
...and just stay put, because now we are heading straight for Christiaan Brand from Google to talk about passkeys, and after that we're also doing the panel on all things FIDO, where we have the FIDO Alliance, Microsoft and Google up here. If you have any questions related to that, you can ask them while we go ahead with the panel discussion. You can tweet at me on Twitter if you want and I will ask the question anonymously on your behalf, but prepare your questions for that. And while Christiaan is getting ready I can do some of my old jokes, like: my ex-wife is probably the woman in the world who knows the most
about passwords, against her own will. A PIN walks into a bar and the bartender says: what, you're too short to be here. Obviously. Yeah. I have a little thing with Christiaan. I was doing PasswordsCon in Stockholm in 2018 and I was incredibly happy to see that Christiaan from Google submitted a talk; he wanted to come and talk about FIDO stuff. And being the person I am, I was thinking: well, so Christiaan is coming to talk about FIDO, and you know I've been up and down talking about FIDO before as well, so I figured out how to best welcome Christiaan to Scandinavia, to Stockholm and Sweden. So I created a t-shirt
saying: what do we still have in 10 years from now, passwords or WebAuthn? So we have a 10-year bet between the two of us; the loser buys a beer for the other one. What do we still have in 10 years from now? Christiaan, I'm really looking forward to hearing about passkeys, where we are and where we are going.

Fantastic, thank you. Let me see if I can make the lapel mic work, I like to walk around. [Music] And here we go. All right, there we have something. Perfect. Let's see if we can click on this one. All right, let's do it like this. Let me know if it slips
down and then we'll figure that out during the presentation. Thank you for the warm welcome, Per. I'm Christiaan, I'm a product manager at Google and I've been working on FIDO and WebAuthn related initiatives for almost a decade now. This is the year; I feel like I've said that every year now, but this really is the year. What I'm going to try and do here is go through a little bit of background on what we've been doing. I think the presentation is officially titled something like "where we are, where we've been and where we're going", and then we'll lead into a Q&A with a panel where some
of my other colleagues on the FIDO side will join me, if folks have any questions, and we can have a healthy discussion. Before we get into that, though, I just want to make sure that I have my logistics figured out. I am planning to do a live demo, which is always a lot of fun, especially for the people in the audience when it doesn't work. So I think we're good, I think we've got everything ready, and when we get to that part of the presentation hopefully we should be able to do that without too much trouble. I'm going to plug this in too, just going to make sure. Don't want to set up
my keyboard, no. And hopefully we should be good to go. All right, excellent, cool. Can folks still hear me if I'm walking around here? No? Let me clip this on my t-shirt up here, let's see if that's better. That's okay, folks in the back? All right, excellent, great. Okay, so again, I'm Christiaan and we're going to be talking a little bit about passkeys today. So let's start with why we're doing this work, right, what is the reason why we got involved in this in the first place. Back in 2009, Google suffered an attack very similar, actually, to what has happened just two or three days ago with some other vendors. Basically
Google got phished, right? There was a phishing email, a phishing message, someone clicked on it, gave away credentials and hey, you know, someone got into the system. And that same thing happened recently and it still happens, and it really is because passwords are so incredibly easy to phish. It is so trivial to trick a user into revealing their secret data, the thing that is supposed to make them unique; it's so easy for them to reveal that to some other resource. And to be quite honest, it's much easier to set up a website and exploit phishing than it is to exploit, I guess, the inherent protection in systems today
that comes as a result of malware protection. If we think back a number of years ago, if you look at this graph, back in 2012, 2013, 2014 the way that you would pop someone was by getting malware on their system. No one does that nowadays, for two reasons: phishing is super easy to pull off, and secondly, operating systems have become much better at isolation and just in general at keeping bad and unwanted software out. The Apple App Store is one way, very curated; the Google Play Store is kind of similar, and even on other desktop operating systems the operating systems have become much, much better at ensuring that bad
software and unwanted software stays out. So phishing is the one thing that we want to protect against. Back to the short history here: in 2009 this stuff happened and we vowed that we don't want phishing and credential phishing to ever be a problem for Google enterprise users or Google internal users again. And that's really where our journey, the Google journey, started towards the stuff that I want to talk about here today, which is FIDO and passkeys and WebAuthn. So we wanted to find a solution to this problem, so a bunch of different companies got together. This isn't an exhaustive list, this is a
couple of names of folks that are part of this thing called the FIDO Alliance, and I'm sure folks in this audience have probably all heard about the FIDO Alliance. It's a bunch of us that came together and we said: hey, we want to solve this problem. We have this phishing problem, we have usability problems, we've got other problems; we want to band together and we want to try and address this problem going forward. And what we came up with (in the next slide you'll see a little bit of a different explanation of this) is something called WebAuthn, web authentication. It's a W3C, World Wide Web
