Discover a streamlined approach to WordPress logins with passkeys and Solid Security (the new name for iThemes Security). Passkeys work in the leading browsers, including Chrome, Firefox, and Safari, and with the biometric logins built into your devices, such as Face ID, Touch ID, and Windows Hello. Say goodbye to the hassle of extra two-factor apps, password managers, or intricate password requirements: website administrators and end users alike can now enjoy secure logins with a single tap.

Powered by the WebAuthn standard, these login methods redefine the passwordless login experience and set the stage for safeguarding access to sensitive online accounts, including WordPress sites. Join Timothy Jacobs, Lead Developer for SolidWP, for an in-depth exploration of how this technology improves the WordPress login process for both you and your clients.

Live transcript:

Like getting our captions set up and connected, so we'll have those going in just a minute. Hey, Tom, glad you're here. Hey, Sarah. So again, welcome. If you're just joining us in Zoom, open up the chat and say hello, tell us where you're logging in from today. Hey, Chris Jeffrey from Guatemala, welcome.
Just about to get the captions all connected up. All right, everybody
should have captions now. Hey, Barney from Colorado. Niles from the Faroe Islands, that's a new one on me, Niles.
And I have to become geographically educated.
Wow, the pictures are beautiful, huh? Okay, it's
kind of between Iceland and the UK. I've never heard of that location before. So welcome, Niles. Glad you're here. How about that, everybody should Google it. Is it Faroe Islands, Niles, or Furrow? How do you pronounce that? Hey, Nate from Washington, Sadie from Scotland, Stacy from Colorado. Welcome, everybody. Glad you're here. I'm going to drop in the link once again. The link bundle is there in the chat for today's slides, as well as the replay link, if you want to share this later with somebody else or go back and rewatch. We're about a minute and a half away from starting officially with Timothy Jacobs and "Let's Kill the Password," which is gonna be a fun conversation all about passkeys, and yes, gonna be a lot of fun. Hey, Stacy, welcome from Washington.
Yeah, Tom, right. It's a great, it's a great title.
All right, everybody. Again, welcome. If you're just joining us in Zoom, open up the chat and say hello, tell us where you're logging in from today. Several more folks are just popping in, so I'll drop in our link bundle once again. Today's slides are there if you'd like to download those and follow along; also the replay link is there. Hey, Elizabeth.
Terrance from South Carolina, Deb from Texas. Just about 30 seconds to go, folks, before we get started with "Let's Kill the Password," all about passkeys. I am just, well, I'll talk about this in the intro. I'm delighted that passkeys are becoming a thing that people are recognizing now. Yeah, okay, Sadie, we'll talk about that, because passkeys and the LastPass breach are like, passkeys are going to help us not ever have to deal with that sort of thing again.
Or make it much less difficult.
All right, it's three minutes after. Let me start the recording and we will get underway. Welcome to another live iThemes Training live stream. My name is Nathan Ingram.
I'm the host here at iThemes Training and I'm joined today by Timothy Jacobs. Timothy is the lead developer at SolidWP, that is the new name of iThemes, if you haven't been following that. iThemes is rebranding to SolidWP. Timothy is our lead developer and he's also a core committer and one of the maintainers of the WordPress REST API. Welcome, Timothy. Glad you're back with us today.
Thanks for having me, Nathan. I'm excited to be here. Absolutely. So
this is an intriguing title. We were talking about it in the pre-show, "Let's Kill the Password," all about passkeys today. So I was thinking back to the very first conversation we had about passkeys, probably. It's been about a year ago, I guess, sometime around, more than that.
We launched passkeys, I think, in August of 2022.
Yeah. So we're talking then about this miraculous new thing of passkeys that will make the days of these long, complicated passwords that nobody can seem to remember, and password managers that, you know, novice users have trouble implementing, and people instead tend to just go back to their favorite password that they use on everything. So just, just give us an overview. You know, if you had to answer, what are passkeys? What are they?
