iThemes Security Biometric Logins and Passkeys Explained
5:30PM Oct 19, +0000
Speakers: Nathan Ingram, Timothy Jacobs
Keywords: passkey, password, log, user, security, device, login, keys, prompted, factor, site, website, google chrome, timothy, set, questions, user account, link, clients, demo
Again, welcome everybody. If you're just joining us, we're just about three minutes away from getting started with this webinar on iThemes Security Pro and the new feature of biometric logins and passkeys, a great new way to securely and simply log into WordPress. I'm getting our captioning set up, we're just about ready to go. I'll drop in the slide link here again in just one moment in the chat. You'll find the link to today's slides there in the chat. Timothy Jacobs is with us and we've got a great webinar lined up for you today. Plenty of time for Q&A as well, as you see the new features of iThemes Security Pro explained. We are just about three minutes out now. As you get into Zoom, pop up in the chat window, say hi. Tell us where you're logging in from today. Good to see folks logging in from across the United States and around the world. Welcome Deb from Texas. Paul from New Jersey. Daniel, welcome from London. Good to see everybody. About two and a half minutes away. Looking forward to showing again the biometric logins and passkeys feature of iThemes Security Pro. We demoed it when it was still coming soon. It is now in the latest version of iThemes... Yeah, ready to go. Welcome Ben from UK.
Today's slides once again dropped in there in the chat if you'd like to download those and follow along.
We'll have plenty of time for questions and answers as well today about passkeys or anything security related. Timothy is going to give us some news on what's happening in iThemes Security to get us started today before we get into passkeys. I have a lot to talk about, a lot of fun stuff happening.
Yeah, we went over last time. I think we went 75 minutes.
That's right, yeah. It's always a lot to talk about with security.
Timothy, would you be open to talking briefly at the top here about the latest update that just dropped in WordPress yesterday?
Yeah, so there was a 6.0.3 WordPress security update yesterday, and your site should have been automatically updated. And if it hasn't, we still recommend, you know, checking to make sure that automatic updates have been pushed out for all the major branches. So your site should already be up to date. Kind of TL;DR is there aren't any super high, critical, high severity issues. There are, though, still security issues, so it's important that you get updated, but we shouldn't be seeing (oopsies, sneak peek) we shouldn't be seeing any major attacks going on or things like that. Not a critical security update, but an important one nonetheless.
Yeah. Yeah, I had neglected to get that in the news roundup slides for yesterday and realized it right as we were getting into the top of the news from Core. I forgot to talk about the update that had just dropped. So welcome, everybody. Glad you're here. We're just about ready to get started. I'm going to drop a couple of links in the chat: the link to today's slides as well as the replay link that will have the video on it. Now, Manu, I see your question. I'm not sure what you mean by Web3. So please give me a little more detail on that. And Timothy, unless you know what he might be talking about there.
I would presume they mean Web3 in terms of crypto and things like that. I don't think we have any particulars going on there. There are probably some interesting security conversations to be had, but not for iThemes Security and WordPress, at least not now.
Yeah, Manu, if that's not what you're asking, just clarify that in the chat to me and we'll get that updated for you. Alright folks, I'm gonna get the recording started and we will officially begin. Well, good afternoon, everybody, and welcome to another live iThemes Training event. My name is Nathan Ingram. I'm the host of iThemes Training and I'm joined by Timothy Jacobs, the lead developer for iThemes Security. Welcome Timothy. How's things going in your world?
I'm doing awesome. How you doing Nathan?
I'm doing pretty well. We've got a good week started off here. It's gotten pretty cold down here in the south. Probably been cold for a while up where you are.
And then a bit better. Yeah, this is my weather, you know, the 50s and the 60s. That's what I'm all for, if it could be that year round. It's a reprieve when the asphalt is no longer shining back thousands of degrees at you in New York City, and the trash on the streets isn't, you know, constantly invading your nasal cavities. It's an improvement.
Oh, that sounds delightful. That just sounds absolutely delightful.
Give me the fall weather you know the pumpkin spice lattes. I'm out here.
Paul Talman loves... awesome, Paul there in the chat loves pumpkin spice. We can get into that later though. Give us a little overview of what we're going to be covering today.
Yeah, we're gonna be talking about biometric logins and passkeys in iThemes Security. So if you missed it, I don't know how you did. You've spoken quite a bit about it. But we launched passkeys in iThemes Security just after WordCamp US in September. And we did a preview webinar about this back in August. And now that the feature is live and official and you can use it right now, we wanted to give it another show off, and answer your questions if you've tried it, what problems you ran into. So yeah, we're gonna be taking another dive into passkeys.
Excellent. So this is a fantastic feature. It's live now in iThemes Security. It really will make logging in simple and easy and secure for you and your clients. So let me do a couple of housekeeping notes and we'll turn it over to Timothy to get started. First of all, I'm going to drop once again into the chat a couple of links. First is for today's slides. If you'd like to download those and follow along you may; there's also going to be plenty of live demo today. Also the replay link is there, where you can rewatch this video about an hour after we wrap up today. It will have the transcript, it'll have the chat and all those things as well as the replay video, which you can rewatch or share with others that might be interested. As always, if you'd like to ask questions, please pop open the Q&A window down at the bottom of the Zoom share. If you put your mouse on top of the Zoom window the menu will pop up and you can click the Q&A button that will open up that Q&A window. I would encourage you just to leave that open the whole time because you'll see the questions as asked by others. And if you also have that question, click the Thumbs Up button and that will upvote that question, and we'll take our questions in order at the end by the number of votes. So with that, I'm going to disappear and turn it over to Timothy. Let's get started.
Awesome. Yeah, so let's start talking about passkeys. So before I dive into passkeys, I wanted to give you all a little bit of a state of account security in WordPress, and the big question is: what do we do about passwords? We kind of already had this problem with users using weak passwords. I don't know if you've gotten some credentials from your clients, and you look at those passwords like, oh dear, oh boy, that's not the greatest, and trying to get your clients to use stronger passwords can be difficult. It can be an uphill battle. I remember this, they asked things like that. We also then kind of get into this era of users reusing passwords, so they might find what at first glance is a complex password that they've generated, but they use that same password on every single site out there, or they have slight variations, and reusing passwords is extremely dangerous. You might be familiar, we have a Have I Been Pwned integration in iThemes Security, and a big problem that we run into that you might see is that there are tons of website breaches that leak passwords. And if you or your clients are using the same password on multiple sites, when an attacker sees this breach of email addresses and passwords, they're going to try all of those stolen passwords on every single site that they can think of with your email address or with your clients' email addresses. So reusing a password, even if it's a strong one, is extremely dangerous. These passwords can also be phished out of users. If you're in a big corporation, or even small corporations, you might have gone through your fair share of phishing training, where we go to users and you say, here, you just won $500, click this link to find it. You know, you really shouldn't be falling for those attacks, but you might have the more advanced phishing attacks like, hey, I just published this draft post on our website. Can you go take a look at it and review it for me?
