iThemes Security Sneak Peek: Biometric Logins and Passkeys for WordPress
5:30PM Aug 10, 2022
Well, good afternoon, everybody, and welcome to another live iThemes Training event. My name is Nathan Ingram, and I'm the host here at iThemes Training, and today I'm joined by Timothy Jacobs. Timothy's the lead developer for iThemes Security, and he's going to be talking to us today about some fantastic new features that will be included in the next version of iThemes Security, and those are biometric logins and passkeys. Now, in addition to his work at iThemes, Timothy is a WordPress Core committer, component maintainer of the WordPress REST API, and he also organizes the WordPress New York City Help Desk meetup. So welcome back to iThemes Training, Timothy. How's it going today?
I'm doing great. How are you doing Nathan?
I'm hanging in there. So just from a 10,000-foot view, what are biometric logins and passkeys, and why are they important?
Yeah. So biometrics and passkeys are what a lot of the big tech industry players are betting on, and we're hoping too, is what's going to finally kill the password. We know how terrible passwords can be. And this is a pretty exciting new way of being able to log in to not just your website, but your apps, everything, using something that is secure from the ground up. You know, passwords are a thing that we've had for ages and haven't really stood the test of time. But passkeys and biometrics were engineered from the ground up to be secure. So they solve a lot of the pitfalls that we've had for years dealing with website security, and we're going to touch on some of those today.
Yeah. So for those of you that work with clients, if you have that situation where clients will never use two-factor, and they struggle to use a password manager, and they always use their one favorite password for all of their sites, hopefully this is going to be the beginning of a solution to that. I love what Kathy just put in the chat, "kill the password TM"; we might need to see if we can trademark that phrase, that would be awesome. So, a couple of housekeeping details and we'll turn it over to Timothy. Timothy, you've got some live demo as well as slides today, right?
We are going to be live demoing a preview version of this release. This release isn't ready to go out just yet, so you're getting an early sneak peek at it. But there is going to be a live demo, and I've got all my fingers and toes crossed that it will go well.
Alright, so if you'd like to download today's slides, you may do so; I just dropped the link in the chat one more time if you're just joining us. If you're watching this on the replay, click the Download Handout button that's down below the video and you can grab those. Also, a couple of other housekeeping notes. Chat, of course, is open, and we welcome you to participate in dialogue with each other there in the chat as we go. Also, if you have a question, please pop open the Q&A box; if you mouse over the shared Zoom screen, you'll see the Q&A icon. I'd suggest having that open; if you'd like to, you can ask a question there. But also, if somebody else asks a question that you would like to see answered, you can click the thumbs-up button just underneath the question and upvote it. At the end of today's webinar, when we get to the time for Q&A, we will be taking questions in order of votes. So do that. Now, one other thing I'll mention: I know some of you may be watching the webinar on a smaller screen than others, and when we get to the point where we're sharing the WordPress back end, maybe some of the type is too small. If you mouse over the shared window, at the top there's a View Options button that you can drop down and actually zoom in your Zoom window. That might be helpful, since Timothy won't really be able to zoom in any more than he already is. So if you're finding it hard to view, just use that zoom option to zoom in. So with that, Timothy, I'll turn it over to you. Let's get started. I'm looking forward to this.
Awesome. Let's go ahead and share some new slides. So yeah, as Nathan mentioned, we're going to start off, oopsies, let's not skip ahead to the advanced part. We're going to start out with some slides talking about how passkeys work, and then we're going to hop into some live demo. So yeah, I wanted to start this off by talking about what I would consider the state of account security. What does that look like right now in the WordPress ecosystem? And so the big thing right now is that we have passwords, and we have the problem of weak passwords. We've all heard the stories of clients that are using passwords that are awful. They wonder why their site gets hacked, and you say, hey, what was your password, and it was the name of their website or something like that. It's like, oh no, you can't do that. And so with iThemes Security, we of course have this strong password requirement feature. And this is pretty cool; it lets you say, hey, you have to have a strong password, and if we ever encounter the fact that you don't have a strong password, then hey, no, you've got to change your password. We're not going to let you continue any further until you do. But we still have a problem with that, which is that you tell a client, you need to use a strong random password like this, and they say, you know, I can't keep track of that. So you might try and convince them to use a password manager. But that's easier said than done. While we probably all know that it's the most secure way of keeping your passwords safe, it can be a little bit difficult to convince clients that this is something they should be using. And so you might have heard of this kind of cool idea of four random words for passwords. There's this XKCD comic that says you can just use four random words as a password, and this can give you a really strong password. But what I often find is that people then say, oh, I can use four random words.
But what if we make them not random words? What if we make them very similar all the time, and start reusing them across all of my different sites, and have "horse battery staple" plus my business name or something as a password? And that's not so great, because the problem with reusing passwords is that they can get stolen. There are password breaches happening all the time all across the web. And if your password gets stolen, and you're using it on another site, it makes it super easy for attackers to do what's called a credential stuffing attack, where they just grab all of these passwords that they think might be yours, and they're not even brute forcing them. They're just saying, hey, we saw this in a breach one time, and if you're reusing your password, they'll get into your account really quickly. The other problem with passwords, of course, is phishing. If you are working at a big company these days, you probably get tested on your ability to not get phished. This is when someone pops up a website and tries to trick you into giving up your password, and that's a problem that passwords have: you have to be very vigilant to make sure that you're always entering the password in the correct spot, the actual website that you're looking to log into. And so all of these different issues with passwords are why we've had two-factor as a feature of iThemes Security and across the web. And two-factor is an OK solution.
