Goodbye Passwords, Hello Passkeys
What is passwordless and why it is the future
Nick Hodges Dev Advocate Passage.id
Slide 2
Nick Hodges
● Developer Advocate at Passage
● Angular/Typescript
● Minnesota Sports Fan
● Lover of Pistachios
● https://passage.id/nick
Slide 3
Passwords are… …sub-optimal
Over 80% of all security breaches are the result of a compromised password
Slide 4
Why Are Passwords Suboptimal?
● They often aren’t complex enough
● They are frustrating for users
● They often get reused
● They often get shared
● They are phishable
● Password managers are no fun
● They don’t scale
Slide 5
So what is a developer to do?
Slide 6
Biometrics for the Win!
● Nothing for users to remember (or forget)
● No PII exposure or data breach due to weak passwords
● Two-factor authentication in a single quick step
● No sensitive data stored on the server
● Users don’t have to switch context to email for a magic link
● Cannot be phished
Slide 7
What’s up with WebAuthn
● Approved by FIDO and W3.org
● Supported by most major browsers
● Uses Public Key cryptography
● Leverages biometrics
Slide 8
WebAuthn Registration Process
Hey! I want to create an account!
Great! Send me a public key!
Sure! Creating a key-pair just for you!
Okay, here’s a public key just for you!
Sweet! You are all registered!
Slide 9
WebAuthn Login Process
I want to login now!
Okay, sign this data with your private key
Sure! Hang on one millisecond…
Okay, here’s the signed data
Nice, let me verify this…
Yep! You check out! You are logged in!
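The registration and login exchanges from slides 8 and 9, modelled with Node's crypto module. This is an added example, not code from the talk or from Passage, and it is a simplified model rather than the browser's navigator.credentials API. The origin https://example.test and all function names are assumptions made for illustration.

```javascript
// Simplified model of the registration and login exchanges (not the browser WebAuthn API).
const crypto = require('crypto');

const RP_ORIGIN = 'https://example.test'; // constructed relying-party origin

// Server side: holds only public keys and one outstanding challenge per user.
const server = { publicKeys: new Map(), challenges: new Map() };

function serverRegister(user, publicKeyPem) {
  server.publicKeys.set(user, publicKeyPem);
}

function serverChallenge(user) {
  const challenge = crypto.randomBytes(32).toString('hex');
  server.challenges.set(user, challenge);
  return challenge;
}

function serverVerify(user, assertion) {
  const expected = server.challenges.get(user);
  server.challenges.delete(user); // a challenge is accepted once
  const pem = server.publicKeys.get(user);
  if (!assertion || !expected || !pem) return false;
  const { origin, challenge } = JSON.parse(assertion.clientData);
  if (origin !== RP_ORIGIN || challenge !== expected) return false;
  const data = Buffer.from(assertion.clientData);
  return crypto.verify('sha256', data, pem, assertion.signature);
}

// Device side: private keys stay inside this closure, one per origin.
function makeAuthenticator() {
  const keys = new Map();
  return {
    register(origin) {
      const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      keys.set(origin, pair.privateKey);
      return pair.publicKey.export({ type: 'spki', format: 'pem' });
    },
    sign(origin, challenge) {
      const key = keys.get(origin);
      if (!key) return null; // no credential for this origin
      const clientData = JSON.stringify({ origin, challenge });
      const signature = crypto.sign('sha256', Buffer.from(clientData), key);
      return { clientData, signature };
    },
  };
}
```

The server stores only the public key, and a signed response is bound to both a one-time challenge and the origin, so a replayed response or one produced for a different origin fails verification.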
Slide 10
Where do Passkeys fit in all of this?
Microsoft, Apple, and Google all committed to supporting this system.
Slide 11
Passkeys are Sharable Secure Cloud Storage
Slide 12
Why all this is better
● No biometric information ever leaves the user’s device
● The Trusted Platform Module (TPM) chip does all the work
● Can’t be phished (or at least no one can conceive how…)
● Vastly better user experience
  ○ More conversions
Slide 13
Misconceptions
● “There is still a password backup”
● “It requires Bluetooth to login”
● “Lose your phone, lose your info”
● “The TPM can be cracked”
● “If you don’t have your phone, you can’t login”
Slide 14
Let me head off some questions…
● “What if I lose my phone?”
● “What if my biometric information is compromised?”
● “What if my physical biometrics change?”
● What else?
Slide 15
Give it a try this very minute!
https://passage.id/demo
Slide 16
Code https://github.com/passageidentity
Slide 17
About Passage
● Startup based out of Austin
● https://passage.id
● Support almost any web framework with a web component
● Just released a beta of our iOS SDK
  ○ https://github.com/passageidentity/passage-ios
  ○ More SDKs in work
Slide 18
Thanks!
Nick Hodges
Developer Advocate
https://passage.id/nick
@passagenick
Slides: https://noti.st/nickhodges