Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:08):
Welcome to the Angular Plus Show, where app developers of
all kinds share their insights and experiences. Let's get started.
Speaker 2 (00:21):
Hello and welcome back to another episode of the Angular
Plus Show. I am Laura Newsome. I'm one of your
hosts today. With me today I have Jay Bell. How's
it going, Jay?
Speaker 3 (00:34):
Amp to be here.
Speaker 4 (00:34):
I'm like a little sick for the last couple of
days, sound a little bit different. I'm signing on a
lozenge, good old Fisherman's Friend, so that keeps the costs.
Speaker 2 (00:44):
Your voice just got deeper, so just it's more like
lumber like you're like leaning into that, like.
Speaker 4 (00:50):
The like Northern Canada, except I'm not Northern Canada and
just northern North America.
Speaker 2 (00:55):
But you could go to Northern Canada right in, and
so that's what matters. I also have Brian with me today. Brian,
how's it going.
Speaker 3 (01:05):
I'm doing well. I'm excited to be here.
Speaker 2 (01:07):
Yes, as am I because today we have a wonderful guest.
Our guest today is Kim Maida. Kim, how are you today?
Speaker 5 (01:14):
I am doing well, so thanks for having me.
Speaker 2 (01:17):
Nice, nice. Now, Kim, you've been in the Angular
community longer than me, so hopefully people have met you,
but for the listeners who have not met you before,
would you like to introduce yourself?
Speaker 5 (01:29):
Sure. So, my name is Kim Maida.
Speaker 6 (01:31):
I am the senior director of Developer Relations at FusionAuth. Currently,
a lot of my time in DevRel and also the
time while I've been in the Angular community has been
authentication and identity and access management related stuff. So that's
probably if anybody has seen me anywhere, I was probably
(01:52):
talking about that. And yeah, it's been it's been a
hot minute since I did like production level Angular development,
but I'm still very much involved in sort of the
front end scene, in authentication and authentication standards and all
of that type of stuff.
Speaker 2 (02:10):
I always appreciate that there are people who kind of
like spend their lives in that realm so that I
can then go learn the new production Angular stuff
and trust the work is being done on the authentication
authorization front for me, so so I don't want to
have to figure no. I mean, like, I think the
(02:32):
lesson I learned very well was never roll your own
and just use a service. So so, Kim, uh, before
you were at FusionAuth, you spent, like you said,
lots of time in the auth world. So tell us
a little bit about FusionAuth.
Speaker 6 (02:50):
So, FusionAuth is an identity provider that we differentiate
ourselves from a lot of the other things, like I
have worked for Okta, I have worked for Auth0.
One of the first questions that I asked when I
joined FusionAuth was, how is FusionAuth different from
like there's ever since Auth0 got acquired for six
billion dollars, there's been a lot of auth startups I
(03:13):
think hoping for for that, you know, that kind of payout.
But given that there's so many of them now, you know,
one of the first questions I asked is, like, how
is FusionAuth different? Like why why would I want
to represent this versus Clerk or Stytch or you know,
any front end like any of the other ones out there.
And essentially the difference is that we are downloadable. So
(03:35):
it's basically like on prem by default. If you want
to get on.
Speaker 3 (03:40):
Right a big library, isn't it, Yes, yes, yes, yeah.
Speaker 6 (03:45):
But if you want on prem with like the other
ones are SaaS. So if you want on prem with SaaS,
you gotta have a sales call, like God knows how
much money it's going to cost, but for FusionAuth
it is free to download and host yourself. And we
also have like a cloud a cloud service, but it's
also not quite the same as the SaaS services because
(04:07):
it is dedicated infrastructure, so you have your own like
single tenant instance, you're not sharing resources with all of
the other people who are using the cloud providing service.
So we differentiate ourselves fairly substantially in those respects.
And we're also very like developer centric, so the whole
(04:31):
thing is pretty API driven. It can be one of
those things is a little bit daunting for people who
do expect to just sort of sign up for a
thing and then stick it in SDK and magic. It works
because it's more it gives more power and freedom to developers.
Like the entire API. You can anything you can do
(04:54):
in the admin you can do with the API. But
it means that the kind of technical work one rons
for implementing are a little bit higher than some of
the other providers. But if you, for example, like you mentioned,
don't roll your own. If you are coming from rolling
your own then you really liked that amount of control,
then something like FusionAuth will take care of like
(05:15):
the hard parts, but still give you a really high
level of control, and so I really I really liked
those things as being different from from some of the
other places that I've worked and other stuff that I've tried. Yeah.
Speaker 3 (05:28):
The other thing that's interesting is it's been around a while.
I remember meeting Brian, uh, Pontarelli. Is that the guy? Yeah, yeah,
I remember meeting Brian, he's from Denver and back in
the day I lived in Denver and we'd roll in
kind of some of the same tech circles and stuff,
and so I got to meet him, and I think
even maybe even helped with an Angular thing if like
(05:50):
I don't know what version of Angular it was, I
don't even know. But they've also they're like a very
stable I think if FusionAuth is kind of a
very stable, profitable business compared to maybe not that again
pros and cons, but maybe compared to like more of
a startup SaaS offering like you're talking about. I think
that's also in my mind anyways, a comparison. I don't
(06:13):
know if that's is that true or yeah, I guess,
I don't know. I just it is so like, yeah, yeah,
and it's more enterprise y in that way, right, I mean,
it's a it's a jar, and you can bring it
in and you can deploy it and containerize it in
all your own stuff, and you can run with it,
and you don't like you're not like dealing with customer
support and SaaS and and plan levels. I mean maybe
(06:36):
you still have planned levels or whatever. But like it
seemed like it was really targeted towards enterprise, which I
think actually lines up really well with a lot of
the folks probably listening to the podcast. So I think
just another shout out. I guess it's the other in
my mind, I kind of differentiator of FusionAuth from
some of the other folks out there.
Speaker 5 (06:53):
Yeah.
Speaker 6 (06:54):
Yeah, for sure. It's a it's a stable company. We
have been around for quite a while. The co founders
have actually kind of cut their teeth in, you know,
production offerings, using with a product called CleanSpeak, which
was for it was for the gaming community, so you know,
to to kind of monitor chats and stuff and make.
Speaker 3 (07:15):
Sure that's right, to look for naughty words.
Speaker 7 (07:18):
Yes, and Jay Jay, I'm so sorry I looked down
when he's down.