Consortium, specification that allows developers, or web developers, to interact with security hardware and security implementations on platforms; we'll talk a little bit more about what that means in a second. But basically there's the World Wide Web Consortium, which has the specification for a lot of this work, and then there is the FIDO Alliance, which is the organization in which a lot of us operate together and which kind of came up with some of the work that ultimately led to the specification in the W3C. A different representation of how that works and how these things are related is this graphic here. Essentially you have FIDO and FIDO2; it's kind of like this
overarching thing, this umbrella terminology that sits at the top, and then inside of FIDO2 you have the WebAuthn specification, which is how a developer would interact with FIDO stuff. If you write a website, essentially you'll deal with whatever is in the W3C WebAuthn specification; that's kind of on the right-hand side here. And then if you are a vendor that makes physical security keys (that's stuff that we'll talk about in a second; that's part of what we've done in FIDO, physical security keys were the first instantiation of FIDO hardware and of this phishing-resistant solution, which we'll talk about), but essentially if you're an authenticator
vendor then you deal with the standard that sits under the FIDO Alliance, which is called CTAP, the Client to Authenticator Protocol. For most of us in this room, if you're not an authenticator vendor, if you're not interested in making physical keys, you can ignore most of the parts on the left there. But what is way more interesting is that recently we've decided that not only will we, under the FIDO umbrella, be supporting physical external security keys, things that a user has to buy and carry and that they can use to authenticate, but we will also support built-in authenticators, so stuff that's already inside of the platform that can make the platform act and get all the
benefits of a FIDO authenticator. These are things like fingerprint sensors, the screen unlock of the device, face recognition. So there's a lot of this technology that has been in devices ever since the advent of the iPhone 5s, I guess, which is the first real consumer device with a fingerprint sensor on it. I mean, before that we had some desktop and laptop systems, but it never really took off; this is the first time that it became mainstream. And when we saw that we were like: hey, it would be cool to allow developers to get access to that hardware with all of the features and all of the benefits that FIDO authentication provides. So we'll talk about that.
So if we look at a quick timeline here, we started off with the physical removable security key back in 2009, when Google had our issues, when we said hey, we never want to get phished again. We designed a protocol, which is basically what ended up becoming U2F, together with some other folks in the business and FIDO. U2F, Universal Second Factor, was the first instantiation of FIDO, and that is where you use a physical device, most of the time a USB device that has some key material on it. When you want to sign into a system you present this key material, and the way that the protocol is constructed, the authentication sequencing, is
phishing resistant. So it means even if you're tricked into going to a website that's not really the real Google or the real Microsoft or the real Facebook, the security key will not reveal its secret. And that was kind of one of the big benefits of moving into the FIDO world, because if you look at other forms of multi-factor authentication, pretty much none of them, except for smart cards, have the inherent phishing protection that FIDO devices have. So FIDO devices, back in the blue kind of side on the left, brought phishing-resistant multi-factor authentication to the masses, into the web. But we still needed users to go and buy physical security keys, and you know
we knew that that had a very limited kind of usable segment there. And then we went on and we said: well, it's really cool now that the iPhone 5 has fingerprint sensors and Android has fingerprint sensors, and nowadays on laptops and other devices we have things like Windows Hello, which is a mechanism for doing biometrics on the device; what if we could tie that same technology into FIDO? And we can essentially expand from only users who buy physical keys to a world where anyone that has hardware with these capabilities can also benefit from phishing-resistant FIDO as kind of an additional factor. We'll talk about that in a second. So
that's kind of stuff that we've done back in 2017, 2018. Lately we've added support for other purpose-built flows; for example, there are certain types of financial services regulation that came out in Europe, and in the U.S. we see a lot of specific types of credit card transaction security that are needed, stuff called 3-D Secure. So we were working together with these other bodies, essentially saying: what can we do to take the FIDO support that we have and bring it to more and more use cases, so not traditional authentication but other types of specialized authentication flows as well, for example payment flows. And that was all great, but we still had a problem, we still have
this adoption problem where FIDO was kind of for a minority. FIDO was for users with physical security keys, FIDO was for users or developers who really added FIDO as an additional option over and above passwords, but it wasn't really getting us closer to getting rid of passwords completely; it was still one more option you could use. If you think back to the biometric authentication you have in your phone today, right, if you have a banking app on your phone, most of the time you open the banking app, you sign in with your username and your password, and then you up-step into biometric authentication. The next time you come back you can use your fingerprint,