Well, they're the future of authentication. Um, so a passkey is basically another way that you can log into a site without using a password, and they utilize some cool stuff called public-private key cryptography, which we're not really going to get into. But that's part of kind of where the "key" comes from. But yeah, they're another form of logging in, and over the next 40 slides or so, we'll dive into what that means.
Very good. So the ultimate end of this for the typical user, particularly with the way passkeys are being implemented in iThemes Security and Solid Security, that will be coming in about a month or so. Yeah, you'll be able to log into WordPress without a password; it will recognize you and log you right in.
So especially for those of you that are working with clients, this is a delightful thing, because clients tend to really struggle in many cases with keeping those complicated, or complex, unique passwords for every website. And so this is going to help us along. So if you're just joining us, let me do a little bit of housekeeping and we'll turn things over to Timothy. If you're just joining us, welcome. We're glad you're here. Pop up in the Zoom and say hi and tell us where you're logging in from. There you will find the link once again to today's slides as well as the replay. So this is being recorded. We'll have this up, ready for your review, or if you'd like to share it with others. It can take about an hour for us to get the video rendered and placed; in about an hour you can share that link that's there in the link bundle in the chat, and you'll be able to rewatch and share. Also, we invite you to ask questions throughout today's live stream. Please use the Zoom Q&A button. So if you mouse over the shared screen, the Zoom icons will appear. Hit the Q&A and that will open up the Q&A window. I'd recommend you just keep that open, and as you see other people asking questions and you have that same question, put the thumbs-up icon, and we'll be taking those questions in the order of upvotes at the end of today's live stream. So with that, I'll be quiet, Timothy. Let's talk about passkeys.
Awesome. So yes, "Let's Kill the Password" is the title of this talk, just a little bit provocative, but we're gonna be talking all about passkeys, which I think is the future of authentication. So studies have shown that over 80% of all hacking-related breaches are attributed to password compromises. That's a really large number. And if you think about it, that's because passwords kind of suck. They are an authentication mechanism that we've been stuck with for 60 years, and they're not a very great one at that. So what kind of are the problems with passwords?
Well, they're weak. A lot of people are just going to use weak passwords. You know, we still see the reports of the most popular common passwords, the 123456, password, etc., etc., etc. And so we try to kind of like make this experience better, and we started saying, hey, we're gonna require you to have a strong password. And so we have these password meters that say, like, hey, this is a strong password or it's not a strong password. But people found out they could, you know, come up with one kind of strong password and just keep using that password on all of their sites. And so you'd have one password that logs you into your WordPress site, your Chase site, your Amazon, all of your different online accounts. Maybe if you were particularly clever you would change out "Amazon" in your password name to "Chase" or something like that. You had your, like, common password part two, in your common password formula or something like that. But those really aren't particularly great. The big problem is that when those passwords become stolen passwords, then the one password that you use that got compromised at xyzretailer.com means that your Amazon account, your Chase account is compromised; your entire digital identity becomes compromised. The other big problem with passwords is phishing. So we have all of these things of, hey, make sure that you're going to the correct website. Make sure that you're entering in the password in the place that you think you're doing. And that kind of just revolves around: be careful, don't mess up, don't ever make a mistake, don't ever enter in your password in the wrong place. You might get all these different phishing test messages if you're working at one of those large organizations, or even small organizations these days; they try and trick you into giving up your password to a site that isn't the real site. And some of those phishing pages can be really quite persuasive. And we'll see a couple of examples of that in this talk.
So how do we move past passwords? Well, we started to think, like, hey, what are the different ways that we can make this better? And we did that by introducing two-factor. And so two-factor is definitely, it's the strongest protection available. This is where you log into your site and you say, hey, give me an authentication code that proves that you have something. And so the things that we preach the best are these different authenticator apps, but a lot of them also have backup methods like email, and things like that. And the problem, though, is that while two-factor definitely improves things, this is a report from Microsoft; they found that only 22% of their Azure Active Directory accounts actually have strong authentication practices in place. These are large businesses that are using Microsoft's products, and only 22% of them. This isn't just, like, you know, protecting your social media account. These are companies that just don't have a strong authentication system set up. Microsoft is talking about a combination of, like, two-factor and passwordless when they say strong authentication, but only 22%. A report from the UK found that only 37% of businesses had policies in place for enforcing two-factor. And so we think about that: why might two-factor adoption, even though we've had it for decades now, be so low? And one of the big reasons is that the user experience is pretty confusing. What we often recommend is the mobile app version. You're familiar, probably, with Authy or Google Authenticator. This is an app that you download to your phone, and you can type in a code and manage your whole network of different codes there. But that's a little bit confusing. If you've tried to teach someone how to use this who isn't the most technically savvy person, it's not the easiest thing to explain.
