Siegfried, deploy!

Why Passkeys are the future

Bleech

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 6:43

The future is passwordless! Learn all about Passkeys, the technology set to replace traditional passwords. The best part?! You can start using them today! We'll show you how.

Highlights
00:00 Why passwords are bad
01:12 Demo: Passkey registration
02:05 The technology & security options
03:11 Multi-device compatibility
04:07 Demo: Passkey login
05:01 Sharing Passkeys
05:29 Business applications
06:09 How to use them today

Links
- Passkey Demo: https://www.passkeys.io/
- Passkey Directory: https://passkeys.directory/

More from Bleech
Blog Posts (WordPress Development)
Flynt (WordPress Starter Theme)
VRTs (Visual Tests for WordPress)
Siegfried, deploy! (YouTube Channel)

Why passwords are bad

Steffen

There will be a time when we will wonder how we ever use passwords , and pass keys are the beginning of the end of passwords .

Dominik

Honestly , I don't really know anything about pass keys .

Steffen

Let me introduce you to that . Pass keys are an alternative concept to passwords . Let's first talk about the problem with passwords . Passwords tend to be insecure because we mostly imagine new passwords and not everyone's really great at this . They're replayable , because when someone steals your password , they can just use it an infinite amount of times , unless you're using two-factor authentication . Then also , they are stored on a website . It can be reverse engineered , and the worst part of it is that one of the biggest factors of hacking actually is social engineering , where you just try to convince someone to simply give you your passwords , and one of the most well-known things is phishing . Right , when you send someone an email , it looks like that email form your service provider , but actually it's not , and people just enter their passwords and pass keys kind of solve all these problems and , on top of what I really love about it , it's a much , much nicer use experience . So I'm excited .

Steffen

What's the solution

Demo: Passkey registration

Steffen

? Pass keys how do they work ? Maybe I should just show it by going on this example website , passkeys . io . I don't have an account here , so let me just create my account with my email address and I'll click Save a pass key . It will ask me what kind of device I want to authenticate with so either my computer or it could also be my iPhone or an Android phone and then create a pass key for this device . What this will do is it will actually create a private key on my computer . This private key will be protected by biometric data , in a sense that my computer asked me to authenticate myself with my fingerprint or with Face ID . It will not actually save this biometric data , but still it's a second layer of protection . So I need to authenticate myself and then it will send a public key to the server and the server will save this public key . And now I'm registered

The technology & security options

Steffen

already , right ? So the server has the public key .

Steffen

I have a private key and , technically like , the server sends a challenge to my device that I need to sign with my private key , and then it sends back that signature or whatever it's called , and then authenticates with the server . So this has a huge advantage that there's actually no password saved on the server , right ? It's more like SSH keys , where you also do have a private key and a public key . Do you need this biometric data ? There are multiple options when you are asking people to register or authenticate from a server side . You can also say I don't require it or it's like my preferred method . So there are different levels of security that you can ask for as a password provider , but typically the most convenient type of pass keys and still very secure one is where you can create multiple pass keys . They will be saved to your key chain of your device and then the password manager will even sync this private key . So once you have this pass key on your desktop , you can also log in with your mobile device .

Dominik

So it basically means like

Multi-device compatibility

Dominik

, if you have all Apple devices , you're pretty good to go right . If you have an Apple desktop and like an Android phone , I am sure that it will be a little more complicated right .

Steffen

I heard that this is what they want to work on . For example , if you try to create a pass key on your Safari browser on the Mac , it even asks you there if you would like to use your Android device to register , because right now you can use it across multiple devices already . Let me show that . Let me like create a new pass key , but this time I want to use a phone or tablet , and then it will show me here a QR code . I can then scan that with my phone and then I can create a pass key on my phone right In an Apple native way , or did you need to install an app for that ?

Steffen

No , that's absolutely native . That's a native password manager . I didn't have to do anything and now I have this pass key on my device . And now let me sign out

Demo: Passkey login

Steffen

and let's have a look at the login experience and say sign in . And now I can either directly sign in with the pass key from my computer and all I have to do is like click , continue , authenticate and I'm in , like I don't even need to enter a username . This is just like one click sign me in and it's like confirm and you signed in .

Steffen

Now let's log out again and sign in with my phone . So let's assume this was on a computer of my friends and I can still say sign in , use different device , use phone or tablet . And then I will again scan this QR code and then on my device it will ask me if I want to sign in with this passkey that is saved on my phone , actually , and then it will authenticate on the desktop computer . But once I'm logging out of that computer there's no relationship . No password ever was saved on this computer . Wow .

Dominik

Yeah , that's super nice Questions . Yeah , yes , go ahead .

Sharing Passkeys

Dominik

What about sharing passkeys with other people ?

Steffen

It's possible . For example , on iOS you can share your passkeys through the password manager , but you can also use AirDrop to share your passkey with someone else . You cannot send it via email because that will be insecure , kind of . It's really more like almost like a physical key . You create keys , you can create duplicates of keys and so on , so it's just the key . It's just like a much more secure type of key than a password

Business applications

Steffen

For personal use .

Dominik

this is awesome . What about in a business context ? We use a password manager in our company . Right , it's one password . Do they support passkeys ? Yes , Can you use them , store them in one password and put them in a vault where multiple people have access to ?

Steffen

Absolutely , you can create them , store them there and when you go to the website , one password will pop up . Hey , these are your four accounts for this website . Which one do you want to use ? You tap it and then you're signed in and one password is currently working on a solution to actually log into one password with the passkey .

Dominik

That would be super nice , because I always hate the master password right . It seems like I need to also switch to passkeys .

Steffen

Absolutely and like seriously

How to use them today

Steffen

. This is going to be the future of passwords and actually there are quite a few providers who support this already . There is this website , passkeys . directory , I think . It's provided by one password and shows you all the providers that support passkeys already .

Dominik

Now I'm really interested in how to get this to work with WordPress and also how we can say all the websites that Bleach develops are accessible with passkey . I guess we can talk about this in the next episode .

Steffen

Absolutely Thanks .