"Passkey" is Great Branding

Published on Jul 1, 2022

Informal security chat with Founding Engineer Nelson Melo and our host Marketing Empress Reece Guida about passkey announcements from Microsoft, Google, and Apple.

Transcription

Reece

Hello, and welcome to "Hot Takes." Today it's a little lonely because Jason and HP couldn't be here, but you got me, Reece, the marketing guru, and...

Nelson

Hello, Nelson, Founding Engineer.

Reece

That was smooth. I liked that. So today Nelson and I are going to react to a very exciting and long overdue announcement in the security industry, but also just consumer experience, I guess. Passkeys, they're here and I'm pissed that we at Beyond Identity didn't come up with that name first.

Nelson

Do you believe how good it is?

Reece

It's so good. Password, private key. It's a portmanteau and I just love that, I just love it so much. But, yeah, I'm mad that I didn't think of it first. That's fine. So, Nelson, I feel like this has been a long time coming, it's long overdue. What was your reaction to this news?

Nelson

So the funny thing is Apple kind of showed their hand last year at WWDC with it, and they said, "Passkeys were gonna be their implementation of a platform authenticator." They didn't give much details into how it's gonna actually do roaming authentication, and if they're going to have them on multiple devices, or if they're gonna create one per device and try to figure that part out. But, yeah, and I think it's finally getting to a point where they're all going to come up with their own version of it, and Google will have passkeys, and Microsoft will have passkeys. It'll be interesting.

Reece

So when Apple did that low-key, ooh, passkey thing a year ago, do you remember there being a reaction or a buzz on Twitter, or was it just Apple saying a buzzword and then moving on to the next cool thing?

Nelson

Very subdued. I think there was some tweeting and people in the Apple ecosystem were like, "Oh, cool, let me go play with this thing." But I don't remember a big to-do like this year. And I think Google also had an announcement, or a talk about passkeys at "Google I/O" this year, which compounds. I didn't see anything from Microsoft, but I know they've been working on it too.

Reece

Yeah. And, you know, it's not surprising at all that Microsoft, Google, and Apple are the ones that are, you know, kind of charging through the darkness into a bright new future. We are as well for what it's worth, but what do you think about the Big Tech overlords being the ones to herald us into this new era? Do you think that it's just gonna be like a monopoly and their narrow use of the technology in a consumer space? How do you see others interpreting this moment in history because it is historic? What do you think this means for people in their everyday lives?

Nelson

If HP was here, I think he'd say something to the effect of passkeys are just about maximizing usability of cryptographic identities. And however you can do that and not use shared secrets, it's just good for everybody. But then if you just end that bunkering that on just Big Tech and closed ecosystems, that's just going to be largely incompatible with what companies are trying to do.

If you have a fleet of Macs, and a fleet of Windows, and Android, and iOS devices, does it really serve you well if everybody has its own implementation of the same thing? And then the usability aspect of that. If I'm trying to log into a Google Chrome on Windows, an app that's running there, and all I have is an iPhone, can I really come up with a better way that's just not scanning a QR code? Is there a way to make those things work together?

Reece

Yeah, that's a good point. And, you know, most people tend to get locked into ecosystems, right? I have my Apple Watch, my iPad, my Mac, and my iPhone, but I think there are also people out there, especially technologists, they have different devices running on different operating systems. And, you know, a lot of people will work from a PC but have an iPhone. And I see that, you know, having some complexity be introduced.

Maybe those big three providers will find a way to play nice with each other. I doubt it, that just seems fundamentally un-American to me. And kind of like what you were saying earlier like it seems to be very much a thing for consumers logging into applications to help them live their lives. But in a work context, I just feel like password management is so much harder and more unideal because it has to be stricter.

You have to protect your Cloud apps and resources, you have to make sure that the right person is getting to the right thing from the right device, blah, blah, blah. And I just don't really see this announcement of passkeys, à la Google and Apple, doing much to solve that. And I feel like if we're really going to lead a revolution, it has to be comprehensive, it has to be every second of your life. Not just when you get off of work and you order some food off of Seamless to your tiny New York apartment.

I'm not saying you have a tiny apartment Nelson, I'm just being like, creating a narrative here. And I feel like, you know, not to brag, but I feel like that's something we're working towards at Beyond Identity. We're thinking about people in all aspects of life. We're thinking about developers too, and just trying to get rid of that terrible password experience.

We're definitely gonna use the word passkey to describe what we're doing and, you know, how do you see us fitting into this larger narrative? It's so easy to focus on those big three providers, but, you know, I think that we're doing something important that's being neglected. And as somebody who's building for us, how does that make you feel at this point in history? I'd be proud.

Nelson

Yeah. But I kind of love the focus that this announcement and the whole passkey thing is bringing into just authentication using different primitives. I think shared secrets are clearly not the way to do authentication anymore.

Reece

No way.

