Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
I want to do something completely different. And I was
(00:01):
supposed to have my next guest on the show a
few days ago, and I screwed up a time zone
conversion and messed him up. But he agreed to come
back to the show, which I very much appreciate. And
you know, I'm a tech nerd, and you also know,
from time to time, just as something bordering on a
public service announcement, I'll tell you stuff on the show
(00:22):
when there's been some huge hack or a vulnerability found,
and I'll tell you, hey, you should really go, you know,
update this or update that, or get this or that
patch that kind of thing. And one of the things
that's going on in the world these days is that
online security is becoming less and less reliable in the
sense of bad guys getting smarter and smarter, more hacks
(00:45):
of websites stealing passwords. As AI starts getting bigger, as
computers start getting more powerful, maybe we'll see more
brute force hacks of passwords. Especially one day when we
get to quantum computing, your password will probably be close
to worthless. Other things that you will need to do
in order to be able to protect yourself online. So
(01:05):
joining us to talk about this in the macro and also
with a very specific solution called passkeys.
Speaker 2 (01:12):
Is Andrew Shikiar.
Speaker 1 (01:13):
Andrew is executive director and CEO of the FIDO Alliance,
that is Fast Identity Online. Andrew, thanks so much for
being here, and did I butcher your last name?
Speaker 3 (01:26):
Or asse? You nailed it, and thanks for having me.
Speaker 2 (01:27):
I appreciate it all right, very very glad to do it.
Speaker 1 (01:29):
So we got about nine minutes, so I want you
to just follow up first before we start talking about
passkeys and all this other stuff. Elaborate on anything
you want to say about what I said regarding online
security becoming more difficult.
Speaker 4 (01:46):
No, I think you're spot on. The tricks
continue to grow, the attackers continue to get more sophisticated,
and so it's kind of a game of whack-a-mole.
But the common theme here is that, you know, passwords
have been a security plague for decades now, and attackers
continue to try to exploit passwords to take over accounts
(02:06):
and do all sorts of damage. So that remains a
problem statement in my view, and we want to move
people away from passwords as quickly as possible.
Speaker 1 (02:16):
Okay. So one of the things that I've seen pop
up a lot on my various websites and apps, you know,
on eBay, on all kinds of other things.
They'll say, do you want to create a passkey?
Speaker 3 (02:30):
Now?
Speaker 2 (02:31):
I guess what we should jump into first here is
what is a passkey?
Speaker 1 (02:35):
And then we'll talk about how do they work?
And how do you set them up? And
what are the optimal ways to do it?
Speaker 2 (02:41):
So what is a passkey?
Speaker 4 (02:44):
Yeah, a passkey is an alternative to a password that's
way easier to use and way more secure.
Speaker 3 (02:50):
How do they work? And here's kind of an analogy.
Speaker 4 (02:54):
Think of passkeys as like an encrypted lock and
key which you need to match precisely for you to
sign in. So the lock sits with the service,
so with the app or the website, and the key
is a private key that only you have. For you
to use your key, you need to verify yourself to
your device, all right. So if you're using a phone,
(03:15):
it's probably going to be a biometric, so a face
scan or fingerprint scan or something like that. As soon
as you do that, your key can then talk to
the lock and sign you into things. Now, the big
difference here between that and passwords is that there's no
way to steal my passkey, or there's no way
to fake my passkey. Passwords are inherently weak because
they can be stolen, they can be guessed, they can
(03:37):
be spoofed. You know, with passkeys that simply
isn't possible.
Speaker 1 (03:41):
So I'm just trying to brainstorm this for a second.
I guess one of the keys to the passkey
is that, I'm not sure I'm thinking about this right,
but it needs to be done on a
device that is known to be your device, I guess.
Speaker 2 (03:58):
Because a password.
Speaker 1 (03:59):
You know, a bad guy could go into an internet
cafe in Bangkok and type in your password. What
I was trying to think about is, you know,
lots of people are on social media and
their faces are everywhere, so somebody could easily grab your
face and potentially use that to fool a biometric. But
(04:20):
I guess that wouldn't work unless they actually have your
device to use that on. Right?
