In this episode of “Unmute Presents,” hosts Michael and Damashe delve into the world of passkeys. They discuss the technology’s advancements, its security benefits, and the implications for users across various platforms. Whether you’re new to passkeys or looking to deepen your understanding, this episode is a must-listen.
00:04.650 –> 00:27.590
Welcome back to the fourth Thursday of Unmute Presents, where we talk about security, the latest and what’s happening, and how you can keep you, your family and customers all safe by making smart choices. I love that phrase. I don’t remember who told me that. Make smart choices. Damasi, you’re here today to talk about making smart choices with not using a password.
00:28.010 –> 00:53.200
Yes, I am. So today we’re going to be talking about pass keys, which we’ve touched on this before, but I just kind of wanted to do a review of pass keys for everyone because they’re out now. Like they’re around. They’re in several places. Several services allow you to now use a pass key to sign in. So I want to talk about a quick review of what they are and where we’re using them and a few things to be aware of.
00:53.570 –> 00:59.680
Yeah, pass keys are super exciting, so remind listeners what is a pass key.
01:00.050 –> 02:54.130
So I’m going to skip the extremely technical parts of what a pass key is and what makes them work for the purpose of this conversation and just basically explain what’s going to happen when you’re using them. So instead of you typing in a password to access an account, once you have set up a pass key for that account, you would in most cases type in your username, and then you’re going to be prompted in some way to authenticate for your login. So the username is to help identify your account, and then they’ll see that your account has pass keys set up. And whether this is on your phone or your computer with touch id or face id or typing in a pin or something of that manner, it just kind of depends on your device, first off, but that gives you a quick way to log in. This is secure. There’s nothing to leak out. The important things on a technical level to be aware of is there is a private key on your device that you are authenticating from, and there is a public key that the web servers that you’re signing into with a pass key holds. It does not matter if they make a mistake at some point in the future and lose your public key or not lose, but leak your public key out to the Internet because it’s not going to get anybody anything. And your pass keys are different across each website. So my Google passkey cannot be used actually, my Google Pass key for my workspace account cannot be used to authenticate to my@gmail.com account because, you know, that’s not how that works. They’re separate. There are separate keys for everything. So this makes people more secure in a lot of ways because it removes that oldness of like, oh, you always got to make sure you use a separate password. Well, you’re no longer having to remember a password, just keep up with your device.
02:55.690 –> 03:12.010
And you had some concerns when you first learned about pass keys related to getting those pass keys from one device to another. And you’ve also been playing with iPhone and Android. Have you solved that problem yet? And how has that experience been?
03:12.160 –> 06:11.460
So there are currently some solutions out there that will sync your pass key. So I’m still a one password user, one password if I set up a pass key in one password. So using the one password app to store that pass key, those are available to me everywhere on each device, and I’ve used them on iOS, macOS, Windows and Android. So it’s nice if you are using Bitwarden, they now are also syncing pass keys with their web extension. So if you’re logging in on the web, I’m assuming this also works on mobile. For sure, it looks like it works on desktop. Those options are there within a operating system or a ecosystem would probably be a better way to say it. Apple with their iCloud keychain will sync your pass keys across devices. So I have a couple set up in iCloud. They’re available to me on the Mac, they’re available to me on my iPhone. We have not tested if anybody listening has used the iCloud keychain setup app for Windows at all and can verify whether or not this works. That would be great. Not certain if they. I don’t see why they wouldn’t, but I can’t tell you for sure that they do work on windows with icloud keychain. I just know the app is there. And since it fills your passwords, it seems logical to me that it would also bring your pass keys along inside of your Google account. If you’re using the Google Password manager in Chrome, then those will sync across your Chrome instances as well as being available to you on Android. I don’t know how you would get those out on iOS, so it’s still fragmented in the way that I was concerned about it being fragmented in a lot of ways. You’re either using a password manager to provide that syncing or you’re within an ecosystem in a lot of cases. So whether that’s Google and Android and Google Chrome or Apple with iCloud, as far as I know, because I’m not a full time Windows user and I don’t really use any know backed services for the most part. I know you can set up a pass key on a Windows machine. I’m not sure if there’s any mechanism provided by Microsoft for syncing those across your different Windows devices at all. One piece of good news is all of these companies that joined the Fido alliance, which is kind of where all of this is coming from, which is why it’s a standard that everybody’s using the same kind of setup. They are actively working on a safe, secure way to export a pass key from one operating system or syncing service and be able to import that into another. At last check. For me, there’s no spec release for this just yet, but they are actively working on that as a part of the implementation of pass key. So it’s coming.