And you might click on that link, thinking that you're going into your actual WordPress website, but you might not be. You might be going into a phishing website that is targeted, trying to take over your site or your organization. And so the kind of big holy grail for preventing these password-based attacks has been two-factor. Two-factor is really the strongest protection that we've had available up until now, and it lets you enter in both something you have, or something you know, which is your password, and something that you have, which is your two-factor device. The problem is that the user experience for it can be a little bit confusing, and it's difficult to teach clients how to use it. I'm saying that, hey, you need this app here called Authy or Google Authenticator and you need to open it up and scroll and find your app. Go find it. It's a code that comes in every 30 seconds. Let's get it in there. And then the setup process is unfortunately not the easiest either. We try and make it as easy as possible to use in iThemes Security but there's still definitely a way to go. We have email-based two-factor authentication solutions, and some that will let you just put a button in your email so that you get logged in automatically. But it's still unfortunately a little bit difficult for users. And while we have some phishing prevention, there are phishing techniques that can even bypass two-factor these days. I'm going to show you a quick demo of one of those, a video, in a second. So let's take a deeper dive into phishing attacks. So this is where users can get tricked into giving up their passwords. The really common one of this is pop-ups. This is a kind of clever technique where you see the Sign in with Microsoft button. You might see this a lot on the web: sign in with your Google account, sign in with Microsoft, sign in with Facebook, all these different types of services.
And this is a pretty clever pop-up technique where you click the Sign in with button and you think a pop-up window is opening. But it isn't. That's actually all part of the website. And it can make for a pretty convincing phishing attack. But that's something that most users, if you play around with it, you can kind of see, oh no, this isn't right.
But an even more advanced technique that we can see some days is website clones. So this is a video overview of a tool called Evilginx. And this is a site that looks identical to microsoft.com because it really is microsoft.com. This is a user who is logging into this site, with their real Microsoft account, with their real username and password. And they're going through the exact flow. You can see this is even showing kind of a customized login flow where they know, hey, your user account is this. So you might see these things where they present you a picture, like with certain banking websites. Here's a logo. And now this user is entering their actual two-factor authentication code into what appears to be microsoft.com. And the only way that you'd really be able to tell that something is wrong is by carefully taking a look at the URL in your address bar and seeing like, oh, this isn't the site that I think I'm logging into. But everything other than that, it looks identical. And so you can see here that this is at cyber fish shot XYZ, which is a little bit of a giveaway. But attackers can be very creative with the URLs, which makes them look like, oh, there's no red flag here. It looks almost exactly like microsoft.com, just this zero is an o or something like that. And even more clever forms of attacks than that. So what we've kind of been advocating for for a long time in iThemes Security, I can't remember now when we launched this feature, but it's been a couple of years, is passwordless login. And so this is this technique that was kind of, I think one of the early big players was Slack's magic links, if you're a Slack user, and the way this works is it lets you completely skip entering in your password. So setting a strong password for your account isn't as inconvenient anymore, because you don't need to type it in every time. As long as you have a strong password set, your account is more protected. It can also let you skip two-factor authentication.
And after all, you've just clicked a link in your email. So if you're using email-based two-factor authentication, we don't need to ask you for it again. So that can kind of make the login flow a little bit easier. And I think that's a pretty decent user experience. You just get one button that you need to click on and you log in. You can use it through your phone, you can use it through your desktop app, different email applications, they all kind of work in that you get logged into the place that you're looking to go. And they are pretty phishing resistant. If you activate the trusted devices feature, iThemes Security will even show you a graphic showing where the login is coming from, so if it says we're logging in from Russia, we don't click Confirm login, that's something else, something fishy is going on there. But unfortunately, email is pretty slow, and it can be particularly so on WordPress sites if you don't have something set up like Postmark or one of these email providers to give you instant email. And it can be a frustrating login experience where if you want to log in, you just want to click one button. You don't want to have to wait for a couple of minutes for an email to arrive and get it out of your inbox. It's not the most friction-free experience, especially when you want to get in there right now. So our solution to this is something called passkeys. And this is a quick little demo of it. So this is me logging into my website using a passkey. I clicked on the Use your passkey button. I click continue and I'm logged into my site. That's all that I needed to do. And it was a kind of one-click experience. My computer knows who I am. And it talks to my WordPress site and says this is who they say they are and I'm logged in instantly. I don't have any need for remembering and entering in a long password. I don't have any need for a two-factor device. I can just get into my site using one click. So passkeys mean no passwords.
You don't have to use the two-factor authentication methods. And you kind of get a one-click login, and you can see here, we earlier saw it on my desktop, but this is in a phone environment. And you can see it's prompting me for Face ID and it's logging me in right away. And this is a pretty big thing, but the claim that Apple and others make about passkeys is that it's phishing proof. It's not actually possible for you to be tricked into giving up your credentials, to be tricked by an attacker into logging into a malicious site, because your actual device won't even let you in. You might be kind of familiar with
apps like LastPass or 1Password, password manager apps that let you take a password and get logged in. And you might have the assurance that 90% of the time I can just, you know, click the little button that says log me in with 1Password, log me in with LastPass, and I'm right in. But sometimes it doesn't always work. Supposedly this is protection. I will say like, okay, if LastPass doesn't pop up, I know something's wrong. I'm not logging into the real chase.com, I'm logging into evil attacker chase.com. But because these features aren't, you know, 100% reliable, it's difficult to break the habit of, well, I guess I need to go manually copy my password and enter it in this time, and actually get us to say, oh, maybe that means something's going wrong here. But with passkeys, they truly are phishing proof. There's no way for you to get lazy and say, oh, I'm sure this is fine, and just copy and paste in your passkey. You just can't do it. You won't get into the site. Passkeys are based off of the WebAuthn standard. This was born out of the FIDO Alliance over a multi-year process. It's been in development for over six years, really; if you look at some of the earliest forms of this, it goes back even further. And it's backed by Apple, Google, Microsoft, pretty much all of the big tech giants are on board with passkeys and trying to promote them as the future of logging in on the web, and mobile apps actually. And they're at this point supported by all major browsers. Support is improving rapidly, and we'll kind of touch on this a little bit towards the end of our slides. But you can use passkeys now with every browser. The support for different features varies, but it is available broadly. So you can see here, this is the example with Google Chrome. And here's another example actually on a Windows device using Windows Hello.