Speaker 4 (04:28):
Yeah, that's exactly it. That's exactly it. So think of
it as, you know, you need to be in possession
of this, right, like you are of a key. You need
to be in possession of this, so there's no way,
like a lot of damaging attacks are being
done remotely, like you say, someone's stepping into an internet
cafe halfway across the world and entering your password or
getting your password from you or things like that. But
passkeys, it's all about possession, right. You need to
(04:49):
be in possession of your device, and you need to
verify yourself, again using the biometric typically, to that device,
you know, based on who you are. And so since
you need to be in possession of it, the only
way to take your passkey is to physically be
with you, all right. So I
Speaker 3 (05:04):
can't force it.
Speaker 4 (05:04):
If someone puts a gun to your head and makes
you sign into something, I can't stop that. But we
can stop the really damaging remote attacks, which, by
the way, are only growing in sophistication and scale with AI. Right,
so maybe everyone's seeing more spam, better spam. In fact,
you're probably missing spam that is spam because you don't
even realize it.
Speaker 3 (05:23):
This threat, the social engineering threat
Speaker 4 (05:25):
being generated by AI, is only getting worse, and so
the imperative for these passkeys is only growing in lockstep.
Speaker 2 (05:32):
Okay, so I don't know. I don't know much about this.
Speaker 1 (05:35):
The passkeys that I'm aware of are your face
and your fingerprint. What else?
Speaker 2 (05:41):
What other things can be passkeys?
Speaker 3 (05:44):
Yeah, so a passkey is actually the key itself.
Speaker 4 (05:46):
So how you verify yourself to your device is what
you're talking about, right. So whatever you
do to unlock your device is what you use to sign in.
Speaker 3 (05:52):
Think with that way and you unlock me.
Speaker 4 (05:54):
Most people unlock their phone dozens of times a day,
you know. My kids do it like dozens of times a minute,
it feels like. And so whatever you're doing to
unlock your phone is what you do to sign in.
So if it's Face ID, that's what you do. If
it's a PIN code on your device, which is only
on your device, that's what you're doing.
So you're doing that to allow your
passkey to sign in.
Speaker 1 (06:15):
Okay. So the computer I use most is a desktop
at my home that does not have a camera and
does not have a fingerprint reader. Now I could buy
a USB fingerprint reader and run that cable up to whatever.
But so are you saying that what I could do
is create
Speaker 2 (06:31):
a passkey
Speaker 1 (06:32):
that is the same PIN that I use to log
into that computer?
Speaker 3 (06:37):
Yeah. Yeah, so a couple of things you could do
on your on your computer.
Speaker 4 (06:40):
So if you have a Windows machine, Windows Hello
typically allows you to use a PIN or a
biometric to sign in. That PIN is local. That's a
key thing to understand about the PIN. I know, it's
kind of confusing, like your ATM PIN.
Speaker 3 (06:51):
That's not going out over any network. It's a very
local thing, so it can't be stolen.
Speaker 4 (06:55):
But yeah, so you have Windows Hello. Also very
common, like password managers out there like 1Password
and Dashlane and Bitwarden and companies like that. They support passkeys, right.
So if you have that set up, you know,
that can manage your passkeys as well
across your PC and your phone and things like that.
Speaker 3 (07:12):
And last but not least, the other thing you can
do in.
Speaker 4 (07:14):
that scenario is, if you have a passkey, you
know, for an app, say on your phone, you can
do a QR code where the passkey comes up on
your screen.
Speaker 3 (07:25):
You can use a passkey on your phone to sign
into that. So I do that.
Speaker 4 (07:29):
often. For like, here's one use case for that:
Shopify has passkeys.
Speaker 3 (07:34):
I often find myself buying something on them for,
Speaker 4 (07:36):
like, one of my kids, and then at checkout Shopify
asks you for a passkey. Right, I never
enrolled, you know, signed up with this merchant. I
have the passkey on my phone and I shoot it
and I'm signed in, just a one-time sign-in with
that passkey.
Speaker 3 (07:48):
It's your passkey. You know, it's a key, so it's
Speaker 4 (07:52):
with you on your device, or, you know, you
have multiple passkeys for a service, but only you
can verify yourself to that.
Speaker 3 (07:58):
So you know.
Speaker 4 (07:59):
Our goal is to make it as flexible and usable
as possible, which means having some redundancy in ways that
you can actually use your passkeys.
