About Passkey


Ready for a passwordless life? Tom explains how Passkey will get us there and why it’s coming sooner than you think and later than you’d like.

Featuring Tom Merritt.

About the FIDO Alliance.
About Public Key Cryptography.


A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit


Episode transcript:

I just figured out passwords and now they’re switching to passkeys!
And supposedly you just tap a thing on your phone and you’re in?
How is that even secure?
Confused? Don’t be.
Let’s help you know a little more about passkeys.

Passkeys are the hope for our passwordless future. They’re based on FIDO 2 from the FIDO Alliance.
FIDO stands for Fast Identity Online and the alliance includes Amazon, Apple, Google, Meta, Microsoft, Samsung, Intel, Qualcomm, PayPal, Wells Fargo, US Bank, Visa, 1Password, LastPass, RSA. The list is rather long but I think that gives you the flavor. It’s big tech companies, security providers, chip makers and banks.
The FIDO alliance develops FIDO 2 as an open standard in cooperation with the World Wide Web Consortium or W3C.
I did an entire episode on FIDO 2, which aims to increase authentication security, but here’s the short version. FIDO 2 gives you single multi factor, meaning it doesn’t require a password. FIDO 2 is probably most familiar to folks in corporate enterprises that use things like Yubico’s Yubikeys. They’re the little USB dongles you insert or tap to provide a second factor.
Many of you may NOT be familiar with those and that’s the reason FIDO 2 hasn’t spread faster. As much as it would be great if everyone bought something like a Yubikey, most people just aren’t going to do that. And until you get most people to do it, sites aren’t going to want to pay developers to redo their authentication system.
That’s why you see it in corporations, right? The company CISO just makes everybody use the Yubikey to log in. The devs have to implement it because every employee in the company is going to use it. Also because the CISO told them to do it.
In the wider world you need a diverse array of websites and device manufacturers to support it AND a bunch of consumers who adopt it. And consumers won’t adopt something unless it’s easy.
So we’ve been in this holding pattern for a while, waiting for adoption by devs who are waiting for adoption by consumers who are waiting for easy implementation which requires adoption by devs and now I’m dizzy.
But passkey seems about to get us off this merry-go-round. Because passkey is designed to be easy while also being secure.
Passkey is an implementation of FIDO 2, but instead of making you get another thing, like a USB key, it uses the devices you already have. They sort of turn your device into the yubikey.
Here’s how creating a passkey works.
Let’s say you have an iPhone and you’re using Chrome. You go to a website, let’s say passkeys.io. It probably will ask you for an email address. The email address is not necessary for passkey to work. So you can go ahead and give it a fake one or a spam one if you want. However the email address is likely going to be used for account recovery in case you lose the phone that has all your passkeys. So you might want to use a working email address.
After you enter the email address, you press “Set up passkey.” It then prompts you to use whatever you use to protect your device’s overall security. It could be FaceID, could be a fingerprint scanner. Maybe it’s a nice complex PIN. Let’s say it’s a fingerprint scan. Press your finger on the fingerprint scanner on your device and you’re in. That’s it. You just created a secure account.
Yep! WAY easier than entering a password twice, oh you don’t have enough characters, oh you didn’t use special characters. None of that. No adding it to the password manager. Email address. Create passkey. Fingerprint scan. Done. In the background your OS has stored the passkey securely and may be syncing it with other devices.
And you gave precious little to the company you created the passkey for! It knows whatever email you gave them and has created a token to match with your passkey in the future. It has NOT stored your passkey. An attacker cannot steal your password from the company because the company doesn’t have it.
The next time you go back to sign in on that same iPhone, you’ll just choose “Sign in with passkey,” swipe your fingerprint and you’ll be signed in.
But ah you say. What if I want to sign in on my Windows machine using the Edge browser?
Go to passkeys.io on Edge and select sign in with passkeys. Your passkey isn’t on that device so it gives you the option of using a QR code. Scan the QR code with your phone and the synced passkey tells the website that it’s you and logs you in on the Edge browser.
In the future once support is fully implemented it will get easier. Bluetooth LE from Windows can directly notify your iOS or Android phone of the login request through an encrypted tunnel. You see that notification on your phone. So you pick up your phone and unlock it.
