Open Channels FM
Passkeys in WordPress: Why the Time Is Now

In this episode of Emerging Tech, host Kathy Zant chats with Timothy Jacobs, lead developer at SolidWP.

The show explores the benefits of passkeys, a newer authentication technology built on public key / private key cryptography that improves both security and user experience, and why passkeys need to become a bigger part of the WordPress ecosystem.

The strength of passkeys is the fact that they eliminate the need for passwords, which are often weak and susceptible to attacks. Instead, users authenticate themselves using biometric data like a fingerprint or face scan.

That biometric data stays on the user’s device and is never sent to the website, so there is nothing for an attacker to steal from the site.

Passkeys are also resistant to phishing attacks, as the browser ensures the user is on the correct URL before allowing authentication. The technology is already being used by major companies like Apple, Google, and Microsoft, and is available for WordPress sites through the Solid Security plugin.

Links

TimothyJacobs.com

SolidWP

Episode Transcript

Kathy Zant (00:00):
Timothy Jacobs, you’re here with me. I am so excited to see you.

Timothy Jacobs (00:04):
It’s great to see you too. Kathy, how are you? I’m doing awesome.

Kathy Zant (00:07):
Awesome rebrand.

Timothy Jacobs (00:09):
It is a cool fall day. It’s good. We’ve got a new brand that launched a couple of weeks ago. Things are going on. I’ve just been on vacation for a week. I’m well rested. The world didn’t blow up.

Kathy Zant (00:21):
Amazing. Did you go somewhere?

Timothy Jacobs (00:22):
No, I didn’t, uh, stuck it out in New York City, but I was thinking about it, but it, it just didn’t come to fruition this time.

Kathy Zant (00:29):
I don’t know if you know this, but a lot of people go to New York City for vacation.

Timothy Jacobs (00:34):
Yeah. It, it is a destination that it is on the list of, Hey, what are the spots I want to go to? I was thinking about going up to Canada, but, uh, I hurt my foot and I didn’t wanna like go walking everywhere. I’m a true New Yorker who, you know, walks and takes the bus. I, I don’t drive. I don’t know any of that stuff. And I don’t know if I’m actually up at this point for doing it, doing a train trip to Montreal and walking around Quebec and doing all that kind of stuff is, ah, we’ll save it for the new year

Kathy Zant (00:59):
Though. That does sound beautiful and amazing. Yes. But it sounds like you had a nice Yes,

Timothy Jacobs (01:04):
I was looking forward to it. Yeah, I, I had a nice vacation in my head when I was looking at, oh, I could go here and go to this hotel and go to this place, and oh, this is also pretty, but next time, maybe when I get the VR headset and when the VR headset comes out, I could have just gone virtually on my vacation.

Kathy Zant (01:19):
There you go. There you go. One of these days they’ll perfect that technology to the point where I’ll actually believe in it and actually go on vacations with it . But at this point, I am here for the, I can touch it, I can feel it. I’m flying somewhere type of vacation.

Timothy Jacobs (01:36):
The wind is actually in your hair and the smell of, uh, beautiful countryside is actually present.

Kathy Zant (01:42):
Yeah. And somebody’s bringing me a margarita or at least a pina colada . That’s gotta happen.

Timothy Jacobs (01:48):
Yeah. I, I don’t know how well you can really sip nice drinks by a beautiful view when you’re in a a VR headset. I think if you try that too much, you’re gonna knock your headset all over your face and drink all over your clothes and it’s just a very poor combination.

Kathy Zant (02:01):
Yeah, definitely. Oh, we can always hope someday, right? , these youngins will figure it out.

Timothy Jacobs (02:06):
Technology marches on.

Kathy Zant (02:08):
All right. Vacations are always fun to talk about, but I wanna talk about all of this fun stuff. iThemes is now Solid, Solid Security. There’s a lot of new things with the product, but I’ve been really excited about passkeys for the year and I owe a hundred percent of that to you, because you came to the iThemes team when I was working with everybody over there, and it was just amazing. I was like, yeah, I get this, I understand this. We know this stuff. This is public, private key encryption. This is amazing, interesting, cool stuff. You were the genesis of bringing that to WordPress and I wanna talk about that.

Timothy Jacobs (02:47):
Passkeys are awesome, aren’t they?

Kathy Zant (02:50):
They’re so cool. They’re so cool. And we’re starting to see it trickle out more into other websites that are offering it to their users and into other implementations. And that is so exciting to see, and I am just so grateful, first of all, that you turned me onto it, that you brought it to WordPress and that this whole new way of authentication is showing up for it. But for those people who do not know what passkeys are, why don’t you give us the TLDR of what passkeys actually are and why I got so excited about it.

