Siegfried, deploy!

Why Passkeys are the future

October 24, 2023 Bleech

The future is passwordless! Learn all about Passkeys, the technology set to replace traditional passwords. The best part?! You can start using them today! We'll show you how.

Highlights
00:00 Why passwords are bad
01:12 Demo: Passkey registration
02:05 The technology & security options
03:11 Multi-device compatibility
04:07 Demo: Passkey login
05:01 Sharing Passkeys
05:29 Business applications
06:09 How to use them today

Links
- Passkey Demo: https://www.passkeys.io/
- Passkey Directory: https://passkeys.directory/

More from Bleech
Blog Posts (WordPress Development)
Flynt (WordPress Starter Theme)
VRTs (Visual Tests for WordPress)
Siegfried, deploy! (YouTube Channel)

Steffen:

There will be a time when we will wonder how we ever used passwords, and passkeys are the beginning of the end of passwords.

Dominik:

Honestly, I don't really know anything about passkeys.

Steffen:

Let me introduce you to that. Passkeys are an alternative concept to passwords. Let's first talk about the problem with passwords. Passwords tend to be insecure because we mostly imagine new passwords and not everyone's really great at this. They're replayable, because when someone steals your password, they can just use it an infinite amount of times, unless you're using two-factor authentication. Then also, they are stored on a website. It can be reverse engineered, and the worst part of it is that one of the biggest factors of hacking actually is social engineering, where you just try to convince someone to simply give you their passwords, and one of the most well-known things is phishing. Right, when you send someone an email, it looks like that email is from your service provider, but actually it's not, and people just enter their passwords. Passkeys kind of solve all these problems and, on top of that, what I really love about it is that it's a much, much nicer user experience. So I'm excited.

Steffen:

What's the solution? Passkeys, how do they work? Maybe I should just show it by going on this example website, passkeys.io. I don't have an account here, so let me just create my account with my email address and I'll click "Save a passkey". It will ask me what kind of device I want to authenticate with, so either my computer, or it could also be my iPhone or an Android phone, and then create a passkey for this device. What this will do is it will actually create a private key on my computer. This private key will be protected by biometric data, in the sense that my computer asks me to authenticate myself with my fingerprint or with Face ID. It will not actually save this biometric data, but still it's a second layer of protection. So I need to authenticate myself and then it will send a public key to the server and the server will save this public key. And now I'm registered already, right? So the server has the public key.

Steffen:

I have a private key and, technically, the server sends a challenge to my device that I need to sign with my private key, and then it sends back that signature, or whatever it's called, and then authenticates with the server. So this has a huge advantage that there's actually no password saved on the server, right? It's more like SSH keys, where you also have a private key and a public key. Do you need this biometric data? There are multiple options when you are asking people to register or authenticate from the server side. You can also say I don't require it, or it's my preferred method. So there are different levels of security that you can ask for as a password provider, but typically the most convenient type of passkey, and still a very secure one, is where you can create multiple passkeys. They will be saved to the keychain of your device and then the password manager will even sync this private key. So once you have this passkey on your desktop, you can also log in with your mobile device.

Dominik:

So it basically means, like, if you have all Apple devices, you're pretty good to go, right? If you have an Apple desktop and, like, an Android phone, I am sure that it will be a little more complicated, right?

Steffen:

I heard that this is what they want to work on. For example, if you try to create a passkey in your Safari browser on the Mac, it even asks you there if you would like to use your Android device to register, because right now you can use it across multiple devices already. Let me show that. Let me, like, create a new passkey, but this time I want to use a phone or tablet, and then it will show me a QR code here. I can then scan that with my phone and then I can create a passkey on my phone, right?

Dominik:

In an Apple native way, or did you need to install an app for that?

Steffen:

No, that's absolutely native. That's the native password manager. I didn't have to do anything and now I have this passkey on my device. And now let me sign out and let's have a look at the login experience and click "Sign in". And now I can either directly sign in with the passkey from my computer, and all I have to do is, like, click continue, authenticate, and I'm in. I don't even need to enter a username. This is just, like, one click, sign me in, confirm, and you're signed in.

Steffen:

Now let's log out again and sign in with my phone. So let's assume this was on a computer of my friend's and I can still say sign in, use different device, use phone or tablet. And then I will again scan this QR code and then on my device it will ask me if I want to sign in with this passkey that is saved on my phone, actually, and then it will authenticate on the desktop computer. But once I'm logging out of that computer there's no relationship. No password was ever saved on this computer.

Dominik:

Wow. Yeah, that's super nice. Questions? Yeah, yes, go ahead. What about sharing passkeys with other people?

Steffen:

It's possible. For example, on iOS you can share your passkeys through the password manager, but you can also use AirDrop to share your passkey with someone else. You cannot send it via email because that would be insecure, kind of. It's really more like, almost like a physical key. You create keys, you can create duplicates of keys and so on, so it's just a key. It's just, like, a much more secure type of key than a password.

Dominik:

For personal use this is awesome. What about in a business context? We use a password manager in our company. Right, it's 1Password. Do they support passkeys? Yes. Can you use them, store them in 1Password and put them in a vault that multiple people have access to?

Steffen:

Absolutely, you can create them, store them there, and when you go to the website, 1Password will pop up: "Hey, these are your four accounts for this website. Which one do you want to use?" You tap it and then you're signed in. And 1Password is currently working on a solution to actually log into 1Password with a passkey.

Dominik:

That would be super nice, because I always hate the master password, right? It seems like I need to also switch to passkeys.

Steffen:

Absolutely, and, like, seriously. This is going to be the future of passwords, and actually there are quite a few providers who support this already. There is this website, passkeys.directory, I think. It's provided by 1Password and shows you all the providers that support passkeys already.

Dominik:

Now I'm really interested in how to get this to work with WordPress, and also how we can say that all the websites that Bleech develops are accessible with passkeys. I guess we can talk about this in the next episode.

Steffen:

Absolutely. Thanks.