And so I wanted to give a little thousand-foot overview of what actually happens when you log into a site using passkeys, and so this is the registration process, where your device is the cute little blue device over here on the right, and the WordPress site is the little green browser window on the left. And so what happens is when you're on your device and you click on the button that says register, your device talks to your WordPress site and says, hey, I want to create a new account, and what your phone then, or your Mac or your laptop, does is it generates what's called a public-private key pair. And this is a really well-known form of cryptography that's existed for a very long time. And it lets us say, okay, here's this public key. Anyone can look at this public key and anyone can verify that it's me who signed it. And they do that using the private key side of it. So when you log in, you talk to the WordPress site and say, hey, I want to log in. And WordPress says, how about you sign this piece of data for me, almost like you'd be signing your signature, and your phone uses the private key part of the public-private key pair to generate a signature based on this data. Your private key, your private information, never leaves your site, or excuse me, never leaves your device. The only thing that's sent to your site is just a signature, and then the WordPress website can take a look at that signature and say, does this match up to what we expected it to be? And if it does, then we can sign you in. And so at no point here did you need to enter in a password, send a password from your device to WordPress, send a copy of your Touch ID, your fingerprint, your face. None of that information ever has to leave your device. There are no secrets that are actually exchanged. It's just a really solid cryptography method called public-private key. And so the big thing that we want to hammer in with some of the improvements that passkeys make is to account takeovers and phishing-based attacks.
And so again, no personal information is going to leave your device, so this means that there's nothing for an attacker to steal. We see all the stories, right, of websites getting hacked and they get access to your passwords, which is a problem, but they might also get access to other information like your address and things like that. But with passkeys you may be saying, well, does that mean that a website has a copy of my face now? And no, they don't. So there's nothing for an attacker to get. So if they do steal the database, the site gets compromised, you're not under threat. There wasn't any data of yours that was stolen from your authentication method. So it means that that can't progress to being attacked on other sites. If your account on one WordPress site gets hacked, it can't be used to take over an account on another WordPress site, because you can't even use the same password. It's just not possible.
You can't really be tricked into giving up your password at all. You can see over here on the right it says, do you want to sign into security.test, that's my domain name for my testing site, as admin. But then you can see on Google Chrome, it's a similar thing, it says it's trying to log in and verify your identity for security.test. It's presenting you the domain name that you're logging into, but even if you blew past all of these warnings and didn't pay attention to the domain name that it was saying, you still couldn't make a mistake. It's kind of preventing you from accidentally giving up your passwords to a motivated attacker. There's just no way for you to make a mistake there. Here's another example on Windows security. Now there are two forms of authenticators with what's called WebAuthn. We have platform authenticators. And these are the really great ones we think most people are gonna be using, as these are things that are built into your computer, your smartphone, your browser. And they often use biometrics like Touch ID or Windows Hello, Face ID and other platforms to authenticate you, and to know that, hey, you're actually using this device. The same way that if you just have your phone, you can't access anything until you swipe in and unlock your phone, it's a similar mechanism where your device isn't going to share your authentication methods until you authenticate with your device again by using Touch ID, Face ID, Windows Hello, etc. The other side of this is roaming authenticators, and this is something that's supported, but these are separate hardware devices that you often connect with Bluetooth, USB keys, NFC. These are things like YubiKeys or Titan keys. So the geeky ones of us might have things like this, this is my YubiKey that I've used for a while that I really love. And you can use that if you want to with iThemes Security passkeys.
But it is not what we're expecting users to need to purchase and learn how to use. For the most part users will use platform authenticators that are just built into their devices. And so both of these options have slightly different capabilities in terms of browser support. Right now, these are platform authenticators, which have a little bit less browser support, but at this point, and I'm gonna be covering this in a second, are pretty much all here for the major platforms. Roaming authenticators, on the other hand, are supported everywhere, pretty much, so if you do have a USB key like a YubiKey or Titan key you can use that with anything. If you're wanting to use the authentication methods that are built into the device, it varies a little bit more based on what your device supports and the versions of the operating system that you're on and browsers and so on and so forth. I wanted to cover two different platforms at a high level. If you remember my talk from back in August, I talked a little bit about single device authentication. This is where, if your laptop for instance has a Touch ID sensor, for a couple of years now you've been able to log in using just that laptop, pressing your Touch ID sensor, and this was kind of single device authentication. That meant that your actual MacBook laptop is the thing that's been authenticated. But what we have now is iCloud-synced passkeys, and this solves the major challenge that we've had with adopting passkeys and WebAuthn up until now, which is that passkeys were just on the individual device that you registered them with. With iOS 16 and macOS Ventura, which is actually launching next week, iOS syncs all the passkeys for you. So they'll sync your passkeys across all different devices.
And you'll be able to log into your WordPress site using the same passkey from any of your devices without needing to go through a separate registration step for your phone and your desktop and your laptop and your iPad and so on and so forth. Android just recently published a blog post detailing their plans as well. They are syncing passkeys using Google Password Manager. So that's kind of built into Chrome and your Android devices. So you can use Google Password Manager and have the same experience, and this is going to be releasing in the fall later this year. Or I guess maybe winter, we'll see, December 21, something like that. But Google has announced their intentions to launch it later this year. But we'll get into a demo showing off an early version of that using Chrome. I wanted to cover server requirements and then we're going to hop into demoing this and see it in action. If you didn't see the news, iThemes Security's latest release, 7.2, requires PHP 7.3 or later. From what I can tell, most of y'all are on a PHP version that is compatible with this. But if you're not, make sure to update to PHP 7.3, or all the way up to 8.1 if you're adventurous, to be able to use passkeys and the latest versions of iThemes Security. You do need OpenSSL on your site. This is something that pretty much everyone has. But if you see an error about it, you can ask your hosting provider and they can get it set up for you.
