WEBVTT

00:00:00.000 --> 00:00:02.940
Welcome to the Deep Dive. If you're joining us

00:00:02.940 --> 00:00:05.740
right now, I want you to just take a second and

00:00:05.740 --> 00:00:08.560
think about something that, well, something that

00:00:08.560 --> 00:00:10.660
probably frustrates you on an almost daily basis.

00:00:11.000 --> 00:00:13.019
Oh, I think I know where this is going. You definitely

00:00:13.019 --> 00:00:15.419
do. So you're sitting at your computer, you know,

00:00:15.439 --> 00:00:17.280
you're staring at your phone, trying to log into

00:00:17.280 --> 00:00:19.500
an account you haven't used in like a few months.

00:00:19.620 --> 00:00:22.600
Right. You type in your go-to password. The

00:00:22.600 --> 00:00:26.339
screen shakes. Incorrect. Yep. You try the variation

00:00:26.339 --> 00:00:29.899
with the capital letter. Incorrect. You try the

00:00:29.899 --> 00:00:33.659
one where you swapped an A for an at symbol.

00:00:34.039 --> 00:00:36.280
Incorrect again. That's the worst feeling. It

00:00:36.280 --> 00:00:40.060
really is. And finally, you know, defeated. You

00:00:40.060 --> 00:00:42.579
click forgot password, only to be told that your

00:00:42.579 --> 00:00:44.960
new password cannot be the same as your old password.

00:00:45.200 --> 00:00:47.600
It's just exhausting, isn't it? It's infuriating.

00:00:47.640 --> 00:00:49.899
That feeling is literally called password fatigue.

00:00:50.140 --> 00:00:52.619
And if you feel it, you are definitely not alone.

00:00:53.280 --> 00:00:56.500
So today we are taking a deep dive into a really

00:00:56.500 --> 00:00:59.140
comprehensive Wikipedia article detailing the

00:00:59.140 --> 00:01:01.740
mechanics, the history, and the future of something

00:01:01.740 --> 00:01:04.579
called passwordless authentication. It's such

00:01:04.579 --> 00:01:07.609
an important topic right now. It really is. Our

00:01:07.609 --> 00:01:10.750
mission today is to explore this massive technological

00:01:10.750 --> 00:01:14.709
shift that is finally killing the password, uncover

00:01:14.709 --> 00:01:18.189
how the underlying magic actually works, and

00:01:18.189 --> 00:01:20.469
figure out what it all means for your daily digital

00:01:20.469 --> 00:01:23.230
life. And it is a profound shift. Honestly, it's

00:01:23.230 --> 00:01:26.049
about time. We've been relying on a string of

00:01:26.049 --> 00:01:28.349
memorized characters to protect our entire digital

00:01:28.349 --> 00:01:31.859
lives for decades now. Yeah. And the Wikipedia

00:01:31.859 --> 00:01:34.200
page we're looking at today paints a really clear

00:01:34.200 --> 00:01:36.939
picture of just how unsustainable that model

00:01:36.939 --> 00:01:39.159
has become. But more importantly, it outlines

00:01:39.159 --> 00:01:41.879
the actual mechanics of what comes next and what

00:01:41.879 --> 00:01:44.260
comes next is fundamentally different from anything

00:01:44.260 --> 00:01:46.239
we've used before. Right. And I want to kick

00:01:46.239 --> 00:01:48.480
things off by looking at the history here, because

00:01:48.480 --> 00:01:51.939
if you follow tech news at all, it feels like

00:01:51.939 --> 00:01:54.379
experts have been predicting the end of the password

00:01:54.379 --> 00:01:57.700
for my entire adult life. It's been a very long,

00:01:57.780 --> 00:02:00.349
very drawn-out death. It really has. I mean,

00:02:00.349 --> 00:02:03.049
if we look at the timeline, the notion that passwords

00:02:03.049 --> 00:02:05.489
should become obsolete has been circling in computer

00:02:05.489 --> 00:02:08.430
science since at least 2004. Wow. Two decades

00:02:08.430 --> 00:02:12.389
ago. Over two decades. Think about that. At the

00:02:12.389 --> 00:02:15.610
2004 RSA conference, which is this massive annual

00:02:15.610 --> 00:02:18.770
security gathering, Bill Gates famously predicted

00:02:18.770 --> 00:02:21.870
the demise of passwords. He stated very clearly

00:02:21.870 --> 00:02:23.770
that they just don't meet the challenge for anything

00:02:23.770 --> 00:02:25.830
you really want to secure. And he was completely

00:02:25.830 --> 00:02:29.439
right. But the tech world just kept making those

00:02:29.439 --> 00:02:31.879
same predictions year after year without much

00:02:31.879 --> 00:02:34.319
actually changing for the average person. Yeah,

00:02:34.360 --> 00:02:36.379
the follow through was definitely lacking. Exactly.

