Join Robert MacDonald and Javed S. for IBA Friday!

In this episode, they will be joined by 1Kosmos’ Co-Founder and CSO, Michael Engle, to discuss the expanded support of the FIDO Alliance standard and what this means for the future of passwordless.

IBA Friday 5/20/2022 from 1Kosmos on Vimeo.

Video Transcript
Robert MacDonald: Yeah. Yeah. It's crazy. Let me turn on focus for an hour. So you guys got any plans for your long weekend?

Javed Shah: Nothing much.

Mike Engle: Yeah. No, I do. Have you ever seen the movie Dexter, the series?

Robert MacDonald: Yes.

Mike Engle: I'm just kidding. That's just supposed to be ...

Robert MacDonald: So I think we might be live, so you might not want to finish that sentence.

Mike Engle: No, no, just kidding. I was thinking about using that on ...

Robert MacDonald: Yeah.

Mike Engle: No, just it's supposed to be hot here in New Jersey in the 90s, so I'm going to try to find some water. We'll see how that goes.

Robert MacDonald: Fair enough. Let me see if we are-

Javed Shah: You are live, Robert.

Robert MacDonald: I think we're live. It says custom livestreaming service live. Let me ask Maureen, like we always do. We're live. Yes, we are live. Hi, everybody. The usual ramblings here of trying to figure out whether or not we're live. Welcome to another IBA Friday. I'm here with my buddy Javed. Javed, how are you?

Javed Shah: I'm good. How are you all? Hey, Robert. Hey, Mike.

Robert MacDonald: Yeah, we've got a special guest today. So we've got Mike Engle. Mike, tell us who you are and what you do here.

Mike Engle: Yeah, so I'm Mike from New Jersey, co-founder here at 1Kosmos. Official title is Chief Strategy Officer, which means I do whatever it is that's not being done at the time, but focusing on our go-to market strategy and all that stuff. And super excited to be here with or without an IPA.

Robert MacDonald: Yeah. So this is your first IPA IBA Friday. It's usually just Javed and I rambling on about things, but today we're going to be a little bit more structured because we've got the co-founder. We've got to be on our best behavior.

Javed Shah: I'm nervous. If you notice, it makes me sweat.

Robert MacDonald: Exactly. I know, right? We got a pressure. It'll be good. So what we wanted to talk about today was the FIDO2 announcement that happened back on Password Day, May 5th. I don't understand why we're celebrating passwords, but whatever. So on that day, Apple, Google, Microsoft announced that they've committed to supporting a passwordless sign-in across mobile, desktop and browser platforms over the next coming year or two. So to you, Mike, being you're kind of an expert in this area, I know it's kind of a loaded question, but what does that mean specifically?

Mike Engle: Yeah. Well, first of all, putting out Password Day on May 5th is completely wrong. It's Cinco de Mayo, right? And now I don't know whether to go get a margarita or try to go passwordless.

Robert MacDonald: That's true.

Mike Engle: It's not right. They could have done ... May the fourth is taken, right? May the fourth.

Robert MacDonald: That's right.

Mike Engle: I guess they're out of days.

Robert MacDonald: Yeah, maybe. Maybe.

Mike Engle: But I think stepping back, some people haven't heard of FIDO besides the name for common dogs. What it stands for is Fast Identity Online. It's a nonprofit that was formed in the early 2010s, I believe 2013. A bunch of tech companies came together to figure out how to get rid of passwords. So it stands for Fast Identity Online, and if you have usernames and passwords involved, that's one of the key tenets of our company is that means you don't have identity. So it's very near and dear to us. The goal of FIDO is to get rid of passwords, and it's been evolving over the past, going on 10 years, and it's starting to get popular.

And the challenge with FIDO has always been, you set it up in one place, but then you can't go use it somewhere else. So this announcement on Cinco de Mayo was that now, soon, it's in process, but you'll be able to use your FIDO in multiple places after you set it up one time. So that's very exciting. Imagine walking up to any website and logging in without a password because you set it up three weeks ago, anywhere.

Robert MacDonald: Interesting. So I mean, the way we kind of do that, or the way they're kind of handling that, not kind of, the way they're doing a passwordless, even though they're using passwords for users not to remember, is that you can either store them in the browser or you could use maybe a password manager or something like that. But what this is doing is something completely different. So you're going to be able to use a device or something on your laptop or system to be able to authenticate. Do you have maybe an example of what that looks like?

Mike Engle: Yeah, all the above. So if there's a password involved, and that's password managers, and I love password managers. I have over 1,200 passwords in my password vault. So I counted them the other day because I exported them and just wanted to verify they're all there. They're great because now you have at least a master level of security, but there's still a password under the hood.

What FIDO does is uses public private key cryptography instead of a password. So it creates a secret and gives you a safe way to secure that secret that is not susceptible to somebody getting or man in the middling or intercepting. So yeah, now you can set up a secret on your local machine and I can show you what that looks like here out in the wild on a website and not have a username and password at all. So imagine if there just wasn't one, then it would be easier for you and harder for the bad guys.

Robert MacDonald: Fair enough. So just quick question, when you downloaded those 1,200 passwords, when they're all the same, does it matter?

Mike Engle: Oh, yeah. Yeah. So the [inaudible 00:06:00].

Robert MacDonald: You use the same one over and over again. You know it, I know it.

Javed Shah: Thanks, Robert.

Mike Engle: It's human nature, right? And just putting a one, two, three, four at the end when they make a change.

Javed Shah: Yeah. Question is why was it thinking about passwords on Cinco de Mayo?

Robert MacDonald: Yeah, that's a good point. That's a good point.

Javed Shah: Be alone. I'm just kidding.

Robert MacDonald: Exactly. All right, so I think you had an example. Do you want to share your screen or something to show us how it works?

