
April 12, 2025 46 mins

There are many scams, some to get your password(s), some just for money. Join us as Wolf tells everything he knows and together we discuss a new way to protect your online accounts.

Show notes:

Lists of login methods:

Who implements Passkeys?

The three things that come together to make passkeys:

Which password managers support passkeys?

  • 1Password (our personal favorite)
  • Bitwarden
  • Dashlane
  • Google Password Manager
  • Keeper
  • NordPass
  • RoboForm

A little about password managers:

Almost any password manager is better than no password manager at all so do your research. Find the best one for you. Make sure it answers these questions:

Wolf's top three personal digital security recommendations

  • Use a password manager (it should support passkeys). See above.
    • Once you create a passkey for a specific service, change your previous password. The new one should be generated by your password manager, and you should never use it unless you absolutely must.
  • Make sure your device is secure.
    • Use biometric authentication.
    • Have a strong password. Your password manager can generate one made from words. Easy to remember; hard to guess.
    • Make sure you know how to force your device to require a password. You can be tricked or forced to authenticate biometrically. Law enforcement can't force you to reveal a password, and if you're careful, you can't be tricked out of it.
  • Be aware of your surroundings. Bad actors can "shoulder surf" your password, and so can cameras. It's just like the old days at the ATM: you don't want a person right behind you to see your PIN.

Hosts:

Jim McQuillan can be reached at jam@RuntimeArguments.fm
Wolf can be reached at wolf@RuntimeArguments.fm

Follow us on Mastodon: @RuntimeArguments@hachyderm.io

Theme music:

Dawn by nuer self, from the album Digital Sky


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jim (00:05):
Welcome to Runtime Arguments. This is a new podcast that my friend Wolf and I are gonna put on. This is our first episode. We're calling it episode zero. Because we may or may not share it with the outside world. We will share it with our friends at least to get some feedback. See if uh see if they think what we're doing is worth doing.

(00:29):
My name is uh Jim McQuillan, and my partner in this uh endeavor is Wolf. Say hello, Wolf.

Wolf (00:38):
Hello.

Jim (00:40):
That's Wolf. Um we uh Wolf and I, we the the way this podcast came about, Wolf and I meet for lunch every Saturday at a at a sushi place uh just south of Ann Arbor. Um every Saturday we sit down and we talk about everything. And one Saturday, a couple of months ago, we started talking

(01:04):
about, you know, this is interesting stuff we talk about. Wouldn't it make for a great podcast? So here we are. We're gonna try to take uh some of the conversations we have at our lunch and uh put it into a podcast. That's not to say we're sitting at lunch making this podcast. Uh we're this is actually uh we're doing this on a Saturday and it's after we had lunch and we've each gone back to our

(01:26):
respective homes. Anyway, we're putting on this podcast. Um we call it Runtime Arguments, and the reason for that name is often Wolf and I disagree about things. We uh we were just talking about it. We we agree more than we disagree, but we have different

(01:47):
ways of looking at things. And uh that's that's what makes for an interesting conversation. He'll come at a problem one way, I'll come at it another way, and we'll we'll sometimes meet in the middle, sometimes uh uh each continue protect in our own separate ways. But uh it always makes for an interesting conversation.

(02:09):
Uh so today uh we've got a great, great conversation lined up. Uh Wolf, why don't you tell us what we're talking about today?

Wolf (02:18):
Uh well, one of the big problems uh on the web today is authentication. And what I mean by that is when you log in uh typically to a website, but often there's an app you can use instead on your phone or or what have you that logs into the same service that

(02:41):
you would be if you were contacting the website. And the problem is how do you prove you're you? Uh we have a great many methods right now. Uh a username and password. There can be a one-time password where you type in a code that your phone generates for you.

(03:02):
It can send you an email with a link you have to follow. Um it can text you a number and you have to type in the number. There's lots of ways. And there's lots of scams for people who are trying to steal those ways so they can impersonate you to get control

(03:23):
of your bank account or or who knows what. The idea is there's important services you want to access, you want to be the only one to access them, and you have to go through some procedure to prove you're you. Recently, there's been a new way of authenticating.