00:02:36.400 --> 00:02:40.360
Like in 2012, Matt Honan, a journalist at Wired,

00:02:40.479 --> 00:02:43.400
suffered this incredibly famous massive hacking

00:02:43.400 --> 00:02:45.979
incident. Oh, I remember that one. Right. Hackers

00:02:45.979 --> 00:02:47.860
basically daisy chained his accounts together

00:02:47.860 --> 00:02:50.360
and he subsequently wrote a piece declaring that

00:02:50.360 --> 00:02:52.539
the age of the password had come to an end. Which

00:02:52.539 --> 00:02:56.180
was a bold claim at the time. Very. In 2013,

00:02:56.360 --> 00:02:59.659
you had Google executives echoing the exact same

00:02:59.659 --> 00:03:02.439
sentiment. Heather Adkins, their manager of information

00:03:02.439 --> 00:03:04.740
security, said passwords were done at Google.

00:03:04.860 --> 00:03:08.780
Done. Just like that. Yeah. And Eric Grosse, the

00:03:08.780 --> 00:03:11.659
VP of security engineering there, stated that

00:03:11.659 --> 00:03:14.560
passwords and simple bearer tokens were no longer

00:03:14.560 --> 00:03:17.139
sufficient to keep users safe. It was like everyone

00:03:17.139 --> 00:03:19.099
agreed the ship was sinking, but we all just

00:03:19.099 --> 00:03:20.960
stayed on board anyway. There was definitely

00:03:20.960 --> 00:03:23.819
a consensus among security professionals, but

00:03:23.819 --> 00:03:26.000
putting it into practice was entirely different.

00:03:26.139 --> 00:03:28.379
People were so eager to declare the password

00:03:28.379 --> 00:03:30.740
dead that they sometimes got a bit ahead of themselves.

00:03:31.060 --> 00:03:33.300
They really underestimated the sheer momentum

00:03:33.300 --> 00:03:36.039
of legacy systems. Which brings up an absolutely

00:03:36.039 --> 00:03:38.819
hilarious story from the article, but one that

00:03:38.819 --> 00:03:41.960
serves as a huge cautionary tale. Oh, the WSJ

00:03:41.960 --> 00:03:45.659
guy. Yes. In 2014, Christopher Mims, writing

00:03:45.659 --> 00:03:47.719
in the Wall Street Journal, boldly proclaimed

00:03:47.719 --> 00:03:50.789
that the password was finally dying. He was predicting

00:03:50.789 --> 00:03:53.289
that device-based authentication was the immediate

00:03:53.289 --> 00:03:55.250
future. Which he was right about, eventually.

00:03:55.449 --> 00:03:58.090
Sure, eventually. But to prove his point, to

00:03:58.090 --> 00:04:00.069
really show his absolute confidence in the security

00:04:00.069 --> 00:04:02.689
of his mobile device, he purposefully published

00:04:02.689 --> 00:04:04.789
his own Twitter password for the whole world

00:04:04.789 --> 00:04:07.490
to see. Which, from a security standpoint, is

00:04:07.490 --> 00:04:09.710
always going to be an incredibly risky strategy,

00:04:09.889 --> 00:04:11.930
no matter what tech you have backing you up.

00:04:12.349 --> 00:04:15.629
Bold is one word for it. He wanted to prove that

00:04:15.629 --> 00:04:18.829
device based authentication, specifically the

00:04:18.829 --> 00:04:21.509
two step verification tied to his phone, would

00:04:21.509 --> 00:04:23.649
save him. And how did that work out for him?

00:04:23.750 --> 00:04:27.120
It completely backfired. By revealing his password

00:04:27.120 --> 00:04:29.720
to the public, hackers didn't necessarily get

00:04:29.720 --> 00:04:31.620
into his account right away, but they triggered

00:04:31.620 --> 00:04:35.079
endless authentication requests. Oh, no. The

00:04:35.079 --> 00:04:37.779
ensuing chaos and the constant barrage of text

00:04:37.779 --> 00:04:40.439
messages meant he was forced to change his actual

00:04:40.439 --> 00:04:42.500
physical cell phone number. I mean, you have

00:04:42.500 --> 00:04:44.620
to laugh, but that sounds like a nightmare. He

00:04:44.620 --> 00:04:46.920
literally had to publish a follow up commentary

00:04:46.920 --> 00:04:49.100
piece about what he learned from the disaster.

00:04:49.459 --> 00:04:52.620
It perfectly illustrates the gap between the

00:04:52.620 --> 00:04:55.769
theory of a passwordless future and the messy

00:04:55.769 --> 00:04:58.110
reality of trying to live in it too early. Even

00:04:58.110 --> 00:05:01.350
in 2014, Avivah Litan from Gartner was quoted

00:05:01.350 --> 00:05:03.610
saying that passwords were dead a few years ago.