but the moment you buy a new device you're back to password authentication. So you're never getting rid of passwords; you're really adding biometrics and adding capabilities in order to make authentication easier and more user-friendly, but you're not getting rid of the security downsides of having a password attached to that particular account. And that's really where passkeys came in, which isn't really a different specification or a different technology; it is taking what we have in FIDO and WebAuthn and applying it in a certain way where we can actually, finally, start hopefully getting rid of passwords completely, and me winning that bet with Per and getting a bunch of beer. So let's talk a
little bit about that in a second here. Security keys, the fob: this is the use case we had first. Users go sign in somewhere, you type your username, you type your password, you pull out your security key, you plug it in and hey, you're magically authenticated. Not really a better user experience than using passwords; one can argue that it's maybe better than having to use SMS OTP in terms of usability, or better than having to use push, because it's easy and the device is maybe already in your USB port and you just tap it. It was definitely an improvement in security, but it wasn't really an improvement in
usability, and it certainly didn't get us closer to getting rid of the usability issues regarding passwords. Platform authenticators is the thing we did next. As we can see here, we saw these things start to appear in more and more devices: fingerprint sensors on laptops, on phones, laptops there on the left-hand side in terms of the camera, facial recognition. And with that we were able to build some interesting web experiences. This is a gif that should play, there we go, you should see this working here. For example, you can see we're on a website, you're on accounts.google.com and you're trying to do something where we need
additional assurance that it's you. In the past we would have asked you to enter your Google password; here we say just touch your fingerprint on the system and we'll authenticate you. Not really that groundbreaking, because apps were able to do this since the iPhone 5s, but finally with WebAuthn we brought these experiences to the web, so we allowed web developers to also make use of the inherent technology built into these platforms. And we had a bunch of relying parties, or developers, supporting these flows: PayPal had some implementations, eBay had some, Yahoo Japan, NTT Docomo and Google and a bunch of others. So actually, I saw an email this morning; a colleague of mine sent
me a screenshot of a Yahoo US account that actually has similar functionality here as well, so now I can probably start removing the JP designator there under the Yahoo side, because it looks like we're still seeing more and more adoption of this type of workflow. But like I said, this is a usability improvement, right, it's not necessarily a security improvement. If your finger is wet, as Jim said earlier, you still get the fallback: you can cancel out of this flow and always opt for still typing your password; there is no reason why you can't go back to that. What we wanted with FIDO, and ultimately with WebAuthn, is we wanted to move
beyond the password. We want to end up with accounts that don't have passwords; they might not even have usernames. So the big question is how do we get from here, which is where we were, into that world, and that's really what we'll be talking about here. So we had a problem with FIDO adoption, as I said. The problem is usability: limited consumer awareness and usage of security keys. I can tell you about the statistics there, but as you can imagine it's not like we see all Google users using security keys; I mean, we can't even get all the users to use 2SV. And there are certain types of
initiatives and things that we have where we're trying to push more users to take more ownership of account security, but it's hard when that entails physically buying something and carrying yet another device. So we have that challenge. The second one is challenges with platform authenticators as a second factor, or even as a first factor: like I said, we never got rid completely of the password, we just gave you another option, and it's great to have more options, but that doesn't really change the security paradigm or the security model all that much. And then the last one, as I said, is the high barrier to adoption for users who need to opt in to 2SV. I mean, we
can't even get users to opt in to 2SV; how do we up-step them into using technology that entails an additional step, or two or three steps, and having to carry around physical devices and all sorts of other stuff? So these were the problems, and these were really the final limits back before we started engaging in this passkey realm. So what is a passkey? Well, a passkey is a password replacement that is safer, easier and faster to use. Passkey isn't a brand, it's not supposed to be capitalized; it's like passwords, right, you just say hey, I have a password, I have a passkey. The idea here is
that this is a word which the industry can kind of coalesce around. It's not an Apple brand, it's not a Google brand, it's not a Microsoft brand, it's not a FIDO brand, it is just a passkey, which is very, very similar to a password, and hopefully in the user's mind we can start to create this concept of "yesterday I used passwords, today and tomorrow I'm going to be using a passkey". And we can start to essentially help users with the user journeys and the changes in user behavior that will be needed to support the transition to passkeys, and that's what we'll be talking about here for the next couple of minutes.