And lastly, this entire feature doesn't work if your site doesn't have HTTPS. We've talked for years about the need for you to have SSL on your site, even if your site is just a blog. And this is one of those features that just isn't available unless your site is using HTTPS. If you haven't adopted PHP, HTTPS (little bit of a mouthful), you should be doing that yesterday, but now is better than never doing it. So you should really get on the HTTPS game. But yeah, you can try this now in iThemes Security Pro 7.2. It's available in the member panel, you should see an auto update for you if it's available. I'm going to take a break to drink a little bit of water, then we're going to hop into a demo and then tackle all your questions. Okay, so let's get into this. Um, let's see. So I need to stop this share over here and we're gonna share our screen again. Okay, so hopefully y'all are able to see this. If you could confirm for me, that'd be awesome. Awesome. Okay. So I'm going to start for a second on Safari, to show you something that you might run into. I'm going to add a new passkey to my device here. I'm in my user profile. You can get to it, obviously, from your user's profile or from up here and editing your profile. And what you might see is, if you go into manage passkeys and add a passkey, you might see this message: your device doesn't support passkeys. So on this computer, I'm not running the latest macOS beta. So passkeys aren't officially supported on this device yet. So you'll see a message like this. If you want to, you can still set up a USB security key, but the flow is a lot more complex. It's more for advanced users. So you might run into that. But I'm gonna go proceeding with this demo in Google Chrome, which does have passkey support right now. I'm using Chrome Canary. So hopefully everything's gonna be stable here. But live demo, always gotta cross your fingers and see what goes on. So I'm over here on my WordPress site.
I'm going to start by showing you logging in with passkeys and then we'll go through the setup process. So I'm going to enter in my username here, and so I have a USB security key plugged in. Let's actually unplug that so we can see it better. But we're going to try again, and we're going to use this device. And so you can see that Google Chrome is trying to verify my identity on Timothy that I think step five, and I can actually approve this login request just using my Apple Watch. So I'm going to double click and I've been logged into my WordPress website. And so it's just that easy of a process for actually logging in. But now let's dive into what it would look like for setting this up for a new user. So I have this subscriber account. I'm going to pause my screen share for a second and I'm just generating myself a password. Okay. So we're gonna go into iThemes Security settings. You're gonna see in the Settings page a new feature called passkeys. You're gonna want to start by making sure that this is enabled. Then you can head on over into passwordless login, and once you enable passkeys you'll see that we have a couple of different authentication methods for passwordless login now. We have magic links, which is the email-based authentication that you are used to. But we also have passkeys now, and so this should be turned on for you by default, but you can turn it on here if you'd like. You also have an option to choose who you want this to be enabled for. So you can let this be enabled by default, or you can disable it for all users by default. We prefer to recommend it and have it set to enabled by default. But you can change that if you'd like. We also have two different login flows. I really love the username first method, and I'm gonna be showing that off for the rest of the demo.
But there's essentially a difference between asking the user who they are first or asking the user how they want to like login first we're going to start with username first.
So we've got that saved I'm now going to let's take a look at that user
Okay, hold on one more second yell I'm going to create ourselves a new test user. I'm gonna pause the screen share for one more second okie dokie Okay, so we're gonna go ahead and login as this demo user.
So I'm gonna log in with my password. We're gonna skip setting up two factor for this user right now. And we're prompted to set up passkeys. So we've already logged in, but WordPress is telling us that passkeys are available to us and that we can set them up if we'd like to. So you can skip this setup if you don't want to, but you can read a bit about how passkeys work. And the first step is to click Add passkey. So we're going to press Add passkey to register a device. So by default, this passkey is going to be saved to my actual Google Chrome account for this device. And we're gonna go ahead and continue with that. But we can also register it to a phone or different devices like that, but we're gonna stick with this for now. So I want to now authenticate with Google Chrome and I could type in my computer's password here or, since I have an Apple Watch, I can just double click to approve, and now I've created my passkey. So I'm going to call this Chrome Canary, so I can remember this passkey later. And so it tells me the next time I log in, I can look for the Use your passkey button to log in with one click, and we've got a handy link over to documentation for different browsers if you want to learn more about it. We hit Complete Registration. And we have the passkeys setup complete for this user. So if we scroll down into our passkeys section, we can see we have Chrome Canary, and it was added today but it hasn't been used yet. So now the next time I want to log in as this user, I can go ahead and type in my username again. And I'll see a new option that says Use your passkey, and so once I click this button, I get the pop up and I'm logged into my site. So really one click, pretty easy to set up. Especially once you've set it up for the first time on a device or a service. I think setting up the next time will get a little bit easier.
I'm also going to add another passkey, so I'm going to add a passkey not saving to this device, but I'm going to save it to a different device. So this is an option. If you remember from our talk back in August, it said an Android device on it, and Chrome has said that they're going to update this to mention that you can use it on Androids, iPhones, anything, and they've done this in this Canary release. This will be live later this year. But I'm gonna go ahead and say I want to create a passkey for a different device. And this gives me a QR code that I can scan. So I'm going to scan this with my iPhone using the camera and I get a little pop up that says save a passkey. This is a little bit hard to kind of demo. There's a lot of moving parts here. But if you go to ithemes.com you can see kind of some screen recordings that show this. But you should see that hopefully my iOS device is now prompting me if I want to create a new passkey, so I'm going to say yes, and it's doing a little bit of Face ID authentication. And you can see that my Google Chrome instance is automatically updated. And I'm gonna say that I've saved this to iCloud and hit Done. And now you can see I have two passkeys on my account: this Google Chrome Canary, which is just for this computer, but I've used my phone to use iCloud. And so that means that I can use iCloud across any of my devices to log into my website now. So I'm going to show an example of how that works through Google Chrome. So again, I'm going to say let's use demo, use my passkey. And instead of using my password, I'm going to try again using a different device. And so now I can point my device here, hit sign in with the passkey and I get a little sign on screen that looks like this. Connecting, connecting, connecting. Yeah, so where this works is that the two devices are actually talking to each other. My phone is talking to my computer, over Bluetooth, and then they're setting up a connection to each other over the web.
So they kind of have to be next to each other. But I'm gonna go ahead and hit Continue. Yeah, I've been prompted here, going to Face ID, and I've been logged in. So this is really handy. When I am just using my own computer, I can log in just using the passkey that's saved into my device. But if I'm on the road, if I'm using someone else's computer, I can always use the option that says hey, let me use a different device for this and you'll be able to log in using that device wherever you are. If I wanted to now, and let me see if I can actually figure out a way, I think I can demonstrate this. Give me one second.
Let me now grab this guy and I'm gonna see if I can show you all what's going to happen on my phone as well.
So let me go into Zoom. Are y'all seeing this? Maybe not. I don't think that's going through.