Speaker 6 (07:29):
He's sick, sick, I was it was either I couldn't
pick up Kim of course, I'm sorry.
Speaker 2 (07:37):
Dude's I don't have a horrible potty mouth when I'm
not on the podcast.
Speaker 4 (07:43):
Our cooky from a company just like this that got
acquired by Microsoft.
Speaker 3 (07:46):
So don't worry.
Speaker 4 (07:47):
We're I'm already being moderated at work by our CLO.
Speaker 3 (07:50):
So it's okay. Cool, Yeah, cool, cool, that's great. Sorry,
I literally to go to the bus. You can always
throw it to the bus. It's okay.
Speaker 6 (08:00):
One of the fun things to me that I was
surprised by and interested in was one of the side
effects of them having come from the gaming community originally
with CleanSpeak, was that FusionAuth has more presence
in the gaming community pretty much any other place that
I've worked at with auth stuff. And I think the
(08:21):
on prem stuff really, like the downloadable really kind of
plays really well into that. And so you know, we
get to go to like GDC and Gamescom and
things like that, and that sounds terrible.
Speaker 2 (08:33):
Yeah, so boring to be here.
Speaker 3 (08:38):
This is a total side question. How's the game industry doing?
Like what is it looking like over there? For like,
I mean we're all on in the web space. What's
it looking like in the game community for like job
and AI and like I mean obviously like huge changes
I would think as well, Right.
Speaker 6 (08:52):
I don't, I don't actually know because since my specialty
is more on the website like.
Speaker 5 (08:59):
In the game.
Speaker 6 (09:00):
Yeah, but yeah, I imagine. I imagine it's you know,
pretty shaken up by that. But from the events that
I have gone to there actually presently hasn't been like
a whole lot of things that I saw around AI.
But that might have just been like I went to,
you know, specific things that didn't talk about that because
(09:20):
I had the opportunity to go and good really that
I play so be.
Speaker 3 (09:26):
Really interesting, like I have. I am not in the
gaming development space, but I gotta imagine generative VII or
generative AI is going to play a big role in that,
just in terms of like games being drastically like dynamic, right,
I think about like old school I don't know, like
you know, you're programming like NPC characters, you've got like
(09:47):
the end of the map type of stuff. I mean,
like Trail that was terrible, talk about you never know
when you're gonn lost in like some like Utah Realm
for like, and it just keeps generating endlessly.
Speaker 4 (10:05):
And you're like I like loosens a whole new disease
and you're like, I've never heard of that.
Speaker 3 (10:11):
What I'm talking about jet. Yeah, anyways, let's get back
on topic. Very interesting. That's really cool, Kim. I'm really
eager to hear more about kind of fusion and kind
of what are some of the changes that you've seen
in auth in the last couple of years. I feel
like on this podcast we usually like we dip our
toes back into like the auth pool every year or two.
(10:33):
So I think maybe for the listener it would be
good to just kind of get like.
Speaker 2 (10:36):
A little bit important.
Speaker 8 (10:38):
It's super important, but we think we a lot of
us differ, right, and so but it's good to like understand,
but yeah, give us like maybe a high level update,
like from your side of things in the last year,
kind of what are some of the things that are
changing in auth.
Speaker 5 (10:52):
Yeah.
Speaker 6 (10:52):
So it's I think a lot of it basically is
just kind of security related. And then I'm like, we
have the whole track of AI authorizing agents and that
type of thing. But even if you put that aside,
OAuth 2 was written like over a decade ago, and
so if you think about that, and then you think
(11:13):
about how much progress technology makes just month by month.
You realize pretty quickly that something that's over ten years
old is probably you know, not exactly going to work
in every scenario that has come up now. So, you know,
the standards bodies that have been continually putting out new
(11:34):
best practices and they've been adding RFCs, and it it is,
you know, we're working our way towards OAuth 2.1,
which is essentially OAuth plus all of the new
best practices and RFCs that have been added after. But it
becomes you know, a challenge for users because even if
somebody's like, oh, yeah, like I do know how OAuth
(11:54):
2 works, if you didn't also know about XYZ
RFCs that have come out since then and XYZ
best current practices and all of that type of thing,
then it's very easy to still be a little bit behind.
And there's there's just been kind of more of a
an emphasis on just the keeping everything protected side, like
(12:22):
tokens and artifacts and stuff like that that you know
just wasn't in the original spec. Also because you know,
as time goes by, attacks get more sophisticated, like attackers
learned to you know, they look for implementation weaknesses. There's
always things that people do that aren't you know, maybe
(12:43):
the most current or the most secure, and attackers have
gotten very good at finding those things and taking advantage
of them.
Speaker 5 (12:52):
I mean we saw it is an arms race.
Speaker 2 (12:54):
Right, Yeah, we saw the Nx breach, and that was like,
that was just you know, like, I guess there was something.
There was something in their code that allowed somebody to
run a Bash script which would then install on your machine,
which would then search your machine for credentials.
Speaker 5 (13:13):
And oh I didn't I didn't even I didn't know
about this.
Speaker 3 (13:19):
Supply supply.
Speaker 4 (13:21):
Yeah, there's been two since then, chalk and debug also
got compromised.
Speaker 3 (13:26):
Like two days, I didn't know about chalk.
Speaker 2 (13:28):
Yeah, I mean you're correct, you are correct. Yeah, we
just posted somebody posts about it at work. Yeah yeah,
like the last week. Yeah, Like the exploits are just
you know, it's it is. It's like, I mean, there's
a reason why we hire people that are good at
breaking into systems to be like, you know, the good
(13:49):
guys trying to break into your system. Yeah. Like but yeah,
the I mean, because it is hard to stay on
top of all of that and and so having like yeah,
it's a scary space, honestly to be in.
Speaker 6 (14:05):
And that I think that's actually one of the things
I really like about it. Like I've done DevRel for
things that weren't auth, and I keep coming.
Speaker 5 (14:13):
Back to it. I think because I like the stakes.
Speaker 6 (14:18):
The fact that it's critical infrastructure really dials me into
needing to be correct, needing to be able to explain
things really well in a way that people can take
advantage of it and understand without getting kind of overwhelmed
with all of kind of the low level details.
Speaker 2 (14:36):
Yeah, there's so many. I'm like, it's when somebody starts
talking about tenants and then multi tenancy and blah blah blah.