Speaker 1 (08:07):
We're talking with Andrew Shikiar, who is executive director and
CEO of the FIDO Alliance, the Fast Identity Online Alliance.
Speaker 2 (08:15):
All Right, so I want you to red team this
thing with me.
Speaker 1 (08:19):
If you were trying to hack into one of my things,
and you tried to get in and it asked for a
passkey, what are the possible ways you, as a
bad guy, might be able to get through that?
Speaker 3 (08:35):
I would have to physically come to your house and
steal your device.
Speaker 2 (08:38):
Really, even with a PIN one, even if it
Speaker 3 (08:41):
was for me to?
Speaker 4 (08:43):
I'd have to come to your device and enter your PIN. I'd have to
be in possession of your device to do this. Right,
there's physically no way, so it
stops all these remote attacks. That's the beauty of this, right.
It is like, so, you know, scalable attacks, remote scalable attacks,
that's a scourge of the Internet. That's what's breaking our economy. Okay,
we're stopping those, full stop, with passkeys.
Speaker 1 (09:03):
Okay, I think I'm understanding you now,
so tell me if I've got this right. And this
is more of a technological question. So
the key, so let's just imagine, for example, that I
do a passkey using the PIN that
I use to get into my desktop computer. And let's
(09:27):
say it's a four-digit PIN, which would be easier
to figure out than a twelve-character password, a four-digit
PIN. But okay, what I think you're saying is
that the PIN itself is not the key, but rather
the computer is the key, or some message that
(09:49):
the computer might send is the key, and so all
the PIN is doing is releasing the key into
the lock rather than being the key itself. So knowing
my PIN does not solve my passkey. Is that right?
Speaker 3 (10:08):
Yeah. I couldn't. If I know your PIN and I'm
sitting here in LA and you're in Denver, I can't.
Speaker 4 (10:13):
I can't do anything about it unless I get to
your house, break into your house, enter the PIN on
your laptop or your PC, and go to that site. Right,
there's no way to fake it. And that's what,
technically speaking, is called the private key.
Speaker 3 (10:25):
You know, the private key.
Speaker 4 (10:25):
has to sit on your device or in a
device cloud, all right, so these things. A nice thing
about passkeys also is that if I enroll
a passkey, say, on Apple, it goes across all my
Apple devices immediately, or across all my Android devices, so,
you know, or 1Password or these password managers, you know,
wherever you have these services, your passkey can be. But
you still need to be in possession of a device,
(10:46):
and you still need to verify yourself to that device.
Speaker 2 (10:48):
Okay, we're just about out of time. Quick question here.
Speaker 1 (10:50):
Yeah, when we get to the world of quantum computing,
where there will be a computer that could brute force
figure out anybody's password in not that long a period
of time, will they be able to somehow brute force
attack a passkey?
Speaker 3 (11:07):
No, they can't break passkeys.
Speaker 4 (11:08):
No. But there's, you know, there's some post-quantum algorithms
that we're building into our protocols. So we have to
be aware of this, like working with NIST, the US
government and other kind of research agencies to make sure
that as post-quantum algorithms emerge, we can wrap those
into kind of FIDO protocols so that the passkeys are
protected with post-quantum algorithms as well.
Speaker 1 (11:27):
Wow.
Speaker 3 (11:28):
So yeah, you're right, you're right to put this on
people's radar.
Speaker 4 (11:31):
But I think, you know, for your listeners the number
one thing to do is like, hey, look where I
can use a passkey.
Speaker 3 (11:35):
Do it.
Speaker 4 (11:35):
If I'm still using a password, make sure that it's backed
up in a password manager and things like that.
Speaker 1 (11:39):
Yeah, and use different passwords for different sites, and don't
use easily guessable passwords, especially for important sites. Right,
like if you've got three different sites where you, you know,
buy candy bars, that's not the biggest deal, but don't
use the same password for two different banks, and don't
use password123 as your password for anything.
And I do love these password managers. I use one
(12:01):
called LastPass and I've loved it for a long time.
Speaker 2 (12:04):
Andrew, where can folks learn more?
Speaker 3 (12:07):
You know, I'd say go to your favorite service provider.
I mean, you mentioned like eBay.