OK so what happens if you lose your phone? One hedge against that is if you have multiple devices. You can store your passkeys on a laptop and a phone. Apple, Microsoft and Google provide end-to-end encrypted syncing of passkeys across devices. But there’s also good old account recovery by email which is why you want to give a working email along with your password. Right now account recovery is so much more secure than passwords that some sites only log you in by sending you an email. Keeping your email account secure is quite important of course and will continue to be so. And it will be important to have multiple ways to securely log in to your email. So you’ll want passkeys on more than one device.
In a world of passkeys you’ll need multiple ways of getting to your email of course, but also your device security becomes paramount. Unlocking a laptop or phone will serve the same step as entering a password used to. This will take some education for people who use insecure passwords on their devices. However, to steal passkeys will still require physical access which is much more secure than passwords are now. Still, best practice is to make sure you have a sufficiently complex PIN backing up face or fingerprint.
Is this really more secure? The full details are in our episode on FIDO 2 but think of it this way.
Right now, you might try to be secure by using a password manager to create a long complex password and store it in an encrypted vault. You then use another long complex password to unlock the vault and access the password for a website and enter it there. Then if you are using MFA you open an app generating codes and type a code in separately. Every one of those steps is phishable. Somebody could be tricking you into entering the password or the MFA code into the wrong box at the wrong time. It can happen to the most careful among us.
With Passkey, unlocking your device replaces unlocking your password manager. Except the password is an encrypted key much more complex than any your password generator would generate, and is automatically sent directly to the site requesting it. That site combines it with its token to validate it’s the right account and authenticate you. (See our episode on Public Key Cryptography to understand how this works securely)
Since during that process, you didn’t have to type anything anywhere there’s no chance it gets typed into the wrong place. Since only the site you’re trying to log into can make use of that key, there’s no risk of sending your passkey to the wrong location. To intercept the key and try to use it to pretend to be someone would require breaking some incredibly strong encryption. And there is no password stored by the site! So there is no password database to breach.
So where can you use passkeys?
Many browsers support it including Chrome on ChromeOS, Windows and macOS, Microsoft Edge on Windows and macOS and Safari on macOS.
Apple started supporting passkeys in iOS 16, iPadOS 16 and macOS Ventura.
Google supports passkeys in Android as of October 2022 and ChromeOS in beta with full support in 2023.
Windows will support passkey in 2023.
Passkeys are supported by PayPal, eBay, WordPress and a growing list of websites.
And here’s where a lot of folks see downside. In pursuit of the mass market of consumers passkey does leave folks out. If you’re on Linux you can use FIDO 2 like a Yubikey but you may not be able to use passkey without also using a Mac, iOS, Android or Windows device.
That may make you upset and I get it. Passkey is meant to be the mass market version of FIDO 2 so it runs on the mass market platforms. Thankfully FIDO 2 is an open standard so passkey can be extended to other platforms, it’s just going to take someone doing the work.
But remember that even if you’re using the mass market platforms the keys are always stored locally. Their cloud services are used for sync not storage and are end-to-end encrypted. That may or may not make you feel better but it’s not as egregious as managing the keys for you.
So can we ditch passwords? Not yet.
By the end of 2023 all the operating systems will fully support it along with the major browsers and more websites will as well. At that point users will need to update their operating systems and start learning what passkey is and decide if they trust it. But we’re close. Within a couple of years we should start seeing passkeys become common and passwords less so.
In other words, I hope you know a little more about passkey.

Resetting AI Models and Our Expectations – DTNS 4406

We look at all the work still being done with OpenAI’s GPT-3 large language learning model including its spin-offs. And we compare streaming video to all the alternatives and share what could be the best options for you if you want to cut-the-cord and what you should expect.