You're just like, wait, what, like what do I need
to But where do I need?
Speaker 6 (14:47):
That's a distinction, right, Like that's as engineers, we all
suffer from the curse of knowledge, or like we all
know a lot about something and we want to tell
everybody else about this super indepth knowledge we have of
this thing.
Speaker 5 (15:01):
But do people need to know that?
Speaker 9 (15:03):
Like?
Speaker 5 (15:03):
Probably not.
Speaker 6 (15:04):
Everybody needs to know it to the depth that you know,
you might know your particular area of expertise and so
being able to find that sweet spot where you tell
people what they need to be successful, but not so
much that they get overwhelmed and and they're.
Speaker 2 (15:21):
Just like info dump on them for hours at a party.
But like nobody likes that.
Speaker 4 (15:26):
Not everyone needs to be a subject matter expert.
Speaker 3 (15:28):
Yes, yes, that's.
Speaker 4 (15:29):
Just not how the work world. Like the majority of
people do not need to be subject matter experts, subject
matter experts in all the tools that they use.
Speaker 2 (15:39):
Yeah so yeah, okay on that topic, what so for
an individual contributor, what do you think are the most
important concepts of auth that they need to understand?
Speaker 6 (15:51):
I think just knowing kind of the basics of like
what is authentication even referring to and then what is
authorization and what is the difference between the two, Where
like authentication is login, it's about proving that you are
who you say you are, and authorization is about granting
or denying access to resources. And I hear people get
(16:11):
two mixed up pretty often, but at a like a
very base level understanding that you know, the login part
is the auth part and then accessing APIs and you
know this person should be able to access these resources,
this person shouldn't. That's authorization you are versus what you
can do, yes, exactly exactly. And then I think being
(16:34):
able to sort of recognize strengths and weaknesses in the
providers like this is something that's a little it's maybe
a little bit more in depth, so like you would
really only kind of need to know more about that
if you are the one who's in charge of like
choosing the provider and implementing that type of thing. But
(16:54):
I think as we've evolved and more and more providers
have appeared on the market, there are some that are
standards based, and there are some that do a bunch
of proprietary stuff, and there are some that are like
mostly standards based, but they had they you know, their
schema isn't like the OAuth 2 schema for JSON Web Tokens,
so if you migrate away or to one of those,
(17:16):
you're going to have to like change all of the
data in the way that it's structured. And I think
knowing those things is something that's just useful for people
to understand, so that they understand the implications of like
taking your homegrown system and putting it in something else,
or you know, going from one system to a different
(17:38):
system and that type of thing, And I do think,
you know, it's useful to know the very very basics
of a.
Speaker 5 (17:45):
Like what is the JSON Web Token? What is it?
Speaker 6 (17:47):
What can you do with it? Like what how should
you protect it? That type of thing, because a lot
of the providers leave some of that up to the implementer.
And when when those things are in your hands, those
are the things that you do need to care about, Like,
you don't need to know how you know a JSON
Web Token is signed. You don't need to know what
the authorization server does in order to like issue it.
(18:10):
Like you can get away with not being cognizant of
that and just trusting the provider to take care of it.
That is totally fine, And I actually recommend that most
people don't like either trying.
Speaker 5 (18:20):
To learn all of this.
Speaker 2 (18:21):
I think, aren't there ways that you can make your
your JSON, your JWT, like not protected. I went to
some talk given by a person from Auth0 that
was basically like, if you like, if you do like,
there was a way to make it so that you're
you could actually get two parts of the JWT without
(18:42):
or replace parts of the JWT. But anyways, this is
a whole different story.
Speaker 6 (18:45):
But well, anything that is basically this is relevant to
front end apps and a public clients is what they're called.
So anything that basically can run on the user's device
or in the user's browser and isn't like centralized on
a server somewhere. So mobile apps, desktop apps, front end
apps are you know, an instance is running in your
(19:05):
browser anytime you have something that is public like that,
whatever you put in that is accessible in some way.
And for like JavaScript stuff, it's all cross-site scripting, right,
Like you can access local storage that way, you can
access anything in that that way.
Speaker 5 (19:22):
So it's more about.
Speaker 6 (19:23):
Reducing the surface area for attacks in that case, because
there's not actually like necessarily ways that you can be
one hundred percent sure that this thing can't be accessed
by anything else if it's in a public place. Yeah,
So reducing the surface area, I think is one of
the things too that has become very pertinent as time
(19:44):
has gone by. I remember when I first started talking
about auth like when I first got a job in it,
and I think the big thing then that we were
telling people was like, don't put your JWTs in local storage.
And you know, obviously that's still true, but now
it's you know, it's store them in memory.
Speaker 5 (20:03):
How do you refresh them? How often do you do that?
Speaker 6 (20:06):
Are there additional things that can help you ensure that
tokens are coming from the right place, you know, like
like demonstrating proof of possession and things like that. So
like there's been a lot of advancements there, but in
a public app, there's just it's the things you put
in there. I think being aware of how vulnerable they
(20:26):
are is something that implementors need to be conscious of
because once it's in your public app, the provider, you know,
has limited ability to protect it on your behalf. But
that you know, we're creating more and more things that
will help with that so that even if it gets stolen,
the attacker still can't use it meaningfully. And that's kind
(20:48):
of how the providers are are tackling that particular scenario
because there's not really a way to put them in
public apps and have them be like completely unreadable or unobtainable.
So it's more like how do you stop people from
doing anything with them once they have them?
Speaker 4 (21:04):
Right?
Speaker 2 (21:04):
Right? Yeah, it's I remember working for jobs where I
was literally told to just send the authorization from the
front end to the back end, and the back end
was just gonna trust what the browser sent. And I
was like, yeah, no, we're not going to do that.
Speaker 5 (21:20):
That's very it was.
Speaker 2 (21:22):
It was scary because they're like, well, not, no one's
going to know what to do with that. I'm like, yeah,
I'm not really worried about our employees. I'm worried about
like somebody's nephew getting on. Like it's usually not your
employees that well maybe they are, but yeah, they already
have access.
Speaker 6 (21:39):
It is funny though, like one of the things that
kind of thinking about gaming has introduced into just my
way of thinking about this too, was that there are
scenarios where you don't want to add a bunch of
security that's going to hinder people's ability to like interact
with your product really rapidly.
Speaker 5 (21:58):
Yeah, but you do that under specific circumstances.