00:05:03.730 --> 00:05:06.949
And now they're more than dead. But as Christopher

00:05:06.949 --> 00:05:09.509
Mims found out the hard way, pronouncing something

00:05:09.509 --> 00:05:12.009
dead does not magically build the infrastructure

00:05:12.009 --> 00:05:14.850
to replace it. Right. Which brings up the obvious

00:05:14.850 --> 00:05:17.680
question. If we've known passwords were a liability

00:05:17.680 --> 00:05:21.199
since 2004, what exactly was holding up that

00:05:21.199 --> 00:05:23.879
infrastructure? Why are you and I still using

00:05:23.879 --> 00:05:26.240
them today to log into our bank accounts? That

00:05:26.240 --> 00:05:28.839
is the million-dollar question. And there was

00:05:28.839 --> 00:05:31.579
actually a brilliant 2012 study by Bonneau and his

00:05:31.579 --> 00:05:34.139
colleagues that explains this delay perfectly.

00:05:34.399 --> 00:05:36.699
What did they find? They systematically compared

00:05:36.699 --> 00:05:39.720
web passwords to 35 competing authentication

00:05:39.720 --> 00:05:43.300
schemes. They evaluated all of them based on

00:05:43.300 --> 00:05:46.600
usability, security, and deployability. What's

00:05:46.600 --> 00:05:48.379
fascinating here is that their analysis showed

00:05:48.379 --> 00:05:50.399
most of these new schemes were actually better

00:05:50.399 --> 00:05:52.360
than passwords when it came to security. Makes

00:05:52.360 --> 00:05:54.100
sense. And some were even better on usability.

00:05:54.480 --> 00:05:57.639
But every single one of those 35 schemes was

00:05:57.639 --> 00:06:00.339
worse than passwords on deployability. Deployability.

00:06:00.519 --> 00:06:03.579
So basically, how easy it is for a company to

00:06:03.579 --> 00:06:06.579
actually roll it out to millions of users. Precisely.

00:06:06.800 --> 00:06:09.379
Think about those alternative schemes back then.

00:06:09.980 --> 00:06:12.699
Some involved carrying around grid cards. Oh,

00:06:12.759 --> 00:06:15.279
I hated those. Or plugging specific hardware

00:06:15.279 --> 00:06:19.240
tokens into USB ports. Or using early clunky

00:06:19.240 --> 00:06:22.459
biometric scanners. Imagine a massive international

00:06:22.459 --> 00:06:27.240
bank trying to mail physical USB tokens to 20

00:06:27.240 --> 00:06:29.279
million customers. Teaching them how to use them.

00:06:29.379 --> 00:06:31.399
And handling the customer service calls when

00:06:31.399 --> 00:06:33.990
they break. It's a logistical nightmare. Right.

00:06:34.069 --> 00:06:36.170
The sheer cost of retraining customer service

00:06:36.170 --> 00:06:38.610
reps, rebuilding mobile apps from scratch, mailing

00:06:38.610 --> 00:06:41.649
out physical devices, the marginal security benefit

00:06:41.649 --> 00:06:43.870
just wasn't worth the millions of dollars it

00:06:43.870 --> 00:06:46.310
would cost to do it. Exactly. The authors of

00:06:46.310 --> 00:06:48.290
the study concluded that these alternative methods

00:06:48.290 --> 00:06:51.509
only offered marginal gains over passwords. And

00:06:51.509 --> 00:06:53.550
those gains simply weren't enough to reach the

00:06:53.550 --> 00:06:56.370
necessary activation energy to overcome the massive

00:06:56.370 --> 00:06:58.769
transition costs. Activation energy. I like that.

00:06:59.100 --> 00:07:01.899
Yeah, it's incredibly expensive and complicated

00:07:01.899 --> 00:07:05.120
to change how the entire internet logs in. That

00:07:05.120 --> 00:07:07.439
lack of activation energy is the best explanation

00:07:07.439 --> 00:07:10.240
for why we've been waiting so long for the funeral

00:07:10.240 --> 00:07:12.980
procession for passwords. Okay, let's unpack

00:07:12.980 --> 00:07:15.560
this. What exactly is the technology that is

00:07:15.560 --> 00:07:18.379
finally providing that activation energy? What

00:07:18.379 --> 00:07:21.660
is passwordless authentication at its core? Because

00:07:21.660 --> 00:07:23.160
I think a lot of people just assume it means

00:07:23.160 --> 00:07:24.860
checking a box so your web browser remembers

00:07:24.860 --> 00:07:27.420
your password for you. It is completely different

00:07:27.420 --> 00:07:29.879
from a password manager or a saved browser state.

00:07:30.019 --> 00:07:32.759
Right. At its core, passwordless authentication

00:07:32.759 --> 00:07:36.959
is a method where a user logs into a system without

00:07:36.959 --> 00:07:40.120
entering or even having to remember any knowledge-

00:07:40.120 --> 00:07:42.860
based secret. There's no string of text to memorize.

00:07:43.019 --> 00:07:44.939
Not at all. None. Instead, the implementation

00:07:44.939 --> 00:07:47.439
asks you for a public identifier like your email

00:07:47.439 --> 00:07:49.319
address or your phone number. And then you complete

00:07:49.319 --> 00:07:52.420
the process by providing a secure proof of identity

00:07:52.420 --> 00:07:55.759
through a registered device or token. And the

00:07:55.759 --> 00:07:57.959
secret sauce making this possible is something

00:07:57.959 --> 00:08:00.560
called public key cryptography infrastructure.