06:12.070 –> 06:35.402
If I choose to use a pass key, I don’t lose access to using my password. I think that was a big concern of mine when I first started hearing about that was do I lose it? And no, as of right now, at least with some services. What has your experience been that you can use a password and or a pass key?
06:35.536 –> 06:36.630
Yeah. So password.
06:36.710 –> 06:38.010
Password or a pass key?
06:38.080 –> 07:15.320
Yeah, passwords are still going to be available. I don’t foresee passwords going away anytime soon simply because we’re not yet at a point that all of those concerns, my concerns are concerns held by the FiDo alliance as well, hence the reason they’re working on ways to export and be able to migrate and kind of manage your own pass keys across different devices. But also, not everybody’s on pass can. We’re going to talk about a couple of places that we’re using them, but there’s a lot more. It’s easier to tell you what I am using than it is to tell you who does not have passkey support.
07:15.690 –> 07:40.400
Yeah, definitely. I am using it on Google for my Google workspace. And once I started to use it there, I’m like, this is nice. I need to start setting it up in more places. Now I’m guilty. I think Google workspace and would something like sign in with Apple specifically be like passkeys? Because the flow is kind of similar.
07:40.770 –> 08:56.466
The flow is similar, but it’s using two different technologies. So sign in with Apple. Sign in with Google is basically Google or Apple is acting as your authentication service to say, yes, this person is a real person. Here’s their information that they choose to share, but they get a token. So that’s using, you know, that’s why those things have been around for a while. We’re seeing Apple pop up in more places for signing in, though. I was trying to sign in somewhere the other day and it’s like, sign in with Apple. I’m like, that’s not a thing over here for me. But yeah, that’s using Oauth. There are some weird implementations that I have seen where I authenticate with one service. So GitHub, this actually happened for me with GitHub because GitHub is one place that I’m using passkeys. I authenticated to one service with my GitHub account, was not signed in or had not signed into that browser. With my GitHub account at that, you know, I had to log into GitHub and then had to do the passkey there. So you will see that. But it doesn’t mean that the account you’re logging into has Passkey support. It just means the authentication method that you’re choosing to use happens to support passkeys and you have them configured.
08:56.658 –> 09:13.034
So right now I’m using it only on Google then, because the rest of those are Oauth, where else I’m using it, where are you using it? And then I can give you a resource, if you don’t have it, where you can go find more places to use passkeys.
09:13.162 –> 10:31.640
So I have set up passkeys on my workspace account as well as well as my free@gmail.com account, GitHub. As I just mentioned, where else am I using passkeys? I have them kind of sort of set up on Paypal for my personal Paypal account. And at the time I could be wrong, but at the time my memory tells me because I haven’t tried to sign in from the computer in a while. The way it is is one of these weird implementations, right? PayPal lets me use a pass key on my mobile device, on my iPhone, and it just uses face id and login. Boom. On the computer, not a thing, not happening. I kind of feel like Amazon put me in the same position because I did set up pass keys in my Amazon account. However, one, their implementation is I use a pass key to sign in, but because I had two factor on prior to pass keys existing, they want the six digit code. And I’m like, I don’t think this should work this way, but let’s see, anywhere else I might be using Pass, I think those may be the only places I’m currently using them. And mostly for me know, logging in and out of Google or logging into Google and GitHub, I think.
10:32.410 –> 10:42.440
Do you use pass keys for Apple? I didn’t know you could do it there. How do you sign in with a pass key with Android as well? Or is that one of those cases you have to use the.