Speaker 6 (22:00):
Right, Like in a game, you know, hopefully it's not
storing like a ton of super personal information or confidential information,
and if it's not, then yeah, maybe you don't need
multi-factor auth because that is probably maybe gonna lose
you a little bit of business because people are like, well,
this is a pain in the ass, so like log
into and I don't want to bother. So there are
(22:23):
scenarios where it is okay to you know, be a
little bit less secure, but it's basically the rule is
basically like if you don't want things stolen, like this
is this is what you do.
Speaker 5 (22:35):
But if you're.
Speaker 6 (22:36):
Using things where auth is only used for convenience but
not security, then yeah, like you don't care if things
get stolen, so you you could potentially not do some
of some of the things that you know, we tell
people to do if they have business critical applications. I
think like an example would be and if there's a
(22:58):
lot of sites and apps and stuff where you can
do things anonymously, or you can have an account and
it'll just like save the things you did or something
sure like URL shorteners and that type of thing, like
all that stuff is going to be public anyway, and uh,
you could shorten your URLs without an account, or you
could shorten them and have an account and have a
list of the ones that you've made.
Speaker 5 (23:19):
Yeah, so things like that.
Speaker 6 (23:21):
It's you know, it's not super significant if stuff gets stolen,
So maybe you want to choose convenience over you know, security,
that will be potentially a detriment to a user experience,
and I think that's very true with some of the
gaming stuff, because gamers.
Speaker 5 (23:37):
Want to they want to play the game. They don't
want to be like stuck in an auth cycle, right.
Speaker 2 (23:42):
Right, right. Well, and then there's Angular already has a
lot of like built in security stuff as far as
like it's not going to let you you'd have to
intentionally allow it to do things like put unsafe HTML
on your page and stuff like that. So there's decisions,
and I think every language is kind of that way,
(24:04):
or most frameworks I know in dot net, like you
could intentionally make it put malicious code or allow it
to do that. And so I think it's just always
understanding that if you find yourself doing something where you're
disabling some security feature built into a framework, that you
really need to understand what you're opening up. Because even
if you don't have like a critical app, you don't
(24:24):
want it to be able to run malicious code on
people's machines.
Speaker 6 (24:28):
So yeah, and that's just a fact.
Speaker 9 (24:32):
Good morning, You know that moment when your coffee hasn't
kicked in yet, but your slack is already blowing up
with hey did you hear about that new framework that
just dropped.
Speaker 3 (24:41):
Yeah, me too.
Speaker 9 (24:43):
That's why I created the Weekly Dev's Brew, the newsletter
that catches you up on all the web dev chaos
while you're still on your first cup. Oh look, another
Angular feature was just released, and what's this, TypeScript's doing
something again? I look also through the pull requests and
changelog drama so you don't have to. Five minutes with
(25:06):
my newsletter on Wednesday morning, and you'll be the most
informed person in your standup. That's better, the Weekly Dev's Brew,
because your brain deserves a gentle onboarding to the week's
tech madness. Sign up at Weekly Brew dot dev and
get your dose of dev news with your morning caffeine.
No hype, no clickbait, just the updates that actually matter.
(25:28):
Your Wednesday morning self will thank you.
Speaker 5 (25:31):
Yeah.
Speaker 6 (25:31):
I like the idea of like secure by default, but
with places where you could make a deliberate choice to.
Speaker 2 (25:39):
Not do something.
Speaker 6 (25:40):
But the default isn't to be insecure, and then you
have to add things to like that's that's eating, yes,
and that's changed right, Like we used to have to
do all of this work and frameworks and you know,
any tool we used to add security, and now it
is coming more around being the frameworks and the providers
(26:03):
and all of these things give you security out of
the door, and then if you don't want that, you
have to make a conscious decision.
Speaker 2 (26:10):
So yeah, yeah, absolutely, Okay, So one question I had
from earlier is what are so we talked about how
FusionAuth runs on prem by default, and a lot of
of the other providers are SaaS. What do you see
as the benefit of running on prem.
Speaker 6 (26:27):
So it's especially good in if you need high levels
of security. So we also do air gapping so you
can have a completely isolated network. It's really good for
you know, government, banking, insurance, anything that has a lot
of you know, personal information. It also can be really
good in Europe for like GDPR and additional comply places
(26:50):
situations where you have additional compliance regulations. And you know
a lot of companies are like, we want to own everything.
We want it all on our own infrastructure, even if
we don't need to be extra extra secure for some reason.
Just having the ability to run on prem because they
want to use their own infrastructure is actually like m
already straight out of the gate, but.
Speaker 2 (27:11):
They I already own the infrastructure, and so it doesn't
make sense to then also pay for cloud service if
like we have a server we can run this on, Like,
why would you spend money?
Speaker 6 (27:21):
Well, I think like the the other thing about SaaS
is most most of the SaaS providers are multi-tenant,
so you're sharing infrastructure with everybody else, and if somebody
else suffers a security breach, that can affect you. And
if you're in your own isolated instance, whatever happens to
other people, it's not going to impact you.
Speaker 2 (27:41):
Yeah, And the cloud providers like they pretty much tell
you that. Like one of the things when you do,
like if you go through AWS certification, one of
the things they tell you is that, like we provide
you the infrastructure, but you have to actually protect your
part of the infrastructure.
Speaker 6 (27:56):
Yeah, like you have to take extra steps because they're
they're because it's shared infrastructure, they're just not able to
do that for you.
Speaker 2 (28:03):
Yeah, which makes sense. Yeah, Yeah, I know that. We
we have government contracts and they almost always require air
gaps deployments.
Speaker 4 (28:17):
Yes, that's why, like GovCloud exists, or GovCloud,
and I'm sure GCP and Azure both have their
own GovCloud equivalents.
Speaker 2 (28:24):
But m hm, So okay, so we've talked a little
bit about AI. What are I feel like it's this
whole new level of threat as well for like auth providers,
what are some of the like do you feel like
it's a has been a huge impact to the auth
(28:45):
provider industry, like dealing with AI. Do you feel like
like the threats are coming faster? Maybe that's a weird question.