And so we came up with better versions of this, like email, for instance, that kind of try and make that user experience a bit better. Instead of needing to worry about an additional app, you just, hey, enter in your username and password and then a code gets emailed to you. But that experience still isn't that great. This is kind of in a different realm. This is from Twitter's reporting. And so Twitter says that 2.6% of Twitter accounts have two-factor enabled on their site. And you might say that, hey, you know, my Twitter account isn't the most important thing in the world, though I think someone being able to tweet as you and send DMs as you or view your message history might be a little bit alarming. So 2.6% of accounts, that feels very, very low. And I found these, what I found pretty funny, tweets over on Twitter, people complaining about the perils of two-factor authentication. From Ashley: the average American wastes 66 years of their life on two-factor authentication. This from Skidmore: why does two-factor authentication feel like 17-factor authentication? Now there are two phases. The one thing I really hate. This user experience just clearly is something that people aren't happy with and clearly aren't satisfied with. And I think that's a large reason why we're seeing such low adoption across the board. For a long time, basically the way that we've kind of encouraged people to use two-factor is this kind of, like, shame-based approach of, like, hey, two-factor is the only thing you can do to protect yourself. I found this summed up in this pretty funny headline: point, two-factor authentication is the only thing between me and hackers trying to ruin my life; counterpoint, annoying to do. But clearly we know that it is annoying to do, and just shaming people into, you know, using better security has not been effective for the past, you know, infinite years of web security.
Even if you have two-factor and you have it enabled, surprise, you can still be susceptible to phishing attacks, which I think is pretty wild. Here's a cool example that I found. So what phishing attacks do is they're trying to trick the user into giving up their password to someone who they don't actually want to have it. And so some of the ways that this can be done is just using popups. Popups these days can be very, very clever. This is an example here where they are kind of spoofing this idea of, hey, I want to sign in with my Microsoft account. And in this case, the website is actually popping up a fake popup that looks just like their browser window to say, hey, type in your password and your Microsoft account here. It looks exactly like it, and if you're not careful, you wouldn't notice the difference. Here's an even more advanced version. This is using a tool called Evilginx. And what we're seeing here is a website that looks exactly like Microsoft's login system. And that's kind of because it is Microsoft's login system. So this is a system that an attacker has set up that exists on its own domain. The only way you would know this is unsafe is if you're paying extra close attention to the URL. But as this user is entering their username, they're entering their password, the login page is being customized based off of the corporation that they're logging into. Their two-factor codes here are being properly prompted for, and they're entering into a website that looks identical to what Microsoft's real website is. And so we're going to see this person enter in their two-factor code here. And what's actually happening is it's being sent off to Microsoft's servers. It's presenting the real Microsoft UI. And the only thing that, you know, if you pay close attention up at the top of the URL there, is that this is actually cyberphish.xyz instead of microsoft.com.