00:08:02.160 --> 00:08:04.779
Now, I know the word cryptography sounds intimidating,

00:08:04.879 --> 00:08:06.939
but let's break it down into an easy analogy

00:08:06.939 --> 00:08:09.339
for you listening. Please do. Imagine you're

00:08:09.339 --> 00:08:11.980
moving into a new apartment building. You go

00:08:11.980 --> 00:08:14.779
to the front desk, and the building manager installs

00:08:14.779 --> 00:08:18.439
a very specific padlock on your door. That padlock

00:08:18.439 --> 00:08:21.300
is your public key. Okay. It lives out in the

00:08:21.300 --> 00:08:24.240
open on the remote server, the website, or the

00:08:24.240 --> 00:08:26.759
app you're trying to access. But the only thing

00:08:26.759 --> 00:08:29.040
in the universe that can forge the specific physical

00:08:29.040 --> 00:08:32.259
key to open that padlock is a unique keymaker

00:08:32.259 --> 00:08:34.899
machine that you keep locked safely inside your

00:08:34.899 --> 00:08:37.580
house. That keymaker is your private key. That

00:08:37.580 --> 00:08:39.559
is a great way to visualize it. And if we expand

00:08:39.559 --> 00:08:41.720
on that analogy, we can see exactly why this

00:08:41.720 --> 00:08:44.080
is so much safer than passwords. How so? Well,

00:08:44.100 --> 00:08:46.740
in a traditional password system, a version of

00:08:46.740 --> 00:08:49.039
your secret password has to live on the company's

00:08:49.039 --> 00:08:50.940
server so they can check it against what you

00:08:50.940 --> 00:08:52.840
type in. It's like the building manager keeping

00:08:52.840 --> 00:08:55.320
a giant box of exact copies of everyone's house

00:08:55.320 --> 00:08:57.940
keys. Wow. Yeah. If the manager's office gets

00:08:57.940 --> 00:09:01.139
robbed, the thief has the keys to every single

00:09:01.139 --> 00:09:04.559
apartment. The ultimate honeypot. Exactly. But

00:09:04.559 --> 00:09:07.539
in public key cryptography, the server only ever

00:09:07.539 --> 00:09:10.899
holds the public padlock. If a hacker breaches

00:09:10.899 --> 00:09:13.379
the server, all they get is a giant database

00:09:13.379 --> 00:09:16.379
of locked padlocks. They are totally useless

00:09:16.379 --> 00:09:19.440
without the private keymaker. And the keymaker,

00:09:19.600 --> 00:09:21.700
in our analogy, never leaves your personal device.

00:09:22.019 --> 00:09:24.580
Never. It stays securely buried in the hardware

00:09:24.580 --> 00:09:27.940
of your PC, your smartphone, or an external security

00:09:27.940 --> 00:09:30.779
token. Right. And the only way to fire up that

00:09:30.779 --> 00:09:33.299
private keymaker machine inside your device is

00:09:33.299 --> 00:09:36.409
to prove you are actually you locally. The article

00:09:36.409 --> 00:09:38.610
details how you access that private key using

00:09:38.610 --> 00:09:41.190
two main categories of factors. Right. The ownership

00:09:41.190 --> 00:09:43.389
and inheritance factors. Exactly. The first category

00:09:43.389 --> 00:09:45.470
is ownership factors. This is something you have.

00:09:45.529 --> 00:09:47.870
So your physical cell phone, a smart card or

00:09:47.870 --> 00:09:50.450
an OTP token. Which stands for one time password.

00:09:50.590 --> 00:09:52.789
Like those little key chain fobs that generate

00:09:52.789 --> 00:09:56.149
a new six digit code every 60 seconds. Right.

00:09:56.590 --> 00:09:58.809
And the second category is inheritance factors.

00:09:58.929 --> 00:10:00.409
This is something you are. We're talking about

00:10:00.409 --> 00:10:03.210
biometric identifiers, fingerprints, retinal

00:10:03.210 --> 00:10:06.169
scans, face recognition, or voice recognition.

00:10:06.549 --> 00:10:09.309
Some advanced designs even factor in your behavioral

00:10:09.309 --> 00:10:11.789
patterns. Really? Like what? Like your typing

00:10:11.789 --> 00:10:14.190
cadence, how you physically hold your phone,

00:10:14.289 --> 00:10:16.990
or your geolocation. The defining rule is simply

00:10:16.990 --> 00:10:19.450
that absolutely no memorized passwords are involved.