Timothy Jacobs (03:22):
Absolutely. So passkeys are the quest to kill the password. And so any introduction to passkeys requires us to think a little bit about why passwords are awful. And I think we all know why passwords are awful. We still see, hey, what are the most popular passwords? And they’re terrible. And people still have their password formula, quote unquote, where they change a character: I have my favorite password that has these five characters plus Amazon, plus Chase, plus Wells Fargo, plus eBay, et cetera. And we have these attacks where attackers compromise one of those sites. They get a list of a hundred thousand passwords and they start trying them on all these other sites and people wind up with their accounts compromised. And so we’ve invented all of these technologies over the past decades, really, things like two-factor authentication, password managers, to try and alleviate some of these pain points with passwords. And the problem is that people don’t use them. We use them. You and I, we’ve been using them for years. But it’s tricky to teach people, hey, use a password manager, break away from your favorite password.

Kathy Zant (04:34):
And I use two-factor authentication, but I know the two of us, we’ve seen enough things where we know we have to, right? But we’re like 28% of the population that actually uses two-factor authentication. And even still, even though I know, I still hate it, I still despise it. It’s just like another thing for me to have to do. I just wanna get my job done, I wanna be done, I wanna go to the beach, right?

Timothy Jacobs (04:58):
It’s terrible. There’s tweets about people, like how much time of my life have I wasted on two-factor authentication? I was placing, now I’m gonna lie a little bit. I’m gonna say I was placing an order, but in fact I was looking to cancel my subscription, but I was trying to log into an e-commerce site and it was prompting me for a two-factor code by email and it took 10 minutes to arrive. If I was trying to place an order on that site, that is a horrific user experience. You wanna have two-factor because you don’t want your amazon.com account to get compromised or things like that. But that purchase experience sucked for me because I was being prompted for a two-factor code and of course they didn’t support TOTP-based authentication and things like that. So I had a really awful user experience with two-factor.

(05:44):
So yeah, the people who use it, we’re in the minority, and the ones of us who do use it, we also don’t like the user experience. It is not a good user experience. My favorite thing though is that two-factor, even TOTP-based two-factor, isn’t just an end-all be-all to security. There’s this really cool project called Evilginx. And what Evilginx does is it sets up a proxy to a website and it puts all of the website that you’re visiting through an nginx proxy. And to the user, it looks like you’re interacting with the real site because as far as you can tell, you are, and you can see these awesome demo videos of people walking through logging into microsoft.com with two-factor authentication, the make sure your picture is the one that looks right, make sure the website looks real, and it’s a hundred percent real. It’s a perfect replica of microsoft.com. The only difference is that the domain name is slightly different. And we know that teaching people to read every single character of a domain name and understand what’s the safe one is not a good bet. And if you have two-factor there and you go through the flow, the attacker is gonna intercept your two-factor code, forward it on to microsoft.com, and your account’s compromised. So even two-factor is not a perfect security measure.

Kathy Zant (07:01):
It is not, it’s not at all. And you go into SMS two-factor authentication, and I love to read a good security story and I have read some SIM swap attack stories, especially in the crypto space, that are just crazy: that someone could be so targeted that someone could go to the AT&T store and pretend to be someone who’s got a ton of crypto and get their number ported over to a different SIM card and then basically take over that person’s email, their crypto, everything, just because of that SIM swap. Crazy stuff like that. Authentication is a big problem. Not to mention brute force attacks. And you have so many stats on this, like the brute force attacks, the background noise of the internet, especially towards WordPress sites. That’s huge, isn’t it?

Timothy Jacobs (07:53):
It’s constant. It is definitely one of the largest contributors to sites getting compromised, still just people doing hundreds and hundreds of attacks, often with credentials that are known, a few subsets of possibilities. It can be difficult. On a site, you put it behind Cloudflare, you put it behind one of the security plugins out there, and attackers aren’t gonna be able to try 10 million passwords. But when they’re working down a list, if here are all the passwords that you’ve ever used on a site, it’s a lot easier, because we don’t do a good job of coming up with things that are perfectly random on our own. So yeah, it is tricky out there. And yeah, particularly crypto gives a whole new financial incentive. I think we learned about this attack probably in earnest, I think it was Mat Honan’s Twitter account years and years ago, where attackers wanted to get his @mat username or something like that and they went after him, but now it’s everyone with a crypto wallet that’s got tens of thousands of dollars in it. Ah, it’s perfectly semi-untraceable currency that we can steal. Yay.

Kathy Zant (08:49):
Yeah. And with finalized transactions, that can’t be reversed, right? Oh, this is amazing.