Okay, hopefully I can see this now. Yep, that looks good. Awesome. So I'm going to type in my username here. This is on that same test site. I'm going to hit Continue. I'm gonna use my passkey and now you can see the prompt that I'm getting on my device and hit continue
and I'm logged in and can manage my passkey here. So you can see, on this device here, I set up this passkey with Google Chrome, as you saw me do, but I saved it to my iPhone. And so my iPhone, via iCloud, has the same across all my devices. And I was able to just log in using that same device without needing to set up passkeys another time. So for most users, you only need to set up passkeys once, probably. If you're in the Google Chrome and Android universe, you'll set it up to your Google Chrome account. If you're in the iPhone universe with iOS, you'll save it to your iCloud account, and then across all of your devices you're just able to use it using that one click option that I just showed you. But if you're using another device, you can still do that by scanning the QR code and following the prompts that happen on screen. And maybe you could show that. Let me see, I'm gonna go and log out in Google Chrome. Let's actually log out of our demo device here
and we say use your passkey but we're not going to do that. We're going to use a different device. And if we open up the camera
you can see that nice, pretty little flow there. And I'm getting prompted to sign in, which y'all should see this side of it. But I know you can't see the Google Chrome side of it. Unfortunately, I can't really share all the devices at once. But over this hopefully it kind of illustrates what's going on here. And so I'm getting prompted if I want to sign in, and I do, and I'm logged in. I'm gonna go back to our Google Chrome sharing.
There we go. So those are the kind of major flows that are available with passkeys. As you can see, I've set it up on one device. I've synced it across multiple different devices. I can log in with multiple different devices, and get logged in securely, and don't have to use two factor authentication. But it's really just as secure as two factor. In fact, it's actually more strong than using two factor and a strong password. So with that, we're going to open it up to you. I see a lot of y'all have had questions over in the Q&A. And we can just start tackling some of those.
Very good. So I know some of you asked questions in the chat, please pop up in the Q&A window, which you can see by mousing over the shared Zoom screen, click the Q&A icon and please ask your question there. That way it gets put in the list. That will start to give Timothy right now before we do that, I'm going to quickly drop in the two links, one for today's slides, and then one for the replay. I know what some of you mentioned in the chat I rewatching. This will be pretty helpful and you can slow that down and walk through that at your own speed after we wrap up today. Okay, also in the Q&A window, please press the thumbs up button by any questions that you would like to also hear the answer for that a lot. But those questions then give them priority in the list. Okay, first question from Sue D. Timothy, do you think that this is a solution for non technical clients? Have you ever taught anyone how to use it? As you know that is your that is not a technical person? You know, what's your advice? And that's
where I don't have clients as much these days. Nathan's probably the best person to ask this, as I know you started to think about it during the rollout for passkeys. We did do a bunch of user testing with users of various technical backgrounds and we found that they were able to successfully complete the registration flow and the login flow. And the truth of the matter is that it has to be. I think the state of security that we're in with passwords, frankly, just isn't sustainable. I don't remember the exact numbers off the top of my head but I think Facebook said they prevent millions, if not more, attacks every day from attackers that have a user's real username and real password. And the only reason that Facebook blocks those attacks is because of some of the more advanced monitoring that they're able to have in place. But these are users that have their password compromised, and the state of users needing to remember really complex passwords, we've proven it's just not possible. Humans can't remember 24 digit random codes. It's just not a thing that's possible. And needing to teach users that, hey, you need to use this whole other password management app. Unfortunately, they don't work all the time. And so passkeys is something that's radically new; you know, we've had passwords for like 50 years. There's a lot of inertia there that we're gonna have to get over. And teaching people how to use this new thing is definitely going to take some time. But I think unlike two factor with mobile apps, and unlike password managers, once you have this set up, you actually have a much quicker and much faster flow. And the setup process, while different than what you usually do, for most users will just be: Hey, I use my Google Chrome every day and I get to log in with one click, or hey, I use my iOS devices every day, or my macOS devices. I'm in that ecosystem. And I get to log in every day with just one click.
So I think that's where we need to get to as an industry, just because of all these accounts that are getting compromised. It's just not a sustainable path forward if we don't. And I do think that it is a solution that can be taught to non technical users. I mean, as the techie geeks we've already had and been comfortable with using two factor codes and different apps and all this stuff and we've been protected by this; this really is about protecting the broader base of users. And the big thing to remember is if your clients are using an administrator account on their website, it's just as important for their account to be protected as it is for yours, the developer or the site builder.
Yeah, and once the passkey is set up, and your browser is linked, as it were, to the website, it's as simple as clicking the button once and you're logged in. Right, right,
exactly. You don't need to be juggling different things. You don't need to be going back to email and the setup process. This is also a thing, I've been showing this off in the web. But passkeys are also coming to Android and iOS, and already there for iOS in actual mobile apps. So if you log into different applications, you'll be able to log in and register your account using passkeys. So it's not just gonna be something that is stuck only in the web. It's something that is being pushed across the web, desktop applications, mobile applications, everywhere. So it should be something that you just become more and more familiar with. And that's going to take education, both through my says people that have clients and can teach about it, but also from device manufacturers like Apple and Google and pushing out user education on their end as well. But I do think it is something that can be taught and, unlike two factor and password apps, is actually a more convenient solution than even needing to type in a 15 character password that's the same on every site.
Yeah. Okay, good question. From Sue here. She says our clients get new phones and don't think to back up their 2FA. Is there a backup for passkeys? Can they be backed up? What happens if, you know, does, for example, clearing my, you know, browser data, flushing cookies or whatever, does that clear the passkey? But if you get a new computer and a phone, how does that all work?
Yeah, that's a great question. So this was the major kind of last bit of the UX that needed to be solved for passkeys, is that passkeys kind of have existed on devices for the past couple of years where it was just saved to that device. And you can set up a passkey for your laptop with Touch ID and your desktop with Touch ID and those would be two different passkeys and they'll be disconnected from each other. But iCloud and Google both have syncing mechanisms. So when I create a passkey and save it to iCloud like I did with my iPhone, that passkey is saved into my iCloud account. So if I get a new iPhone, when I set up my new iPhone and log into iCloud, I got that passkey automatically. I didn't have to do anything. If I get a new computer, I can do that. And let's say you lose everything whatsoever. You're following the same kind of account recovery procedures that Apple has had for a long time. So there is a multi step process where they have to make sure it's really you. You don't just want anyone to be able to go to Apple and say, Hey, I lost this account. There's a whole multi step process that they go through to make sure that this really is you. But you can recover even if you lose everything. And it's similar for Google's password syncing as well. When you set it up on your Android device, it gets synced into your Google password manager store and it syncs it everywhere. So when you set up a new device or lose your device, you're still set. On the WordPress side of things, passkeys aren't like a thing that you would back up. You still have password based authentication available. So you can go through the password reset flow and create a new password if you wanted to. But you don't need to back up anything in the WordPress side of things. It's all about your device. And all the device manufacturers back this up and sync it everywhere.