So the capabilities that we get (and I stole these slides shamelessly from Andrew's deck, thank you Andrew), the capabilities that you get in a passkey world, what is different from WebAuthn yesterday and FIDO2 to passkeys today? Well, the first one is, remember that problem that I said: it's great if you have an app and you type in your username and your password and it up-steps you into biometrics, but the problem is tomorrow, when you buy a new device, you're right back to typing your password again. Well, what if we can remove that restriction? What if we can give you a FIDO key the moment that you register your biometric
for a certain app? Let's say I open my Bank of America, to take an example; I open my Bank of America app on my phone, I open the Bank of America website on my phone or my laptop, I sign in with my credentials, username, password, and they give me a FIDO key pair. I didn't go into the details; I'm assuming that folks kind of have a basic understanding of what's going on beneath the layers of FIDO, but essentially when you do a FIDO registration, whether you register your security key or whether you register your platform authenticator, your fingerprint sensor or your facial recognition, on a certain website or to an app, a
public/private key pair gets created. The private key stays on the device and the public key goes to the website. So that's kind of how FIDO works. Back in the day, earlier on, FIDO private keys were protected on the device only: when you have a physical security key the private key is on the device, it stays there; when you register it on your phone or your laptop, the FIDO private key stays on the laptop. What if that restriction didn't exist? What if we could take that private key that you have on your phone and we could replicate it to all your other devices that you own as well, kind of almost like
what a password manager does today? A password manager wouldn't be super useful if it only ever kept your password on one device and you couldn't get it off; a password manager is useful because your passwords are available wherever you need to use them. So what if we take that property and we apply it to FIDO keys? So when you register a FIDO key and you make a new FIDO key for a service on your phone, we're able to take that FIDO key and replicate it and bring it to other devices that you own as well. Now of course, if you're in security you'll immediately say: well, how do we know you own those other devices? What if it's an
attacker? And that's the type of thing that we want to get to later in our panel session, but essentially if we're able to know that you own two or three other devices, let's just proactively go and put your FIDO keys on there as well. What that means and what that looks like is when you move and you buy a new device, you go buy a new phone, you never have to fall back to typing a password ever again. You'll just continue to use your biometric, your face, your fingerprint, your screen unlock, and that gets you access into that particular service without ever having to fall back to passwords ever again. It basically makes FIDO as ubiquitous and available as
passwords. There are some caveats to this, but we can get into that in the later session. The second thing is: well, what happens if you're on a device and you just don't have your FIDO credentials there? And this is the typical password problem, right, the password manager problem. I think I heard folks earlier saying: I have this issue where I want to sign in on my television or I want to sign in on a friend's computer, I have to retype my passwords from my password manager into the keyboard, there are special characters, a huge pain in the ass. How do we solve that problem? Well, the way that FIDO solves it is we
developed a local protocol that allows two devices to talk to one another over local proximity using a specialized Bluetooth protocol. So essentially the use cases: I want to sign in on my television, I want to sign in on my friend's laptop. I go to their laptop, I click on the website I want to sign into, I bring my phone, which has my FIDO passkeys, close enough to their machine, I tap the account I want to use and magically I'm signed in. No retyping of credentials, totally phishing resistant, because everything that is FIDO related still stays intact, and my credential actually never goes to my friend's machine; only the signature that
allows a once-used sign-in actually goes to their machine over this local proximity protocol. Because it's not via the cloud, because it's local proximity based, we get all of the inherent phishing protection that you get out of FIDO in this particular protocol as well. And these two things are basically the only difference between what we had in old FIDO and what we have in new passkeys: it's FIDO credentials with the ability to synchronize and the ability to be exercised remotely using these proximity protocols that we've now defined and that most popular operating systems have stated that they will adopt. So we have support for this whether you're using Android to a Mac device or whether you're using an
iPhone to a Windows device; these protocols are implemented in a standardized way so that it's not a vendor lock-in. It works, essentially, no matter what platform you own, as long as it's a fairly modern platform, and again we can talk about the exact versioning there. These types of experiences are what we enable. So here's an experience on Windows, for example: the user wants to sign in somewhere, it sends a prompt to the phone. Again, it's not a prompt via the cloud, it's a prompt to the system; on Android here it's also not to an app, it's to the Android system, and it allows you to then unlock, in this case using