Timothy Jacobs (08:54):
It’s a very juicy target. It sure is. But yes, so that leads us to passkeys, which have been this technology that has been explored for years. The technical name underneath it is WebAuthn. And this is a project that was born out of the FIDO Alliance. And so these are the people who have been working on the web authentication space for years. And this really is like a decade in the making, and what all these tech companies have come to the understanding of is that trying to teach users how to use all of these tools is just too difficult, that trying to change user behavior in that way is really hard. But we have this magic, this public key / private key authentication that we know solves a lot of these problems. The problem is the user experience: you can’t tell an end user, hey, go to your terminal, generate a private key, generate a public key, run this command to run some signature stuff whenever you wanna log into a website. That would never be feasible. So the brilliance of passkeys and WebAuthn was bringing that public key / private key technology to end users in a way that is really easy for them to use and they don’t really need to understand the technological underpinnings.

Kathy Zant (10:07):
But the technological underpinnings have been around and have been tried and tested for a really long time. And this is the way, well, Bitcoin kind of works the same way, right? As well as PGP. Like if you wanna send a secure email, somebody puts their private key, or rather their public key, someplace that’s available; you take that public key and you make that available to someone. And if you have somebody’s public key, you can send them a message that only the person with the private key can decrypt. So we know that this technology is pretty tried and tested.

Timothy Jacobs (10:39):
Exactly. It’s a tried and tested methodology. If public key / private key authentication breaks, we’re also losing HTTPS, this is online banking. It underpins the entire financial system that we all use every day to transfer money and make payments and purchase all the things in our WooCommerce stores. It is very much a key technology to the web. But yeah, I would say public / private key authentication kind of fits the bill of what we want, because what are the things we want? We want something that users don’t need to think about. There’s nothing for a user to memorize. So that’s one of the things that public key and private key authentication gives us. The other thing we want is we don’t want there to be something that attackers can steal. So we described these attacks where an attacker compromises one site, steals their list of usernames and passwords, and then they’re able to pivot.

(11:29):
They can say, okay, you have this password, maybe you use this weak provider that didn’t have all of their security in a basket. You’re some online forum, some gaming company, something like that. But your password is very similar to what you use at a bank. And so an attacker is able to compromise that gaming website, that forum, find that password there and then try it on your bank account and get into your account. With public key and private key, there’s nothing for the attacker to steal. The only information that you give to a website is your public key, and that’s public.

Kathy Zant (12:00):
Right? And if somebody gets in, say if there’s a site and you have authenticated with that site and an attacker gets in there, they have a collection of public keys, maybe they can assign that and say, okay, this is the email address that has this public key, but other than that, it’s meaningless, right?

Timothy Jacobs (12:17):
Yeah, it’s meaningless. And even for sites that really want to be privacy preserving, they don’t need to collect your email address. You can just get into that site with just your public key. They have a kind of concept of usernameless authorization with passkeys. And so for most sites we have a username, we have an email that’s associated with ’em, because that’s just how it works. You place an order, you want your receipt. But for the sites that really want a privacy-preserving method of authentication, they can actually do that with passkeys, which is even cooler, that they don’t have to have anything else in that database table. It can just be a list of user IDs and public keys.

Kathy Zant (12:52):
Yeah. And those user IDs could be like the primary key of that user in the database. User ID number 43 has this public key, and that means nothing to anyone. And if they’re not storing IP addresses, it’s almost anonymous, right? Yeah,

Timothy Jacobs (13:06):
Exactly.

Kathy Zant (13:07):
Yeah, that’s really cool. So passkeys are really taking the whole methodology, it’s taking public / private key encryption and it’s giving it to my mom in a way that she can use it. How does it actually work for someone who isn’t going to be able to understand the underpinnings of the technology? How does it work for a normal user?

Timothy Jacobs (13:33):
Yeah, so it depends a little bit on your platform. But more or less it follows the same flow. I go to a website and I create my account. When I create my account, for websites that are making this the best flow possible, I don’t even have to add in a password. They’re just gonna say, hey, oftentimes, I love it when they do this, they say, do you wanna log in with Face ID or Touch ID? They identify that you’re on an iOS device, or if you’re on an Android device, they’ll say, do you wanna log in with Android’s Touch ID system? Or they’ll say, do you wanna log in with Windows Hello? Things like that. Yeah. And the user says yes. And basically a prompt is gonna come up on your device that says, hey, do you want to register for this site using a passkey?

(14:12):
And it’ll typically include some text that says, hey, passkeys are synced across all of your accounts. They’re synced across all of your iPhones, all of your iOS devices, they’re synced across your Google accounts, things like that. And at that point you usually put a thumb to the thumbprint reader, take a picture of your face with a Face ID scan, or things like that. And what that process is doing is it is taking you and authenticating you with your phone. The phone doesn’t send a picture of your face, your thumbprint, any of that private data to the website. So this window comes up, and then the next time you wanna log in, it’s gonna say, hey, do you wanna log in with Face ID, Touch ID, et cetera. You’re gonna again press your thumbprint to a phone and it’ll say, hey, you’re in, welcome back. And that’s really the entirety of the experience.