Nelson

And if you have interest in communities that are building towards authentication with different primitives, like public-private key pairs, then that's just going to spill into every aspect of not only consumer experience, but also enterprise, so that's really good. But hopefully, we get to a place where we're not locked into huge silos, and then our credentials are non-movable. Not because it's technically impossible to do, but because someone decided that we're just gonna build for our thing and not that anybody else use it. That will be a sad place to be.

Reece

Yeah. At that point, it's kind of like, "Well, what's the point of this revolution if it doesn't touch every aspect of my life and make that easier?" Yeah.

Nelson

Hopefully someone builds enterprise-grade passkeys, and consumer-grade passkeys, and makes sure they provide an experience that's focused on user experience, it uses those cryptographic identities, but the custody of the credential is on your devices no matter which device that is.

Reece

Yeah. That's like real ownership and it takes the whole idea of a digital wallet to the next level. You know, like FIDO has existed for a while. Why do you think it took this long? I mean, if I worked at FIDO, I'd be feeling pretty validated right now. But it just kind of, maybe it's because we're working in this space, it befuddles me that others haven't caught on or thought about this, and, yay, it's good to see the brands that everybody knows and loves doing it, but like, are you surprised by how long it took to get here? Because I am. These standards have been around for a long time.

Nelson

Yeah. But standards take a long time for people to pay attention I think. It's been what, seven, eight years since FIDO has been doing WebAuthn, and first U2F, and then became WebAuthn and CTAP, and three or four years since WebAuthn and CTAP have been full-blown standards. I think it's a matter of people paying attention, and companies like these getting behind it and showing with their marketing, and their support on browsers, and application SDKs, that you can use them. So it's a fun time to be in authentication I think.

Reece

It is. I feel like I'm at the gold rush. So, you know, it's taken a while for those to get adopted. Do you think there's a lag now? You know, these companies have gone out with a big marketing splash. Okay, we're gonna do this thing. What's your timeline in terms of people actually using this technology? Because I had expected, "Oh great, the announcement was made, where's the little popup on my iPhone that's gonna let me start using this?" And it's not there. And I know that was mentioned at the Worldwide Developer Conference. So, of course, there'd be a lag, but how long do you think the lag's gonna be exactly?

Nelson

I think early adopter developers did, the kind of folks that watched WWDC and Google I/O. Those people are going to start playing with it immediately. It's so interesting. And then I think it's gonna be a couple years before it makes it into consumer apps, just because it has to go through the normal cycle of adoption and product, understanding what it is, and how to use it, and what the benefits are. And it's gonna be I think a couple of years, but hopefully, in those two years, that the technology matures enough, that you're not forced to just build for each platform and you have someone that can give you a better way to cover everything.

Reece

I wonder who that would be. I feel like the name starts with Beyond...

Nelson

Hint, hint.

Reece

Who? Okay. So let's close out this episode with a fun game. Pretend that you have to come up with a name for passkeys, but you can't say passkey. So I'll come up with mine. Wallet key, what's your name for it, Nelson?

Nelson

Oh, man, putting me on the spot. What about Digital key? It's very creative.

Reece

Oh, no. Digi key.

Nelson

Digi key.

Reece

Oh, wait. That sounds a lot like YubiKey, but it's cute. It's, oh, it's a little Digi key. Okay, Nelson, you know, I better watch out, you might steal my job in marketing. I think you've got a bright future there.

Nelson

No way.

Reece

Well, thanks for your perspective on all things passkeys. It's an exciting time for us and everybody else I think. And I'm looking forward to seeing what the future holds. So if you guys liked this episode, let us know in the comments, like, and subscribe, or if you hated it, please let us know, too. Thanks everybody.


Reece

Yeah. And, you know, it's not surprising at all that Microsoft, Google, and Apple are the ones that are, you know, kind of charging through the darkness into a bright new future. We are as well for what it's worth, but what do you think about the Big Tech overlords being the ones to herald us into this new era? Do you think that it's just gonna be like a monopoly and their narrow use of the technology in a consumer space? How do you see others interpreting this moment in history because it is historic? What do you think this means for people in their everyday lives?

Nelson

If HP was here, I think he'd say something to the effect of passkeys as you're just about maximizing usability of cryptographic identities. And however, you can do that and not use shared secrets, it's just good for everybody. But then if you just end that bunkering that on just Big Tech and close ecosystems, that just going to be largely incompatible with what companies are trying to do.

If you have a fleet of Macs, and a fleet of Windows, and Android, and iOS devices, does it really serve you well if everybody has its own implementation of the same thing? And then the usability aspect of that. If I'm trying to log into a Google Chrome on Windows, an app that's running there, and all I have is an iPhone, can I really come up with a better way that's just not scanning a QR code? Is there a way to make those things work together?

Reece

Yeah, that's a good point. And, you know, most people tend to get locked into ecosystems, right? I have my Apple Watch, my iPad, my Mac, and my iPhone, but I think there are also people out there, especially technologists, they have different devices running on different operating systems. And, you know, a lot of people will work from a PC but have an iPhone. And I see that, you know, having some complexity be introduced.