Speaker 6 (28:52):
Yeah, but no, it's a good question, but the answer
is nuanced. I think is is what's happening. I think
they're they're if you go online and like search for
you know, things that have happened recently that have to
do with AI security. Like an example, Asana fairly recently
(29:12):
they something about their AI wasn't authorized properly and so
customers had access to other customers data and people put
a lot of proprietary stuff in Asana, it's a project
management tool, so that that is a huge problem, right,
Like you've just exposed tons of private things to other
(29:34):
people on who are running on the same platform because
you were maybe getting ahead of yourself with the rollout
of your AI and you didn't stop and think like, oh,
this needs very careful authorization for very specific things and
you know as as just one example, there's a bunch
of other examples now too, and it's kind of like
(29:56):
the adoption rate.
Speaker 5 (29:58):
I guess if you look at.
Speaker 6 (29:59):
The news or if you're LinkedIn or something like, you're like,
oh my god, everybody in the world is launching AI
agents now and we all have to make sure we,
you know, have this in our product. That's actually not true.
Like if we look at like our customers and I
went to, you know, our SE team, and I said,
I would love to know, like what our customers are
(30:20):
asking for around AI, like are they trying to secure agents?
Speaker 5 (30:24):
Like what are they doing? And they were like, well,
for the.
Speaker 6 (30:26):
Most part, people haven't, Like our customers haven't asked for
that because it's not as much of like a huge
thing that literally everybody in the world is trying to do.
Like you would think that that would be the case
from just looking at like the wave and the hype,
and it's not actually the case. So there's the companies
(30:48):
that are big and are trying to do it, like
they need to be a little more careful like and
this is kind of gets back to what I was
talking about before we started, which is like the all
of the standards and things around securing AI are in development,
so it might benefit you to wait a little bit
(31:11):
until the standards are out there and you know, they're
ratified and we feel good about certain things before you
just start trying to get ahead of everybody else and
roll out something and then yeah, all your customers private
data to other customers.
Speaker 2 (31:27):
I feel like we've seen a lot of like big
announcements like here's this cool thing we're going to do,
and then like you know, it's like years later, you know,
not years later, but months later, and like nothing has happened,
and I know behind the scenes, a lot of it
is probably like, oh wait, we got to make sure
that we can secure this data. We've been very, very
careful at Cisco because obviously, you know, the network that
(31:49):
people are running on is vulnerable, and so anytime we've
released any AI tool like it, it has to go
a little bit slow because we have to make sure
that what we're releasing doesn't expose anything that can give
somebody a door to get into your network.
Speaker 4 (32:06):
Yeah, prototyping things is wildly fast right now. Prototyping AI
applications is insanely fast. That's not where all the work is.
Speaker 6 (32:15):
No, yeah, and I you know, I'm sure that most
people in general hopefully would agree that rather be a
little bit later to the game than be the headline
on my computer.
Speaker 5 (32:29):
Has been exposed.
Speaker 2 (32:32):
Yeah. Yeah, it's especially if you're a smaller company. I mean,
like I worked for this very small company and it
was like, we are one data breach away from being
out of business, whereas a larger company is like, whoop,
see we had a data breach. Here's a free subscription
to your credit watch thing and bye bye, you know
where it's like smaller companies, it's like data breach. Sorry,
(32:53):
I'm not your customer anymore, you know, Right, So, yeah,
it makes a lot of sense to be very careful
because there are just there's ways to exploit AI to
get it to do things that you know, it like
a like a normal person wouldn't do.
Speaker 6 (33:10):
But also it's about access, right, because we have all
of these tools and we want like agents to be
able to do things like organize your email or you know,
look at your project management and give you like a
list of your tasks for today, and if you don't
authorize that properly, and the agent has access to everybody's email,
(33:31):
you know, what happens or if the agent is able
to kind of leak somebody else's stuff into yours, and
you know that that's what was happening at Asana, then
you have to make sure that you're still doing everything
to make sure that whatever the agent is doing on
your individual behalf it only has access for you to
(33:52):
see your own stuff and not giving you access to
other people's stuff.
Speaker 2 (33:58):
All right, So you will be at ng-conf. I
will believe this episode is going to air like right
before that. So what will you be talking about at
ng-conf?
Speaker 6 (34:10):
I am going to talk about architecture, but architecture in
relation to auth, So like I'm going to talk about
back end for front end and why you know it's
the most secure option for architecting, especially when you're thinking
about what to do about auth and authorization. And then
(34:31):
I'll be talking about two other architectures. These are basically
all from a draft that came from the standards
body around. You know, how should apps be architectured for
varying levels of security for browser based applications specifically, So
(34:52):
a lot of you know, the architecture stuff is actually
going to be talking about the back end because the.
Speaker 5 (34:57):
Most secure way to do auth.
Speaker 6 (34:59):
Is to put it in the back end, and that's just
a fact. But there's a few different ways to do it,
and they all have trade offs, yeah, and different levels
of complexity. But so I'm basically going to go through
the different architectures tell people, you know, here's the trade offs,
here's the here's the benefits that you get. Here's the
(35:21):
steps that you would do to implement this. You know,
choose what's appropriate for your situation, and here's the specific
situations where you might want one or the other.
Speaker 2 (35:32):
Yeah.
Speaker 5 (35:32):
Yeah, that's that's going to be most metal.
Speaker 2 (35:35):
I'm excited to hear that talk. I know that you
know right now, I'm on a really big team. There's
a bunch of people that work on the architecture, so
I weigh in some. But it's not like it's not
like I'm working at a really small company. But I
mean I have worked at small companies where it's like, Okay, Laura,
you're one of two developers and y'all need to architect
(35:55):
a secure system for us, and it's overwhelming to sort
of understand the and way through those.
Speaker 6 (36:01):
So and I think like even if you aren't in
a situation where you are in charge.
Speaker 5 (36:06):
Of, like the architecture.
Speaker 6 (36:08):
The talk should still be useful to people, especially for
people who are using providers, because the different providers actually
use these different architectures too, so knowing how they work
will help you to look at a provider and say, oh,
they're using token-mediating back end, or you know, or
they're using browser-based auth, you know, in the client,
(36:30):
and then you can assess, like, when you're looking at
the providers, should I just use their SDK, their front
end SDK, is it secure enough for my needs? Or
do I need to like maybe use their client libraries
and their API and make something that is a little
bit more secure than the SDK is offering. Or if
I choose this SDK, I should do these things on
(36:51):
top of it. So I'm hoping that even for people
who aren't building architecture themselves, once they see the talk,
they'll be able to look at the stuff that they've
got and recognize the patterns that are being applied, and
then they can be informed about, you know, kind of
what the implications in it.