your face here, pick the account you want to use, and then over the local proximity protocol we let the device know that yep, the user has authorized this login, they can go ahead and they can continue down this track. Cross-device, cross-ecosystem: one mobile device can bootstrap another ecosystem or another device, which is essentially how we get away from the issue of having the user retype long strings. And if you retype a long string you can make an error and type it into a phishing website and whatever; none of that is in effect here, because everything is essentially
automated between these two systems and there's a handshake. So: access a new app using your mobile device to sign in, and then the thinking is, if you use your mobile device to sign in on a new system, if that's your system, if that's not your friend's, you can create a brand new passkey on that system that signs you into the account. So tomorrow, if you come back on your Windows machine, you don't have to grab your phone again, because that would be painful, right? You can now, just on your Windows machine, show your face, touch your fingerprint, whatever you need to do, and then get back into that same service in an easier way. So no need
to fall back to using your phone every single time that you want to log on on devices that you own and devices that you trust. So with this, let's look at a quick demo, if I can make this work. This is always a little bit tricky, but I'm going to try my best. Let's open this guy up here, and essentially what I want to do is show the experience that I just talked you guys through; I want to show that experience in real time on my Android device. So let's see if we're able to make this work. If everything works, you should see my
phone screen there in a second. Cool, okay, so that's always good if that part works. So that is just my Android phone that I have here. So I'm going to take you through a typical experience of a user here using passkeys, and essentially it goes like this: the user opens their browser and they hit their favorite banking website, in this case I have this fictitious bank called Tribank. I've never dealt with passkeys in my life ever before, this is my first time doing that. So what will happen is the system says: hey, do you want to sign in? Ignore the "sign in with a passkey" button at the top for the moment, let's just talk
about the form at the bottom. So this is a user who has never dealt with passkeys ever before, first time ever. They're going to go in, they're going to type (oh sorry, let's refresh this, make sure everything works, yep) the user types their username, types their password and hits the sign-in button. Now what will happen in the background is the Tribank server-side system will detect that we're on a device that supports passkeys (that's a silent detection mechanism we've added) and it'll offer the user the option to create what's called a passkey. So there's an explicit passkey creation moment that takes place. I'm going to say yep, create me a passkey. System UI kicks in and says: hey, do you
want a passkey? I say yeah, sure, I want one. Here's a little bit of metadata about the passkey: passkeys contain an icon, they contain a display name, they contain a username, a bunch of information, and it also tells me there, down at the bottom, that this passkey will be synchronized to my Google account in the future, so if I sign into Android on any other device I will actually be getting those passkeys on that device as well. And then lastly I need to do a user gesture here, touch my fingerprint, and that creates my passkey. So now that I have a passkey on my phone, next time I come back to Tribank,
either on this phone or on any other phone that's signed into that same Google account, all I have to do is either know that I have to hit the "sign in with a passkey" button, but we know most users won't, so we've decided to also integrate passkeys with the autofill system on the particular device that we're on. So if the user were to click into the account name field here, which is what I'm going to do, rather than allowing me to type, it'll come up and say: hey, you've got a passkey, do you want to use that? And I'm going to go yeah, sure, I'm going to use my passkey: click it, touch my
fingerprint, and at this point I should instantaneously be signed into the account. Now, up until this point that still makes a lot of sense. One other cool thing that I didn't say is once I made a passkey on the web, the same passkey is also usable in an app. So if I download the Tribank app from the Google Play Store, I can now open the Tribank app, I can hit "sign in with a passkey" here, I can click on that exact same passkey I created over on the web, and because the app and the website are linked using asset linking, I can go and just touch my fingerprint and amazingly be signed into
my app as well. So whether I create the passkey on the web or in the app doesn't really matter, they're usable in both places. And then, as a last little add-on to the demo, let's quickly show how the experience would work for a user that's on a friend's machine. So I'm going to sign into Tribank on my buddy's machine over here, and what I'm going to do is go to the Tribank website, make sure it's online, there we go, and I'm not going to type in my username and password here, I'm simply going to say "sign in with a passkey". The system will detect that I don't have