Okay, one second, something's not working properly. Okay. Two-factor is kind of the strongest protection that you have available, and it says, hey, when you log in, you don't just need to give me your password. There is this different code that is generated for you or sent to you, and you have to use it once and put it in, and that improves things a lot. It is really the strongest protection that you have available. The problem is that it can be a pretty confusing user experience. It's difficult to teach clients: hey, what is this two-factor thing? What is this app that I have to use, Google Authenticator? I have to find this thing and this code, and what happens if I type it too slow? The numbers keep changing. It's a little bit difficult to deal with. And the problem is that even though two-factor is great, it's still actually susceptible to phishing attacks. And so what do I really mean by phishing attacks? Well, here is a pretty cool example of how people can be tricked into giving up their password. Sometimes this is just through a simple pop-up, but other times it can be through cloning an entire website. You can see in this GIF on the right here, this is a pretty novel phishing attack that I saw recently called the browser-in-the-browser phishing attack. What happens is the website you're visiting might say, hey, you can sign in with Microsoft, you can sign in with Google, you can sign in with Apple, and they'll present a pop-up that looks like it's a pop-up from the actual computer. But instead it's something that exists only within their web page and looks very similar to Microsoft's actual login page. You have to be very vigilant and check, hey, is the URL that I'm logging into the actual right one? But here that won't even work, because this isn't actually your real browser. So this is a pretty novel way of getting tricked.
But even if you take a look at one of these and say, hey, I'm not going to get tricked by this, you might have this example here. What we're watching, you wouldn't believe, is not Microsoft's website. It looks identical to Microsoft's website. And the reason it looks identical is because it's serving exactly Microsoft's website. Everything here is the actual UI that Microsoft shows, and the only way you can protect against this is if you're 100% confident in the URL that you're visiting. You can see here they're actually getting prompted for their two-factor code from Microsoft, and they're going to enter it, and they're going to be able to log in and get into an actual Microsoft account without knowing anything went wrong. But in the background, an attacker has stolen all their credentials, their two-factor code, their session; their account is totally compromised. And the only way you would know is if you took a look in the top left corner there and saw that, hey, this URL doesn't look right. In this example it's just cyberfish.xyz, which is a little bit of a giveaway. But real attackers use long, confusing URLs that make it difficult to understand what's going on. And so that kind of brought us to the passwordless login feature that we developed. The idea of passwordless login is that you can skip using a password; you don't need to care that your password is really long if you never have to type it in, and it skips two-factor if you have two-factor set up. You can say, hey, no, I just got an email that's going to log me into my account; I think that is secure enough, I'm not going to enter in another two-factor code. And it has a pretty simple user experience that is a bit phishing resistant. We'll see a walkthrough of this flow in a second. But it does have the problem that email is kind of slow, and waiting on that email to come in is a bit of a bummer.
And so we can see that here. You click, it says check your email, you wait for the email to come into your inbox, and you have a nice little email that just says, hey, click this login button to continue. And it is phishing resistant in this way: you can see we have a little dialog that pops up if you're logging in to a different device. And so this can help protect against phishing attacks if you're really vigilant and say, hey, this login information doesn't look right. But a very determined attacker who is willing to customize things for your particular website could actually bypass something like this. So the solution that Apple, Google, Microsoft, FIDO, and a whole lot of companies have been working on is WebAuthn and passkeys. I'm going to show you a quick demo video of what this looks like so you can get a taste, and then we'll dive into it a little bit more. So this is me saying, hey, I want to log in as a subscriber. And I'm logged in. That's the entire process. I didn't have to do anything else. I didn't have to get a two-factor email. All I'm doing is typing in my username, hitting "use my passkey", and I'm logged in in one click, which is really cool. So what is this? This is biometric login with passkeys. And like passwordless login before it, this means you don't have to use any passwords, you don't have to use any two-factor codes, and you get truly a one-click login experience. You don't need to say, okay, what's going to happen here, I'm going to wait for an email, it's going to take five minutes. You just click Login and you're logged into the site. And this one really is phishing proof, and we're going to talk about that more in a second. You can see an example here: I logged in on my desktop earlier, but this is me logging into my website with my phone using Face ID. And it's just as quick there. I say, hey, I want to log in, it gets prompted to me, and I'm logged into my site.
And so the thing with passkeys is that this is based on what's called the WebAuthn standard. This is an open standard that was born out of the FIDO Alliance, and it's backed by Apple and Google and Microsoft and many, many more. There are countless names that I could have included on this slide, and it's supported right now by all major browsers. And it has been in development for some six-odd-plus years. So this is a very mature standard that's been thought through by a lot of people, a lot of different companies looking through the edge cases to build something that is a truly great and secure login experience. As you can see in this screenshot here, we have an example from iCloud on macOS with Safari. But Google Chrome has its own UI that pops up here; you can see it even integrates with my watch, by way of my Mac, and on Windows you can log in using your fingerprint reader. So how do passkeys actually work? This is a cool little thousand-foot overview of what's happening under the hood. When you go to a site and say, hey, I want to register a new passkey, you're going to talk to the server, the website, and say, hey, I want to create a new account. And what the server responds with is, hey, send me a public key. And what your computer does is generate a new public/private key pair, and it's just going to send the public key to the website you're trying to log into. And with that, the server is all done. That's all it needs to create an account. And so you'll notice there was no private information sent. All of these things are things that your device takes care of. You don't have to do anything yourself; your device generates this public key for you and sends it over, and the server doesn't need to hold on to anything secret.
The only thing they care about is that, hey, there's this public key. And what that means is that when you then want to log in, the server says to your device, hey, here's this little piece of information that I randomly came up with; I want you to sign this so that it proves to me that you are who you say you are. And so your device creates this signature with the private key, sends it back to the server, and the server is able to verify it and say, hey, that looks exactly like who you are. And you don't have to do anything. The device handles all of this. And it means that, okay, we're logged in, we know it's you, nothing private was sent. The only thing we know is who you're saying you are, and we're able to log in securely and quickly. And so when we're talking about phishing,
I mentioned there that the only thing that was moving around was the public key. So no personal information leaves your device. You might log in with your Touch ID or your Face ID, but a picture of your face, your thumbprint, your fingerprints, none of that information is going to the server. The server doesn't even get to know your name. The only thing they get is randomly generated data. So it is very secure in the sense that no personal information is ever leaving your device. And what that means is that there's nothing for an attacker to steal. So if an attacker compromises the server, like we see happen kind of frequently these days when some website gets hacked, if they do get hacked, there is no data for them. The only thing that's there is public information. There's nothing for them to steal, nothing for them to sell. They can't use it on any other sites, and even if they have that public key, they can't log into the site as you, because your data is protected by your private key, which never leaves your device. And what's really cool here is that you can't be tricked into giving up your password either. So if you look at this pop-up here, it says, do you want to sign in to security.test, which is the name of my testing website, as admin? And you might say, oh, I guess I have to make sure that I'm logging into the right URL. We see this in all of these different UIs; as you can see, Google Chrome is saying, excuse me, it's trying to verify my identity on security.test. And we see the same thing with Windows; it says, hey, make sure you're signing into the right site. But here's the truth of this: it doesn't matter. If you just completely blow past the warning, it's impossible for you to mistakenly log into the wrong site. Your browser just won't let you. So if you have a credential, it's not going to log in as you if you're on another site that's like malicious.microsoft.malicious-hacker-here.com or something like that.