10:45.050 –> 11:16.440
Know? That’s a good question that I really should have an answer for because I recently signed into an Android phone and I think I actually had to put in my password and then do standard two factor with my ubikey is what I recall having to do to get into Android. Now that may also be because I’m running a kind of forked version of Android too, so I’m not sure what Google is doing know base Android at the moment. I’ll let you know in a month or so.
11:18.250 –> 11:54.640
Yeah, paskis are interesting if you want to find a couple of places to check them out. I don’t know if you would agree with this, but I think it’s easiest for me at least to try it out and observe it. You’re not going to break anything by trying out a pass key, at least not in this stage. You’re going to have the ability to recover that account and still get into it, but if you start using it then it’s going to become part of your regular flow. And if you go to Passkeys directory, you can search for your favorite service or see a whole list of sites that appear to have passkey support.
11:55.090 –> 13:59.450
Yes, that is a good resource to look at to see what has it. And as you said, there’s nothing wrong with setting it up. Now do it for an account, see if you like it. Again, you always have the option to use a password. In some instances you actually have to take extra steps to say you want to use a pass key over the password implementation. Passwords are not going away anytime soon. Google for sure is kind of pushing people to more use pass keys, but the password is not going away anytime soon. So again, like Michael said, you can get into your account if the pass key isn’t going to work or for some reason you don’t have access to it, there’s always going to be an option there for you to switch to use your password, so definitely give it a try. Some caveats and we kind of touched on what I wanted to touch on as caveats, which is just be mindful that it may not always be available depending on how you chose to store your pass key. So for me, one password is where most of mine are. So I don’t really think about if it’s available on this device, because if I have a device that is mine, it’s going to have one password on it because otherwise I can’t do anything else. I can’t log in anything, but just be mindful of that. So if you set up a pass key for say your Google account on your iPhone and then you go to log into your Google account on windows, this is one of those instances where you may have to scan the QR code with your phone to do the authentication. So just be mindful of the different ways to use it. But there’s not a huge concern to me at this point in time that you’re going to lose access to an account because you don’t have a way to make use of a pass key because passwords are still ruling today. Take a look at Paskeys director and you’ll see there is a lot of stuff that is there, but none of us, I would be willing to bet good money, is using all of those services that are available there. You may be using a handful of those services that offer pass keys, which is probably a handful of what you ultimately have to log into on a regular basis.
14:02.900 –> 14:10.832
Yeah, and I’m at p now and only found one bank, so that right there says enough.
14:10.886 –> 14:48.430
Oh yeah, see, the banks are going to hold up the whole process. There’s going to be a lot of stuff. And even smaller websites, right? Agency sites or organization sites you sign into are not going to have pass key implementation yet because there are some tools out there. But there’s not a ubiquitous drop in method that says oh, turn my WordPress membership site into using Pass. There’s a plugin that you can use, but that’s one plugin that I’m aware of, which also comes with extra service costs. Because you’re not just paying for pass keys, you’re paying for a whole security suite. So those things are going to still shake themselves out over time.
14:50.240 –> 14:58.880
So do you think people should be aware, going into 2024 of anything before we wrap it up related to pass keys we haven’t covered?
14:59.540 –> 15:47.792
I would say just give them a try because you’re going to see more and more services using them. Some of the implementations may be a little weird. Google’s is pretty good. I like theirs. If you’re a GitHub user, definitely sign up with GitHub. I believe Microsoft accounts for sure support signing in with a pass. So it’s definitely worth giving it a try because it is going to be, I think the new authentication method that picks up now whether it takes over and completely removes passwords at some point in the future, that remains to be seen, simply because listen, we’re in 2023, going into 2024, and I still don’t have two factor in all of the places that I feel like I should have. Standard two factor. So we’ll see what happens, but definitely give it a try. It makes your login is much more fun and easier, I’ll tell you that much.
15:47.926 –> 16:00.370
Yeah, it does. Yeah, it does. Well, thanks Nozzie. And if you are interested in paskeys have questions or feedback, feel free to send an email to feedback at Unmute show.