(03:47):
Um, this new way is called passkeys. It's not everywhere, um, it's it's a very new technology, um, and it's very interesting, and that's what we plan to discuss today. Where did it come from? How does it work? What is it made of? Why is it good? Why is it bad?

(04:08):
Um, and will you encounter it? And should you use it? I think those are all questions. Uh the way we're gonna do this is I've been researching this situation for a couple of weeks. Um, so I have lots of answers, not all the answers, but I I know some stuff, and the idea is Jim's gonna ask me questions so

(04:32):
that at the end he's gonna know everything I know, and so will you.

Jim (04:38):
Great. Do you want to uh tell us a little bit more about passkeys, where they came from, how how basically how they work?

Wolf (04:47):
Absolutely. Passkeys are an uh integration of three separate things. To you, to a user, a passkey just looks like a dialogue pops up when you start to connect to something and says, Hey, do you want to use your passkey? And you click one button that says yes, and that's it.

(05:10):
It's all over, you're connected. Um so the user interface to a passkey is simple, easy, and great. Um, the three things that come together to make this possible are a very old technology called uh public-private key uh

(05:33):
encryption. This is something that has been in use for a long time by people who are computer savvy, uh, often to use uh a program called SSH to connect to remote websites, to connect to remote services, not websites, uh, but typically uh servers and other

(05:55):
kinds of computers like that. But it's not used much by people outside of computer professionals. Second, things that your phone or computer do, uh biometric identification, fingerprint scanners, uh facial recognition scanners, um your phone knows who you are, and modern phones

(06:18):
know who you are in the most secure possible way. And finally, um, a brand new collection of rules which in the documents that describe and define passkeys are often referred to as ceremonies for how passkeys should be created,

(06:44):
how they should be presented, how a user interacts with them. Uh so it's the combination of these three things uh key pair, user interface, and biometric identification. Those three things go together to make up this idea of passkeys.

(07:08):
Now the first thing you probably want to know is are passkeys better than what I'm using now? Um and the most important thing I can say is yes, absolutely. Passkeys are better than what you're using now. They typically don't require two-factor authentication, also

(07:28):
known as 2FA. Um they're incredibly hard to steal, they're very safe where they're stored in your phone. The secret password is only on your phone, it's never presented to you so that you can type it into some attacker's dialogue. It's never given away, it never leaves your machine.

(07:51):
Um passkeys, I think, I'm safe in saying, are the future. Um they're significantly better in all ways than every authentication scheme we have right now. So that's my introduction to passkeys. Um what do you want to know, Jim?

Jim (08:11):
You spent some time in the last several weeks setting up passkeys uh for the various services that you use. Do you want to tell us about one of those adventures?

Wolf (08:22):
Absolutely. Um the first thing to know is that a passkey only ever communicates, authenticates, targets one service. So for instance, you might have a passkey that logs you into

(08:42):
Microsoft. I'm gonna talk about some other things having to do with how you store your side, but in the simplest case, where it's you and a phone and Microsoft, there's only one copy of the complete passkey on your side in your phone.

(09:05):
Microsoft only has half. They have the public half, which is not secret at all. Anybody could have it. It happens that only Microsoft has it, because Microsoft is the only company you use this specific passkey to talk to. Now there's a safer way to do this, and that is if your phone

(09:29):
is actually part of some kind of cloud account. Um, for instance, uh Android phones have Google, iPhones have iCloud. Um, it may be that your passwords are stored someplace safe inside your phone, and then using end-to-end encryption so

(09:52):
that no one can ever see them is uh transmitted to the cloud where it can be shared with the other devices that know you are you by uh facial recognition or fingerprint ID or whatever it might be. So that's the second level. Um using the cloud as provided by your device.

(10:17):
And the third level, um, if you are concerned about being locked into one ecosystem, for instance, is at the very top level using a password manager. Um I happen to use 1Password, and 1Password knows about passkeys and has uh a cloud component where you can

(10:45):
be running 1Password on any of your devices, whether it's your Windows machine or your Mac or your Linux box or your iPhone or your Android, whatever it might be. You're logged into the same 1Password account. The 1Password people can't look into your 1Password

(11:06):
account, they can't ever see your passkey. But no matter what which machine you're on, you have that one passkey. Um, so that's how it works for me. In the one device case, uh, but you at so no cloud and no password manager, but you actually have a desktop and a

(11:28):
phone. When you talk to Microsoft, you'll have a separate passkey on the desktop. Um it has the same target, the same service in mind. It's thinking of Microsoft, and it won't ever offer uh a passkey

(11:48):
authentication, this particular passkey, to any service other than Microsoft as you know them. But it's a totally different passkey for two different devices, but it's the same you and it's the same Microsoft. Um so this is how my adventure began.