(14:56):
You don’t need to think about, oh, do I open up a password manager and store this over here? Do I take this and write it down? Do I need to stop and think during this process of coming up with a strong password for this new site? None of those things. It really can be a seamless flow. And I think some of the best flows make this the primary login flow and don’t even need to mention the technical underpinnings of passkeys. They can just say, hey, you’re creating a passkey. But the real thing you’re asking the user is, do you wanna log in with Face ID, Touch ID? And that’s a pattern that we already understand as users. If you’re using an iOS device, Android devices, all the time you’re logging into and creating accounts just using Face ID and Touch ID. So I think it’s a pattern that users are more familiar with.

Kathy Zant (15:40):
And it’s becoming more and more common. The first place I saw it is Apple using it for my Apple ID. And so when you had shown it to the iThemes team and were like, hey, this is something that’s really cool, I’m like, I’ve seen that, I’ve used that, that’s familiar. And then it was that thing of I didn’t know what it was, I just knew that was the easy way to log in and it was incredibly simple. And it’s more secure, right? Because what can get hacked here? I mean, there’s always gonna be a vulnerability and eventually some hacker’s gonna find a way to do something crazy and it’s gonna make a great story. But why does this make logging in more secure?

Timothy Jacobs (16:19):
Yeah, so there are two big things. One is, you don’t have a password. So we’ve talked about all of the weaknesses with passwords, that people can’t come up with strong ones, et cetera, et cetera, et cetera. The other big thing is phishing attacks. When you’re using a passkey, you can’t be tricked into giving up your passkey. And I think this is really key. When you’re using a password manager even, you might go to a website and you say, okay, here’s the login form. It looks exactly like Microsoft’s login form. I’m gonna type in my username and password. You might wonder to yourself, why is it that my password manager didn’t autofill this? But if you’re anything like me, you run into that on a daily basis with sites that don’t actually work with a password manager. So we’re so used to just copying and pasting our username and password into a login form that looks correct. With passkeys, that step doesn’t happen.

(17:10):
There is no way that I can say, oh, I think I’m logging into this site. Let me go find my passkey. Let me go find the private key and generate a signature. How do I trick the user into doing this? The browser protects you. The browser says, are we actually on the correct URL? The same way that we have things like CORS, for those of you who are familiar with that, where different URLs have access to different things, basically your passkey is locked down to a specific URL, so the browser is in charge of keeping that safe. And browsers are way better than humans at making sure that chase.com is actually chase.com and not chase.com with an E with a very weird diacritic that no one can see at any reasonable font size, right? So the browsers are taking care of that for you. So it’s those two things, I think: one, this is provably you. You’ve authenticated with your Touch ID, your Face ID, any of those signatures. There’s like biometric things with your device. You’re not submitting a password, and you can’t be tricked into giving up your password. I lied. That’s three things. It’s those three things that make passkeys so much better than passwords.

Kathy Zant (18:19):
And then there’s also the question of giving out a password, for people who are using the same patterned password. I have so many stories of just family members that are just like, what? Why did you think this was a good idea? But I feel for them.

Timothy Jacobs (18:36):
Clients even. Yes.

Kathy Zant (18:39):
Yes.

Timothy Jacobs (18:39):
When I did client work, I’d get clients that are gonna email me this password. I’m like, okay, we need to have a conversation that you’re sending me your stripe.com password and it’s this.

Kathy Zant (18:50):
Yeah, let’s talk about that. Obviously most users are their own worst enemies, but there are also other websites out there. You have to trust wherever you’re typing in a password or pasting in a password, that wherever you’re doing that, that website is going to care for that password. Maybe it’s stored plain text in that database, you don’t know. Maybe it’s just hashed in a very simple way that’s easy to reverse engineer. There’s no way to really trust the websites where we’re typing in passwords, right? So those sites can get hacked, and if you are using the same pattern or reusing passwords, God forbid those passwords get exposed on those sites. If those sites are using passkeys, if there is a way for them to do that, that also protects those site owners from their own issues. I almost said stupidity, but

Timothy Jacobs (19:49):
Yeah, it protects them from their own issues. I think there’s two big reasons as a site owner that you would wanna adopt this. One, you are protecting your users and you’re protecting their security. We see this all the time. We see my Facebook account got hacked, or Instagram screwed up and they let an attacker into my account. No one blames themselves. When someone malicious gets into their Facebook account, their e-commerce account, all of that, they all expect that the platform would take care of it for them. Whether it is true or not, as people who offer websites to users, it is our responsibility to help them stay as secure as possible. And using passkeys means that it’s far more difficult for an attacker to compromise their account, and that means they’re not gonna blame you. The other thing that I think is really cool is thinking through the purchase flows and login flows for customers.