And if they prompted you to log in, you wouldn't be able to log in; you wouldn't be able to give up your credentials. So it's impossible for you to be tricked into giving up your password. Now there's something I wanted to touch on that's a little bit more technical, but it goes into explaining where we are in terms of the compatibility story. There are two types of authenticators: platform authenticators and roaming authenticators. Oops, spoilers, no looking. Okay, platform authenticators. They are built into your computer or smartphone. This is something that is just built into the computer that you use, built into your smartphone; it's something that you always have with you. And these often use biometrics like Touch ID, Windows Hello, and Face ID to be able to log you in securely. On Macs, we have the fingerprint readers now, and on Windows you have the fingerprint readers and the Windows Hello face scanning. Same thing with Android. And so this is where the biometrics part comes in: it's a way to authenticate with your platform authenticator. The other kind is roaming authenticators, and these are separate hardware devices. They can connect with Bluetooth, USB, or NFC. These are things you might have heard of before, like YubiKeys or Titan keys. I have one of these and I've been able to use it for a long time; you can see it there in focus, it's this neat little YubiKey, and this is a hardware authenticator. So in this case, this actual device here is what is able to log me in. iThemes Security supports both of them, but I think for most people what they'll be able to use is a platform authenticator, things that are built into your device, built into the computer that you're using. So you may have heard of things like YubiKeys in the past; don't worry, you don't need to start sending all your clients YubiKeys and try to convince them that there's this new, complex thing to adopt and that they have to worry about this piece of hardware. No, they can use platform authenticators that are built into their device. So what is the compatibility story for these things? Platform authenticators, as you can see here, are supported by Chrome, Safari, Firefox, Brave, and Edge on a number of different operating systems. The big thing that is missing here for platform authenticators is Firefox on macOS right now. So that's not really a possibility right now.
So if you're a macOS user, I'd recommend sticking with Safari or with Google Chrome, because they support those, and of course you need to be on the latest operating systems. The other thing that we've learned in testing, and I'm not 100% sure about this, there's very little documentation, but what we seem to have learned during our testing is that you need to have an up-to-date Mac too. If you have a very old Mac computer, it's probably not going to be compatible with the platform authenticators. But if you're using any recent Mac and a recent browser, you're compatible with this out of the box. There's nothing you need to do. Whereas roaming authenticators are supported pretty much everywhere. This is what the WebAuthn standard has supported for a very long time. So if you are a hardcore user who wants to use a YubiKey, and I'd say I am partial to my YubiKey, I quite like it, you can use these anywhere.
Now I wanted to call out Apple specifically, because Apple is in a little bit of a weird place right now. Right now there is a difference between single-device authentication and cross-device authentication. What this means is that right now, if you're using an Apple device that has a Touch ID sensor or a Face ID sensor, a phone or a Mac that has a Touch ID sensor, when you log in using passkeys, it is just that computer that actually got authorized. It is just your Mac, just that phone, just your iPad, etc., and you need to register each of those devices separately. What's new in iOS 16, and coming to Safari later this year in a major release, is iCloud syncing for passkeys. What this means is that you get a passkey and you can use it across all of your devices that are connected to your iCloud account, as long as you have generated it on one. So you can sign up with your phone and then use that on your Mac, or on your iPad, or on another phone, without having to do anything else. So I'd say if you're an Apple user, you may want to wait a little bit before hopping on passkeys, because they'll get a lot easier to use later this fall when these new operating system releases come out. But if you're eager to get in, there is an option in the developer menu that you can use to enable that, but we're not going to really talk about that now. Now, when can you get passkeys? This is going to be releasing in iThemes Security Pro. It is a Pro feature in version 7.2. Our plan is to release this later this month. Don't hold me to that, but we're very, very confident that we'll be releasing it later this month. And pretty soon we're also going to enable, a first time for us with iThemes Security, an early access quick release. So if you go into the quick release settings for the iThemes licenser, there's a little checkbox that says enable quick release updates.
And later this week, hopefully, maybe next week at the latest, we'll be doing an early access release so you can take a peek at it a little bit before it goes out into the wild. The other thing I wanted to touch on is server requirements. The next version of iThemes Security is going to require PHP 7.3. From what we've seen, almost all of y'all are using a PHP version at or above that, but if you aren't, talk to your host and they can get you updated. Your site is going to need to have OpenSSL support; 95% plus of all sites have this. If you're not sure, you can ask your host, but you almost certainly have OpenSSL on your site, so you don't need to worry about it. And the one big thing: your site needs to be behind HTTPS. This is something we've talked about for a long time. Even if you're not an e-commerce site, even if you're just a blog, you should be using HTTPS, and to use this feature at all you're going to need HTTPS. This requirement is going to continue being pushed by the browser makers and vendors, but it's just something you're going to have to do if you want to use this feature. So with those slides done, I'm going to hop into a little bit of live demo now. Let's shift into that. Okay, hopefully that is pretty clear to everyone. Okay, so yeah, we have a new menu in iThemes Security called Passkeys. And so this is the passkeys feature. And there's a new module that you'll need to enable; it might be enabled by default, we're not sure yet. The other thing you're going to need to do is head on over to the Configure menu, to Login Security, and go to Passwordless Login. And you want to make sure that Passkeys is checked and enabled here. So this is part of the Passwordless Login module. We are still supporting the magic link email-based login feature, but if you want to use passkeys, you're going to need to check this checkbox.