(12:09):
Uh first I started looking into what do I need to do to make a passkey, and is it the right thing for me? Is it better? Um the thing that I've mostly been using uh up until now has been um my username and then um a one-time password as presented

(12:34):
from 1Password. It it keeps what it calls a TOTP, time-based one-time password. Um, and it can present that to the uh typically website that you're trying to log into and identify you as as you. Um that turns out to be a pretty good way.

(12:59):
It can be phished from you. Somebody can make a uh web page that looks to you exactly like the Microsoft web page, and you put in your user ID and your password, and then the second factor is your TOTP, and they

(13:21):
catch it, and they relay that onto the real Microsoft. They've tricked you, they knew they know your TOTP that's good for another minute or 30 seconds, something like that, but they log in as you, and then they can do whatever they want to your Microsoft resources. So I don't like that. Another specific thing that I hate and am forced to do by some

(13:47):
services is they have a second factor, and that second factor is SMS. The problem with SMS, when I say SMS, what I mean is you log in with your password, and then they immediately text you a secret code that's good for 15 minutes or something like that.

(14:07):
And when you receive that secret code at the phone number they already have on file for you, you enter that secret code into a text box on the web page. Um there's uh two ways this can be spoofed. One, the way I just talked about, like you would do with a

(14:27):
TOTP, but the other is there's a thing called uh SIM swapping. And if you are important enough, if maybe you've got some giant crypto wallet, or you're a politician, or somebody important, um, it may be worth an attacker going to the phone

(14:51):
store or calling the phone service, pretending to be you, and with a lot of effort getting them to duplicate your SIM for them so their phone now gets your calls. Um so what happens is they already know your password

(15:14):
because they've somehow gotten that from you, they've scammed it, phished it, whatever. They use the password, but now they've got your phone and they get your text messages, they can use the SMS uh service to enter the second factor. And boom, they're in control of the resources at the other end of that authentication. You know, your Microsoft Azure account or whatever thing you're

(15:37):
trying to use, your bank. Um I hate SMS because it's not encrypted end-to-end, and SIM swapping is incredibly easy. All you have to do is fool a low-paid customer service

(15:57):
employee at the phone company, Verizon or AT&T or whatever. They get some training, but they are not uh sufficiently um incredulous about people trying to get replacement SIMs or new SIMs or whatever.

(16:17):
They just don't know who the attackers are, so it's pretty easy to trick them. And I learned that passkeys are not subject to any of these problems and don't need second factor. I was looking to see if they were better and or easier than what I was using, and they are.

(16:40):
So because I use 1Password, it has a feature called Watchtower, and Watchtower in 1Password tells me what services I connect to that offer passkeys where I'm not using them. And so I started going through them in order of importance um

(17:02):
and making passkeys. Now, the innovation in passkeys is not the encryption. The uh key pair um encryption technology has been around for decades. It's not the biometric identification. Your phones have been doing that for five, ten years.

(17:23):
Um the innovation in passkeys is the workflow, the user interface. And so what I learned as I was using passkeys, as I was creating them and storing them and putting them in the right place and naming them and using them to connect, is that they're

(17:47):
easy. Um, when you get to a service that wants you to use a passkey, um, it presents a dialogue uh in concert with your client, whatever software is on your side of the connection. So your phone or um your web browser presents a dialogue

(18:09):
saying, you could have a passkey here. Would you like to? And if you push the yes button, you get a passkey. You don't have to enter any information, you don't have to um do anything, it just generates a passkey, and whatever thing the web browser or your password manager or the

(18:33):
operating system, whatever piece of client software presented that dialogue to create a passkey, whatever did that, stores it in the most secure way possible on your device, and that's the end of it. All you had to do was click a button that said yes.