00:10:19.980 --> 00:10:21.919
Which brings up a really important distinction

00:10:21.919 --> 00:10:23.940
that I know trips people up, because when you

00:10:23.940 --> 00:10:27.559
hear things like a hardware token or a biometric

00:10:27.559 --> 00:10:30.879
scan, people immediately think of multifactor

00:10:30.879 --> 00:10:33.659
authentication or MFA. Oh, sure. You know, when

00:10:33.659 --> 00:10:35.860
you type in your password and then the bank texts

00:10:35.860 --> 00:10:39.159
you a six digit code. So if passwordless authentication

00:10:39.159 --> 00:10:42.360
relies on just one factor, like a face scan to

00:10:42.360 --> 00:10:44.820
speed things up, does that mean we're sacrificing

00:10:44.820 --> 00:10:47.120
the security we used to get from multi-factor

00:10:47.120 --> 00:10:49.700
authentication? Not necessarily. That is a very

00:10:49.700 --> 00:10:52.159
common confusion. Traditional multi-factor authentication

00:10:52.159 --> 00:10:54.779
is typically used as an added layer of security

00:10:54.779 --> 00:10:57.580
on top of a password. You use your memorized secret,

00:10:57.580 --> 00:11:00.879
and then you use a token. Passwordless authentication,

00:11:00.879 --> 00:11:04.460
by definition, removes that memorized secret entirely.

00:11:05.019 --> 00:11:08.059
Now, sometimes it does use just one highly secure

00:11:08.059 --> 00:11:10.919
factor like a biometric scan on your phone to

00:11:10.919 --> 00:11:13.000
authenticate your identity locally, which makes

00:11:13.000 --> 00:11:15.279
it much faster for the user. But there is a holy

00:11:15.279 --> 00:11:17.620
grail combination here, isn't there? Passwordless

00:11:17.620 --> 00:11:21.740
MFA. Yes. Passwordless MFA is when the flow requires

00:11:22.200 --> 00:11:24.700
absolutely zero memorized secrets, but still

00:11:24.700 --> 00:11:27.399
demands multiple non-knowledge factors. Can

00:11:27.399 --> 00:11:29.299
you give an example? Sure. For instance, requiring

00:11:29.299 --> 00:11:31.299
something you have like a hardware security key

00:11:31.299 --> 00:11:33.700
physically plugged into your computer port and

00:11:33.700 --> 00:11:35.960
something you are like a fingerprint scan on

00:11:35.960 --> 00:11:38.759
that same physical key. Ah, I see. When implemented

00:11:38.759 --> 00:11:41.840
correctly, that provides the highest possible

00:11:41.840 --> 00:11:44.700
level of security, completely circumventing the

00:11:44.700 --> 00:11:46.480
vulnerabilities of human memory. Here's where

00:11:46.480 --> 00:11:48.519
it gets really interesting. Let's put this into

00:11:48.519 --> 00:11:51.450
practice for the listener. Imagine you are setting

00:11:51.450 --> 00:11:54.029
up a brand new account today, entirely without

00:11:54.029 --> 00:11:56.590
a password. What is actually happening behind

00:11:56.590 --> 00:11:59.230
the scenes during that digital handshake? There

00:11:59.230 --> 00:12:01.669
are two phases to this playbook, registration

00:12:01.669 --> 00:12:05.950
and login. Walk us through phase one, the registration.

00:12:06.370 --> 00:12:08.730
Let's say you go to a new website and click register.

00:12:09.690 --> 00:12:12.090
You put in your email. The server immediately

00:12:12.090 --> 00:12:14.669
sends a registration request down to your device.

00:12:15.309 --> 00:12:17.350
Let's say it's your smartphone. Got it. When

00:12:17.350 --> 00:12:20.100
your phone receives that request, it sets up

00:12:20.100 --> 00:12:22.700
a method for authenticating you locally. It might

00:12:22.700 --> 00:12:25.259
prompt you to set up a fingerprint scan or a

00:12:25.259 --> 00:12:27.399
facial recognition profile right then and there.

00:12:27.539 --> 00:12:30.019
So your biometric data is staying securely on

00:12:30.019 --> 00:12:32.080
your phone, not going to the website's servers.

00:12:32.340 --> 00:12:34.340
Exactly. The website never sees your fingerprint.

00:12:34.580 --> 00:12:37.620
Once your phone knows it's you, the device generates

00:12:37.620 --> 00:12:39.700
that public-private key pair we talked about.

00:12:39.759 --> 00:12:42.100
The padlock and the keymaker. Right. Your phone

00:12:42.100 --> 00:12:44.500
then takes the public key, the padlock, and sends

00:12:44.500 --> 00:12:46.419
it up to the server for all future verification.

00:12:47.149 --> 00:12:49.370
The private key stays buried securely inside

00:12:49.370 --> 00:12:52.289
the hardware enclave of your phone. Registration

00:12:52.289 --> 00:12:55.250
is complete. No passwords created. Seamless.

00:12:56.710 --> 00:13:00.149
Okay, so phase two is the login. A week later,

00:13:00.210 --> 00:13:01.809
you come back to the site and want to get into

00:13:01.809 --> 00:13:03.940
your account. You type in your email address.

00:13:04.220 --> 00:13:07.179
Yep. The server sees your email, finds your public

00:13:07.179 --> 00:13:10.120
padlock in its database, and sends an authentication

00:13:10.120 --> 00:13:12.559
challenge down to your phone. Exactly. Essentially,

00:13:12.679 --> 00:13:14.860
the server is sending a complex math problem

00:13:14.860 --> 00:13:17.799
and saying, I have this padlock. Prove you have

00:13:17.799 --> 00:13:19.980
the key maker that fits it. And to prove it,

00:13:20.039 --> 00:13:22.340
you just look at your phone. The facial recognition

00:13:22.340 --> 00:13:26.080
scanner proves your identity locally. That successful

00:13:26.080 --> 00:13:29.340
scan unlocks your private key inside the device.