Speaker 2 (37:10):
Yeah, and also like just being able to speak intelligently
when like I have an error and it feels like
it's in this layer like being able to understand the
architecture of the stack that you're working in well enough
to when you have a problem, kind of understand how
to troubleshoot it. I think that is a skill, especially
(37:31):
on a large team where maybe you feel disconnected from
that process. But it's nice to be able to ask
questions that are relevant, you know, like give the details
that you need to be able to solve your problems
and stuff. So I think it sounds like a really
I'm excited for your talk. I'm really excited to see
that for the listeners. If you haven't got your tickets yet,
(37:52):
you should do that because they're still on sale. And
then also the conference is great at posting talks on
YouTube afterwards, so definitely check out Kim's talk.
Speaker 5 (38:03):
I'll be speaking at JSConf also. Oh yeah.
Speaker 2 (38:05):
Same Actually, so what's your JSConf talk? Is it
the same one?
Speaker 5 (38:11):
It's basically the same thing.
Speaker 2 (38:13):
Nice. Nice. So if you go, if you get tickets
to both, you can go both days.
Speaker 6 (38:18):
Well, probably don't want to because you'll just kind of
get the same thing.
Speaker 5 (38:22):
Well, maybe you know what, repetation minutes longer, so it
will be a little bit more thorough.
Speaker 2 (38:28):
Wait, how much longer is the JSConf.
Speaker 5 (38:30):
They're thirty minutes versus twenty minutes.
Speaker 2 (38:32):
Okay, yeah, so I think I need to cut down
one of my talks.
Speaker 6 (38:35):
Cutting down is so hard, though, like it's harder to
make it talk longer.
Speaker 5 (38:39):
It is so hard to cut it down.
Speaker 6 (38:41):
Yeah.
Speaker 2 (38:42):
Yeah, they just realized it's a lot to cut it.
Speaker 10 (38:45):
Yeah.
Speaker 2 (38:46):
Yeah. Oh so the talk I'm giving at JSConf
is an hour long and I.
Speaker 6 (38:50):
Oh, okay, and then wait and then you need to
get it down to in half.
Speaker 5 (38:56):
Yeah, that's it'll be fine.
Speaker 2 (38:58):
It'll be really fine talk suspass I can do that.
Speaker 4 (39:02):
Actually, people would be like, I don't know what I
was learned.
Speaker 5 (39:08):
Well, then you watch the talk on YouTube and you
play it back down instead of like two 's like
most people.
Speaker 2 (39:14):
Exactly, it's like very little value to be in the
audience extra value, don't.
Speaker 11 (39:22):
Great great conference value properly there, Kim, I have a question, Well,
I have.
Speaker 3 (39:33):
A couple of questions. But we've already talked a little
bit about the AI stuff. But I'm curious just in
terms of like one of the things that's obviously changed
in the last couple of years is passkeys and
I was just wondering if you could speak a little
bit to passkeys and what that means for kind
of front end engineers and where some of the advantages
or disadvantages and the implementation kind of around that. Yeah,
(39:57):
something that you could speak to or not.
Speaker 6 (39:59):
Yeah, So passkeys I think that everybody should have.
I mean, okay, like within reason, but the fact that
you don't have to remember a password is just huge
and people there's so many problems with passwords, and when
you make people create these super long, complicated passwords, they
(40:19):
create one and then they reuse it for everything, right,
and that is just not a thing that is okay
to do, especially with the rate that breaches happen these
days and things like that. And passkeys are using
like public key cryptography in
order to essentially generate a keypair so that the provider
(40:43):
of the passkey, which could be your browser, it
could be your password manager, will create, you know, the
the private key, and it'll store the private key, and
then it will supply the private key and you can
use the the public key to actually access the service
like that you're trying to get into. And in this
(41:05):
way it can do all of that in a secure
way and you can provided information like a like biometrics
or like a pin and or you know, the YubiKeys,
things like that where it's super easy for you, it's
still secure and you don't have to remember anything and
(41:26):
that that is huge like to me and and plus
all like so many computers these days have touch id
in that type of thing. Honestly, don't think like good
reasons not to do it. If you're using aswords as
like a provider, but also using a provider like an
(41:46):
auth provider. Most of them, all of them probably now
support passkeys, so it's it's simple to implement.
Speaker 5 (41:55):
You don't need to get intimidated by the cryptography parts
and all of that type of thing.
Speaker 3 (42:00):
It's handled for you pretty much handled by the client library.
So you're a developer today and you're choosing kind of
what methods to implement, Well, it's going to be like
links like one time click links or whatever that is,
like an email flow or a magic link, or maybe
(42:21):
a text message or SMS approach or a passkey approach.
What are some of the kind of pros and cons?
What do you recommend to people? Like what's the yeah
kind of what's the best approach today.
Speaker 6 (42:34):
So in general, when you're proving who you are, you
want to provide either something that you know, something that
you are, or something that you have.
Speaker 5 (42:45):
So passwords are all something that you know.
Speaker 6 (42:50):
Even if you don't know their passwords, they use a
password manager, and the using something like something that you
are is just so much safer than something that you
could know but other people could also know it, and
you know, like other people don't have your fingerprint, other
people don't have your face. That's it's just something that
(43:13):
is going to make sure that you are the only
person who can do it, and that it has become
a lot more normalized too, which I love. I hate passwords.
I want them to go away forever, and I hope everybody
else wants them to go away forever too.
Speaker 3 (43:29):
Yeah, is there any advantage still in using like magic
links or I.
Speaker 6 (43:34):
Mean, you can still be better than passwords because you Yeah.
Speaker 5 (43:39):
In that case, you're using something that you have.
Speaker 6 (43:42):
So it's you have access to like your email account
or whatnot, and that's what you or your your phone number,
and that's what you're using in order to prove who
you are. Of course, it's not as safe as using
like something you are rather than because somebody could.
Speaker 3 (44:01):
Still anybody else can get them.
Speaker 5 (44:02):
Yeah.
Speaker 3 (44:03):
Yeah, they hack your email and now they can forgot
password and there they go. Interesting. Okay, Yeah, I was
just curious, like, obviously if there's not a lot of
costs to the to the customer in terms of like implementing,
seems like choosing something like passkeys is kind of
like the top tier today. It sounds like, but.
Speaker 6 (44:23):
You want to have also for convenience, Like people love
it because do is use their fingerprint or their face
and yeah, that is way better than typing in a password.