(18:55):
And after that, um, let's say it's a week later and you want to get into Microsoft, you go there, it presents a um name and password field, and then up in the corner of your screen, either your web browser or your OS or your password manager, whatever you used to create that passkey, um that client

(19:19):
software recognizes that you're trying to contact a service for which you have a passkey. And so it brings up a little dialogue, a little button that says, Would you like to log in with a passkey? And you click yes, and then you're in. That's all there is. Um it's easy, it's safe, and it was based on technologies I

(19:46):
already understood and used for years. So um I switched over to it. Now it's not um it's a it's an it's a new combination of things to make this facility passkeys. So not every service offers it, not every password manager knows

(20:10):
how to handle it, not every web browser knows what to do. You can't use it everywhere. But it's good, it's better than what we have. And so I'm using it every place I can. Um and that is my initial experience with it.

Jim (20:27):
That leaves me with so many questions. Um, first of all, uh uh uh I'll summarize what you said. Um briefly. Uh uh we've we've got multiple ways of logging into sites out on the internet. Uh the old traditional simple way, the username and password.

(20:47):
We've been doing that for years and years and years. Uh the next level up would be a two-factor authentication method, like SMS or email, where you enter your username, you enter your password, and they send you a code. Usually it's a six-digit code, they'll send it to you either through an SMS text message or to your email account.

(21:10):
Then you look at your message program and get that six-digit code, and you plug it in to the field on the screen, and that gets you logged in. That's how they figure you are who you say you are. And then the third way that Wolf just spent 10 minutes outlining was passkeys. Um I I'm gonna make a point that yes, there are levels of

(21:33):
security here, right? Username and password is not very secure. It's easy to get around, especially when non-technical users create a password that's not very strong. They don't have a concept of what a strong password is. And you know, obviously, probably the most common password out there is password, or maybe password with an

(21:56):
exclamation mark after it, uh, something like that. Those that's not secure at all. Um, SMS Wolf talked about how insecure that is. I want to make an argument that it's way better than the first way. Yes, it's not as secure as passkeys, but it's an order of magnitude better than a simple username and password.

(22:19):
So don't feel bad if that's your only way of doing it. Don't feel bad if that's the way you've been doing it with a text message. I do it at lots of sites. Uh I have been switching over to passkeys, though. And I I understand that passkeys are much more secure. Um Wolf made the point that yes, if you're a politician or if

(22:39):
you're somebody of importance, um you want the absolute most secure because somebody logging into your account and doing things as though they are you would really be a serious problem. So, yes, passkeys are wonderful that way. You said that they're like I I I don't know if you actually said

(22:59):
this, you and I said this earlier. They're like SSH keys. Because SSH is built on public private key pairs. When I use SSH, I try to always generate an SSH key pair. I keep the private key on my system, and I copy the public key to the remote system so that the next time I log in, I can

(23:22):
just log in and it doesn't even ask me for a password because it it has my public key, I have my private key, the two of them together make a whole and it allows me in. One more point I wanted to make. We are counting on the fact that our phone knows who we are,

(23:43):
right? So let's say you've got a phone and you've got a passkey set up on it for you to log into Microsoft Azure, right? So what if somebody else gets your phone? Don't they have that private key now? You have to have some secure way of authenticating to your phone,

(24:05):
right? Whether it's biometrics or a secure password or something. Absolutely right. You have to count on that phone guaranteeing that you are who you say you are. Uh somebody else could grab that phone, hold it in front of your face, and they're authenticated to the phone, and they're in.

(24:26):
And that's yeah, that's no stronger than a username and a password, right? Uh so we have to watch out for that. Uh obviously, I made the point. They are the passkeys are much more secure than than uh any other two-factor authentication method, or just a simple username and password. My concern is you've got this private key on your phone, and

(24:51):
you're using it to log into these sites with passkeys, and you lose your phone. Now what do you do?