00:13:29.580 --> 00:13:31.759
And then? The device then takes that private

00:13:31.759 --> 00:13:35.220
key and uses it to solve the math problem, digitally

00:13:35.220 --> 00:13:37.240
signing a response to the server's challenge.

00:13:37.480 --> 00:13:40.740
It stamps the response with an unbreakable cryptographic

00:13:40.740 --> 00:13:43.320
seal of approval. Right. It sends that digitally

00:13:43.320 --> 00:13:45.840
signed response back to the server. The server

00:13:45.840 --> 00:13:48.059
uses the public key you gave it during registration

00:13:48.059 --> 00:13:51.600
to verify the digital signature. The math checks

00:13:51.600 --> 00:13:54.909
out. The signature is validated. And boom, access

00:13:54.909 --> 00:13:56.809
granted. And it all happens in milliseconds.

00:13:57.169 --> 00:13:59.429
It's incredibly fast. You just look at your phone

00:13:59.429 --> 00:14:02.409
and you are logged in. So why is this suddenly

00:14:02.409 --> 00:14:05.549
happening now? If that 2012 Bonneau study said we

00:14:05.549 --> 00:14:07.629
lacked the activation energy to make companies

00:14:07.629 --> 00:14:11.169
change, what shifted to suddenly spark this revolution?

00:14:11.690 --> 00:14:13.850
It was a convergence of massive technological

00:14:13.850 --> 00:14:17.049
advancements and cultural shifts. First, you

00:14:17.049 --> 00:14:18.769
have the proliferation of biometric devices.

00:14:19.110 --> 00:14:21.789
A decade ago, fingerprint scanners were expensive

00:14:21.789 --> 00:14:24.740
peripherals. Now they're standard. Today, almost

00:14:24.740 --> 00:14:27.120
everyone walks around with a high-definition

00:14:27.120 --> 00:14:29.419
fingerprint or facial scanner in their pocket

00:14:29.419 --> 00:14:33.059
via their smartphone. Second, business culture

00:14:33.059 --> 00:14:35.419
has shifted. People are used to biometrics now.

00:14:35.519 --> 00:14:37.600
True. And with the rise of decentralized remote

00:14:37.600 --> 00:14:40.120
workforces, companies desperately need better

00:14:40.120 --> 00:14:42.799
security than an employee sticking a Post-it

00:14:42.799 --> 00:14:44.700
note with their password on a home office monitor.

00:14:45.159 --> 00:14:47.639
The Wikipedia article also highlights open standards

00:14:47.639 --> 00:14:51.159
as a huge catalyst, things like FIDO2 and WebAuthn.

00:14:51.179 --> 00:14:52.919
Oh, absolutely crucial. And I want to make sure

00:14:52.919 --> 00:14:54.799
we define these because they are so important.

00:14:55.039 --> 00:14:57.980
FIDO stands for Fast Identity Online, and FIDO2

00:14:57.980 --> 00:15:01.200
is essentially an overarching architecture. WebAuthn

00:15:01.200 --> 00:15:04.730
is the specific web API. It basically means developers

00:15:04.730 --> 00:15:07.210
don't have to custom build a secure fingerprint

00:15:07.210 --> 00:15:09.450
scanning interface for every single website.

00:15:09.730 --> 00:15:13.190
They just call the WebAuthn API and your internet

00:15:13.190 --> 00:15:15.370
browser handles the heavy lifting with your operating

00:15:15.370 --> 00:15:18.470
system. Major players like Microsoft and Google

00:15:18.470 --> 00:15:21.110
are backing these universal blueprints. It is

00:15:21.110 --> 00:15:24.110
a total game changer. When the underlying operating

00:15:24.110 --> 00:15:26.450
systems and browsers natively support the protocols,

00:15:26.769 --> 00:15:29.509
that deployability hurdle from the 2012 study

00:15:29.509 --> 00:15:31.929
finally gets cleared. It provides the activation

00:15:31.929 --> 00:15:35.789
energy. Yes, Lee. For example, on June 24, 2020,

00:15:36.210 --> 00:15:38.870
Apple Safari announced that Face ID and Touch

00:15:38.870 --> 00:15:41.370
ID would be available as a WebAuthn platform

00:15:41.370 --> 00:15:44.149
authenticator. That was a massive domino falling.

00:15:44.289 --> 00:15:47.389
Huge. It meant millions of Apple users suddenly

00:15:47.389 --> 00:15:49.830
had the hardware and the software to go passwordless

00:15:49.830 --> 00:15:52.649
overnight. The activation energy was finally

00:15:52.649 --> 00:15:55.120
here. So what does this all mean? Obviously,

00:15:55.220 --> 00:15:57.019
for you, the listener, it means a much better

00:15:57.019 --> 00:15:59.759
user experience. No more password fatigue. No

00:15:59.759 --> 00:16:01.600
more arbitrary rules about needing a special

00:16:01.600 --> 00:16:03.759
character, a capital letter, and a number. No

00:16:03.759 --> 00:16:05.740
more mandatory password renewals every 90 days.