Yeah, and it's actually interesting because we've had situations with clients that do use 2FA where somebody got a new phone and now it's like, what it reminded me of, to be honest, is, you know, 15 years ago, every time somebody would get a new phone, back when I was supporting email for my clients, you know, now they helped me put my email on my phone, which, God, I never want to go back there again, right? So the 2FA, like if you get a new device, you got to set it up and people don't know how to do that. But this is actually going to solve that problem. Right
exactly. This sticks with you. So when you log in with your Google account, when you set up your new phone, it's already there. And there's even like options that will automatically migrate it for you at later points in the setup process if you choose not to initially. And they've really thought through that kind of procedure, because there's no one
and this is, it's important to note that passkeys are not something that we came up with here at iThemes. It's not just iThemes Security. This is an industry standard that we're really on the cutting edge of and it's going to be more broadly adopted. There's a big deal on this new macOS version that's going to drop one of these days soon. Next week. Yeah, so it's rolling out across the board. And it's something that's, you know, it's new to folks now, but it certainly won't be; it's going to be the new thing that is coming. Stacey would like to know: are passkeys more secure, in your opinion, than two factor authentication?
Yes. Definitively, and there are few absolutes in security, but I would say yes, definitively more secure. Um, if you remember from that demo video that I showed with that Evilginx setup. This is a tool that a security researcher built that does this all for you. You didn't have to manually copy, like you'd see these old phishing websites where, you know, they try their best to make it look like Google. This is actually Google's source code of their website being delivered to you. It's identical pixel for pixel. It will take your two factor code and if you give it a bad one, it won't get you through. The ability to create hyper realistic phishing websites is better than it's ever been. And the tools for it are easy to set up. And traditional two factor is susceptible to phishing; if you're entering in that six digit code and you're not 100% sure that you're entering it into the right website, your six digit code is gone. I bet passkeys really are much more secure. And we give you the option in iThemes Security to say if you still want to use two factor with passkeys, so if you are in a field where security is really really really really important, like really important, you can use two factor with passkeys. But we believe, and Apple and the other big players have said, it is totally fine to use passkeys as a replacement for passwords plus two factor, and it is more secure.
Yeah. Let's see, Paul would like to know, what do you think? Should we give our users all the options for their login? Like, would you give, you know, just username and password, or everything, like username, magic login, two factor, passwordless? But what do you think about that? Great
question. So the dream scenario that we want to get to is you just use passkeys, but we're not there yet. We don't have an option in iThemes Security yet, though it is on our roadmap, for letting you disable password based authentication. So when you set up your WordPress account, it's still important that you've set up using the randomly generated password that WordPress gave you. And ideally, you'd write that down somewhere or save it to your password manager. But you'll never have to see that again and never have to use it again. And what we're going to want to do in iThemes Security in a future release is give you administrators the option to let users say, turn off password based authentication entirely. I don't want to ever use a password. Don't let me use a password. If someone's trying to use your password, it's an attacker. It's not me. But we're not there yet. In terms of passwordless login, really, we want to be pushing users to using passkeys. And the most secure method would be to disable the magic link, the email based method for passwordless login, but I don't think you need to do it yet. But that is the ideal point, is that you'll just say use your passkey and you get to use your passkey, and that's also, this is what's very cool about the username first flow. So if you've looked, what I see when I want to log in is I just say enter in my username or email address, and I'm entering in demo. And when I enter in demo, iThemes Security knows that I have passkeys set up for my account. So it's presenting this to me, but if I didn't have passkeys set up, it wouldn't present this to me. So a user is not going to click this thinking, Hey, what are passkeys? Do I have that or not? And try and do it before they set it up. So I really like the username first flow that kind of gives you these progressive options.
And so in the future, you might not see this login with your Password button if you've disabled that for your user account for instance, but that's not where we are today.
Yeah, interesting. And the email magic link is there because that's toggled on inside the iThemes Security settings.
But you can toggle it off if you want to. But it is still enabled and the email magic link I think still does have a little bit of a place it makes for a really nice setup. So I wonder if this is do I want to do another two minute demo for a second maybe? Absolutely. Let me see if I can set this up
So I'm going to go over to this site here. And I'm going to log in to the administrator user. I'm actually
using my passkey. I really like, I mean, like, I think that's cool, that I just clicked on my watch and I'm in my WordPress website. But I'm gonna create a new demo user. I will say this passkey and we'll say Timothy what email should I use? And I'm gonna hide this many I'll copy and paste this. Alright, I need to pause the screenshare. I'm going to generate a new password here
so we're gonna go to our phone again
Okay, now I'm going to try and log in as that user. So Timothy, I originally call this passkey. I called the passkey. And we're gonna log in. And so this is the first time that I'm logging into this website. I don't know, let's say, what the password was that was created for this account. And what I can do is I can use magic links to get in for the first time, which makes for a really kind of convenient flow of getting into a website without needing to know or even set up my password. I just have the random password that was generated for me by WordPress. Can you see this? It says my screen share is paused.
Yeah, that's someone Sue just noted that we were not able to see what you just did.
Okay, I'm gonna do that again. Sorry about that, y'all. So I'm going to log in as that user.
Again, this is because of setup as username first. So you're logging in as that user and then based on whether or not that user has passkeys set up or not, it's going to present them with the various login options. Like in this case, magic links are toggled on, and you have the option to log in with the password.
Right, I haven't set up passkeys for this account yet. So I'm going to use the magic link method because I also don't know the password. It was a random password generated for me by WordPress. So email that magic link, and I'm going to check my email, and give me a second to pull that up, y'all.
So I'm over here in my email and I have my passwordless login here. Click here to login. So I'm gonna hit login now. We're going to skip setting up two factor again. But now we're in the passkey setup process on a new phone.
And just to pause for a second, the reason that presented us with the two factor screen is because two factor is also toggled on as a login option. If that was not toggled on in the iThemes Security settings, that wouldn't have been presented.
Exactly. And if it was, you can also disable the two factor prompt depending on what users you want it for. We'd like to have it there because we want to tell users about all the security methods they have to protect themselves. But so I'm gonna add my passkey. Do I want to save a passkey for passkey? Maybe wasn't the perfect choice of username; it's a little bit redundant. But it's telling me that passkeys are saved to my iCloud Keychain. I'm going to say yes I do. And we'll call this iCloud, and again, it's telling me about using passkeys, and this part only gets shown once. So I'm now logged into my website, I still don't know the password for this user account. I'm going to log out, log in as passkey again, and this time I have the magic link option from before but I also have the use your passkey option. So when I hit use your passkey I'm getting prompted
and I'm signed in. So at no point did I need to scan anything, go into different apps. I still don't know what on earth that password is for this user account. If I needed to get it I could do a password reset if I wanted to. But I was able to log in as a new user that was created for me, use magic links, which is where I still think there's a little bit of a nicety of having magic links here, to gain access to my account for the first time. And then I was able to set up passkeys. The next time that I want to log in, I just use passkey login and I just get in with one click. So I kind of wanted to show an overview of what that full kind of flow looks like in an ecosystem where passkeys are completely available to you and you have no need to open up a password manager, manage any of that stuff.