Let's take a really quick look first at what this looks like logging in for real. So I'm going to log back into my website here, and I'm going to say I am Miffy. I'm going to get a prompt asking me if I'm sure I want to do this. I'm going to say yes. And I get the message saying, do you want to sign in to my site as Timothy? I'll say continue, and I'm logged in. Oh, now here's the other thing: two-factor is partially allowed and partially not allowed. Live demo. I didn't intend for it to pop up this time.
But yes, depending on how your configuration is, you may still have a two-factor requirement. We think you're fine from a security perspective if you don't want to use two-factor when you are logging in with passkeys, but you will be prompted the first time, so I'm going to enter my login code. There are two settings that configure this in iThemes Security. If we go into User Groups, there's a setting here called Allow Two-Factor Bypass for Passwordless Login. We'll want to make sure that is allowed for all of our users, so I'm going to allow two-factor bypass. And what this means is that optionally a user can say, hey, I don't want to. I need to save this here. See? Save it for everyone, just to be sure. There. Yeah. And so this will let users make that decision themselves. On my profile screen here you can see I have "enable passwordless login" checked. But then I also have a checkbox here that says use two-factor with passwordless login, so if I want to, I can enable that. Otherwise I can disable it, and we'll leave it disabled for now. So I'm going to log back out again, and hopefully we'll get a more seamless example this time. Wow. And continue. Okay, so yeah, I'm getting this prompt now that says additional security measures. I can choose to enable or disable two-factor, and we'll say we want to disable two-factor, and there we go. So now if I log in with a username and password, I'll get prompted for two-factor, but when I log in with passwordless login, I won't be. And passwordless login does some other cool things, not just that one click. So let's pretend that I'm on a different device. I'm going to get a Google Chrome instance over here. Okay, so you all should hopefully see this Google Chrome window too. This is a different browser, and I'm going to say I want to use my passkey here.
And so I haven't authenticated with Google Chrome yet. So what I can do is verify my identity using my iPhone. So pretend, let's say, I'm using a different computer; I'm logging in on someone else's site. I click add new phone. It's going to pop up this QR code, and with my phone I can go to that QR code. I'm hitting "sign in with a passkey" with my phone here; you get this cute little login. I'm going to say Continue. It's going to take a picture of my face. And I got logged into Chrome. So one click there. I say, hey, I want to log in using my passkey, I'm using a different device, but I'm able to do it using my phone because iCloud syncing has synced my passkey across all of my devices. So that's the really cool part about how iCloud works for these things, which is coming out of developer preview later this year. That's why I said a little bit earlier that, hey, you might want to hit pause for a little bit before adopting this if you're an Apple user, because I think passkey syncing makes this a lot clearer. But now that I'm on Google Chrome, I'm going to head over into my profile and say that I want to add a passkey for Google Chrome. This will let me log in using this device with Google Chrome even if I didn't have my iPhone with me. And the way I do that is I go over into my profile, go to Register Passkeys, and click on Manage Passkeys. I can add a new passkey. I'm going to get a little prompt here that says, hey, this is what passkeys mean and this is how you can set them up. I'm going to press Add Passkey to register my device. Google Chrome is going to pop this up here. I'm going to say, hey, I want to register with this device. Because I have an Apple Watch connected with my Mac, I'm getting a little prompt on my watch that says double click to approve. Hopefully y'all can see that. There we go. I will double click to approve that. And now I'm going to name the device I just created, and we'll call this Google Chrome.
And then we're all done with our passkeys, so we can hit Done and exit out. And now if I log in on this Google Chrome device, I'm getting that message that says Google Chrome is trying to verify my identity, and I'm getting a pop-up on my watch. I'm going to double click, and I got instantly logged in. So one more flow that I want to demo to you. We're going to create a new subscriber account here.
We're going to copy this password, and we're going to save that password for now. And we're going to log out. Now I'm going to log in as this subscriber user. So we're going to log in with their username and password. And when we click Log In, yeah, I'm going to be prompted to set up two-factor. I'm going to say I don't want to use two-factor for this user, so we'll hit skip. And now I'm going to be prompted to set up passkeys. So if I want, I can now set up passkeys through this flow. And I can just hit Skip Setup if I'm not ready. If I am, just click, hey, add a passkey. And I'll say this device again. We have my passkey. And now the next time I log in as a subscriber, I'm not going to need to enter my password. I'm just going to say I'm a subscriber, use your passkey, and double click my watch. And I'm logged in. So that's an example of how that flow looks for a new account. Right now with iThemes Security, the first time you set up your account, you're still going to need to log in with a password. We're looking at a way for the future where you can register without ever needing to use a password. But yeah, it's a pretty quick flow. I type in my password, I say, hey, I want to use my passkey, and I'm good to go. There are a couple of options in iThemes Security that I want to talk about, and then we'll open it up to Q&A. So the first one is the flow, actually. I'm going to switch over to Safari, and we'll log in. Right now we've been using a flow that we call method-first. A flow that I really like is the user-first flow. The way this works is that we first prompt the user for their username. So if we go into Passwordless Login, they can change their passwordless login flow to username-first, hit Save. And now, when I log in through here, I'm going to see a different login form. First I'm only prompted for my username. So maybe we'll log in as a subscriber again; I'll hit Continue, and it's going to see what login methods are available to me.
So I can log in with the username and password, use my passkey, or email a magic link. And we'll say I'm going to want to use my passkey. Again, I get logged in. But if for some reason, let's say, passwordless login was disabled for my account, I'm going to go over here and say disable. When I log in as a subscriber, I'll get prompted for my password. And so that gives you a really great flow to progressively enable what options are available to you as you are using the site. And yeah, I don't have passwordless login enabled. This looks like a little bit of a bug, but, as I said, we are still in the early preview days before the release. But yeah, this is passwordless login. I think that's everything I wanted to demo. Nathan, I think you'd be looking to remind me if there's something I'm missing, but if not, we can open it up to Q&A and talk about this more.