00:16:05.980 --> 00:16:07.860
Thank goodness. But for the companies we interact

00:16:07.860 --> 00:16:10.899
with, the benefits are astronomical, right? The

00:16:10.899 --> 00:16:13.379
benefits for organizations are staggering, primarily

00:16:13.379 --> 00:16:16.620
in two areas, security and operational cost.

00:16:17.419 --> 00:16:19.639
Passwords are universally acknowledged as the

00:16:19.639 --> 00:16:21.860
weak point in computer systems. Because we're

00:16:21.860 --> 00:16:24.139
terrible at making them. Right. Because people

00:16:24.139 --> 00:16:26.590
suffer from password fatigue. They reuse the

00:16:26.590 --> 00:16:28.990
same password across multiple sites. They share

00:16:28.990 --> 00:16:31.149
them with coworkers. They pick easily guessable

00:16:31.149 --> 00:16:35.190
words. Password 123. Exactly. This leads to massive

00:16:35.190 --> 00:16:37.490
security breaches through techniques like password

00:16:37.490 --> 00:16:40.330
cracking or spraying where attackers try common

00:16:40.330 --> 00:16:42.809
passwords across thousands of accounts at once.

00:16:43.330 --> 00:16:45.809
Removing the password removes the top attack

00:16:45.809 --> 00:16:49.409
vector entirely. And the IT costs. I can't even

00:16:49.409 --> 00:16:51.549
imagine how much money companies spend just helping

00:16:51.549 --> 00:16:53.809
employees reset forgotten passwords on a Monday

00:16:53.809 --> 00:16:57.100
morning. It is a massive drain. With passwordless,

00:16:57.200 --> 00:16:59.740
IT teams are no longer burdened by setting complex

00:16:59.740 --> 00:17:02.519
password policies, constantly monitoring the

00:17:02.519 --> 00:17:05.400
dark web for leaked credential databases, or

00:17:05.400 --> 00:17:08.079
running massive help desks dedicated entirely

00:17:08.079 --> 00:17:11.119
to reset requests. That's a huge savings. Plus,

00:17:11.119 --> 00:17:13.019
because the credentials are tied to a specific

00:17:13.019 --> 00:17:16.200
physical device or a biometric attribute, you

00:17:16.200 --> 00:17:18.240
get much better visibility of credential use.

00:17:18.440 --> 00:17:20.880
People can't just share a login massively with

00:17:20.880 --> 00:17:22.960
the whole department, which makes access management

00:17:22.960 --> 00:17:26.019
significantly tighter. OK, I have to play devil's

00:17:26.019 --> 00:17:28.420
advocate here. Go for it. This all sounds like

00:17:28.420 --> 00:17:32.779
a beautiful, frictionless tech utopia, but nothing

00:17:32.779 --> 00:17:35.920
is perfect. What is the catch? Because there

00:17:35.920 --> 00:17:38.119
has to be a drawback to ripping out the foundation

00:17:38.119 --> 00:17:40.579
of the Internet. If we connect this to the bigger

00:17:40.579 --> 00:17:43.720
picture, the transition is still incredibly challenging.

00:17:44.319 --> 00:17:47.180
The article explicitly points out operational

00:17:47.180 --> 00:17:51.000
and cost-related. Right. While it saves money

00:17:51.000 --> 00:17:53.119
in the long term, the initial implementation

00:17:53.119 --> 00:17:56.680
costs are a major hindering factor for many potential

00:17:56.680 --> 00:17:58.859
users right now. Yeah. You are talking about

00:17:58.859 --> 00:18:01.079
ripping out the foundation of an existing active

00:18:01.079 --> 00:18:03.819
directory or user database and replacing it.

00:18:03.900 --> 00:18:06.519
That sounds expensive. It is. Sometimes it requires

00:18:06.519 --> 00:18:08.819
deploying additional hardware to users who don't

00:18:08.819 --> 00:18:11.279
have modern smartphones, like those OTP tokens

00:18:11.279 --> 00:18:14.180
or specialized security keys, which costs a significant

00:18:14.180 --> 00:18:16.359
amount of money up front. And you have to train

00:18:16.359 --> 00:18:18.579
everyone. People have spent 20 years learning

00:18:18.579 --> 00:18:21.160
how to type in a password. Now you have to teach

00:18:21.160 --> 00:18:24.220
both the IT teams and the end users a completely

00:18:24.220 --> 00:18:28.099
new paradigm. Exactly. The expertise needed to

00:18:28.099 --> 00:18:30.859
manage a massive public key infrastructure is

00:18:30.859 --> 00:18:32.779
entirely different from managing traditional

00:18:32.779 --> 00:18:35.920
password databases. The adaptation curve for

00:18:35.920 --> 00:18:38.849
IT administrators is steep. And user education

00:18:38.849 --> 00:18:42.269
takes time and patience. But the scariest drawback

00:18:42.269 --> 00:18:44.809
for you and me, the everyday user, is what is

00:18:44.809 --> 00:18:46.849
referred to as the single point of failure. Yeah.