Mike Engle: Yeah. Yeah. So I pulled this up. One of my favorite first adopters of FIDO passwordless is eBay. Anybody who has an eBay account, I think anybody can log in and do this. So what happened here is I just authenticated into eBay using my username password. And so maybe a 2FA was enabled and it pops up and says, would you like to go passwordless? This is a FIDO presentation or their implementation of FIDO.

When you say yes, it's reaching out to your local device, iPhone, Android, Windows, Mac are the main ones and saying, I'd like to use your biometrics. So you'll see here, check this out. Here is my Windows Hello popping up. You don't normally see this when you log into your average website. So it's setting up a secret now between eBay and this local machine that can't be intercepted by somebody. The next time I come to eBay, I simply just click sign in with my fingerprint and I'm in. That's a really cool experience. You could see why that could get mass adoption if it were done right.

Robert MacDonald: Yeah, absolutely. Absolutely. So that to me, Javed, sounds familiar.

Javed Shah: Yeah.

Robert MacDonald: Have we not been doing that for a while, guys? Tell me a little bit about, it sounds like that's kind of what we've been doing for the last three plus four years.

Javed Shah: Yeah, absolutely. Our focus has been interoperability for such a long time. So FIDO is just one of the things to associate to go passwordless. But I guess this whole idea, since this is an IBA is to inject identity into the mix, right? FIDO is never an identity spec by any sort, but I guess our push has always been it's, you are the same person everywhere, but is your experience still, is it a compatible experience across platforms, devices, security keys, platform authenticators, my goodness, biometrics. So that's the journey of as a background, right, Mike?

Mike Engle: That's right. Yeah. What's missing from this process is a strong identity under the hood, and that is one thing we make very easy for organizations to do with their users. And the FIDO Alliance is working on that too. So we're working with them to help in those identity based authentication aspects as well.

Robert MacDonald: So at the end of the day, what it looks like is where the market is going is kind of where we've already been pioneering, although we're going to inject identity and things like that. But at the end of the day, it sounds like passwords are finally coming to an end. No?

Mike Engle: Yes, by next May 5th on the next Cinco de Mayo that's it. No more passwords.

Robert MacDonald: No more password days? In the beginning-

Javed Shah: The beginning of the end, Robert. The beginning of the end.

Robert MacDonald: Password. Remembrance Day or Password-

Mike Engle: Memorial, yeah.

Robert MacDonald: You can say memorial. I don't know.

Mike Engle: Burial. Yeah.

Javed Shah: Don't do that.

Robert MacDonald: That's funny.

Javed Shah: You can't use passwords in acronyms anymore. You ought to remember those then.

Robert MacDonald: Yeah. Yeah, yeah. All right. Well, listen, that's great, Mike. I appreciate you coming in and just quickly talking about the FIDO announcement and how that works and what that looks like and what that means to users going forward. I mean, at the end of the day, while we've already been doing this, what this does is it kind of brings, I don't want to say credibility, but it builds an awareness in terms of what we've already kind of discovered or have been talking about over the last little bit and brings it to the masses to some degree. Right?

Javed Shah: Yeah. This-

Mike Engle: Yes.

Javed Shah: Part of the-

Mike Engle: Yeah. Please go on, Javed.

Javed Shah: This is fully rehearsed. Part of the conversation has to be the developer experience for this, Robert. Right? We keep talking about, hey, you can log into a website, you can touch ID, face ID and you're in, but developers want to bring that experience to their end users as well across different app platforms. The website is not the only property you'll ever go to access a service. Potentially you would be accessing that service from an app. So I think this is where the 1Kosmos push towards really, really wrapping a developer friendly journey around FIDO is really important as well, right? Exposing those APIs, initialize once, use any time and try out the end user journey before you even write one line of code. I think is worthy of mention the Devex side of things.

Robert MacDonald: That's right. Yeah, because we've talked about Devex a couple times now.

Mike Engle: You're going to make me do it, aren't you? You're going to make me?

Javed Shah: Yes, yes. That's the point.

Mike Engle: So yeah, what Javed's team has done is really amazing is they make FIDO super easy for a developer to implement on any website. And so you see here, it's as simple as a demonstration right here out in the wild is register a FIDO device and then use it just like you saw me doing in production on eBay. And under the hood, all the developer stuff is there for people to consume. And because a FIDO server, I don't know a whole lot of details about the underlying how you make a server. I know the mechanics and the cryptography, but is not that easy, so we make it really easy. Is that a fair statement, Javed?

Javed Shah: Yeah, absolutely. And right over here, this is a demo trial ready experience. You could literally provide a username, whatever, J Doe, set up a platform authenticator. If you're hooked up, if this is from a laptop, which does offer some sort of a touch ID interface, you can register live right here. And the address bar there gives you our in production demo site, which you can, any viewer can go do that right now. Once you're registered, you can enter the same username to trial that end-to-end flow literally right from this page. Right? And the idea is that all of the documentation attached to the Devex portal that we have describes to you what APIs you need, how do you initialize them, and just take you through the whole journey. It's pretty cool.

Robert MacDonald: Awesome. And that's at, right?

Mike Engle: That's right.

Robert MacDonald: Perfect. All right, guys, that's another IBA Friday. Mike, thank you for coming.

Javed Shah: Thanks, Mike.

Robert MacDonald: This is your first, it certainly won't be your last, I promise you that.

Mike Engle: All right.

Robert MacDonald: We appreciate you coming and taking the time with us today, and we'll talk to you again soon. Have a good day.

Mike Engle: Thanks everybody.

Robert MacDonald: Have a great weekend everybody, and enjoy those IPAs.

Mike Engle: You too.

Javed Shah: Take care. See you next week. Bye. We're back.