Wolf (25:00):
So this is a specific point I've thought about quite a bit, and it's a problem that people care about and talk about. Um at the lowest level of those three possibilities that I talked about. I talked about one device, I talked about one device and a backup cloud, and I talked about um using a password manager, a

(25:26):
password manager that has some kind of cloud storage. So if you have one device and secure storage and no cloud, and you lose that device, and you haven't configured any other way

(25:46):
to authenticate yourself to that service, for instance, um a one-time password or some kind of credentials uh that you can use with customer service. If you haven't done that, absolutely no one can help you. Um I mean, this might be as bad as you lose everything that was

(26:11):
there that was connected to you, and you have to make a brand new account. Passkeys are exactly like um uh any of these end-to-end encrypted cloud services where you have a special key on your

(26:32):
phone that makes sure you can understand what's on the cloud service. Uh a thing I have experience with, not bad experience, but uh just I know about it and have used it, is if you have an iPhone and you have iCloud and you have turned on um the extra

(26:54):
level of encryption, Apple doesn't have that key. Apple can't get into uh your backups. If you lose that phone, you have lost all your photos. Apple absolutely cannot help you get them back. So, this is a problem.

(27:15):
One device, one passkey, no backups, you're done. It's bad. Um that is why I am using a password manager. Um, that way I've got the passkey in in a cloud uh and I can put it on a new new device.

Jim (27:34):
Ah, good point. So you're using uh, as you said, 1Password. You could be using Google's password manager or Microsoft's authenticator or uh Apple uh recently came out with a new password uh manager like last year for the iPhone for iOS.

(27:55):
Those will all store your passkey private keys.

Wolf (28:01):
I know some of them do, yes. I don't know for a fact that all of them do.

Jim (28:06):
Well, I know the Apple one does, and I think the Google one does, and I think the I strongly suspect the Google one does. Yeah, if they don't, they will soon, right? Um but you need another device to store that inform to to sync, right? Um I I I'll I'll tell you a very quick story. Two years ago, I was visiting my friend Scotty up in Winnipeg,

(28:29):
Canada. Uh we went out one night, I dropped my phone. I didn't lose it, I dropped it, cracked the screen badly, and uh immediately I was horrified. Not because it would cost me a lot of money to get the screen replaced, which it did, but I was out of town for a week, and

(28:51):
that was my method of communicating with my life back here in the States. Uh I I I used Google for email, uh, and uh and currently I'm using a passkey for that, but I would have been in trouble trying to uh connect into my my work systems, uh into my email,

(29:13):
into my bank, into my life. Uh the the screen was cracked, but the phone was still usable. Of course, I was worried about like slicing my finger as I slid it across, but the phone was usable, so I was safe. But had I dropped it a little harder, or had I lost it, I would have been in trouble.

(29:34):
Uh, and I think that's about the time I switched over to 1Password so that I could sync all of my passwords between my laptop and my desktop and my phone so that I'm I'm not completely locked out. Um but you made another comment about having an alternate way to

(29:54):
get in. If you lose your phone, uh you should have a backup method for authenticating. The problem is now you've got something less than passkey to authenticate with. Let's say it's SMS two-factor as your backup method.

(30:15):
What's to stop somebody else from using your backup method to get in? You're no longer secured by that passkey.

Wolf (30:22):
Okay, I have two things to say about that. Um one is a possibly uh more secure method than anything except passkey, and the other is the idea that um, first of all, do not make up a password on your own.

(30:45):
Um if you made it up out of your own ideas and thoughts, and maybe you specifically made up one that would be easy for you to remember, you're wrong. That password is wrong. If you want a password, and you might, you should let your

(31:06):
password manager generate it for you. Sure. And there's many levels and many ways to get a password that's the right kind of password. Um for most of my accounts, I do have a password that I try not

(31:28):
to use. If I come to a dialogue that says, please enter your password, well that's a problem. My concern is that window might be a trick. Maybe somebody's trying to get my password. So there's two ways people can get your password. One is by tricking you to tell them, and one is by guessing it.

(31:52):
Um I use complicated, long, hard to remember passwords generated by my password manager, so the guessing part is out. I try never to enter them into a field, so the tricking me part is out. Why do I never enter them into a field?

(32:12):
Because I'm using passkeys instead. So if you have a passkey, maybe now is the time to get a password manager to generate you a hard to remember password that it stores securely but manages to share it with your other

(32:32):
devices in the cloud that you never enter until you absolutely have to. So they don't trick you, and they can't guess it. Passwords are not as good as passkeys, but if you follow those rules, um they might make a good backup.