00:18:46.970 --> 00:18:50.250
Think about it. Your entire digital life is now

00:18:50.250 --> 00:18:52.829
inextricably tied to a physical device. Yeah.

00:18:52.910 --> 00:18:54.470
What happens if you're on a boat and you drop

00:18:54.470 --> 00:18:56.509
your phone in a lake? Or it gets stolen on the

00:18:56.509 --> 00:18:59.170
subway? Or you simply go to the store and upgrade

00:18:59.170 --> 00:19:01.549
to a new model? That's a real concern. If your

00:19:01.549 --> 00:19:03.829
phone holds all the private keys, you are suddenly

00:19:03.829 --> 00:19:05.609
locked out of your entire digital existence.

00:19:06.250 --> 00:19:08.349
It creates a very real logistical nightmare,

00:19:08.569 --> 00:19:11.529
particularly with implementations that rely heavily

00:19:11.529 --> 00:19:14.430
on one-time passwords or push notifications

00:19:14.430 --> 00:19:17.849
to specific cellular device applications. If

00:19:17.849 --> 00:19:20.410
that physical device is broken, lost, or replaced,

00:19:20.990 --> 00:19:23.349
re-establishing your secure identity without

00:19:23.349 --> 00:19:26.150
a fallback password can become a major headache.

00:19:26.369 --> 00:19:28.390
Because if you can easily bypass the device,

00:19:28.549 --> 00:19:30.910
then hackers can too, so the recovery process

00:19:30.910 --> 00:19:34.210
has to be difficult. Precisely. The user essentially

00:19:34.210 --> 00:19:37.279
loses the keymaker machine. Proving who they

00:19:37.279 --> 00:19:39.339
are from scratch might involve using physical

00:19:39.339 --> 00:19:41.000
recovery codes they were supposed to print out

00:19:41.000 --> 00:19:43.519
and hide in a drawer or undergoing a painstaking

00:19:43.519 --> 00:19:45.920
identity verification process with customer support.

00:19:46.099 --> 00:19:48.740
Sounds brutal. It is deliberately difficult by

00:19:48.740 --> 00:19:51.440
design to prevent account takeovers, but it is

00:19:51.440 --> 00:19:53.660
incredibly frustrating for the legitimate user.

00:19:53.859 --> 00:19:57.539
It is a huge shift in how we handle our own security.

00:19:57.740 --> 00:20:00.079
And that perfectly wraps up our journey today.

00:20:00.670 --> 00:20:02.710
We have looked at the long, stubborn history

00:20:02.710 --> 00:20:05.609
of the password, the sheer frustration and legacy

00:20:05.609 --> 00:20:08.150
infrastructure that kept it alive for so long,

00:20:08.329 --> 00:20:11.309
and the cryptographic magic, the public and private

00:20:11.309 --> 00:20:14.049
keys, the inheritance and ownership factors that

00:20:14.049 --> 00:20:16.349
are finally paving the way to a passwordless

00:20:16.349 --> 00:20:18.730
future. It's a whole new world. It really is.

00:20:18.890 --> 00:20:22.150
Thanks to open standards like FIDO2 and WebAuthn,

00:20:22.329 --> 00:20:25.990
we are, at long last, escaping the era of memorized

00:20:25.990 --> 00:20:28.769
secrets. This raises an important question, and

00:20:28.769 --> 00:20:31.019
it is something profound to consider as we make

00:20:31.019 --> 00:20:33.559
this transition. What's that? For decades, your

00:20:33.559 --> 00:20:36.259
digital identity was fundamentally based on something

00:20:36.259 --> 00:20:39.900
you knew in your mind, the secret code. But if

00:20:39.900 --> 00:20:42.460
our entire digital existence is now shifting

00:20:42.460 --> 00:20:44.299
to something we have like a physical smartphone

00:20:44.299 --> 00:20:46.819
or something we are like our literal physical

00:20:46.819 --> 00:20:49.759
biology, what happens when those physical things

00:20:49.759 --> 00:20:52.920
break, get lost, or fundamentally change? Yeah.

00:20:52.980 --> 00:20:55.140
In a passwordless world, you can't just close

00:20:55.140 --> 00:20:57.740
your eyes and dream up a new secret code. The

00:20:57.740 --> 00:21:00.220
concept of losing your keys has suddenly become

00:21:00.220 --> 00:21:02.660
a profoundly physical problem in a digital world.

00:21:02.819 --> 00:21:05.240
That is heavy. Something for you to think about

00:21:05.240 --> 00:21:07.240
the very next time your phone scans your face

00:21:07.240 --> 00:21:10.019
to let you read your email. Thank you for joining

00:21:10.019 --> 00:21:12.299
us on this deep dive. Keep questioning the tech

00:21:12.299 --> 00:21:14.299
you use every day, and we will catch you next

00:21:14.299 --> 00:21:14.660
time.