And I still to this day find websites that have
disabled pasting into password fields. You can't have your password manager,
(44:43):
and it is the most frustrating.
Speaker 3 (44:45):
Super annoying government Yeah yeah, banking, tax things, and you're
just like.
Speaker 2 (44:52):
My mom exclamation point.
Speaker 6 (44:57):
Yeah, it's so hard to like make sure that my
super long, complicated password is in my password manager so
I don't have to remember it like it and then
it's like you have to type it.
Speaker 3 (45:09):
Yeah, it's just bad.
Speaker 4 (45:10):
They don't even let me paste my like the code
they text me into it. Disabled pasting on that field
to annoying passwords like really like I can't.
Speaker 2 (45:22):
Just like my favorite is when like my phone is
like do you want me to just paste this in?
I'm like yeah, it's like magic.
Speaker 5 (45:30):
Yeah, yeah.
Speaker 6 (45:31):
I love it when you get like the the SMS
links and then your site and it pops up and is.
Speaker 5 (45:37):
Like paste this. I just saw this in your messages.
Speaker 6 (45:39):
It's so great, Like you are so smart phone, I
don't even.
Speaker 3 (45:46):
It's nice. Yeah, auto deletes it too. Yeah, it's interesting
in that, you know to a certain extent, like there's
trade offs too, just in terms of the user and
kind of what they what they're looking for and that
they're what they're trying to accomplish. But passkeys are
definitely the way.
Speaker 2 (46:02):
To go, so widely supported, and I think.
Speaker 3 (46:05):
They are, which I appreciate.
Speaker 2 (46:08):
A lot of contracts will require them. So if you're
trying to get a contract, especially with like a government
agency or some other agency that deals with private data
that they need to protect, they're going to demand that
you be able to enable those features for their users.
So it's important to know how to do it, and
it's nice that there are tools that make it easier.
Speaker 4 (46:31):
Yeah.
Speaker 6 (46:32):
Yeah, for sure, I feel like I remember like when
they first started being a thing, it was mostly like
people talking about things like YubiKeys. We had to have
like this physical thing and you had to plug it in.
Speaker 4 (46:48):
The fingerprints on.
Speaker 6 (46:51):
Yeah, like the with this other stuff has made it
so easy, and browsers support them too, so you don't
even need like a password manager to be able to
take advantage of passkeys.
Speaker 2 (47:02):
I worked for a job or they needed to do
two factor authentication and they refused to. They would not
make their customer or their users use their own phone
to do things, and they wouldn't provide them a phone,
and they wouldn't provide them a YubiKey. So the
only way we could do it was emailing a link.
(47:26):
So I was like, why are we doing this?
Speaker 6 (47:30):
There's always a balance between security and user experience.
Speaker 3 (47:34):
That's what I was thinking of. Yeah, Like and even
in the game industry, like you're talking about like if
I'm I was thinking about the touch id thing right,
like super easy because I'm on my MacBook Pro all
day or whatever, and even if i had the lid
closed or you know what I mean, Like it's pretty
easy to like, Okay, sure, but if like I'm holding
a game controller, uh, and I went off into like
(47:57):
a passkey, like I don't even know what that
looks like today, Like what if I have a twenty
five Like we talked about our long password, like random password,
and it's like okay, now log in the Xbox Live
of your Microsoft account and like, oh for.
Speaker 4 (48:11):
Ever, this is the worst experience ever because you have
to download the Microsoft the device and it works. I
just I just talked to.
Speaker 3 (48:19):
The Authenticator app. Oh my god, Microsoft stuff. Okay, it's yeah.
Speaker 2 (48:23):
The literal I kids go through this all the time
because they have to enter passwords constantly. Yeah, with a
controllers and noa yeah, no one has figured out how
to make it easy. I mean like I'm glad that.
Speaker 6 (48:35):
Yeah.
Speaker 2 (48:36):
Like streaming services like Netflix and Hulu have finally started
putting up a QR code.
Speaker 6 (48:42):
Device grant, so I always it's archaic now when
they make me use my my controller to or or
my god forbid.
Speaker 5 (48:54):
My remote for my TV.
Speaker 2 (48:56):
Oh which flags behind the worst?
Speaker 3 (49:03):
It's not a QWERTY. They're just like.
Speaker 2 (49:07):
Used to just be the alphabet along the time.
Speaker 4 (49:12):
Anyway, one of those inces I use doesn't have the
whole QR code thing yet, so whenever I have to
like re log into it. It's me typing the past
like TV remote. All the other ones do it perfectly fine,
this one. Yeah you still type.
Speaker 3 (49:26):
Yeah, it has been nice, like the the evolution of that.
So I remember like traveling a lot and you go
like an Airbnb and you want to sign into your
Netflix and you're sitting there like, so the QR code, like,
would you call it device grant? I have not heard
that before. That makes sense.
Speaker 5 (49:44):
Grant that it uses in order to do that, to do.
Speaker 3 (49:47):
It still okay, got it? Yeah, that's really cool. But
I imagine in your space. Just as we're talking about
the past key stuff, it just got me thinking about,
like I'm surprised that like controllers don't have like a
fingerprint scanner on them or something.
Speaker 2 (49:59):
You Yeah, here you go, Brian, there's.
Speaker 3 (50:04):
Just throw my AI library Hashbrown in the in
the garbage. And you know, I think this is a
highly risky startup guy to like get into like authentication.
And yeah, not me, maybe Brian and Sony and.
Speaker 5 (50:26):
N but you you.
Speaker 6 (50:31):
Almost get it with device grant just because you would
actually log in on your device.
Speaker 3 (50:37):
Yes, you could like.
Speaker 6 (50:39):
On your phone to log in and it would it
would go to the TV or the console or whatever
makes sense.
Speaker 2 (50:46):
And then the thing you have to do when you're
at your hotel and you're tired and you're trying to
log into Netflix is not make a tired face at
your phone so it can't recognize.
Speaker 4 (50:54):
Yeah, the off, the only gotcha is that I don't
trust Microsoft to be the one to
figure out a good user experience for another. They're not
the ones that should be doing that because they have
failed up until this point.
Speaker 6 (51:10):
There's so much irony in that too, right, Like they're
so established and they're so well adopted, and there's so
many smart people who work at Microsoft, and it is.