All right, so this is really, really interesting, Timothy. I see a lot of potential, particularly using it with clients and people who might have some confusion. Some good conversation happening in the chat as we went as well. I think, like Sue mentioned, there'll be a little bit of education involved for those of us that are supporting clients, for example on "this is the new flow and how it's gonna go," and one of the questions was, will iThemes provide some sort of generic training video that we could supply to the people that we're serving as our clients? And Kathy Zant from the Kadence team answered, yeah, that's definitely in the works. Yeah,
that's on our roadmap. Our plan is to have documentation that you'll be able to also kind of embed into your site that will be free from iThemes branding, and will just give a kind of overview of what this feature means. Talking about the education side of things: we've been using passwords for 30, 40 years, so there's definitely a lot to unpack here. I would say the big thing is that Apple, Google, Microsoft, these really large tech companies, are very committed and on board with passkeys, and using this as the future of logging in. And they think it's going to be a lot easier, particularly with some more advancement that we've seen with things like iCloud and device sharing, that will make this flow a whole lot easier. I will say, though, that really this is going to depend on the big companies like Apple and Google to really push this to the users and help with that user education side of things. This is, after all, kind of like a feature in your computer, and it'll be something that I hope to see they'll talk about in their marketing materials and talk about in their documentation. So hopefully come this fall, when Apple says, hey, here's this new iOS release, you're not gonna be the first ones needing to teach your clients how to use passkeys. Apple will have already done some of that work for you. And hopefully, fingers crossed, they'll see this cool new marketing feature that Apple says, hey, you can log into a site in a second with a passkey, and ask: how do I get that for my WordPress site?
Exactly. This is fantastic. So there's a bunch of questions stacked up, folks. If you have not yet done so, please pop up in the Q&A window and either ask a question if you haven't asked one yet, or upvote the questions that others have asked so we know which questions are the most interesting, and I'll give you a couple minutes to do that. In the meantime, one of the big questions that happens now with two factor authentication: what happens if you lose your phone or lose your computer or you get a new device? How easy is it to deal with that situation with a passkey?
Yeah, it's a great question. And that's the biggest part. If you saw in my slides, WebAuthn and passkeys have been in development for six years. It's something that there's been a lot of thinking on, and that is one of the hard parts to figure out. But Apple has kind of been, I would say, the ones moving this way the best. So the way that this works with Apple is through iCloud. When I generate a passkey using iCloud, which is just what you'll have when you log in with Safari, that passkey gets saved into my iCloud account like any of my other passwords and things like that. And so that automatically gets transferred to all of my different devices: my iPhone, my watch, my Mac, my iPads. Everything that I'm logged into with iCloud now has access to that same passkey, and so the only thing that you need to remember then is your iCloud account. You've got to remember your iCloud account to be able to gain access to that if, for some reason, you lose all of your Macs, or your house burns down, or your phones wind up in the wash, and everything all at once breaks. Apple does have a kind of recovery flow that will let you get back into your iCloud account by proving you are who you say you are. And so what I'd like to see is for other ecosystems to adopt what Apple is adopting. The other thing is that you can register multiple devices. So when you go into your account there, you can say, hey, the first time I'm going to log in, I'm going to log in using the authentication that is built into my phone, and I can carry my phone around anywhere and log in to any site using my phone. But just to be sure, let's also create a passkey for my Mac, maybe my desktop computer that doesn't leave the house. And so then I have two options available to me. But that is a good point, of like, what happens when everything goes away. And so that's why right now we still require passwords to be part of your account. So you'll still have a password associated with your account.
That's why it's still important to use a strong password. You're just not gonna have to type it in, so don't turn off your strong password requirements. But it does mean that if you lose access to everything, you can log in with a password, go through the regular password reset flow that WordPress has, get back into your account and set up another passkey.
Very interesting. One more question that I had personally, and then we'll turn it over to some audience questions. So earlier when you were adding, you went through the flow to add the passkey using Chrome. It said "use your Android phone," but yet you used your iPhone. So, yeah, Google is just trying to push you to Android, I guess.
Yeah. So the way that the phone-based sharing works is kind of a newer part of the system. And so originally Google Chrome's version of this would only work with Android. But this has now been developed into a kind of standard. And so I don't know which Google version it's planned for, but there is a Google Chrome update that will remove the Android part of the equation and just say "add a new phone." And if you take a look at Apple's video from WWDC this year, when they do their whole "hey, look at all these cool things that are coming out," you can kind of see in their demo video that it doesn't say "add a new Android phone." So you can in fact use your iPhone, but right now it just says "use your Android phone."
So when you scan that QR code with the phone, what happened on the phone?
Yeah, so my phone prompts me, and I'll see if I can show this to y'all a little bit better. Oh, I have a video of this. Let me grab this video. Because, yeah, it was a little bit challenging to figure out how we want to demo passkeys, because there are so many different devices, with my phone being involved and my computer being involved, and Zoom doesn't provide a great way of sharing two devices at once, unfortunately. But I'm going to move this video over here, so hopefully you can see this. So this is me logging in via Google Chrome and iPhone, what I just showed you. So I get prompted for an Android phone. And now you can see this is me on my phone. I'm going to click "sign in with a passkey," it says, hey, do you want to sign in? I'm going to say yes, and then on the site here, I get signed in right after. So what's happening is that Google Chrome is presenting, hey, here's this challenge that you need to sign and deal with. My phone says, hey, yeah, this is that person and they are who they say they are. Chrome gets told that, and then Chrome says, okay, we can log them in. And so that's basically how that flow is working at a 1,000 foot level. Yeah.
That is just amazing. Okay, lots of questions stacked up here. If you have a question you haven't asked, please do that. If you'd like to upvote the questions of others, please do that as well. All right. First question, from Ben Bradley: is biometric login going to be available for all users? For example, if I have a membership site with lots of folks signing in, or maybe an e-commerce store, can this be used for all of my users? Yeah,
if you'd like to. So it's part of the Passwordless Login module. So inside of iThemes Security, you can say it's enabled or disabled by default for users, and you can say what user groups it's enabled or disabled for. So if you want to enable it for, let's say, subscribers, which we aren't, you can do that. Right now, it is able to be integrated at launch with WooCommerce, Restrict Content Pro, Easy Digital Downloads and LifterLMS. We're also planning on adding support for LearnDash and TC before release, and it's pretty easy to integrate with other plugins as well. You kind of just include a little link and a modal popup that lets you log in, and then you'll be taken forward. So yeah, that is part of the feature. So anyone who's on your site can use it if they want to.