Maybe those big three providers will find a way to play nice with each other. I doubt it, that just seems fundamentally un-American to me. And kind of like what you were saying earlier like it seems to be very much a thing for consumers logging into applications to help them live their lives. But in a work context, I just feel like password management is so much harder and more unideal because it has to be stricter.

You have to protect your Cloud apps and resources, you have to make sure that the right person is getting to the right thing from the right device, blah, blah, blah. And I just don't really see this announcement of passkeys, ALA, Google, and Apple, doing much to solve that. And I feel like if we're really going to lead a revolution, it has to be comprehensive, it has to be every second of your life. Not just when you get off of work and you order some food off of Seamless to your tiny New York apartment.

I'm not saying you have a tiny apartment Nelson, I'm just being like, creating a narrative here. And I feel like, you know, not to brag, but I feel like that's something we're working towards at Beyond Identity. We're thinking about people in all aspects of life. We're thinking about developers too, and just trying to get rid of that terrible password experience.

We're definitely gonna use the word passkey to describe what we're doing and, you know, how do you see us fitting into this larger narrative? It's so easy to focus on those big three providers, but, you know, I think that we're doing something important that's being neglected. And as somebody who's building for us, how does that make you feel at this point in history? I'd be proud.

Nelson

Yeah. But I kind of love the focus that this announcement and the whole passkey thing is bringing into just authentication using different primitives. I think shared secrets are clearly not the way to do authentication anymore.

Reece

No way.

Nelson

And if you have interest in communities that are building towards authentication with different primitives, like public-private key pairs, then that's just going to spill into every aspect of not only consumer experience, but also enterprise, so that's really good. But hopefully, we get to a place where we're not locked into huge silos, and then our credentials are non-movable. Not because it's technically impossible to do, but because someone decided that we're just gonna build for our thing and not that anybody else use it. That will be a sad place to be.

Reece

Yeah. At that point, it's kind of like, "Well, what's the point of this revolution if it doesn't touch every aspect of my life and make that easier?" Yeah.

Nelson

Hopefully someone builds enterprise great passkeys, and consumer great passkeys, and make sure they provide an experience that it's focused on user experience, it uses those cryptographic identities, but the custody of the credential is on your devices no matter which device that is.

Reece

Yeah. That's like real ownership and it takes the whole idea of a digital wallet to the next level. You know, like FIDO has existed for a while. Why do you think it took this long? I mean, if I worked at FIDO, I'd be feeling pretty validated right now. But it just kind of, maybe it's because we're working in this space, it befuddles me that others haven't caught on or thought about this, and, yay, it's good to see the brands that everybody knows and loves doing it, but like, are you surprised by how long it took to get here? Because I am. These standards have been around for a long time.

Nelson

Yeah. But standards take a long time for people to pay attention I think. It's been what, seven, eight years since FIDO has been doing WebAuthn, and first U2A, and then became WebAuthn and CTAP, and three or four years since WebAuthn and CTAP have been full-blown standards. I think it's a matter of people paying attention, and companies like these getting behind it and showing with their marketing, and their support on browsers, and application SDKs, that you can use them. So it's a fun time to be in authentication I think.

Reece

It is. I feel like I'm at the gold rush. So, you know, it's taken a while for those to get adopted. Do you think there's a lag now? You know, these companies have gone out with a big marketing splash. Okay, we're gonna do this thing. What's your timeline in terms of people actually using this technology? Because I had expected, "Oh great, the announcement was made, where's the little popup on my iPhone that's gonna let me start using this?" And it's not there. And I know that was mentioned at the Worldwide Developer Conference. So, of course, there'd be a lag, but how long do you think the lags gonna be exactly?

Nelson

I think early adopter developers did, the kind of folks that watched WWDC and Google I/O. Those people are going to start playing with it immediately. Is so interesting. And then I think it's gonna be a couple years before he makes it into consumer apps, just because it has to go through the normal cycle of adoption and product, understanding what it is, and how to use it, and what the benefits are. And it's gonna be I think a couple of years, but hopefully, in those two years, that the technology matures enough, that you're not forced to just build for each platform and you have someone that can give you a better way to cover everything.

Reece

I wonder who that would be. I feel like the name starts with Beyond...

Nelson

Hint, hint.

Reece

Who? Okay. So let's close out this episode with a fun game. Pretend that you have to come up with a name for passkeys, but you can't say passkey. So I'll come up with mine. Wallet key, what's your name for it, Nelson?

Nelson

Oh, man, putting me on the spot. What about Digital key? It's very creative.

Reece

Oh, no. Digi key.

Nelson

Digi key.

Reece

Oh, wait. That sounds a lot like UB key, but it's cute. It's, oh, it's a little Digi key. Okay, Nelson, you know, I better watch out, you might steal my job in marketing. I think you've gotta bright future there.

Nelson

No way.

Reece

Well, thanks for your perspective on all things passkeys. It's an exciting time for us and everybody else I think. And I'm looking forward to seeing what the future holds. So if you guys liked this episode, let us know in the comments, like, and subscribe, or if you hated it, please let us know, too. Thanks everybody.

Book

"Passkey" is Great Branding

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Download the book

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.