form factor for doing FIDO authentication. In fact, I would say that will remain the gold standard from a security standpoint for FIDO authentication; there are certain use cases where a key will always be used. That being said, what is so exciting about passkeys is the proposition of taking passwords out of play entirely for hundreds of

millions, if not billions, of consumers, and if someone can't get excited about that, I don't know what they're waiting for. So to answer your question, I think we're making good progress; passkeys stand to take us to the next level after this. Thank you. Okay. Tim: FIDO, U2F, WebAuthn, passkeys. Can you explain this to my mom in, like, a sentence? What is this stuff? Because my mom is really, seriously, not interested. Yeah, I mean, I think, well, you know what Christiaan demoed. The way we explain it to folks is that you're using your screen lock on your device to sign in everywhere, right? That's ultimately the way we abstract it

away, because the same tech on the device is being used, and all the API surface, all of that, is completely abstracted away from the user. And that's why we believe having a term, passkey, like password, is so critical, because all we need people to do is associate that as the way they can sign in. The way we kind of thought about this was, we're about 10 years into tap to pay, right? I think Google Wallet came out in 2012, Apple Pay was after, right? Most users know what that tap to pay icon means now, whether it's a physical card tap or a phone. We need that on the web, we need that for apps, so we need an icon and a

name that users just know: oh, all I have to do is, you know, I'm going to get prompted to unlock my phone, more or less, to do this, or my device. I want to add to that. I think up until a year ago we weren't quite ready with this experience yet, because we were always thinking a user will have to know: do I have a password, do I have a passkey? They have to make that mental decision, and that was actually a big flaw, right, in the development of this. It's like, users don't know. Today, if you have a security key, you need to know you have a security

key, because you need to have it present, right? The thinking with passkeys is everything is abstracted away, like with a password manager today: you just go where you want to go, you click into the field, and whatever is available magically pops up and gets presented. And until we really had that experience figured out, I think this wasn't really ready for prime time, but because we now have it, we're hoping that it is. Yeah. Okay. Christiaan, throughout the years I've seen all kinds of authentication schemes come up and fall down like dead flies in seconds. I've got to be honest, I do have a certain level of faith in FIDO WebAuthn,

but again, I'm here for being the devil's advocate. So I've seen Facebook try to push FIDO authentication a couple of years ago, and one of the things I got fascinated by when Facebook was really pushing two-factor authentication is that after enabling two-factor authentication you would get a pop-up, like, every time you logged in, for a period of at least two weeks, where they said, "You have enabled two-factor authentication, would you like to turn it off?" And I was like, wait, what? I do know people on Facebook, so I asked about this, and they said, well, it's pretty simple, Per: when you have 1.5 billion users in the world,

there are gonna be some people that are clueless, absolutely clueless, to what they just did, so they had to do that just to make sure that people at some level knew what they were doing. Apple have also tried to push the adoption of two-factor authentication for your Apple account. Google is pushing the Advanced Protection Program. Will Google, when will you try to push the use of FIDO WebAuthn onto users, like, to make it mandatory for, let's say, just a couple of million users, just to see what happens? That's a great question. I was looking for the meme, but then I decided no, I have too many tabs open on my browser, I don't want to go there. I

was looking for that meme with a guy riding the bike and then putting the stick into the wheel, right? I feel like that is what Facebook was doing when they tried to get two-factor authentication adopted and then gave users these options to keep turning things off. So honestly, the question is kind of twofold. The first is, Google is on a journey to enable two-factor authentication mandatorily for a billion users; doesn't matter if you want it or not, you're going to get it. And I mean, Apple has already, to a certain extent, done some of that stuff on the iCloud side, right? Today it's very, very hard, if you have an iCloud account, it's hard to

turn off two-factor on an iCloud account, right? There was never an explicit moment where I turned 2FA on for my iCloud account, but it's been there for as long as I can remember, and that's a conscious choice and a conscious decision they made. We're doing the same thing. I think we just publicized it: we've enabled it for, I think, 150 million users. Go look at the Google blogs, Google two-factor, you'll see some stuff that we've said about successfully testing this out. We took 150 million users, we enabled two-factor authentication for them, we looked at their account health over, like, a six-month period and saw what happened: can

they still log in, can't they log in? Okay, I will say, I'll cover this: that was, like, a pretty good group of users we picked, right? They have recovery options, there's other things that's good about their accounts that made us want to go and pick them. But it worked out, and we're definitely on a journey to get two-factor authentication in general to more users. Now let's talk about WebAuthn. The reason why my counterparts in Google on the account side are so excited about WebAuthn: you can sell WebAuthn as a usability benefit, right? You can't, it's hard to sell two-factor as a usability benefit, right? It really is purely a security

benefit. Users don't care; they're like, you should keep me safe. They're really angry at you when you let someone else get into their account, but for the most part they don't want to deal with it, right? They're more angry if you lock them out; I mean, that's obviously the worst, right? So lockout is bad, getting someone else into their account, bad, and then of course for the rest of it they don't want to deal with it. The way that we're thinking about positioning WebAuthn is exactly what we've seen in that banking demo: you'll sign into your Google account one day and you'll just get a message that says, hey, you happen to be

on a device with a biometric sensor, like, you can have a fingerprint, face or whatever; do you want to use that to make your sign-in process easier in the future? And then the user says yes, and now they have a passkey. Now that is the experience that we're thinking about for Google accounts. That is the experience that actually many apps have been, you know, pushing users towards for the last almost decade, right? If you log into your Chase or Bank of America or whoever, into your banking app today, that's the way that the app upsells you: hey, do you want to use biometrics in the future? I mean, I'm not always a fan of the

exact user experience and how slick it is, but what we want to do is make it extremely easy for users and have the value proposition center around usability and ease of use and not around security. Of course it's massive for security, but that's not what users, I think in general, really care that much about. It's sort of tempting to ask Tim the same question. I can't really remember seeing Microsoft doing a very significant, very visible push for two-factor authentication, but are you planning to sort of push FIDO WebAuthn onto us, and is that going to be voluntary or by force? I'll take one little brag: we were the first of the three to allow you to

remove your password completely. That was about a year ago, and that's been wildly successful. Yeah, we were certainly thinking about the day when we would mandate 2SV, and that would most likely be a passkey or security keys. So it's certainly top of mind. As Christiaan mentioned, right, this is a journey. These releases that you're going to see very shortly, this is not the end, right? We're going to constantly improve, and, you know, it's going to be realistically about 12 to 18 months before we can really start to push this on these big accounts. Yeah. Andrew, I mean,

what are you doing from FIDO Alliance centrally to sort of, like, I don't know, can you ask all the members of FIDO Alliance to push this stuff at the same time so we get the maximum attention to it? Oh yeah, I'm going to do that. Yeah, so a couple of points here. So first of all, I think the questions are fascinating, because to me they're all about usability. The question to Tim, the question about your mom, or whoever might be my mom, is incredibly difficult on this. Your mom, but, like, it's always your mom or whatever it is, but you know, it's that proverbial person. But it's all about usability, and to that person it's, it's like,

you know, Apple has done a great service to the industry by introducing Touch ID, and Apple basically consumerized user authentication with Touch ID, and people are so accustomed now to using biometrics that that's the expectation of user experience. The Facebook experiment with trying to mandate two-factor authentication and sticking the stick in the spokes, that's a usability challenge, and these are not technical challenges. So again, as I said before, pretty much every conversation I have about FIDO these days begins and ends with usability, which was not the case 12 months ago; it was about security. And all the benefits of usability actually have obviously security implications as well; they have bottom-line benefits and top-line benefits too,

and so to your question of can we just make people do this, well, no, we can't. But the fact of the matter is, you know, on May 5th of this year we had a press announcement with Apple, Google, Microsoft and FIDO Alliance where all three platforms announced their commitment to support this vision of passkeys, and, you know, we can't do much better than that, right? And all three platforms are going to support this, starting with iOS and macOS this year, following with Android and Windows over the next 12 to 18 months. So I think that as that endpoint support becomes more and more prevalent, we will see the service providers, you know, go towards passkeys, and

there's a lot of discussion right now about how and when and why they need to do it. To be clear, as Tim just pointed out, like, this is a technology in development, right? So the technology is mature, right? It will be, it's already out in iOS in beta form right now, but like any new technology it does need to iterate. It will iterate based on market feedback, based on market forces, and we're taking, you know, that feedback's happening organically and also through the Alliance itself, so that passkeys over time will become more and more, you know, better tuned and also fit all market demands. One other point on what we're doing inside of FIDO Alliance: you know, we're not just

hearing about usability, we're actually embracing it as a standards organization in everything we do. So we have a UX committee, we have a UX system coming into place, looking at user experience at every step of the way across our specifications and across the outputs. So passkeys will be front and center, but we're also looking at things like UX for security keys and other deployments of FIDO authentication; how can we, again... The usability is a very good point. I do have a t-shirt today: a friend in Israel, AviD, called sec_tigger on Twitter, he has a rule, AviD's rule. He says security at the expense of usability comes at the expense of security. It's a really good one.

Is FIDO, you know, is it easy for normal people just to get started, or do we actually have to do any kind of training to get them started with this? I mean, again, back to my mom: can she figure this stuff out without any kind of training at all? Because training is a cost. So let me talk about the user perspective, then turn over to Tim and Christiaan to talk about, you know, the developer's perspective. So WebAuthn, again, is a remarkable API, and it's built into every browser, and anyone could basically deploy it today for, you know, use of platform authenticators. That being said, you know, we heard from service providers

like, hey, this is really exciting, but, like, there's some wonky stuff happening with, like, OS prompts and browser prompts, and, like, we don't know if this is being... how do we deploy this? So we actually did our first UX study last year. We hired an external UX firm, we had a committee led by, you know, not your typical standards wonks but by UX and design leads from companies like Visa and Apple and Intuit and JPMorgan Chase, who helped scope a study, a three-part study of both moderated and unmoderated testing of people actually trying to enroll and leverage a platform authenticator to log in to a site supporting WebAuthn, and we

learned so much from that. And it's fascinating watching users do things like try to use Touch ID on a MacBook to log into a fictitious bank site, and watching, like, this focus group, someone being like, wait a second, like, why does it want my fingerprint, and why is this bank with my fingerprint, and why do they want this? And so what we learned is that there's a lot of education that needs to happen about, like, hey, first of all, your fingerprint's not leaving, but also all the user flows they're in. And most of the design stuff that we figured out was not about iconography and colors and stuff like that; it's about terminology and getting information across

effectively and letting people know what's happening, and, like, selectively disclosing information as they go along to help walk them through the entire user journey, from being primed to enroll for WebAuthn for your account, on through to login and customer support and stuff like that. So there's a lot of science behind this, and we're trying to take that on as a body and then make these guidelines freely available to anyone to use, which they are today, and they are being utilized. Usability studies on this... before we move on to Christiaan, just an additional follow-up on the last one: usability studies in the US, fine. I'm from Norway, and I will make the claim there are

social and cultural differences between, well, different cultures, different countries, across borders, across nations, everything. Has this been tested out in European countries? Has it been tested out in Germany, which is just a tad more privacy-concerned than anyone else in the world? I just want to ask that. Before Andrew answers, I will say we're seeing statistically significant differences in pass rates, users being able to pass this, when looking at different jurisdictions. So absolutely, there are definitely differences that we see in ways that we need to approach that. Yeah. Okay. Anything more to add to this? You know, do you want to talk about the developer side? But we can go to the technical side as

well. It's a good point. Yeah, I mean, even just high level for developers, right: everything that you saw today was very minor tweaks to the existing FIDO2 WebAuthn stack, right? The autofill is literally adding a new tag to a username field. The cross-device thing is not something you as a relying party or website have to implement; that's all handled by the platform. All that magic is handled at that CTAP layer that Christiaan mentioned, Client to Authenticator Protocol. And so one thing that we think is different here is that we have a very, very clean, specific use case now, right? Which, when all these specifications came out,

right, there was, you know, if you've ever read any spec, right, you know they're very hard to read, right, no matter how hard we try to make them easier to read, and I'm one of the people who writes some of them. They're just too big; they're hard for a developer to pick up. And so what's unique here is, you know, the goal that we have for some new developer resources is that if a developer that has a site where the only reason they added SMS OTP or an email magic link was because they were told, you know, passwords are phishable and we can't have that, they

should be able to go to the site and implement passkeys without ever picking up the WebAuthn spec, right? That's the goal, right? Like, we may not even link to it; that's what we're thinking. And that really wasn't possible before, because when you start looking at a spec like that, there are so many different use cases it's addressing, and we really have a very clean, very boxed-in use case here that applies to nearly everyone. And the other dimension to it is we didn't have any good libraries at the time, right? There were some, like, reference implementations, but again they served either not enough use

cases or too many use cases. There's one specific library called SimpleWebAuthn that is already ready for all this passkey stuff. We found a bug in it last week; it was fixed in two days, right? We have amazing libraries; no one has to go write this stuff themselves anymore, and we think that that's a big change from the first go-around with trying to get folks to implement this. And why do I then have developers telling me that implementing this stuff is difficult? No, I think it was, and I think what we're hoping is, because we have kind of a big package now that can be,

whether it's the SDK, whether it's the docs, everything should be ready to go and much easier to implement and dive into initially than it was before. And that's from Microsoft's perspective; it's easy. Yeah, these resources are actually a collaboration between FIDO and the three companies. So, okay, sure, that's certainly my perspective, but I think the dots aren't being connected quite yet, and that is definitely... I mean, I'm talking to internal business development relationship folks in Google this week, finally, where we're saying, all right, we can now take a breather; most of the technology pieces are now there and we're on our journey. And by the way, Apple mentioned that by the end of the

year they want to have their releases out. We're on the same timeframe, right? So on the Android side, by the end of this year, we're sincerely hoping that we have a release out there that is not only ready for testing but is actually ready for developing and deploying against. So many of the things that I've shown, I mean, all of the stuff that I showed, is real, live, running code, right? Nothing there was mocked up; it was real code. It was, you know, behind some flags and experiments, but the pitch is these things should be ready by the end of the year. There should not be a reason

why developers, you know, can't get access to that, and then on the other side get access to the resources. But like I said about the dots, I don't think developers know that you can go and look at this great new library over here and you should be looking at these docs over here. People google WebAuthn, they get to the spec, and they're like, what the hell is this? And I think that really is something that we need to address. So back to my business folks, it's like, we want to try and make it easy, like, if we can get relationships started with the developers, and I mean that includes the top 100 apps, but it includes also all of

the long tail: how does someone pick this stuff up? The last thing I'll add is, whereas we need to make sure there is messaging for developers, I think we've already lost if we need to pitch this to end users, right? If we need to go pitch the value proposition, like today with security keys, you need to take an action: you need to buy one, then you need to go and navigate on a website and look for multi-factor options and look for security keys. If this is the way that WebAuthn is going to be deployed, it'll be a huge failure, in my opinion, right? WebAuthn should be deployed the

way that biometric authentication works today, which is as a matter of course. When you're just interacting with the product there should be an upsell; it should be easy to understand, in plain language, one to two sentences at most, and it should start working. No one should go digging through settings to enable an account for WebAuthn, because that already means you need this cognitive understanding of how things interact, but that is not the way that we're thinking, right? And one example of this: there's a very large retailer in the US which, we're super excited, they rolled out WebAuthn, but guess what their login page says? "Sign in with WebAuthn"; like, that's what the button says.

Yeah, like, who knows what that means, right? Like, as a user. That's right, they were first, right? No, and that's what I mean: we are super happy they implemented it, but that highlighted a market problem, which was the reason we needed a generic term like passkey. But you said that, you know, people will just google for WebAuthn and then they find the standard and they will say, you know, what the hell is this? Exactly. Well, you're the owners of the search engine, so I assume something could be done. We don't have control over the search engine results, remember, but yes. Yeah, it's just living its own life. So yeah, but one side effect which I think is

good, like, inside FIDO Alliance, like, within what, three weeks after we started using the term passkey, we didn't hear WebAuthn again; everyone was saying passkeys. So that's a nice thing; hopefully people are actually finding the passkey resources, not WebAuthn. Yeah, I mean, to be clear, we actually invested in creating kind of a consumer brand option for FIDO, so we had "Sign in with FIDO" buttons, which I still think is better than "Sign in with WebAuthn" or whatever. So the market, but the market didn't accept it, which is fine, you know, and we have a mark with that, but we put it out there as a straw man; the market didn't accept

it, and that's fine, you know, but we understood there needs to be a name for something, right? And so we do think that passkey as a noun will be that name. Yeah, but that's what I want to... I mean, the reason why we're here is, like, I want to also put it out to the room here: the folks here are, like, this is our ambassadors, like, hopefully, like, help us in getting the word out, like, resources and developer efforts and libraries. Like, I mean, that is really what we need. We can put forth, like, our perspective and, you know, collectively maybe our three organizations', but we will really only

have success if this is, like, a grassroots effort between everyone involved, and the experts in this area kind of, like, using the technology, making it their own and releasing their own artifacts. Like, that is how we get success here, I think. Anyone in the audience would like to ask questions? Well, then I didn't have to ask that question. Any developers that are thinking about implementing WebAuthn, but they would like to ask a couple of questions on, you know, how do I do this, or if you find it difficult, raise your hand. Yep, okay. I can't hear you. Hi, I'm a developer. I read a little bit about FIDO on

the web, a lot. I was going to go and give it a try on a demo and kind of drowned in the documentation. It was like a month and a half ago; I was like, oh my god, I'm not going anywhere here. So I think you guys are doing a great job, but maybe make it easier for the developers; that would be great. And also I'm very happy that you guys came here, but I'm missing one big actor; it would be nice if Apple was here too. A bit of people checked Twitter and, like, it's not anything, but, like, we're still in a position where it's hard for folks to

travel and things like that, but we're still in a pandemic. Yeah, yeah. But when you say we want people to collaborate, maybe we should be giving people, like, the idea of community, like the FIDO community, so people feel like they can... So that's actually, so the developer resources that I'm talking about, which will end up being passkeys.dev, will be the website once it's live. That's actually being driven by a community group in the W3C called the Web Authentication group, which maybe we'll need to rename the passkey adoption... but that is actually, anyone, you know, anyone can join. We meet every two weeks, and actually it's myself and Matt Miller

from Cisco, who is actually, we're actually taking the output of that group, feedback, resources, and building out this developer resource center. So please, I can, yeah, if you google WebAuthn Community Adoption Group it'll come right up. That's another thing: WebAuthn, it's a bad word. Yeah, no, I know, and that's what I'm saying; we probably need to rename it. Yeah, yeah, that's an artifact of the past, I guess. But we do have, I would say, a pretty good sense of community in that group. There's also, where's this thing, there's also a fido-dev mailing list if you run into issues. So, pretty...

it's not a super vibrant group, but there is a fido-dev Google Group that you can mail to if you run into issues as well. Yeah. Next. Hello, I just had one question, to make sure I'm understanding the security model around the passkeys right. So WebAuthn, U2F more specifically, I guess, is a very decentralized security model, right? The private key doesn't leave the security token, conceptually, right? This is now a switch over to the credentials essentially being managed by the vendor, right? So there is a shift there, I think, mentally, that we need to make sure we're okay with, or we're thinking about the implications of that. Is that an accurate way to capture it?

Yeah, I don't know. I mean, let me give you my perspective on this, right? So, yes, to a certain extent. I think we were trying to figure out in which way, what are different ways in which we can address this, right? The challenge around every single time you buy a new device, you're going to be up the creek, right? And that's essentially what happens in the current model, and that's also what happens to the physical authenticator: when you lose that authenticator, you're so dead, right? So now we recommend: get two. I mean, okay, that's maybe for, like, folks who are like, well, let's go buy two. I mean, that's

fine, but in a general consumer adoption thing, we looked at what already has traction, and what has traction is password managers, right? Also not the level of traction we really want them to have, but they have traction, and it's because of synchronization. We then looked at what is the best kind of, like, line that we can weave through here, which is, like: don't place these as files on disk, like, have the OS kind of mediate the access to them. There are certain additional security properties, but you're right, if you squint at it, it looks a little bit more like federation than what WebAuthn used to look like. It still isn't quite federation,

because it's still a direct two-party relationship, right? It's between the authenticator and the developer. Yes, there is another third party, like, meddling here in the middle now, which is doing the synchronization, but if you think about it, Google has a thousand folks that are purely tasked with making sure that bad guys don't get into good users' Google accounts, right? You're now leveraging, if you're using passkeys in this way, you're essentially leveraging the fact that we already have all that protection and all that investment in making sure only the right users get access to the right Google accounts. You're leveraging that. Now, it might be that you have a particular use case

where, excuse me, even that level isn't good enough; you need to take responsibility for your own, you know, I guess, like, direction here. And if that's what you want to do, there are certain things in the specification that allow you more granularity, where you don't have to rely on synchronization. I will say, use that with caution, because what that will mean is, when the user changes to a new device, they're going to have to start over, unless you have a good story there. And I think that's another... I didn't want to get into that, because that's kind of, like, where some of the viewpoints between, like, what Google's doing, Microsoft's doing and Apple's doing differ

a little bit. It's like, how much of that control do we give developers, and how much of that control do we give developers in the initial release? We're very worried that this might go away, where the usability suffers because of a perceived security... look at Per's shirt, right? I mean, that's exactly that, right? We shouldn't all be trying to dial this up to 11 because of some perceived risk, and then in the meantime usability suffers and no one uses the technology. So I'm being a little vague here, but I just want to mention: yes, you're taking a new, like, a new... anyway, I'll stop talking on this, but I'll say, you are

taking another, you know, an additional dependency, but I think it's a net positive and not a net negative. Yeah, I'd say the same thing. So one other point I want to make is: so it does change FIDO's security posture fundamentally, but I want to point out this was not done without a lot of deliberation and a lot of conversation internally. It wasn't done flippantly or without a lot of conversation. Ultimately, as Christiaan said, it's the greater good, right? So our goal, FIDO's mission since day one, has been to reduce reliance on passwords, and this stands to do that, taking, again, passwords out of play for so many

consumer use cases um that we decided that this change is is worth it and that being said also there are ways to work on this spec you can you can actually still using passkey allow for some device-bound characteristics additionally you know for specialized use cases enterprise i.t highly regulated use cases and so on so forth fido security keys will still be the default go-to approach and that won't change and just um one other important thing right um the pass keys in your account will be intend encrypted right so that's an encrypted blob to google microsoft and apple they're entering encrypted like other indent encrypted data so yes we manage how they get down to the device but you

have to unlock them right and analyze your policies um yeah so i was i was wondering what um what are the um what have you been discussing regarding um account recovery um when it comes to this and like the issues with vendor lock-in that arise as a result of putting the authentication in the device that's a great question i'll try and briefly just answer this in case you know some of my colleagues here also want to get in but i i think um you're absolutely right this this this again hinges on the fact that like with many other user data like you you have data there is data now that's sitting somewhere and you need to like with any

other data it's your data right you need to have the ability to get that data out of the ecosystem if you ever want to move somewhere else we definitely recognize that um you know how we do that in a secure way with passwords it's kind of like a little easier because we all know passwords are like effie and you know you have other second factors but like i said if we want past keys to be something where you don't necessarily need a second factor now suddenly that bar is high right and what do you do now apple and google have both said i mean apple has their white paper on essentially how the passkey mechanism

works they also have the one i call you know keychain encryption google will do the same thing right so we will also like like them said like it's going to be end to end encrypted um we're already they're very very similar to ike like keychain um firstly you need access to the google account now we are driving we're trying to drive a multi-factor adoption of google accounts um by default right and that's not an accident that is that is part of the foundation what you really need for this to be successful right it doesn't help to say pass keys is good a second factor but then the recovery is a single factor thing that someone can just guess right

so that needs to be solved number one the second thing that needs to be solved is or the second thing that we're doing is similar to apple um just having access to the account is not enough um you also need to have access to some other information the information that apple chose the information that google is choosing to do is you need to know how to unlock one of the devices that was previously part of your call it sync fabric like whatever that local lock screen that's actually used as a derived key for as part of the end-to-end encryption mechanism that we use um so we think mandatory like usb which we're trying to like drive in plus that factor

plus all the other additional i mean i had a slide that i didn't show here but like if you think about it over 99.9 of automated attacks where an attacker has your correct google password will block we won't allow them in because there are so many other things that we know about attackers and where they come from and how they look so all of that benefits are there and on top of that we then layer the 2sv we layer the the additional like screen unlock so we think we have a very a pretty strong and a pretty robust system if after that you say no no i still need additional security for my use cases there are

things in the spec that enable that but i think for most relying parties we're hoping that that where we've set the bar is essentially where we'd like to where we'd like to keep it i'll get in front of one question just briefly by also saying we're not saying this has to be keys always stored in apple or it has to be keys always start in google that is our initial implementation but we are very much of the opinion that we need to do what we've done with password managers and we need to make an open user choice right if you want to use a credential called credential manager password manager a third-party one we need to allow for good pluggable

architectures to make that possible but you can imagine how much more complex that decision tree now is for a relying party or a developer because google end-to-end encrypts does password manager xyz end-to-end interrupt what is their security properties when it comes to account recovery so all these things have to be taken into account um we think we have solutions but we would actually love to have a separate conversation about those kind of things with folks providing password managers and credential managers so that we can design the system in a way that makes sense for developers and for users and even in the short term right if you if you look at i would recommend looking at some of the

apple's demos right apple's done a fantastic job about merging like you can have your pass keys in icloud keychain but using lastpass for your passwords and they all come up in the same ui and you just pick which one you want to use right so there's also the convergence there in i would say what is the short term until we have a fully pluggable model where you can punch your pass keys over to lastpass or whatever password you want yeah so uh questionnaire from twitter what is fido doing to continue to provide high security authentication with the introduction of pass keys that are lower security loan security i take offense but i will i think i think we kind of hit on that

right so yeah i also disagree with low on security for all the reasons that we just talked about so there's a difference thank you twitter user yes but i think yes it's a different model and again i think that um you know i like to say that fido can address address a whole range of use cases right so again if you know we have a very robust certification program we actually certify authenticators at different levels uh to protect you know to verify that a physical authenticator protects against malware attacks or brute force attacks or hardware attacks you know so if that's your use case you can use one of these certified authenticators for that i think again the base level fido

security key uh will remain you know the default go to for you know high security profile use cases now beyond that again i think the the security properties of pesky are not weak they're not weak at all and there's you know in fact i was talking this morning uh with the head of authentication at a major uh bank in the us i was like hey how are you guys looking to pass key what do you think about this how do you feel about the security posture his point is like andrew that's a bunch of he's like the gap between what i'm doing now which is sms otp and what i get with passkey the the bar has risen so much from that

right so maybe there's some use cases where like a high transaction or certain scenarios where i want to get added data or added bullet points in that case you know i could take capacity as just a single signal feed it into my risk engine and do other sorts of step up or other sorts of data to make sure that's a secure authentication but ultimately pasca raises the bar so high from the default means of authentication today that i don't think it's fair to say it's a weak security approach so i i have two i have two quick questions um i think a lot of people's concern when they're talking lower security is in comparison to what the 502 does right

now which i i do prefer the 502 model i recognize the failings and like well now you've got to register on every site um but the quick question is one of the fundamentals of 502 originally was the key existed on the device and it would never surrender it for any reason how do you know a key hasn't been cloned off like is it possible for a key to get cloned off maybe you authenticated it through some um you know you didn't realize what the page is showing you click something and then there's a clone out there that you're not aware of and that key is there is there any way to revoke credentials um so that's the first question i i mean i

i'll let other folks also answer this i think that michael said that for them i'll just quickly mention that i mean remember um the qr code flow and all these things it's not actually your private key ever that goes over the only time that that will happen is when the user decides to sign in to an like to a new ios device to a new mac os device like in the apple ecosystem or to a new android device where where there is like okay maybe when you can kind of con drive this like this control deck where like you know the user thinks they're giving a google credential credentials to like a phishing site and then the bad

guy runs an emulator at the back that looks like a real android device and they use that to pull the credentials down i mean we have a lot of um technology and signals around are we dealing with real legitimate devices or not so i think everything there feeds into our decision on whether or not we want to allow the credential syncing to come down to the device um if a user does let's say let's say i mean you convinced me on your android phone to type my credentials in there type my previous screen unlocking everything and now all my credentials are on that particular device let's say that's the attack that we're talking about right

okay now my credentials are there i've got two options when i if i realize it i hope i do at some point um i can either go and i can go to you know settings and i can go and sign out that device which essentially then invalidates the pass keys like almost like a remote wipe right i can go do that or i can go to the various accounts for which i hold pass keys but but this is the difference in let me kind of take an analogy right i lose my wallet can i call one number to just block okay sure can i can i can i block my entire wallet or do i have to call

all five credit card companies do i have to call up all five credit card companies that's not great you have that option with passengers you can go to the sites and individually revoke the basket on that device but i would say mostly you would just go and like remove the account off the device which immediately wouldn't validate all the passwords so just to clarify on that um each each device has a unique credential that there's some mechanism that it authenticates with like it it's either a signing chain or are they all sharing it in the android world there is some uniqueness that can be used as part of the risk detection um not all platforms

support that mechanism but there is something to die back onto there is caveats there but but there is a capability right but just just to answer more specifically if i have an android phone and an android tablet signed in the same google account it is the same credential on both devices okay so if i revoke it from tribank both of those devices lose access right okay just like a security key today and then the other question was because everything on like say a yubikey now is done locally and the way the mechanism works the low-level mechanism you can do two-factor authentication or even passwordless with um outlinking a lot of information on what sites you're

doing stuff like that what type of like metadata analysis could google facebook or anyone in the phyto alliance be now open to because they're involved in the syncing process is it as limited as like there's no change right because the pass keys tied your account are intend encrypted right so there's no change in that model [Music] so right now we're definitely encrypting all the private keys um to encrypt the metadata has issues regarding the way that we rendered it on the usability side so the mechanism that will work today metadata won't be encrypted but there is also no mining or anything of that but but technically that's something that we could add or that's something that if you choose to use a

different provider in the future that they might provide for usability reasons we encrypt the private degrees and not the metadata today but that's something that there's for no reason other than just there's a usability constraint on that for us yeah i have a question regarding dual security keys uh i've implemented a couple of these bubbles and sites and tried to do the password okay hello okay eat the ac yeah much louder put it in my mouth yeah i developed a lot of this uh or i'm an early adopter and i tried to implement a lot of this what i felt lacking in the documentation or the implementation for before is like the support for dual security case so i want

to have my computer that has a dpm and such and also my security key that is attached to my keychain to be able to do this yeah co-opted login how are your thoughts about that so just to make sure i understand the question like like dual security keys [Music] so being able to use or need to use both at the same time for an authentication i mean that's technically already possible it's like a relying party choice it's kind of like almost like a workflow where the relying party today can make the decision and saying hey i need my criteria as a password plus a security key or my criteria is a security key plus sms otp or my criteria as two

security keys and that's something that is totally implementable uh from a workflow perspective on the relying party not something that the spec needs an easy change to teach you support uh yeah so my question kind of goes along with some of the questions that you had earlier and but my scenario is more of the sense of the user trying to recover their account when their devices lost stolen or no longer accessible they're traveling for business vacation whatever else they they have to resort to a machine at the hotel whatever to log in to access their information whether it's bank whatever else what is the user's option to be able to access our account when they don't have access to their uh

devices that's already been in the ecosystem super tough question probably the toughest one that anyone is asked today right and that is that is ultimately like how do i know it's the right user and it's not someone pretending to be the user in this exact scenario right um the the easy answer today is going to be you're going to need to prove to us that like it's you through something you will you know if if there is no signal if it's not coming from a known ip address or like a location or something that we know about you which is you know got many different types of signals um you know if in the future the

idea is that we remove passwords of google account so there will not be a password that will not be a signal that you can provide us anymore right because it's such a weak signal then the question is what can you provide us well maybe you can tell us about how you unlock your previous phone but then where are you going to tell that to us to the kiosk machine you know maybe that's okay but the question is also even if you can get into that kiosk machine we can't really make your pass keys usable from there because then that means they will be leaking onto the kiosk machine so it is a very this is a

very tough problem um we're kicking the count down the road a little bit where we say well if you can at least get access to like another phone like a new one or someone else's you can sign in there like then then maybe you can sing things down but it's it's very hard because it's it's clearly a usability issue but it is also such a big security issue if we let the wrong user in or sync their credentials to a shared terminal then we don't have a perfect answer for that today but that is a problem that users are already experiencing right now but i think one potential thing right so let's assume that their phone got stolen but their

laptop didn't we do have the ability to reverse that cross device flow it's just a little awkward right now turning your laptop to scan a qr code um that the protocol allows that right we just haven't enabled that experience so you could in theory use your laptop that didn't get stolen goes in your hotel room to get back into your google account by reversing the flow it's totally possible and apple's actually already supporting it for ipad and mac if you have nothing that we're stuck right you don't have access absolutely yeah hey uh yes thank you for your time by the way um how do you see uh onboarding working for first time log in

like say you had no relationship to that tri bank no account no nothing no existing account how do you see that working and can you complete that workflow without ever ever making a password that that's the goal right i would say i hope in the next 12 to 18 months we'll start to see the first truly passwordless accounts with passkeys right the way we see this right you you still probably have to capture name and email address and phone number and then maybe when you hit submit it invokes web invokes the api creates a pass key and away you go you're on your way so the password field is gone you never capture it password and there are there are

sites that already very small number but there are already sites that are doing that today but we hope the user experience will be much cleaner with us yeah and certain service providers are onboarding people without passwords today based on other proprietary data they might have like a telco for example has account information about them or other network api data they can use we're also inside the fido alliance we have we're doing some standardization work around identity proofing and verification which if we pull off which is you know very complex i think actually stands to have as much impact on the market and this whole problem as the authentication piece does but that's still pretty nascent um although we do have we'll

have our first uh doc-off requirements document out in the next uh next couple months okay um it's it's really good to hear that you're taking on such a skilled uh usability uh team uh to work on your usability because my primary worry is and then i get divorced what happened i i managed to set up all my devices but all of a sudden i am now gonna untangle myself from the complexity that i've just made am i able to do i understand this or what if i die what happens that's a good one for you yeah christian but one well no tim oh just like fashion value right i mean yeah i mean there's well

i'm not saying the problem is solved but it's very similar to what you already have with not a very good problem right yeah yeah i would agree with that that we're not we're not necessarily solving everything right these are not necessarily net new but that's part of iterating over time too right like we've already seen apple iterate on some of the digital legacy stuff that a lot that is thinking about that right so that's something we can enable over time as we start to think about what are the security implications of sharing a pass key right like all these different how do you pull that passkey back is it better you know one question we keep asking is it better

for me to send you my pass key for my netflix account or just have you add a pass key to my netflix account right these are these are the things we're starting to think about all around revocability and all these models netflix says neither yeah well yeah terms of service official yeah yeah yeah yeah netflix i think is very happy about passkeys now they are yeah yeah i just i have basically the same question about shared devices it's a really common use case our customers are commonly coming to i work at slack and they they want the ability to have check out personnel use the same ipad and have a secure experience logging and logging out yeah so that

that's actually so the one thing um you know christian's demo is really great showing the cross device flow where we step up and create you aposky on the local device the other flip side of that use case which we will heavily use in windows right the example i always use is a gate agent at the airport right you never want to create local pass keys on that terminal you always want to use the cross device flow so the shared device flow the shared device scenario is one where you will always want to use that cross device and never never even you may not even want to keep the relationship between that phone and that device it's completely ephemeral and in

some cases maybe even a security key is better than a phone there like tap the security key it personalized and then when you remove it and those are great examples of you know you know the question we got uh i think last night at dinner was like well this is this is a consumer feature right and the answer is it's targeted at very consumer-centric use cases but if you look at a front-line worker in a retail environment uh you know i can tell you as azure ad identity provider they're using sms sign-in this is instantly better and those are quote-unquote enterprise scenarios right so the gate agent use case same thing like what is what is better than using a fishable

mechanism or this phishing resistance thing that may or may not be on their personal phone or a managed device it's still better and in a better user experience less efficient yeah we shouldn't rule out passkey for the enterprise what's the azure date like 28 of your clients for using mfa yeah so we can move that up you know 10 20 percent by using pass keys that's that's a great thing and christian alluded to right we are we have added to the to the specifications options for enterprises or i hate the term enterprise work school higher security you could argue that like a twitter verified user is closer to an enterprise user than a consumer that's one example so where uh

you know there are there are mechanisms in the spec to to accommodate those that you'll start to see uh it so we are we're getting close to time i have to end this and there will also be a one hour break before we continue but again uh this one's for you first andrew um privacy in this i mean security is one thing privacy is part of security it is also something different so have you looked into if this pass keys fido web off and youtube or whatever you want to call it you should really look into standardizing stuff yeah on the privacy part of things have you looked into whether this technology will improve privacy or if it also introduces

new privacy difficulties for people in any way whatsoever like my friend cecilia asking well what about when i got get divorced is it suddenly harder to maintain good privacy as an example yeah that's a great question and this is the type of discussion we're having inside of fido alliance today so i'm not going to give you a really square answer on that we have a security and privacy working group that's looking at these issues coming up with the best kind of a canonical approach if you will for how one should implement pesky to um to adhere to fido's privacy principles that we've had since day one yep and so i think there's certainly already implications there's there's so

there's that conversation happening the other thing we do as a body actively is we engage with regulators um across the world to understand how you know phytoauthentication in our various forms fits in with current and emerging privacy and regulatory policies so i mean like any new technology that we introduce in alliance or elsewhere that impact user authentication we look at it closely inside the alliance and figure out you know how fido's best practices and specifications can meet you know the privacy needs so yeah one one thing that i'll and i'll speak specifically for microsoft on this um one thing that has come up in the past few months for us is thinking about how easy it is for users to use consumer

federated sign-in right passkey has the opportunity to remove the need to do consumer federated signing which has serious privacy implications right you're telling that identity provider everywhere you're signing in now on the enterprise side that's what people pay for right you're paying for federation you're paying to track employees because you need to enforce policy the consumer side they're doing it because it's easy so it's back to whoever asks the sign up flow if that sign up flow is as frictionless as as clicking sign in with x that i won't name i'm just kidding yeah i know we have it too technically no one uses it but um no no so if we can make that as

frictionless as possible um then you could make the argument that consumer federation with these big big identity providers could and maybe should go down significantly over time i'll say one thing for 30 seconds this is the other point right i think a lot of the a lot of the questions around like i mean there is a whole you know slew of use cases which i won't even go into because they're all super depressing but around you know whether or not users should get access and what happens when folks break up and like there's this whole and i think a lot of that isn't so much the protocol it's around the implementation of the protocol and that's good and bad because

that means hey the protocol is done but that also means the relying parties need to take ownership of those experiences themselves i know we're having discussions at google around like what does it mean to give someone access to you you know and rather than typing a google account password now you can just use the screen lock on the device what if that's a you know a spouse's device what if that's the shared kids tablet like how do i revoke that and i think we're trying to think through those and implement uh you know particular workflows but the the downside is that means every single relying party need to do the same thing and and i think that

can be tricky and i think we're gonna you know folks will get it wrong like i think you know we're better like but but i think we are absolutely trying to think through those use cases because we do realize that they are important and and use cases on this i i think that well i i know that cecilia myself we will most definitely be looking into the abusability aspects of this absolutely for the for the next weeks and months and years as well we are really interested in this stuff so it's interesting um we're getting very very close um i want the sales pitch for this because i'm based on me saying there is no risk analysis and there is

no business case justifying the removal of passwords so try me yeah give me this sentence i'm going to give you a hot date tell me i'm wrong i'm going to give you a hot take one how much is your sms cost your sms service how much do you pay per year i can tell you i'm not going to tell you what microsoft is we're talking millions of dollars across these companies for even just an sms based signup right that's not the primary reason but that's a hot take that often has come up in discussions is what do these other methods actually cost that are completely unnecessary if the primary factor is phishing resistant christian sales pitch i mean

i i haven't prepared this one but i guess my talking points here would be something along the lines of if you're not removing the password and you're making the password safer you're adding something adding something comes at the like you're immediately the moment you're adding you're you're you're taking you know you're making usability worse like that is just insecurity like whether there's something additive security is being made worse the only way where we can make usability better or keep it on par while adding the security protection is taking something away and what is the thing we can take away it's certainly not fido it must be i mean ergo it must be the password like that that is my

argument here to make i we need to talk more afterwards okay well uh that's it for for this discussion i'm really really incredibly happy that you come andrew christian and tim so thank you for having us thank you very much i'll be around the pool thing tonight so if i ask questions like outside so use the next hour to talk to them or do something else and we'll continue at five o'clock thank you
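Editor's note, added after the transcript and not part of the panel: two relying-party checks the panelists refer to but do not show are the "device-bound characteristics" available in the spec (the backup-eligibility and backup-state flags in WebAuthn authenticator data) and the clone question from the audience (the signature counter, which only works for device-bound keys; synced passkeys report 0 because several devices hold the same private key). The Python below is an added illustration, not code from the FIDO Alliance, Google, Apple or Microsoft. It parses the fixed part of authenticatorData, verifies the rpIdHash scoping, applies an RP policy that can reject synced passkeys, and runs the counter check. The relying party ID "example.com" and both authenticator-data blobs are constructed for the example.

```python
"""Parse WebAuthn authenticatorData and apply a relying-party policy on the
backup-eligibility (BE) / backup-state (BS) flags and the signature counter.
Added example: not code from the panel, FIDO Alliance, Google, Apple or Microsoft.
Assumes the relying party ID "example.com"; all authenticator data is constructed here."""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in byte 32 of authenticatorData (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric / screen lock)
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes   # SHA-256 of the RP ID the credential is scoped to
    flags: int
    sign_count: int
    trailing: bytes     # attested credential data and/or extensions, if any

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Split the fixed 37-byte header; the remainder is left unparsed."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(bytes(data[:32]), data[32], sign_count, bytes(data[37:]))


def check_policy(data: bytes, rp_id: str, *, require_uv: bool = True,
                 require_device_bound: bool = False) -> tuple[bool, str]:
    """RP-side checks on one assertion or registration. require_device_bound is
    the "use with caution" option from the panel: it rejects synced passkeys
    (BE set), so users must re-register on every new device."""
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to a different RP"
    if not ad.has(FLAG_UP):
        return False, "user presence not asserted"
    if require_uv and not ad.has(FLAG_UV):
        return False, "user verification required but not performed"
    if ad.has(FLAG_BS) and not ad.has(FLAG_BE):
        return False, "BS set without BE: invalid flag combination"
    if require_device_bound and ad.has(FLAG_BE):
        return False, "backup-eligible (synced) passkey rejected by device-bound policy"
    return True, "ok"


def check_sign_count(stored: int, presented: int, backup_eligible: bool) -> tuple[bool, str]:
    """Clone detection via the signature counter (WebAuthn section 6.1.1).
    Only meaningful for device-bound keys: synced passkeys report 0 because
    several devices hold the same private key."""
    if backup_eligible or (stored == 0 and presented == 0):
        return True, "counter not in use"
    if presented > stored:
        return True, "counter advanced"
    return False, "counter did not advance: possible cloned authenticator"


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample (no attested credential data or extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed inputs: a synced passkey and a device-bound (security key) credential.
SYNCED_PASSKEY = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV, 17)

if __name__ == "__main__":
    for name, blob in (("synced passkey", SYNCED_PASSKEY), ("device-bound key", DEVICE_BOUND)):
        print(name, "consumer policy:", check_policy(blob, "example.com"))
        print(name, "device-bound policy:", check_policy(blob, "example.com", require_device_bound=True))
    print("replayed counter:", check_sign_count(17, 17, backup_eligible=False))
```

Design note: the consumer policy accepts both blobs, which is where the panel says the bar should sit for most relying parties; the device-bound policy is what a high-assurance RP would turn on, and a relying party that does so inherits the recovery problem discussed above. The counter check is skipped whenever BE is set, because a synced passkey legitimately appears on several devices and a non-advancing counter tells you nothing there.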