Very good. Question from Sue. So the private key you talked about, is that something you have to keep safe somewhere to use again, like if you get a new phone or computer? We can answer this, but maybe specifically, yeah,
so as a user, no, there's nothing that you need to do. Your device takes care of it. So when you log in, your device is going to say, hey, here's this public key, I'm going to store this private key. But if you saw when I was registering a device, that private key is never shown to me. I don't need to memorize it. I don't need to write it down. I don't need to keep it in a safe. My computer holds on to it. So as long as my computer is protected by my password, my private key is protected. And so obviously you don't go sharing out your computer's password with other people. But yes, it's not something that you need to take care of; your computer takes care of it for you. Very good.
So the next question is from Paul, and actually Dace had a similar question, and they both revolve around: what if we currently have a shared WordPress user that multiple people are using? How does that work in the passkey scenario?
So I'll say there's two things here. One, I would never encourage account sharing. It's going to work against you with features like trusted devices, where we try and keep track of the IP addresses that people log in from. It's really bad for audit logging. If you're using shared accounts, you don't know if you did this, or one of the seven other people that are using this account did this. So I always recommend: create separate user accounts for everyone. Even bigger deal, say someone leaves your company and you have a shared WordPress account that you use across 40 sites. You're gonna have to change that password on every single one of those sites, and everyone's gonna have to know that they need to use the new password. If you have a different account for each of these people, you can just get rid of that account. Now, what we saw here, though, is that in my device section, I have my registered passkeys. I don't have just a single passkey. So we can see I have a passkey here for iCloud, I have a passkey here for Google Chrome. So if I wanted to, I could create multiple passkeys, one for each of these people. So you could log in and say, hey, I want to register a passkey on their device, and they can register that device using their own passkey, and anyone can log in with that passkey into that account. There's not a need for, hey, this is the one true and only; any passkey could work. I would say a better solution in that case probably would be something like a YubiKey that you'd maybe pass around. But I really would say security best practice: everyone should have separate user accounts.
Yes. And that was said with emphasis, with the shaking of the finger. So that's definitely a good takeaway from this one. All right. Let's see, my name has a great question: will logging in with a camera on a computer be good enough for facial recognition?
Okay, so this is probably a little bit of a misnomer, and I just wanted to show you that "insert your security key" option. Excuse me. So the Face ID and Touch ID things, this isn't part of what we're doing in iThemes Security. And so this is literally the confusing part with biometrics. What we're saying is we support passkeys and passwordless login through WebAuthn. The device that you use is what is able to determine that, hey, do you have biometric support? Do you have Touch ID? Do you have PIN numbers that you have to use? So it's gonna depend on your device. If you're using something like an iPhone, or modern Android phones, they have their own Touch ID and Face ID sensors. On the Mac, there isn't a Face ID option yet. On Windows, you have Windows Hello. But this isn't a thing where you can connect a webcam to your computer, point it at your face, and iThemes Security is going to make sure that that face is the same face that was registered earlier. That's up to your device to securely do, and the biometric part of that thing is really just verifying that you are who you say you are. So the same way that, for instance, if you're on your iPhone and you want to log into your bank, I can't remember the last time I typed in my password, but it prompts up that Face ID. And so that's the same kind of thing here: your iPhone is storing your bank password, and then it's logging in for you, and it knows that it's you. And it's the same thing with passkeys. It's gonna say, hey, is this the person they say they are? Okay, we'll send them the information that they need to know.
Yeah, it's a great answer. And so currently, I think Apple Face ID is only supported on handheld devices, so the camera on a MacBook, for example, does not have a high enough resolution to actually map a face, and certainly not my little webcam I've got on top of my monitor here. Yeah, maybe one day, but
that's what's great about the iCloud options, right? So when I want to do it, I can log in on my phone, which has Face ID, and I'll just say that's my phone at my computer and get on going.
Yeah. Okay, Stacy: is it possible to turn off two factor requirements for passkey login, but keep it turned on for the username and password login?
One more time. So
is it possible to turn off, let's just say, we want to have a site where some users are using passkeys and other users might be using standard usernames and passwords, right? Can you turn off two factor for the passwordless folks, but keep it turned on for username and password?
Yeah, so that's what I talked about with two factor bypass. So if we go into user groups, we have this option here that says "allow two factor bypass for passwordless login." So if you have this checked, the way it works right now for iThemes Security is that if the user has two factor enabled, the first time they log in using passwordless login, they'll be prompted to say, hey, excuse me, let me back up. The first time they log in with passwordless login, they'll get a thing that says enter in your two factor code, and then they'll be prompted and get to choose: do I want to provide two factor every time I log in with passwordless login, or don't I? And so they have the option of, like, yeah, actually this is a really secure account, it's important to me, I'm going to keep that two factor option enabled. But if they don't want to, they can skip it. And that's configured on the profile there. So if we go into my profile, we see this option here, "use two factor during passwordless login." And so if that's unchecked, I won't be prompted for it, and that's why you didn't see it in the couple of things here. But if I do check it, then when I log in with passwordless login, I will be asked. Very cool. We think that it's fine if you want to enable this. We don't think it's a security problem to say, hey, if I'm using passkeys, I think we're safe to say that that's fine, you don't need to also use two factor when you're logging in.
Very good. I think the next question relates to something right there on the screen. Stacy would like to know, can we revoke the passkey of a device that's lost or stolen? Yeah.
So if you go into "manage passkeys," you can hit delete. So let's say we don't want to log in with Google Chrome anymore. It says it was added on this date, it was deleted on this date, and seven days from now it'll be permanently deleted. If I wanted to restore it, let's say I did it by mistake, I thought I lost the device, but it was actually just under the fourth couch cushion, I can restore that device.
Very cool. Very cool. Let's see. So the next question is from Manu. And you've answered this sort of from a different angle. But what Manu would like to know is, if a device is stolen, can a thief access your passkey?