Starring Tom Merritt, Sarah Lane, Justin Robert Young, Roger Chang, Joe


If you are willing to support the show or to give as little as 10 cents a day on Patreon, Thank you!


Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods Jack_Shid and KAPT_Kipper on the subreddit



Disney Helps You Age – NTX 262

Rappi makes deliveries easier for small businesses, Google will support the International Fact-Checking Network, and Disney works on facial aging.


News:

-Google released the Glass Enterprise Companion app on its Play Store
-Rappi added a “quick commerce” feature in Mexico, which lets small and medium-sized stores offer their products on the platform and deliver in under 15 minutes
-LastPass disclosed that an unauthorized user was able to access a third-party cloud storage service and, through it, gain access to “elements of its customers’ information”
-YouTube and Google announced the creation of a 13.2 million dollar fund for the International Fact-Checking Network, which aims to support 135 fact-checking organizations operating in 65 countries.
-Disney researchers published a paper titled “Production-Ready Face Re-Aging for Visual Effects” detailing their new Face Re-Aging Network, or FRAN, a neural network that automates the process of digitally changing an actor’s age. Disney says it is a “practical, fully automatic and production-ready method.”

Analysis: Aging with artificial intelligence

You can support Noticias de Tecnología Express directly at this link.
Thanks to everyone who supports us. Without you, none of this would be possible.
Many thanks to Dan Lueders for the music.


Disney Details Automatic Re-Aging Tech – DTH

Disney details FRAN for production-ready automatic re-aging, LastPass discloses another data breach, and Twitch releases Shield Mode.


You can get an ad-free feed of Daily Tech Headlines for $3 a month here.


Big thanks to Dan Lueders for the theme music.

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, KAPT_Kipper, and PJReese on the subreddit


You Don’t Need to Be Big, Like Twitter, to Survive – DTNS 4405

We check out the reviews for the Amazon Scribe and Sarah compares it to her experience with the Remarkable2. Plus trade nerd and DTNS listener, James Thatcher, gives us the details on what’s keeping solar panels and other electronic goods from China delayed at US ports. And Elon’s recent moves at Twitter have people reconsidering their social media options.

Starring Tom Merritt, Sarah Lane, Scott Johnson, James Thatcher, Roger Chang, Joe.



Do You Want Alexa to Tell You a Story? – NTX 261

Alexa will make up stories for you, Disney acquires BAMTech, and the Smash World Tour 2023 is canceled.


News:
-Coinbase announced that it will stop supporting several cryptocurrencies in its Wallet app starting January 23, 2023.
-Disney revealed that it now owns 100% of BAMTech, buying out Major League Baseball’s stake by paying $900 million for its share.
-The organizers of the Smash World Tour video game tournament for Nintendo’s Super Smash Brothers announced the cancellation of the championship and of the tour planned for 2023, at Nintendo’s request.
-Twitter updated the COVID-19 section of its transparency pages to state that “effective November 23, 2022, Twitter is no longer enforcing the COVID-19 misleading information policy.”
-In the United States, Amazon launched a new “Create with Alexa” feature for its Echo Show devices.

Analysis: Delegating creativity to AIs


Twenty-Five Twenty-One (104) – It’s Spoilerin’ Time 433

Next week: The White Lotus (206), Rick and Morty (609), Twenty-Five Twenty-One (105)

Email the show at [email protected]
Subscribe, get expanded show notes, and past episodes at Cordkillers.com

Support Cordkillers at Patreon.com/Cordkillers. If we get to 1850 patrons or $1850/episode, we can begin the Spoilerin’ Project and give you show-based Spoilerin’ Time feeds. Find out more and pledge here.


Rick and Morty (608) – It’s Spoilerin’ Time 433


The White Lotus (205) – It’s Spoilerin’ Time 433


Yahoo Plans To Make Yahoo Finance a Retail Trading Platform – DTH

Yahoo plans to make Yahoo Finance a retail trading platform, Amazon’s “Create With Alexa” feature brings Mad Libs to AI, and Apple diversifies its supply chain.