A good question just popped in from Daniel in the chat. And we do we've got we still have 14 questions or 12 questions left that
I've got all day, Nathan. Okay. So
Daniel would like to know, if you have existing users, like we just saw, we set up a new user. If you have an existing user, how do you migrate those folks over to passkeys? Great
question. So the next time they log in, if we detect that passkeys are available to them, we will show them the option if passkeys are enabled by default. So if we go back to our settings here and we're going to hop into passwordless login. If I disabled the availability by default for all users, they wouldn't see that prompt; they would have to go to their profile. But with this enabled, they'll see that prompt to set up passkeys, and so they can have an existing user account and if we detect passkeys are available to them, we'll prompt them to set it up, or they can skip. If you disable this, any user can go to their profile, scroll on down to passkeys, and first we'll need to enable this checkmark, enable passwordless login. Once they enable that they'll see this whole passkey section here and they can go into Manage Devices and add in a new passkey. And I have a whole bunch of these here because this is one of my test sites. So most users will probably only have one or two passkeys. But that's that setup process. And you also have this option here, use two factor during passwordless login. So by default this is on because we don't want to ever remove security that a user has set up without them taking an active step to do that. But we prompt the user that logs in for the first time using passkeys. So again if they want to continue using two factor when they use passwordless login, and we think it's perfectly safe to disable this for most users. What we call their threat model, what they're concerned about, it's fine to disable that. And it makes the login process really nice.
Very good. All right. Let's see here. Next question is from Stacy. Stacy says I have I know several people that share their computers with members of their household. How do they prevent other users from getting on to their website?
Awesome question. So this is why I've been prompted. So if I go and log out again, I'm going to log in as my user, hit continue. And it may say use your passkey. Now, this is why this prompt is critical. It says Google Chrome Canary is trying to verify my identity. What I'm doing each time this happens, and you might be able to see that, you can kind of also, you'll remember that you can change how Zoom presents the videos, so you can make me Nathan's face is super big. But
grab the bar there, if you mouse over the vertical bar just to the left of the video. You can slide that all the way over.
Maybe I can also read that I'm doing a little bit I'm showing off my gymnastic skills. Yeah. But so I need to authenticate with my Mac but I'm still here that this is still me. If I didn't want to use this. Let's say I can use your password. You can see it actually timed out for me. So I'm actually entering now my computer password. So this is the password that I use to log into my Mac. So when I hit login, I get logged in and it's spinning. So that's the part that Sue protects you. That's why you already saw those prompts when I was already authenticate with my phone and I was using Safari, but I still got the prompt to scan with face ID because Apple wants to know that it's actually me who's using this device right now. And it's the same thing on the Mac. We actually want to verify that you are who you say you are so you get prompted to if you use a Mac with a touch ID sensor like a laptop to get prompted for that. Otherwise you get prompted for your computer password.
Yeah, very good. And so it really comes down to the passkeys are associated with a user account on the computer. And Stacy's saying that, still, all the people in the household use the same user account. At that point, like, I don't know what to do for you.
Yeah, I would not recommend that. Yeah, I guess would be the thing to say. If that is the situation that you're in, save it to your phone and your passkey is now on your phone, and you'll need your phone to log in as opposed to saving it to this device. But yeah, really. We had a similar question about kind of sharing user accounts in August in the context of WordPress. It's always a security best practice to have people have separate user accounts so you can make sure that everything is secure if someone loses their password. You only have to have their password updated and not force everyone who's using that account to have that password updated. That's really the best way to go about it.
Got it. Let's see. William would like to know how can you use pass... and William, I'm going to try, I think I understand your question here. I'm gonna do my best. William is wanting to know how do you use passkeys without needing a two factor code but still requiring a code for password login. Really passkeys replaces the need for a password, right?
It does. But so what I think William is asking is, so this user account here, I have two factor set up. I have it set up using email because that's what I was testing earlier. But if I also set up passkey with mobile apps, because I have this checkbox unchecked, I'm not needing to enter in my two factor code. If I wanted this checked.
I see what he's asking now.
Yeah, go ahead and clarify for me.
Yeah, so he's saying if you choose, if pass... if, goodness, if passkeys is enabled, but yet you still choose the Login with password option, will they then prompt for two factor if two factor is enabled?
Yeah. So I'm going to hit continue here. And I'm going to choose to log in with my password. Now give me a second, I have to open up my password manager. Normally, this would be a bit easier to demo but because I need to show you all the popups that happen from the browsers I have to actually share my screen. I can't just share one app. So just give me a second here to pull this up I forgot my password. So I'm going to enter in my password here, login. And because that checkbox was checked for my user account, I'm now getting prompted for my two factor authentication. So I'm gonna go ahead and copy in that code and hit login. And I'm now logged into my site. I had to use two factor, but I should demonstrate this better, sorry. So I have use two factor during passwordless login. If I uncheck that, the same thing would have happened. So I'm going to log into my user account. Go into Timothy. Say I want to use my password. Copy and paste this. And I get asked for a two factor code because I'm logging in with the password. I'm gonna grab my authentication code again. Now the part where that setting is important is if I have this checked in my profile, use two factor during passwordless login, now if I passwordless login I'm still gonna be prompted for a two factor code. Oops. There's too many email addresses during our Nathan 15 User Accounts testing here so I'm going to use my passkey I'm going to login and my password and my watch. And I'm still getting prompted for two factor because I have that setting enabled. We don't think you need to have that setting enabled for 99.9% of users. You can say that okay, I've got two factor set up but I'm never going to use it because I'm logging in with passwordless login, but it is an option for you. But if you have two factor set up on your account, and an attacker goes in and knows your password, they're going to still have to enter the two factor code.
So that's why we would still recommend setting up at least an email based two factor, but you're just never gonna have to use it. And this is why it's important in the future to maybe have an option that says: Don't let anyone ever log in with a password. No, no, no, if someone logs in with a password, it's not me, because then an attacker can't brute force anything. And they have to brute force your passkey, which is effectively impossible.
Yeah. Okay, we have a bunch of questions here. Can we go rapid fire? Yeah. All right. So Stacy wants to know, what about Windows 11 and platform authenticators.