So there are two parts here. One, if the device is stolen and you're using a YubiKey, this YubiKey is my passwordless login. So if they're able to activate this YubiKey, then they're able to get through, so you need to protect this if this is your primary authentication mechanism. If you're using, however, something like your phone, just having the phone isn't enough. They would have to be able to log into your phone with your password. And then iOS, for instance, I can't speak to how it works on Android, but iOS secures this data in what's called the Secure Enclave, and it's the same on macOS, and for that they also need to have your face. So they would have to have stolen your device, hold your face up to the phone, and then they can get in. But just having the device isn't enough. They're stored in a very secure spot today. They need to steal your device and steal your password and potentially your face.
That just brings up all sorts of scary scenarios. Like the next zombie movie's coming out here, they're gonna, anyway,
that was a little bit tongue in cheek. But I'd say that's also a part of why usually just a camera isn't enough. What happens with Face ID is there are a whole bunch of infrared sensors that actually try and make sure that your face is three dimensional, that it's not just a picture of you. So the sensors are actually pretty difficult to trick.
Yeah, yeah. Okay, John has the next question. So once biometric login is established on my iMac, then anyone can log in if they're on my iMac desktop, is that right? If not, what is the backup situation when someone else needs to access the site in case of emergency?
All right, so I guess there are two questions there. Yes, someone would be able to, using your Mac, if they're able to successfully biometrically authenticate, or if they're logged into your device. So when your account is logged in, Apple is not going to prompt you for two factor using Touch ID or something like that. It's not gonna prompt you for your password again, usually. So yes, if they are in your device, they can then log in as you. If there's someone else who needs to gain access to that account, like we kind of mentioned before, passwords are still a thing, so you can store your password in your will or something like that, which can be a good practice there. There are also some services for this that handle giving out passwords after someone has passed away, and if they're able to prove that there's a death certificate, you can give it to someone you trust. So there is still that option. And you could also register multiple passkeys. But I would always say that if you need other people to be able to gain access to your site, you should just give them their own user accounts that they can log in with. But yeah, the in-case-of-emergency thing will still be a password, or just register another passkey.
Yeah, John, if that didn't answer your question, you can clarify there in the chat. I'll be watching. Next question is from Ben. I'm a Mac and iPhone user, but not a Safari user. What do you recommend to proceed with the adoption? Should we keep going or should we wait?
So I would say things will get a lot better for macOS and iOS people come this fall with the new version of Safari. Right now, to enable the iCloud syncing that I talked about, you have to enable developer mode and enable a checkbox and things like that. It's been in testing for like a year and a half or so. But Apple has said that this is coming in the next major Safari version. So I'd wait till then. And the same with logging in using my iPhone with something like Google Chrome. That's also right now behind the developer kind of guard, so the story for those devices on iOS is that it's a little bit slower than the other device manufacturers. I would say you can use Google Chrome right now really well. You'll just get the option to type in your computer's password, or if you're using a watch like me, you get that little watch prompt to double click on your watch to just log in. But in the future, I think Safari will be the best option for Mac users. It's just going to be a couple of months before those new devices come out.
Interesting. So right along that same subject, Paul would like to know, when we're talking about the term devices, and we've used that for a lot of different things, is a device a browser, or a device? So each browser you use should be registered?
So again, this depends. The thing is, WebAuthn is supported everywhere, but what it means is different on different devices. And when we launch, we're going to work up a kind of spreadsheet of how these features are different for different users. I would say one of the things to always be mindful of with cross-browser stuff is that as developers, we're the ones who are using five different browsers and six different computers to test everything. But most people, they just use the same browser every time. So they'll just need to learn the one way that passkeys work for them. But so right now, if you're a Windows user, the authentication is built into your device. So if you're prompted to set up a passkey, and you set up your passkey, it's stored into that Windows computer, and you could use any browser there. On macOS, it is per browser. So for Google Chrome, I needed to set up a separate passkey for Google Chrome versus Safari. But if you're using Safari with iCloud, it's syncing across all of my devices. So any device that is running macOS that's logged into my iCloud account, I'll be able to log into with the same passkey, be that my iPhone, my iPad, my desktop Mac, my laptop, etc. All of those will be shared in iCloud. But Google Chrome doesn't have access to iCloud, at least not yet. Maybe that is something that'll come in the future, but that's not a possibility right now. That being said, again, you can do the flow that I kind of demoed in that video there, where you just take your iPhone and point it at the QR code when you're logging in with Google Chrome, because just any iOS device is what I need to be able to log in anywhere I am.
Great question and a follow-up, both from Sue and Paul. Does an incognito Chrome, for example, count as a different device?
No. So it's stored in, when we talked about Macs needing to be recent Macs, they need to be Macs, I believe, with a Secure Enclave, which is just about any Mac after like 2016 or 2017 or so. And so your passkey is stored into that Secure Enclave. And so it'll work with Google Chrome, incognito, what have you; they're not treated as separate passkeys. And yeah, I would say in terms of the registering-each-browser type of thing, most people, like our clients who are really wanting to use this feature, they're not using seven different browsers like we do, where we're cross-browser testing everything. But yes, you also won't need to register a different passkey when you're using iCloud syncing, because you'll again just be able to log in using your iPhone.
Yeah, awesome. Let's see, we're right at two o'clock now. I still have seven questions. So let's move to a lightning round, right? Quick questions, quick answers. Yep, for that. Sure.
I'm here all day. So you
don't have to talk slow. It's fine. So Gordon would like to know, and again, this is something that's been answered in different contexts, but just specifically, what steps would I need to take if I change out my computer, if I get a new computer? What do I have to do?
Sure. So if you are using a Mac with iCloud, you don't have to do anything; it's stored into your iPhone device. If your device doesn't yet have a great way of going computer to computer by the manufacturer, I don't know if there's a way to do this, for instance, in Windows yet, but what you're wanting to do is, when you log in, you can log in with your password, and then you'll register that device. So you're still going to have a password that's associated with your account. It's just not gonna be a password that you need to log in with all the time. So when you move to a new device, if you're not using something that syncs passkeys, you'll have to set up a password again, but that's why the passkey syncing is the really cool feature that Apple is adding here. And if you're using a phone, it's even easier, right? Because you can have your phone that will be your passkey, and then on your login on your new computer, you'll say, hey, I want to use a passkey. You'll point your camera at the QR code that pops up, you'll get logged in, and then if you want to, you can register another passkey for your new device.
Gotcha. Deborah's question: do you need a different passkey for every browser, user, device and OS?