(20:42):
I think this is actually easier than typing in a password, faster than typing in a password, faster than using a password manager with two-factor authentication. We’ve seen this shift, I think, in a lot of e-commerce setups over the last few years of going into what we call passwordless login or passwordless authentication, where we’ve solved a few of these problems, right? We don’t let users type in a password. Instead they get a code that’s emailed to them or texted to them, and that’s how they authenticate with that site. But that process takes time. Now imagine a future though, where when a customer wants to make a purchase on your site and they’ve already been a customer, or you want to let them create a new account, the only thing they have to do is press the Touch ID sensor on their phone or scan their face with Face ID.

(21:27):
You’ve delivered a much better purchasing experience to your customers as well by adopting technology like passkeys. And we’re starting to see this all over the web, not just in the more geeky circles of internet websites. There is this awesome site maintained by 1Password called Passkeys Directory, and it is basically that: just passkeys.directory, no .com, no nothing. And it provides a list of all these sites that have started to adopt passkeys, and I bet the list is longer than you might think, and it includes some pretty standout names. I was surprised that homedepot.com has passkeys. They don’t refer to it as passkeys, but when I log into homedepot.com now it says, okay, type in your email address, and it says, okay, do you wanna log in with Face ID? And that is the preeminent way that I log into my Home Depot account, and it takes a second for me to make a purchase.

(22:24):
Now I don’t need to wait for a code to get sent to my email and dig it up, switch apps, et cetera, et cetera, et cetera. I get into my Home Depot account with it. It’s also available on sites like eBay, PayPal; Google Accounts now have them. This is really spreading across the internet, and it is not just a hidden option under account settings, two-factor authentication, do you want to enable passkeys if you’re a geek? This is, let’s put passkeys as the primary login and authentication mechanism in front of users to deliver them a more secure experience and a faster user experience.

Kathy Zant (23:01):
It takes all that friction away from your customers doing actual business with you and using your services, using your products. It embeds them with your brand, and as the security geek who’s also like the marketing lady, I think that’s amazing, right? This is where security becomes something that is not just something that we scare people into, you need to do these things, but hey, here’s a security thing that helps you create a better connection with your customers. And that is super cool.

Timothy Jacobs (23:34):
Yeah, I agree. I think this is the first time I feel as a security community that we’ve had an argument that we can give to end users that isn’t just because I told you, like you should use two-factor because I told you, you should use strong passwords because I told you, because attackers are gonna steal your site. There’s this great, I think it was a ClickHole post, one of the sister sites of the Onion, that is a pro versus con debate format: pro using two-factor authentication, it’s the only thing stopping an attacker from compromising your account, versus con, it sucks and it’s annoying. That framing has just not worked for the past five, 10 years of saying, hey, you need to use two-factor authentication because it’s the only thing that’s stopping your entire digital life from falling apart. But I feel like we actually have a solution that delivers a better user experience for users, that delivers a better experience for site owners and the things that they care about, and delivers better security and better privacy. It’s rare that all of those things line up.

Kathy Zant (24:39):
Super rare in security education. I talk all the time about that security continuum where, if you make it super easy, that means the hackers can get in, and if you make it super hard, the most secure computer you’re ever gonna have is encased in cement and buried six feet underground in your backyard. That is the secure computer. So there’s like ease versus security, and you just have to find where each thing that you’re trying to secure fits on that security continuum. And this is just, no, you get to stay on the easy side of the continuum and you get to have better security at the same time. That’s like magic to me. Now I need a new analogy. I need a new continuum or something. You’ve ruined everything.

Timothy Jacobs (25:19):
The continuum is you just choose passkeys, just

Kathy Zant (25:21):
Choose passkeys.

Timothy Jacobs (25:23):
It’s a brand new world. We finally hit the thing that is smack dab in the middle and is straddling both ends appropriately.

Kathy Zant (25:31):
Yeah, it’s really amazing, and you were the first person to really say, hey, WordPress needs this. As far as I know there might be some other person, but we’re going to ignore them for now. You are the person in my world who said WordPress needs this, and you brought it to WordPress. Tell me a little bit, I know, but tell the audience how you brought this to WordPress. How does this work for WordPress sites?

Timothy Jacobs (25:57):
Yeah, so my day job now is I’m lead developer over at SolidWP, and so we build a suite of WordPress products. However, if we travel back in time to about a year and a half ago when we introduced this feature, I was lead developer for iThemes Security over at iThemes, and we’re a security plugin that kind of focuses on best practices, login security, keeping users safe and trying to deliver these new methods for logging into your site, keeping your site safe. All those same arguments apply to users and the clients of your website. When they get their site compromised, they come back to you and say, hey, my site was hacked. And you ask them, hey, how are you keeping your account safe? Well, my password was 1234. It was just easier to get in that way. Did you use the two-factor that I set up?