any passkeys yet for Tribank, so it's going to tell me to scan this QR code. Now the QR code is necessary just to let these two devices know that they want to be talking to one another: if you have another five laptops and two phones in the audience here, we don't want my phone to accidentally talk to your laptop, so it's kind of a disambiguation thing where I want to make sure this laptop and this phone talk to one another over Bluetooth. I'm going to say "use passkey"; there is no explicit pairing, everything is handled by the protocol, so I say yep, I allow these devices to talk to one another. The passkey I created earlier in my
demo is now available on my phone, I pick it, touch my fingerprint, and at that point in time I should be magically signed in on my laptop here on the left. And as I said earlier, because I don't have a passkey on my laptop yet, the website will offer to let me create a local one, so next time I come back to Tribank I don't have to grab my phone. So I'm going to say yeah, sure, make me another passkey on my laptop; I can use my fingerprint, because this laptop is one of those that's equipped with a fingerprint sensor. So I'm going to touch my fingerprint and now I have yet another passkey for this website on
my laptop. So if I ever come back to this website on my laptop here, I can just click "sign in with a passkey", touch my fingerprint, no phone needed, pick the credential that I want to use, and instantly I will be signed into the account. I promise I'm almost done; we'll go through a quick recap and then I will make time for the panel here. Let's just look at a quick recap. So what did we see here? Well, the first one is user info is stored on the authenticator at registration, right? Remember I had this prompt where the website said: hey, do you want a passkey? At that point in
time I create the credential on the device. It's called a discoverable credential, which means metadata about the credential is associated with it on the device, which means I don't need to type usernames anymore, I don't need to type passwords; all of that information is now associated and stored on the particular authenticator, on the platform. So next time I open that website up, the system can prompt me with all of my stored credentials, I simply pick the one I want to use, click on it, do my fingerprint scan and amazingly I'm signed in. As I said, synchronization happens if I own more than one device and they're all signed
into the same account, we get synchronization. Now here's a little caveat: synchronization doesn't happen like in password managers, between Chrome on Windows to Chrome on Android to Chrome on Mac. No, no: for FIDO we want platform support, so passkeys only sync within ecosystems owned by the same vendor. So on Android, my passkeys made on Android only sync to other Android devices, they don't sync anywhere else. Passkeys made on macOS sync to iPadOS and they sync to iOS, all part of the Apple ecosystem. Passkeys from Android do not sync to iOS. If I want to sign in on my Mac device using an Android phone I need to use the cross-
device Bluetooth flow that we saw, the QR code scan flow; that's how I get my passkeys, or the sign-in mechanism, between devices of different ecosystems. And the reason why we went for that is we wanted the security properties of hardware-bound and stored keys that are stored directly inside of the system. We did not want to have the same issues where the private key is perhaps just stored in a file on disk so malware can get to it; we wanted the assurance of having these keys protected by the hardware. Which means passkeys also inherently get away from other forms of multi-factor: if I have a passkey I don't need SMS OTP, I
don't need Google Authenticator, I don't need push authentication. Passkeys solve two authentication factors in one single step: the possession of the key and the way to unlock it is enough to get access to a passkey, which should then account for both authentication factors in one fell swoop. That's the other reason we wanted to go down the passkey route here, with the protection. Last slide, I promise, is the integration with autofill. We don't think it's going to be successful if we have to train users to go and find a button like this on a page, so we actually don't think that a button like this should even be on a page for the next five
years. We should have integration of passkeys directly in the autofill system, so that together with your passwords we just show you available passkeys, you click on it and you can sign in. And if you don't have a passkey available you can always go "passkey from a different device", which allows you to pair a different phone, bring it in proximity and then use the passkey from another device to sign in on the device that you currently own and that you're currently on. That is it. I know I am one minute over. Any questions? I guess we can get into lots of questions afterwards.

Thank you, Christiaan. All right, I do know I have tons of questions, but
that's why we are doing the panel now, so Andrew and Tim can also come up and join me on stage. And, well, a short round of applause for Christiaan first, of course. [Applause]