Yeah, so again, it's gonna depend on your computer. So if you're using Apple, and iCloud, it will sync across all of the devices that are using iCloud. If you're using Google Chrome, again, that's why it's best to use a movable authenticator like your phone. With Google Chrome, you can click that "add a new Android phone" button, and then your Android phone becomes the device, and anytime you see a pop up, you just point your Android phone at that pop up and you get logged in. So that's kind of my recommendation there. You don't really need to; you can see my account here, like this is the calendar view saying I have two passkeys registered. I don't need to register passkeys for everything. I'm able to log into this using my iPhone right now, my other Mac right now, everything.
Got it. Roy would like to know what you think about where passkeys are going to be: LastPass, 1Password killer ultimately?
So I think that's part of the goal by browser manufacturers, is that really the one password you'll need is the password to your computer slash iCloud account. And I would love to see that be the case. It'll take a while, depending on getting things like financial institutions, the big slow-moving ones. So I'd still say a password manager is a good thing to have for the passwords that you do need to store. And yeah, like Sue points out, you can store credit cards, passport, social security numbers, financial information, even software license keys and stuff like that in a password manager. So that's not the only use case, but hopefully the days of needing to open up your password manager and find the password and copy and paste, and so on and so forth, are dead.
Yeah, interesting. Here's a great question from Stacey. We talked about how it's not a great idea to share user accounts between people. But what about a scenario where you're visiting a relative and you use their computer? She says currently she visits her brother, uses his computer, and then just two-factors into her LastPass account there. How would that work with the passkey scenario?
Yeah, great, great question. So if I log in here, and say we want to log in, and let's say I want to use my passkey, I have this sign in option available, which won't prompt me if I'm logging in on someone else's computer. But, as you can see, there are other sign in options, and I can select my iPhone. And so then that's going to pop up this screenshot with this QR code, the same way we saw in Google Chrome. So that's how you would do this in a multi-device world: you'll have the thing that says, hey, use my phone, and the phone that you carry with you will be what you use to log in. And you'll be able to log in on someone else's computer.
That's brilliant. That's just amazing, that interaction there. Okay, great question here from CMET. How does this apply to WordPress multisite, especially as a master administrator who's logging into all the accounts via the parent site?
So right now we don't support multisite for passkeys. And the thing with passkeys is this is something that we'll look into supporting in the future. Part of the security of passkeys is that they're tied to the domain name. So if you have subdomain or subdirectory installs, it would be possible to do this with passkeys. But right now, domain mapping wouldn't work with multisite. And the way it would work with subdomains is kind of as normal: you would log in, and you wouldn't need to set up 30 different passkeys, one for each site. You'd just have the passkey with your user account. And then, yeah, we're looking at a better way to support multisite more holistically before we launch support for it. So to start, on launch, we won't be supporting multisite.
Yeah, interesting. Let's see, question from Dace: will two factor be supported in parallel with passkeys, or do you intend to deprecate two factor at some point in the future?
We have zero intention to deprecate two factor. So two factor will continue to be supported, ad infinitum. I would say the thing that we probably aren't gonna be adding to two factor is new two factor types. Right now this initial feature of passkeys is just going to be using passkeys for logging in. But we're also going to add passkeys that you can use as two factor methods. So if you want to continue using a username plus password plus two factor, you'll be able to do that. So we won't be integrating with the two factor providers, most likely, in the future. But two factor is here to stay, usernames and passwords are here to stay. We'll probably offer options for people who want to disable them if they want to. But yeah, all of those features are here to stay.
Interesting. So this, I believe, is our final question. So Paul asks, is the old school method of username and password still going to work? For example, if there's some problem, for some reason, with the passkey, we're just having trouble. Earlier you just showed one of the other options is logging in with username and password, one of those options, like I said last. Oh,
I'm gonna enter my username here. And I get an option here that says "login with username and password." If I'm honest, I don't remember the password for this account anymore. I'm using passkeys. But yes, that feature is not going to go away.
Very good. All right. That brings us to the end of the questions. Timothy, this is just phenomenal. I am super excited about the potential here. This is a new technology. It's just starting to roll out. It's gonna be interesting, I think, a year from now, having a year of this option under our belt, where this is going to be going forward. Any final thoughts as we're wrapping up?
Very good, and am I correct in saying that iThemes Security will be the first WordPress security plugin to bring passkeys to WordPress?
Yeah, so as far as I know, we're currently the first WordPress security plugin that is using passkeys for logging in. Some people have added support for WebAuthn as a two factor method and things like that. But I think our passwordless login is the first, if not very early. I mean, you can see that with Safari and Apple, it's going to be a couple more months before it's really primetime. But I'd say the experience right now is really great for Chrome, Windows and Android users, and it'll be great for iPhone users just around the corner.
Yep. And reiterating, the release of iThemes Security that will contain this new passkey feature is coming out when?
So we don't have a date confirmed yet. It's going to be almost certainly this August, but it might be a little bit later. And we'll probably be publishing a lot of content associated with this release, both for helping you educate your clients and educating you on how the feature works: demos, tutorials. We've been putting a lot of content out, so this isn't gonna be the last time that you're going to see any of this information. So we hope you've enjoyed this kind of early sneak peek at passkeys, but you're gonna be hearing
more from us. Definitely. And again, this was a sneak peek; that was in the title of today's training webinar. So like Timothy said, we'll be doing a lot more training on this feature going forward in iThemes Security, both from a technical perspective, as well as, I'm sure, from a client and business perspective. I'm really looking forward to this, just personally, in our agency work. I think it's going to be a huge change, a good change, for our clients. So with that we'll wrap up. Timothy, any last thoughts before we sign off?
No, I really enjoyed the past hour. Looking forward to having you all get your hands on passkeys.
Very good. Well, thanks again, Timothy, for sharing your wisdom and insight with us. It's been great. Thank all of you for being with us. Hopefully it was a good investment of your time and you are as excited as I am about the new passkeys features in iThemes Security. So once again, my name is Nathan Ingram, for everybody else here at iThemes. I hope you have a great rest of the day. I'm back here tomorrow for Office Hours for our members here on iThemes Training, where we go further together.