(26:44):
No, I found it too complicated and slow. So I turned that off. We were looking for ways to let our customers deliver better experiences for their clients, and we were paying attention to what Apple was announcing, what Google was announcing, and this kind of rare partnership between Apple, Google, Microsoft, all the big tech companies, to say, hey, this is the new technology, it’s coming. And yeah, about a year and a half ago we started development on passkeys in iThemes Security, and it’s just another option in a WordPress plugin. It falls under our kind of banner of passwordless authentication. So we, a number of years before that, moved to this model of, hey, you know what is a better user experience? Getting a link in your email, as opposed to needing to convince all of your users that they need a super complex password. So let’s use passwordless login with emails. And then we said, okay, let’s take this to the next step into passkeys. So yeah, for WordPress sites, there’s a plugin out there that you can install and it just becomes another login method. On the login page you say, hey, I wanna log in. You can type in your username, it’ll say, hey, you can use passkeys, and it’ll prompt you to set it up all during the login process. It’s really quick and easy, and you’ve got passkeys now protecting your site.

Kathy Zant (27:57):
And protecting your users and solidifying that customer to that brand, solidifying your users to what you’re doing, making that so frictionless. So I’m talking to you marketing people out there, passkeys are a good thing. Yeah. So this is just amazing. So how has the reception been for this, now that iThemes is Solid? The new customers who are using passkeys over the past year, how has the reception been, and what have you seen in terms of how this has been implemented?

Timothy Jacobs (28:29):
I think people really like passkeys once they get to trying them. I think there is a bit of a hurdle to saying, okay, we’ve had passwords for 50 years, how do these things work? And it’s a little bit difficult to let people take that first step, but I think for people who are willing to try, they’re really surprised at how easy they are to use. I use passkeys now for logging into all of my sites. We don’t have very solid telemetry in the WordPress space on how many people are using features, but from who we talk to, they say that, yeah, passkeys are really easy to use and really make the login experience better for me and my clients. So I think it is something that if you are in this space that it is time to talk to your clients about it, it is time to start setting it up as just part of your default processes of hey, this is how I’m gonna teach you to log in securely to your website because at this point it is standard basically on most devices.

(29:26):
The experience is excellent in the iOS and Android sphere. It’s a little bit weird if you’re a Microsoft user who doesn’t use Android or iOS, if you just are a Windows computer user. But at this point it is something that I think most users have access to and can benefit from this much faster login process. About a year ago it was still rolling out in the newest iOS version, but we’re now a year out from when passkeys officially launched on iOS last year, and Android, I think we’re also about a year out at this point. So I think the technology is recent enough that most people have it available, most people can use it and can benefit from it immediately,

Kathy Zant (30:06):
Right? And the benefits to the end user are pretty clear. I think the benefits to like people who are running like WordPress agencies, that this is something that you can bring to your clients, is also there as well. There’s a lot of advantages to being the one who goes to your customers and says, this is a new technology and this is how this is going to benefit your business. This is gonna benefit security, this is gonna benefit your customer relationships. Can you talk to that a little bit too?

Timothy Jacobs (30:34):
Yeah. You can position yourself, I think when you are paying attention to these new technologies and when passkeys, for instance, about a year ago when passkeys were first launching, you could be the person who was saying, Hey, did you catch the news last night when they were covering the Apple event and talked about how passkeys are gonna change the world? We’ve set up passkeys on your website already. This is already a technology that we’re using and you can demonstrate to your clients that you’re really on the forefront and paying attention and selecting technologies that are not just, hey, it’s the most secure thing available, but hey, it is a secure thing that both delivers a better user experience, better security and a better experience for managing your website. And I think those are things that when you show your clients that you’re paying attention to that, it’s leveling you up. It’s really saying that you’re paying attention in this space and that you are someone whose advice they can trust when it comes to the security and the technologies that power their sites.

Kathy Zant (31:30):
Yeah, that proactive activity of being the one that’s like the leader, that when budget concerns come around and people are like, you need to stop spending so much on this website, the website’s fine, it doesn’t need any updates. Like when you’re the one that’s going, Hey, this is important to you and this is gonna serve your business and serve your bottom line, then you are the vendor that gets protected when everybody’s saying let’s shut down spending, right? Because it’s so important to be that embedded resource within an organization as an agency. I know a lot of agencies are going through their trials right now with everybody’s like scared of World War III and everything. This is a great way to make yourself like indispensable to your clients in my opinion, from both a security and ops type of thing as well as a marketing and let’s make better connections with customers. So here’s my pitch on it. Is there anything I didn’t ask you about passkeys, anything new happening with it, it just