Speaker 4 (12:10):
Major companies like Amazon, Microsoft, Google, Apple, PayPal, you know,
you name it. They all support passkeys. So check out,
you know, go to these different sites, see if they
support passkeys to sign in, and I'd start there.
Speaker 1 (12:22):
I got so many listener questions that we scrambled, because
I didn't have Andrew's phone number myself. We scrambled, and
he's back, as you heard from A-Rod's bumper music.
So Andrew, thank you for doing this on not just
short notice, but no notice.
Speaker 3 (12:37):
I appreciate it. My pleasure, absolutely.
Speaker 1 (12:40):
Okay, So we got a little over four minutes here,
and I just want to go through a bunch of
listener questions that came in while we were talking and
just sort of give me the give me the shortest.
Speaker 2 (12:52):
Responsive answers that you can.
Speaker 1 (12:54):
All right, okay, and I'm just gonna, let's see, I'm
just gonna start scrolling here, and look, I'm just going
to go from oldest to newest in terms of these.
If I'm using a passkey for my logins, does
that mean I can't log into one of my accounts
using someone else's computer?
Speaker 3 (13:14):
It does not mean that.
Speaker 4 (13:15):
So if you have a passkey for an account
and you're on someone else's computer, that's where, like, you can.
Usually there's an option to use a passkey on another device. So in that case,
it'll pop a QR code, and if you shoot that
QR code with your phone, you can sign in
with your passkey, kind of like you sign in
on a shared computer at a hotel or something
like that. You just don't, you know, install a passkey there.
(13:37):
So it actually allows you to securely sign into your
account without establishing an account on that person's device.
Speaker 1 (13:43):
Okay, so you would, but you would have to have
your device with you in order to make that work.
Speaker 4 (13:50):
Yeah, if I go to a friend's house, odds are I'm going to
have my phone with me, right. Yeah, but exactly, that
cross-device sign-in, QR code sign-in, requires
you to have a mobile device with you.
Speaker 1 (14:00):
Next listener question: why is a passkey better
than a code texted to you?
Speaker 4 (14:06):
So a passkey is better than a code texted to you.
A code texted to us is no different than a password.
It's just a shorter-lived password. Literally, OTP means one-time
passcode or password. Attackers and phishers are getting
by those things too. You know, if I'm trying
to take over your account, you enter a password, they
(14:27):
put it in the real site, the real site sends
you an OTP, you enter it into the attacker's site,
they pass it on to the real site, and boom, they're
in your account. You think you're in your account, but
they're actually in your account. So OTPs are also phishable
by attackers. Not to mention, not a great user experience.
Speaker 2 (14:43):
Let's see, does this mean you have to enable cookies?
Speaker 3 (14:48):
No, this has no bearing on cookies.
Speaker 2 (14:51):
Let's see.
Speaker 1 (14:51):
Here's a skeptical listener. Passkeys are BS. It
only shows who you are. It doesn't indicate what you know,
like a pass... I'm not entirely sure I get that,
but you probably understand what he's trying to say.
Speaker 2 (15:04):
Do you want to respond to that?
Speaker 4 (15:06):
Yeah, that's exactly the point. You know, relying on what
you know has gotten us into this mess. Right, so
it's not just you who knows this. Your secret
often is, you know, on the dark web. There's billions
of passwords and email-password combinations on the dark web
that you can buy for pennies, probably including
Speaker 3 (15:21):
that gentleman, that person's passwords, right. Indeed. And what
Speaker 4 (15:23):
you know is the problem that we have. What
you are is what we need to rely on to
make things more secure.
Speaker 2 (15:29):
Right exactly.
Speaker 1 (15:29):
And so for this listener who says that, you know,
it only shows who you are: showing who you are
is actually the important thing. Showing what you know is
a much less important thing, because these days anybody can
Speaker 2 (15:40):
know what you know. Next listener question: does
Speaker 1 (15:44):
this have any intersection at all with VPNs as
a security measure?
Speaker 3 (15:52):
No, it does not, like totally adjacent technology.
Speaker 1 (15:55):
What if somebody has cloned your phone.
Speaker 3 (16:01):
I'm not sure how someone can clone a phone.