(32:54):
Now, just for completeness sake, I want to discuss a thing that I use, um, and that is a hardware security key. Now, this is a key, it's not unlike a passkey in that you are the one with the secret, and it's a physical object.

(33:16):
Um people can't steal the authentication ability from you over the web. They have to have this device. I think my security key is great, but I will say a couple things about it. First of all, it's not for ordinary people. Uh a regular person who just wants to get on a website, a

(33:38):
security key has an awful user interface. It requires you to grab your key ring or wherever you keep it, slide it into a USB port or hold it near an NFC reader, uh, touch a button. It is a huge annoyance, and you've got to have one. In fact, uh because you might lose one, you've got to have

(34:00):
two. Do I think security keys are a good way to log in? Um if again, it depends on your threat model. If you're an important politician or an actor or somebody with a huge crypto wallet, your threat model might say you need uh hardware security key level of

(34:23):
protection. And yet, passkeys are better than hardware security. These uh hardware security companies, they are working with and looking for ways to incorporate passkeys into their connection methodology, into their schemes.

(34:46):
So they don't want to be irrelevant. Um, they have made a good product. I have them, I use them, I like them, but where I can use a passkey, I use a passkey.

Jim (35:00):
I think that's a great description of what passkeys are and how to use them. I I do have one more question coming from the other side of passkeys, and that is I I develop sites for my customers. I don't develop a lot of sites, but I develop some very important services for my customer. How do I incorporate passkeys into that so that they can so

(35:24):
that the users of those sites can use a passkey to log in? Have you gone down that path to figure that out?

Wolf (35:31):
I absolutely have. And I have bad news. Implementing either side of passkeys, the client side or the server side, is a lot of work. And it's a lot of work you have to do right. It's like any other kind of cryptography.

(35:51):
Um, if you're a developer, you know that a rule is you should not write your own encryption. You should find a well-tested, well-vetted, understood, open source, probably encryption library. Um for the parts of um passkeys, there already exist

(36:17):
libraries in many languages. Uh not enough, and there aren't enough implementations yet. But if you're doing something in C or C or Rust, um there is something that is going to help you a great deal. But to make all of this stuff smooth for the user, there's a

(36:40):
lot of ceremonies, as they call them, that you have to implement. A lot of conditions, uh things that don't just occur to you. Um for instance, when someone logs in uh and you don't even know who it is yet, um, you have to figure out which passkey is

(37:02):
the right thing and if you should even ask for a passkey. Uh what if they have gone too long without touching anything, they've idled and timed out, and they are now disconnected, but they want to reconnect with their passkey. That's a different situation than just an ordinary first-time

(37:23):
login, and you have to account for that. Um there are documents, uh passkeys are all um let me get to my web page here. Uh passkeys are under the umbrella of um some passkey

(37:48):
implementation places. I think it's passkeys.dev. I think that's the the place where passkeys start. I have to look around. But um they provide documents, pointers to code, libraries that can help you, descriptions of all the cases and ceremonies

(38:09):
that you have to implement. The bad news is there's a lot to do. It's super easy for the user, but it's super hard on the implementer. Uh I believe it's absolutely worth it. If you spent time in your uh app or website or what have you that you implemented putting in two-factor or whatever, and you

(38:32):
remember that was challenging, but what a win that was for your users. This is the same thing, uh, except times ten. It's ten times as much work, um, but there are libraries for you, and the result for your user is absolutely the right thing to

(38:54):
do. The user is more secure, it's easier for them, they're happier, you don't have to store anything secret. If you get um hacked or whatever, there's a nothing for the attacker to take from you that will let them compromise the user. Um it's all good.

(39:15):
It's just hard.

Jim (39:17):
Alright, well, hopefully as time goes on, there will present itself an open source library, or maybe it's already there, that we can use uh to offer passkeys to our users. Uh uh I want to get to that point where I can do that.

(39:38):
I'm not sure I have the bandwidth right now to spend all the time on that, but I I do want to offer that in the future. Um I I think everything you've covered is really interesting. What I think I'd like to leave for the listener now is a a short um best practices.

(39:58):
Uh uh paragraph, let's say. Can can you can you just sort of go over quickly uh if you want to have a good secure login um quickly, what do we do?