Timothy Jacobs (32:35):
Passkeys are getting better. I would say pretty often there’s a lot of conversations that are going around some of these login flows to make them even nicer, saying that hey, detecting when the user has passkeys on their device and making that login flow even more primary so that you don’t need to, for instance, enter in your email address or username first, and making that experience nicer. What we just got in the latest macOS and iOS releases, and what we could do is break down some frequently asked questions about passkeys, but what we just got was a pretty cool feature in macOS and iOS that people have asked me about, is how do I share passkeys? I can share a password with my friend, neighbor, family member, et cetera. How can you do that with passkeys? And just in the latest iOS release and macOS release, they’ve added this feature to passkeys where you can share a passkey via iCloud Keychain to anyone who you want to. So if you want to say, okay, you can use my passkey, you can do that, and it is a more secure option than writing down the password on a Post-it note and passing it to someone. It gives you that login protection but also lets you share it around so multiple people can use the same passkey.

Kathy Zant (33:42):
Okay. What’s this gonna do to password managers in the long run? What do you think?

Timothy Jacobs (33:46):
So it’s interesting. I think password managers are still gonna be something that power users use. Password managers are able to integrate into the passwordless login flow. 1Password right now has a beta out there that you can turn on and it’ll let you store passkeys in 1Password. And so then you can have your passkeys sync to all of your 1Password accounts and it just provides the same kind of seamless experience. But instead of using the tools that are built into your devices, they are using a third party app. And so I know a number of different password managers are working on or have already launched integrations with passkeys, and they’re just basically treating it as another bit of secure data that they store, the same way they can also store credit card numbers and API keys. They can also store passkeys, and the browser framework is flexible enough that they’re able to insert themselves and still make the user experience pretty solid.

(34:42):
So I think they are definitely still gonna be an option for users to use. The same way that we have Google password manager and iCloud password manager, and it’s probably the most popular password managers are the ones that are just built into people’s devices, but we still have 1Password and KeePass and so on and so forth that are out there for people who want a little bit more functionality. They want to have more advanced tools and sharing and things like that. So yeah, we could talk about like some of those questions that people have around passkeys, which is like, what happens if I lose my device? I’ve created this passkey, I’m using my iPhone. What happens when I lose my iPhone or when I lose my Google device?

Kathy Zant (35:24):
Or if your phone gets stolen, does that mean that the attacker, the, I don’t know, the robber has my passkeys? Not that I think common criminals know what to do with these types of things, but maybe they will someday. I don’t know. These kids are surprising me all the time. What’s up with that?

Timothy Jacobs (35:39):
Yeah, exactly. The way that this works is that most of these systems store passkeys the same way they store passwords in iCloud. When you create a passkey, it is synced to your iCloud account. If you are using Safari, if you’re using iOS, if you’re using macOS, when you create a passkey for your site, it gets saved in your iCloud account and it gets shared across all of the devices you own. If one of your devices gets stolen, you can still log into that site from your laptop, from your Mac. When you restore your phone from a backup, your passkey will be right there. If everything falls apart, Apple has their account recovery procedures that will work as normal. You prove to them who you are and they can give you back access to your account. And it’s the same thing in the Google sphere.

(36:24):
Your passkeys get shared into your Google account, they’re end-to-end encrypted and they are able to be sent across all of your different devices. And so that also means that, hey, if I create a passkey on my phone, it’s available for me to use on my desktop computer. I don’t need to create a passkey for every single device that I wanna log into. You just log into those devices and your passkeys are right there. If an attacker, a robber or someone down the street in New York City comes to me and steals my phone outta my hand, this is where your device authentication comes into play. So your devices are storing these, again, in the same way that they store passwords, and they use the secure enclaves that you might’ve heard about, these special security chips in your phone, for making sure that they can only be interacted with safely. And that’s why you’re always gonna get prompted, before authenticating with a passkey, to touch your finger to the phone, scan your face with Face ID. Even if your phone was unlocked, they’re gonna prompt you again because they need to re-authenticate with that secure enclave to provide that passkey. So if someone steals your device, there’s nothing really they can do with it. They can’t get them out of there. They would need to break iOS. And so your passkeys are safe even if your device gets

Kathy Zant (37:38):
Okay. Now what about those people? I know a few who are like, I don’t wanna get locked into Apple or Google. I wanna use my iPhone and I am like pretty deep into the iPhone world and into iOS and macOS, all of that, and I love it, but there’s plenty of people who are afraid of being vendor locked in with their authentication. What are your thoughts on that?