Speaker 1 (16:05):
Well, it's in all the James Bond or all the
spy movies. They walk by or they go into
your office and they grab your phone and they put
a little thing in it, and they clone your phone,
and they have your phone, and it's in like all
the spy stuff these days.
Speaker 4 (16:18):
Yeah. So if that's possible, that again
means someone actually has to physically be in possession of
your device.
Speaker 3 (16:23):
So we're really trying to stop the remote attacks.
Speaker 4 (16:25):
If someone, you know, steals your device and has access
to your passcode, and
if you're using a PIN, that is a scenario
where someone can get into your passkeys: stealing your device, yeah,
and entering your device unlock, that would be possible,
which is why it's important to have a complex screen
unlock and ideally use a biometric on your phone.
Speaker 2 (16:47):
Okay, so let's just stick with this for a second.
Speaker 1 (16:49):
We're running out of time here, but we'll move
away from cloning your phone and stick with stealing your phone.
So what if, Andrew, what if you use your face
to unlock your phone, and your face is out there on
the internet, like on the about us page of the
organization you're involved with, and then I steal your phone
and I print your picture and I use my printed
(17:13):
picture to unlock your phone.
Speaker 2 (17:15):
Now have I gotten past any benefit of a
passkey?
Speaker 1 (17:19):
That's the first question, and the second question is what
can you do to disable that passkey and start
over with passkeys when you find out that someone
has stolen your phone?
Speaker 3 (17:32):
Yeah, so two things and two great questions.
Speaker 4 (17:34):
First of all, like, most biometric sensors need liveness detection, right.
So just having a picture of my face, like
my iPhone, for example, requires certain lighting characteristics, certain
things about me showing them a live person that a
picture simply
Speaker 3 (17:48):
doesn't pass a test on.
Speaker 4 (17:49):
Okay, we have a certified biometric program that requires, you know,
a high level of performance, and that would not
meet that performance.
Speaker 3 (17:56):
You can always revoke your
Speaker 4 (17:58):
passkeys. You can go back to a site, depending
on, you know, you can manage your passkeys,
revoke your passkeys, reset your passkeys if
you need to in that eventuality.
Speaker 3 (18:09):
When you recover your account.
Speaker 4 (18:10):
All right. So if someone, you know, does steal your phone,
or you're worried about your passkeys,
you can always manage them and revoke them or reset
them on other devices.
Speaker 1 (18:18):
Okay, this is a very narrow question. We're just about
out of time, but let's just go one or two
more real quick. Can I use a passkey on
a secure municipal company laptop? So I guess like a
business, you know, you've got some business laptop and it's
got a lot of security, can you use a passkey there?
Speaker 4 (18:33):
That's a great question. It really depends on the company,
on the company settings. Oftentimes, if they shut down things
like Windows Hello, you would need to do that kind
of cross-device sign-in that we're talking about, you
know, where it may pop up a QR code and
you can use your phone to sign into it.
Speaker 2 (18:47):
Last question, I think that i'll have time for.
Speaker 1 (18:50):
Do you have an opinion what you should do when
apps ask about remember this device?
Speaker 3 (18:58):
Yes, yeah, generally you should. If it's your device,
you should do that. Say,
Speaker 4 (19:02):
what they're doing is making sure it's a trusted device.
If I'm on your device, no, right. If
it's your own personal device, it's a good thing to
do because it's doing what's called a binding,
and they know it's a trusted device, so when you come
back to it next time, there's a higher confidence that
that's actually you.
Speaker 1 (19:16):
Is that a form of passkey or is that
something different?
Speaker 3 (19:20):
These are different.
Speaker 4 (19:22):
It's adjacent again, but it's something that a lot of times,
like a bank or your service provider wants to know,
like have confidence in that device, all right, that this
is actually Andrew on his device. By saying it's trusted,
that's me taking a step to build confidence in the
signals they're getting.
Speaker 2 (19:37):
All right. That's all we got time for.
Speaker 1 (19:39):
Andrew Shikiar is executive director and CEO of the
FIDO Alliance, that stands for Fast Identity Online,
fidoalliance.org. Thanks for doing this on no
notice at all, Andrew, that was great. I appreciate it,
and my great questions.
Speaker 3 (19:52):
Thank you all. All right.
Speaker 2 (19:53):
My listeners appreciated it too.