So Windows Hello supports WebAuthn and passkeys. Awesome.
Paul would like to know what about users that tested this, were they able to set up? Oh, Paul, okay. Paul is asking about instructions for clients. We're gonna work on that, Paul.
Yeah, we have a pretty comprehensive document, but we don't have something that is specific for clients yet. But if you go over to this learn more about passkeys article, we have this kind of overview. And then we have different documentation for different devices. So using passkeys on your Mac, using passkeys on Windows, using passkeys on mobile devices. That kind of walks you through the different steps.
Yeah, very good. Timothy, are you are you in a spot where you could copy and paste that link into the chat? Yeah, that would be super helpful. Stacey is saying she's using Windows 11 isn't sure what Windows Hello is. So it's built into Windows OS. If you just search for it, Stacy, it's there. Yeah. Let's see. Stacy would also like to know, okay, how do I just disable passkey altogether? Is it on by default?
No, it is not on by default yet. It's something that we may turn ON by default in the future. But since we just launched it isn't bad to disable it. When ready,
very good. All right. I've just dropped Timothy chatted me the link I have just started I'm sorry buddy. No problem. That is the Help Center article on passkeys. If you're watching this on the replay, just open up the chat log or just Google wander passkeys and look for the ithemes.com listing. Let's see, Mani would like to know: I usually use a Mac desktop and login with passkey and then I have to add my Mac admin login. How secure is that if someone obtains my Mac login, and then can log into all the websites?
So that's your threat model, is that if someone is able to steal your Mac device and knows your computer password, then they would be able to log in. So if your threat model includes that someone might be able to steal your physical device and be able to gain access to that password, then I would recommend including two factor still by going into your user profile and enabling that setting. I think for most people that's not part of their threat model. But if it is, you can definitely do that. But at that point, your two factor device is probably also on your phone, and once they've stolen your phone and your computer and all that kind of stuff, they kind of go hand in hand. So for most people, the keys to the kingdom become just make sure my computer is protected and make sure I have a good password on my computer.
Yeah. Let's see. question here from Sue. Sue says we have medical doctors whose hospitals require their own two factor tool. Is this going to bypass that tool for them and see, I guess, are we talking about logging into the hospital website?
Yeah, I mean, like it'll depend on how people adapt it. But there are also like additional strength verification options that we don't have the settings for in iThemes Security, but passkeys can actually be configured such that they will only accept passkeys if they are authenticated by biometrics. So there are even higher levels of security that the greater ecosystem can adopt. We're not launching with those options in iThemes Security right now, but I think passkeys have different levels of security hardness depending on your requirement. I can see why that might be necessary in a medical center.
Good. Alright, so for the sake of time, I'm skipping through some questions that we've answered pretty much in other ways already. Let's see. Paul would like to know, on the login screen that iThemes Security takes over, the standard WordPress login, where there's the option for magic link, passkey, etc. Will login styler plugins allow you to.
So login designer, more or less works. We don't have specific integrations for this. If there's one that you use, that you want to see us support, drop a line to our support folks, via the help in your member panel. But you'll get the kind of like basic stuff, so I'll show it to you. It's not actually mean,
I've actually done demos on the with login designer. That's the one we've typically used in
the past few years when I like to but yeah, it'll still work. Deal
All right, I believe that wraps up all the last questions here. We've answered most of these in one way or another. Timothy, any final thoughts as we're wrapping up?
I want to touch on Mark's question for just a second here. Um, the big thing to look at is if you go to webauthn.me, and we can drop this link as well, and you go to the site, it will tell you what your browser supports. So that compatibility chart is from webauthn.me, but the best way to test is to go to this website and see what options are lit up for you. And what you really want is platform authenticators. And so if you're on iOS right now and the latest iOS, you have it. The latest macOS is gonna have it next week for everyone. If you have a Mac with a Touch ID sensor you already have it. It's a slightly different version. But the super awesome version, for lack of better words, is coming next week with macOS Ventura. For Android, it is coming to Android officially later this year for kind of passkeys. There's kind of an already existing model. It is available in Google Chrome now as you can kind of see here and it's available in stable Chrome and Chrome Canary, which is what I've been testing is just has some little UX improvements. But it is available with regular Google Chrome now. That's the demo that we did last two months ago in August. On Windows, it's available with Windows Hello. And I think that covers the big three so that's the 1000 foot overview on.
Very cool. And we had some questions about Chrome Canary. That's a developer version of Chrome that lets you do API things and
the bleeding edge.
Yeah, very good. All right. Well, wrap us up, Timothy. What are a couple things that folks can take away from today?
So I think passkeys are a big new stack. We've had passwords for years and years and years and years and years and there's going to be a lot of inertia to get over. But I think passkeys truly are the future. It's not me saying this, though. I said as well. But this is what Apple and Microsoft and Google and all these tech companies are pushing for because it's so critical. And so I think it'll take a little bit of doing to, you know, get people used to it a little bit. But I truly think that unlike the security protections we've had before, this offers a user experience that fundamentally is better than having to type in your password. It's better than needing to use a two-factor app. And I think that's what we've needed to get broad user adoption. And so it's going to be part of what we do at iThemes. So producing user documentation helping to do this. It's going to be coming out from Apple and Microsoft and Google pushing for this, seeing it in apps and websites. And also from us as developers and people who have clients to push them and teach them about how they can use passkeys maybe with a WordPress site and then they can learn how to use it for all of their WordPress sites, for all of their websites that they log into, for chase.com. You know, but it's a process but we have 50, 60 years of history to overcome, but I think we'll be able to do it. For sure.
You know, and Paul has just given us a great thought to end on as well in the chat. It's an important change that's coming, right. So as technical professionals, this is something we need to get familiar with and maybe start tinkering around with it with ourselves. So once we're comfortable, we can start to help our clients get comfortable with it as well. It's like any other new technology that's coming down the line. Yeah. Well thanks, Timothy. For a great presentation here for all your work on this credit. I
want to Yeah, one thing Yes. is on ithemes.com We have a really cool video. So I didn't show this but resources blog let me search for passkeys for one second. But we have a very cool video that kind of gives you an overview of what passkeys are and why they're important. Two minutes watch it. And that'll give you that's something you can send your clients and say like you know this is this is why passkeys are cool.
Yeah, very good. Okay, folks, that's gonna wrap it up for us today, Timothy done. Great work here. Thanks for your wisdom on the webinar here as well as your great explanations and answers to questions. Great questions from all of you folks as well. We're back tomorrow from members for office hours. That's 1pm Central tomorrow. Here on iThemes Training where we go further together.