Timothy Jacobs (38:05):
Yeah, I think that’s a totally reasonable concern, and I think that section of users is where tools like 1Password, KeePass, Bitwarden are gonna be the tools of choice. For those of us who are very cross-platform, who don’t wanna lock ourselves into different ecosystem providers more than we already are, we can store our passkeys in our password managers and that’ll give us a still, and even better, experience. It’s actually gonna deliver on the phish-proof mechanisms of, you don’t have to just hope that you’re typing your username and password into the correct site. When your password manager doesn’t prompt you for it, it’s actually going to be the real site that you’re authenticating with. Those password managers are gonna be the tools of choice. The way that this experience works, if you are already a cross-platform user, you can use passkeys still through your vendor.

(38:56):
So if you are an iOS user and you wanna log in on a Windows computer, you can absolutely do that with your passkey. A little QR code is gonna show up and you’re gonna scan it with your phone. And that’s the experience. If you are someone who is cross-platform or uses devices frequently, let’s say you go to an Apple store and you wanna log into an account while you’re there, you could do that, whether that’s a good idea or not, but you could do that by using your phone as a passkey, logging into a device that isn’t actually the one that you own that you’re working on. They can synchronize with each other and, you know, go through pretty much the same login experience, but just taking a picture of that nice little QR code first.

Kathy Zant (39:33):
Nice, nice. Good thinking. Okay. Wow, I’ve already been sold on passkeys. Is there anything else that people ask you a lot that you think people should know?

Timothy Jacobs (39:44):
Well, that’s a big one.

Kathy Zant (39:45):
Is there anything top of mind that I should have asked you? That’s basically the question.

Timothy Jacobs (39:51):
The other big news that we have is when we did our Solid Security launch, we launched an integration with Patchstack. Oh yeah. And that’s something that I’m really excited about. Patchstack is a really cool security company in the WordPress space, and they focus on a technology called virtual patches. And virtual patches are my favorite thing. The way virtual patches work is they deliver laser targeted fixes to your site to prevent your site from getting compromised if your site has an active security vulnerability on it. Let’s say that you are using one of the 50,000 plugins in the WordPress plugin directory and one of them gets compromised and it has a security vulnerability out there, and you are on your phone, you’re at the park, you’re on vacation, and you’re not there to update your site right away. Or even there isn’t a patch yet.

(40:41):
This was a zero day that was discovered and is being exploited in the wild. And how do I keep my site safe? Patchstack lets you deliver to your site virtual patches where you don’t have to do anything, and virtual patches protect your site from any of these attacks while the vulnerability is still out there. So until you’re able to update to the latest version that’s fixed, or deactivate that plugin if it turns out, hey, this plugin’s been abandoned three years ago, you can use virtual patches. And I think they’re a really great approach in the WordPress ecosystem of how do we keep your site very fast but still keep your site safe when you have a security vulnerability, and laser targeted virtual patches do that for you.

Kathy Zant (41:23):
That is so cool. And so now this is integrated with Solid Security. So if you’re using the Solid Security plugin, available to you

Timothy Jacobs (41:31):
Exactly. If you’re using Solid Security, it’s basically there by default. You don’t have to do anything else to configure it. You can also, of course, use it through Patchstack directly and protect your site. So if you’re an existing Patchstack customer, you can leverage their virtual patches technology.

Kathy Zant (41:46):
Amazing. You guys are knocking it out of the park and the rebrand looks just amazing. Really great job on that. And just the interface of the plugin has changed so much too, and it’s so much more, I think it’s intuitive and beautiful. Great job.

Timothy Jacobs (42:03):
Yeah, the team has put in a whole bunch of work. We’ve been working on this since March, February, even January, depending on how you count it. So it’s been a long time in progress and yeah, I’m really excited that we were able to launch and so many people have put in so much work to make this happen.

Kathy Zant (42:18):
Yeah, congratulations to the whole team at SolidWP and Solid Security. It’s still just one of the best ways to secure your WordPress site and to make it easier for your customers, reducing some friction on logging in. It’s such a great tool. Timothy, thank you so much for joining me on the Emerging Tech Do the Woo podcast. This has been just such a great conversation. Where can people find you online? I know you’re on Twitter and

Timothy Jacobs (42:44):
Yeah, you can find me. Probably the best place is TimothyJacobs.com and you’ll find my WordPress site over there and some links off to Twitter, off to

Kathy Zant (42:51):
X. I keep forgetting the rebrand. I’m still, it’s like I’m still not over that. And now it’s, I have to stop saying WooCommerce. I just have to say Woo, that’s, oh, the names are changing. I’m working on it. It might take some therapy for me, because I’ve been saying WooCommerce for a long time, but we’re still doing the Woo over here. And we’re so glad that everyone joined us. This has been, I think, a great conversation. We’d love to have feedback from you. Tag us on Twitter or X or wherever. Just let us know. If you have more questions about passkeys, Timothy is around to answer them. Thank you so much.

Timothy Jacobs (43:27):
Thanks for having me, Kathy.
