Join us for our latest IBA Friday session! In this episode, we are joined by Mike Engle, 1Kosmos CSO, to discuss passkeys.

Video Transcript
Robert MacDonald: All right. Hello everybody. It's Rob. Welcome to our IBA Friday this, what's the date today, this Friday, the 18th of August. It's hard to believe this summer is almost over. I am flying a little bit solo today. My buddy Javid, unfortunately was unable to join us today, but it's okay. I got somebody even better to replace him. I got Mike Engel along for the ride today. Mike, how are you doing?

Mike Engle: Doing great. Doing great. Yeah, you're not solo. Let's do this thing.

Robert MacDonald: Yeah, exactly. So today everybody, we're going to talk about passkeys and I'm sure everybody has heard the word, everybody's heard the term. It's like the new buzzword in the security space. But what I wanted to do today is bring in Mike to kind of talk to us a little bit about what they are and where they're used and how people are using them and how they could be used, all that great stuff. So Mike, I'm going to put you on the spot. What are passkeys?

Mike Engle: Passkey what?

Robert MacDonald: Yeah, exactly, what? You're breaking up.

Mike Engle: Yeah, I got to go. Bye. Yeah, no, it is a very confusing topic. Everybody knows about FIDO and it's been around since 2013, all kinds of providers embracing it. But passkeys came out really guns blazing last year. And then what really gave it steam was the big tech giants. Apple, Google and Microsoft made all kinds of announcements. Passkeys, we got it, right? And that happened last year. And subsequently what the FIDO Alliance did, because there was so much traction around it, is they embraced the term passkey just to describe any FIDO passwordless credential. So we're going to get into the weeds on that because there's different types of passkeys now. So it used to be there was kind of the old FIDO way, and then there was this passkey thing, which is supposed to be letting it be more flexible that we'll talk about. So now passkey is any passwordless FIDO credential, and then the devil's in the details on the differences that we can get into here.

Robert MacDonald: Yeah, and we're going to try to touch on some of that today. So from a passkey perspective, now, I think you've kind of already alluded to this, but who can use them in any sense? I know it's a FIDO authenticator, so basically anybody can, but when they originally announced them, what was the target for who can use these things?

Mike Engle: Well, so FIDO keys really in the early days were targeted towards a very strong form of 2FA, really non-copyable phishing resistant. And then it became a passwordless experience. So username, password, FIDO became just FIDO, which is great. It's actually a multi-factor experience with kind of a single touch. So really anybody can use them. If you have a Bank of America account today, you can use the legacy form, username, password, FIDO key. But you're seeing more organizations in the consumer world start to try to embrace them. So for example, if you go to Home Depot or the Kayak travel website or eBay, it'll pop up and say, "Let's do this password list with FIDO."

So it's for any consumer. And it's also of course for any enterprise too, that wants to do it for their own people. It's just that you have different considerations for them.

Robert MacDonald: Okay. So I guess the big question is are they secure?

Mike Engle: They are. Yeah, they're very secure from a technology implementation perspective. So behind the scenes there's a private key. That private key goes somewhere in the user's possession. That's what makes it really secure. Without that, the key, the hash, the password is in a centralized server and that's where all our password problems from the past dozens of years have come from. So it's secure in that you're giving it to somebody and it's in their control. It's hard to get that away from a user and or phish it out from them, et cetera.

Robert MacDonald: Okay. And then so you've kind of talked a little bit about what they are. Give me a couple of use cases. I know you said that Kayak and Home Depot, and I think you said maybe Bank of America is using them. Give me some use cases in terms where organizations could stand these things up and authenticate users with them.

Mike Engle: So again, making sure we're on the right class of user. So the consumers, because we all have these consumer devices and these are very passkey friendly, and really I'll talk about the new capability of passkeys. It's something called... It's not roaming but synced, a synced passkey. So going back for years, I'm going to do a little bit of history, but passkey was bound to an individual device, or a FIDO key was bound to an individual device typically; an authenticator or your platform, your browser, your phone. And if you went to another device, you had to reregister, which means going back to your, you guessed it, username and password.

Robert MacDonald: That's right.

Mike Engle: And then setting up the password list there. So kind of defeated the purpose of portability. So then, this was the big announcement last year, now that private key can roam between your other devices. So imagine I'm on my Mac here, I got a Mac downstairs, I set it up here, I can use it down there. Usability goes through the roof. That's great. Now, as you know, in the enterprise password side, they want to really control the endpoint, the authentication, keys to the kingdom are one authentication away. They are not going to be comfortable, for the most part, with that key floating between different devices. So there's other considerations when we get into the enterprise side. It's still very usable and there's a whole working group instead of papers that came out about how to use FIDO in the enterprise that we can touch on here.