Speaker 4 (51:17):
But it's just it's the most frustrating flow. The URL
changes twelve to fifteen times as it bounces you around
different sites to figure out what login portal you're supposed
to go to.
Speaker 6 (51:31):
Oh my god, yeah, oh my gosh. This is totally
a tangent. But recently I was trying to so my
son has our old Xbox three sixty and we were
trying I was trying to we have the Halo Master
Chief collection, and we learned that there is ODST Halo
(51:53):
three ODST Firefight that has the ability to have multiple
factions in the firefight. So we were like, oh, yes,
we'll just we oh, it's like it's like five dollars,
we'll just add it and we'll be able to do this.
It took me like three and a half hours to
do it, because first I had to when I Innate.
Speaker 5 (52:14):
When I turned it.
Speaker 6 (52:15):
Online, it was like, now you have to update you know,
fifty gigs of stuff. And then and then I was
trying to sign in, and oh my god, I don't
even remember like the the nightmarish flow of things that
I had to do in order to sign with the
right account, because like I was when paying, and it
was just I'm I kid, you.
Speaker 5 (52:36):
Not three and a half hours to like figure this out.
Speaker 2 (52:39):
I've been through this with my kids and I usually
it's because the passwords never got put in my password manager,
and so they're like, what's the password. I'm like, I
don't know. Nobody ever told me the passwords, so I
didn't put it in my password manager. So and then
I shut my door and I let them figure it out.
Speaker 5 (52:55):
Yeah.
Speaker 6 (52:56):
I was gonna say, well you just just put it,
make sure you put them in your password manager. But
maybe exonerating yourself from the situation is totally a valid Yeah.
Speaker 2 (53:03):
I gave them that, Like, I have a family account
on our password manager and nobody has signed up for it.
So I'm like, this is not my problem. I haven't
you all y'all's problem.
Speaker 6 (53:14):
Well, I think part of the really frustrating flow, if
I remember correctly, was that you can create an account
without a password, which is great, but the only way
to log in on the Xbox is to use a password.
So I had to go back into the account and
I had to be like, actually, I do want a
password and not to create one. And then I had
to you know, make it a long and complicated and
(53:36):
then I had to type it into the into the Xbox,
and it was.
Speaker 4 (53:39):
Just and at some point you might see you're trying,
and you're like, how did I get to outlook, I don't.
Speaker 5 (53:45):
Know, like auto create you email addresses on it?
Speaker 4 (53:50):
Like, yeah, yeah.
Speaker 5 (53:52):
I did get it working though, So that was accomplished.
What was that worth it? It was worth it. It
was actually worth it.
Speaker 2 (54:02):
That's good time. And hopefully you won't have to remember
how to do that for like another year or so.
Speaker 6 (54:07):
I sure hope not. I should have documented it. I
should have just like written on all the steps because.
Speaker 3 (54:17):
It to the Xbox.
Speaker 5 (54:19):
Password.
Speaker 2 (54:20):
Like your kid will remember that you knew how to
fix it last time, and so when it happens again,
they'll come to you.
Speaker 5 (54:27):
Yeah, yeah, and that does happen when you fix this thing?
Speaker 2 (54:32):
Like not really, but I actually don't remember that.
Speaker 5 (54:35):
I guess again.
Speaker 2 (54:41):
Oh yeah, well, Kim, thank you so much for joining
us today. Was there any like final thoughts you wanted
to leave our audience with before we sign off or
any call outs?
Speaker 6 (54:55):
I'm trying to make sure that anything I say relates
back to our actual conversation.
Speaker 4 (54:59):
You can be off time whatever you want, fight fight.
Speaker 3 (55:04):
So that's.
Speaker 6 (55:06):
My final thought is it's worth the three hours of
pain to get ODST Firefight if you're a Halo fan,
because you can mix the Sentinels of the Flood and
the Covenant into the firefight. I mean joking aside, though,
I think one of the kind of things that I
would want to leave people with is you don't have
(55:28):
to know everything about something to be effective with it,
but there are some things that it does help to know,
and being able to kind of figure out what those
things are can really just take your like, I know
this works. Knowledge to I know this works, and I'm
confident about it, and I think that that that matters,
(55:50):
and it can also kind of finding that balance protects
you from having to learn literally everything about it, yes,
but also keeps you sane cognitively.
Speaker 2 (56:00):
Yeah. Absolutely, that's excellent advice. And it's also great to
know that there are people in the community that you
can reach out to. And on that note, if somebody
wanted to reach out to you in the community, what
is the best.
Speaker 5 (56:13):
Place to do that these days?
Speaker 6 (56:15):
It's probably LinkedIn actually, yeah, so LinkedIn, Blue Sky and
Twitter to like some extent, but I spend more time
on LinkedIn than those platforms these days.
Speaker 2 (56:28):
Nice. Nice, well, Kim. I look forward to seeing you
again at ng-conf and JSConf, both in Baltimore.
I think JSConf starts the fourteenth of October, fifteenth, sixteenth,
somewhere around in.
Speaker 5 (56:42):
There something like that.
Speaker 2 (56:44):
And ng-conf, it's the seventeenth and the eighteenth, so there's
still time to get tickets and if you miss the event,
you can catch up with us on YouTube. But thank
you so much for joining us today. Thank you for
taking the time out of your day. I'm really deed
to go learn more about FusionAuth and I just
(57:04):
appreciate that you are willing to share your knowledge because
obviously I don't have time to learn it all. So
it's great to have people and you shouldn't you shouldn't
have to And what you told me is I don't
have to learn it all. I just have to learn enough.
Speaker 5 (57:18):
So well, Kim, yeah, well thanks for having me.
Speaker 2 (57:24):
Absolutely, appreciate it. And so the listener, We'll catch you next time,
so bye bye.
Speaker 10 (57:32):
Hey, this is Preston Lamb. I'm one of the NG
Champions writers. In our daily battle to crush out code,
we run into problems and sometimes those problems aren't easily solved.
ng-conf broadcasts articles and tutorials from NG Champions like
myself that help make other developers' lives just a little
bit easier. To access these articles, visit medium dot com,
forward slash, ngconf.
Speaker 1 (57:54):
Thank you for listening to the Angular Plus Show, an
ng-conf podcast. We'd like to thank our sponsors, the
ng-conf organizers Joe Eames and Aaron Frost, our producer
Gene Bourne, and our podcast editor and engineer Patrick Kyes.
You can find him at spoonfulofmedia dot com