Wolf (40:14):
Alright. I have recommendations. These are what I tell all my friends. Um my in-laws don't listen, but this is what I say. The number one thing you should do is you should use a password manager. I have a favorite, but you should look and decide what is

(40:37):
the best one for you. I happen to like 1Password, make sure you include that in the things you look at, but use a password manager, have it generate your passwords for things, have it remember the right things, and make sure it's available on all your devices. The second thing I would say is for the devices, especially the

(41:00):
ones that you're going to carry around with you, make sure that that device is itself secure. On my device, it needs Face ID to get into it. If I'm in a situation where I am concerned that someone might

(41:20):
grab my phone and force me to show my face, for instance, if my phone was confiscated by border crossing patrol, whatever, uh, or stolen by someone at a bar. I don't go to bars, I'm old. But if any of those situations arose, I usually on my phone I can hold down the power button for a certain amount of time,

(41:42):
and what happens is I can't open the phone with Face ID.
I have to type in the password for the phone.
My password for my phone is incredibly long.
Um so, and I don't type that password in in front of anyone.
I think that shoulder surfing, that's a thing you need to watch

(42:04):
out for.
So, number one is password manager.
Number two is make sure there's authentication on your phone.
And on my particular phone, I want to add one more thing.
Um, my password manager, which offers up uh the answers to

(42:24):
these questions, it has its own separate uh test for biometric.
When I try to get a password out of 1Password, um, I have to
show my face again.
Um that one time that opens the phone wasn't enough.
Um and it only will allow my face for a certain span of time.

(42:47):
I think I've got mine set for 14 days.
If 14 days goes by, uh you have to re-enter your password
manager's main password.
Um, my password manager's password is even longer than my
phone's.
Um a thing I would say about passwords is some passwords you

(43:11):
have to remember.
You have to remember the password to your phone, you have
to remember the password to your desktop, and you have to
remember the password to your password manager.
So the i the thing I think is good is something that you'll
find in an old XKCD, is instead of some random collection of

(43:33):
letters, numbers, and punctuation, um you can use a
sequence of randomly selected words.
Again, don't do this yourself.
Ask your password manager to give it to you, to make one up.
Um all password managers ought to be able to do this and do it

(43:57):
well.
Uh probably four um individual words that are un unrelated to
each other uh are good enough.
Um as it happens, on mine um they're all lowercase,
there's no punctuation, they're separated by space, and there's
lots of ways you could do this.
Mine's not four words, it's seven words.

(44:20):
But and so, well, you can tell I'm paranoid.
But that's the basic idea.
Um password manager, secure your device, whatever device that is,
and be aware of your surroundings is the third thing.
Um there if you follow the rules I've already given, you're not
gonna be tricked on the web.

(44:42):
They're not gonna guess your password.
So that gets to where they observe you uh by shoulder
surfing or whatever it might be in a bar.
Just like we used to be concerned when we were at the
ATM, is somebody right behind me looking at my four-digit code?
Um, you still need to be aware of your surroundings.

(45:03):
So that is my advice.

Jim (45:05):
Excellent.
Thank you very much.
Uh having a password manager is crucial.
Uh so if you do lose your phone or drop your phone and break it,
um, for instance, I could have gone to the Apple Store and
bought another phone, log into it, and install 1Password, and
type in my incredibly long password into 1Password to

(45:29):
unlock all of my other passwords, then I would be back
in business.
So thank you.
Uh I I think at this point, I think we covered our topic
pretty well.
Uh I want to thank everybody if if you've listened this far, I
want to thank you for listening.
Uh I I don't know yet what the frequency is going to be, how
often we're going to do these podcasts.

(45:50):
I think we'd like to do them every couple of weeks or so.
Uh we're taking you on a journey with us as we figure this out.
Uh I look forward to doing more podcasts.
And uh again, thank you for for coming.

Wolf (46:04):
I uh I want to add that um our plan is for the topics we
discuss that um will sort of alternate between who does the
research.
So hopefully in our next podcast, we find a topic where
Jim learns everything and I askthe questions.

Jim (46:24):
Yes, I I I'm looking forward to that.
I've got some ideas, and uh I I think it'll make for
entertaining uh uh listening.
So again, thank you for coming.

Wolf (46:34):
Thanks, everybody.