Robert MacDonald: So you said that these keys, they float. So I can store that key and then use it on another device. Now I've seen some password managers out there saying that, "Hey, we can store your FIDO key, your passkey, and then you can share it." So talk to me a little bit about that because I'm assuming that's not going to go over well on the enterprise side right now. Your wife or my spouse or your significant other, whatever, you want to share the login, you can do that, but that to me sounds like you're sharing passwords all of a sudden. No?

Mike Engle: It's sharing the authentication, yeah. So sometimes you may want to do that. It'd be nice to share your passkey to the Home Depot site with your wife so that she can not have to create her own account or call you up for the password. So that's a good use case. And so some of the controls on the enterprise side that you can do is restrict the number of devices that you can use. So you really want to have device attestation, what they call it a device bound passkey. So imagine if that key is limited to only working on your phone, or you're the only one with the YubiKey, now it's much harder, almost impossible for your wife to do that unless you hand her your phone and whatever. That's a whole different level of-

Robert MacDonald: It's a whole other animal. Yeah, exactly.

Mike Engle: So the synced passkey, great for consumer, and they're even saying it's great for enterprise when the alternative is a username password.

Robert MacDonald: True.

Mike Engle: So if I have my iPad, my iPhone, my two iPhones, whatever, and all those work, they're saying that that's still better than a username and password that can be guessed, coerced, whatever. And I kind of agree with that. But when you have username password 2FA, that's where it gets into how much do you want to trust the synced passkey. And then maybe you want to just use device bound passkeys and restrict it to one registration at a time.

Robert MacDonald: That makes sense. Okay, so we're running up on time. So looking at it from a 1Kosmos perspective, we do FIDO, we do lots of different FIDO authentications. How do we support these pass keys and what does that look like from our perspective, just for people listening in?

Mike Engle: Yeah, so when you put our FIDO solution in the mix, it becomes really easy for developers to just drop a couple lines of code into any application and we take care of the rest. So the way it's done most successfully in the consumer world is you authenticate the way you do today, Home Depot username, password, and you pop up a very nice warm, fuzzy, smiley face headed screen that says, "Would you like to go passwordless?" So we'll take care of that for you, detect if the browser can do it and do all these others, a lot of devil in the details for that to work right, and enable it. The next time they come to log in, it'll just say, "Hey, do your touch ID, face ID, windows alone. It's that easy.

So we take the heavy lifting of learning how to do this stuff, and on top of that, we provide those rules that you can implement depending on the risk of the application. So you don't have to build that stuff into downstream somewhere else.

And then the third big benefit is when you want that passkey to work across different applications at the same company, so mortgages, checking, private wealth, trading, a lot of times they have different usernames, passwords and all that stuff, you can have that passkey work across all those properties. So it's almost like you created your own single sign-in leveraging this new technology because our server is making it really easy for that stuff to float within your own organization.

Robert MacDonald: So you said FIDO, any type of FIDO authentication is a passkey. What are the different types of FIDO authentication or passkey authentications do we support here at 1Kosmos?

Mike Engle: Yeah, we support not only FIDO, of course FIDO is what's going to make passwordless go mainstream, but so if you want to enable your Apple passkey or your Google Android passkey or just a browser, we make that as any option that you can put into your configuration. So for example, to demonstrate, I can log in with the 1Kosmos app, which has amazing Zero Trust biometrics and Fort Knox. But then because I demo, I came in and said, "Let's add my Apple passkey as option two." If I lose my phone, all I need is any of my Apple devices to get into my 1Kosmos mail as an example. So we support all the, what they're called, platform authenticators. We support any type of FIDO authentication, like the YubiKeys and other types of devices.

Robert MacDonald: The Windows Hello touch sensor, the Mac touch sensor, all that kind of stuff.

Mike Engle: Yeah, exactly.

Robert MacDonald: Okay, cool. All right Mike, I appreciate you shedding some light on passkeys because it's been a pretty hot topic. You see people calling, organizations calling them all kinds of different things. There's enterprise passkeys, there's passkeys, I don't know, they're calling them all kinds of crazy things. But at the end of the day, I think you cleared up a lot of the confusion at least that I had around what they are and how they work and who supports them. So I appreciate it and we look forward to having you on again.

Mike Engle: Looking forward to it. Thank you.

Robert MacDonald: All right, have a good weekend. Thanks everybody. That's another IBA Friday, and we look forward to seeing you again in about two weeks or so. Talk to you again soon.