And so of course attackers can be much more clever these days, with URLs that look more real than they actually are. And I find this demo pretty kind of alarming. I think it'd be really easy to make this mistake, to think that, hey, you're logging into the correct site, you're using two-factor, but you're actually being logged into an attacker's site. And so the thing that you kind of have to remember is that attackers only need to succeed once. If an attacker is trying to trick you into giving up your username and password, once they have your username and password, it's done. You have to be vigilant every single time you're logging in. And that's just not really feasible. Maybe we're doing 15 things at once. Maybe it's the 40th hour of the day, and we've been, you know, working and working and working and working and we're just tired, and we weren't as extra vigilant as we had to be. Having a system where you need to be successful 100% of the time to stop an attacker, and it's all on you as the human to not make a mistake, that's bound to fail at some point for a lot of us. So we came up with this next kind of system, which is passwordless logins. What these systems let you do is they let you skip your password and they let you skip a two-factor authentication code, and they try and give you a pretty simple user experience. You're just entering the email address that you want to log in with. And then you're sent a code in an email, something usually that looks like this. And you go back to the website and you enter in that code. Problem is, email is kind of slow. It's not the best experience ever to need to open up and wait in your email inbox. I know I have contemplated not purchasing something because it was taking, like, minutes upon minutes upon minutes for me to get my two-factor or passwordless login link via my email. It just takes a long time.
And honestly, even then, passwordless login, well, it's phishing-resistant.
We're kind of not tricking you into entering in your password onto a site, because you don't have a password. You still can be tricked sometimes into clicking the wrong link. This was a sign-in link for LinkedIn that I got, and you can see the approximate location there was Philadelphia, Pennsylvania. And if an attacker was sending me one of those links and I clicked on it, the only thing that I would really need to know is, look at that approximate location and say, hey, is that where I am? The problem is that the approximate location things in these very rarely work. I was, in this screenshot, actually in a train going to upstate New York, and I would have ignored that location warning anyway. So it's easy to say, hey, okay, was I supposed to click on this link or not? Someone requested this. Maybe it's just a login that wasn't actually me going there. It's so easy to make a mistake using this passwordless login technology. So what we have now, though, is a solution that I think solves pretty much all of these problems, which is passkeys. And so this is a short little demo of logging into a Google account using a passkey. All I needed to do was click one button and I got logged in, which is kind of incredible. Here's another example, which is from iThemes Security, logging into your WordPress site. I'm just entering in the username that I want to log in as, I click "Use my passkey," and I'm logged in immediately. So what's actually happening here? What are passkeys? Passkeys are another way to authenticate with a site. And they're a way of saying, this is who I am. They don't require passwords. They don't require that you use two-factor authentication. They're able to provide a one-click login experience that is very fast, and I think has a user experience, particularly getting better every year as our devices get newer and newer, that is easy for a lot of people to understand. You don't have to have a separate app.
It's built completely into your OS. You don't have anything else to worry about. You just say, hey, I want to log in, and it asks you if you want to log in. Passkeys are also phishing-proof. That's kind of like a big bar to ever say that, hey, anything is, like, phishing-proof or anything-proof. But passkeys are actually phishing-proof; that is the language that companies like Apple use, because it won't let you log into the wrong site. There's no way that you can make a mistake. So passkeys are also called, you may have heard of, the WebAuthn standard, or Web Authentication. This was born out of the FIDO Alliance, who have been working in this area for years and years and years. Passkeys, and this latest iteration of passwordless login, have been born out of six years of development. So it's gone through multiple iterations at this point and has been getting better and better and better each time. This is one of these tools that, as we rarely see these days, was actually backed by all the big tech companies. This is backed by Apple. This is backed by Google, and this is even backed by Microsoft. And at this point, it's supported by all major browsers. So I mentioned up at the front a little bit about this; we're not going to get into it deep. But how do passkeys work? Well, they work using this technology called public key cryptography. And so this is something that you are using every day on the web, on your computers and your iPhones, whether you know it or not. It's used for things like SSL and TLS. When you go to a site and it's HTTPS versus HTTP, that is public key cryptography. When you're doing software updates, almost all software updates that are out there, WordPress is the exception, but almost all software updates that are out there, they actually do signing to say that, hey, is this code signed by who I think it should be? And if not, they reject it. That uses public key cryptography. And you'll just see this all the time happening in the background.
It's something that you really wouldn't even need to be aware of as you're going throughout your life. So what does the registration process look like? What, kind of like at an architecture layer, is happening? We're saying we're on our devices, the blue on the right-hand side, and the computer that we're logging into is the green browser window on the left. And so what we're saying is, when we go to a website, we want to say, hey, I want to register and create a new account. And what the computer says to your device is, send me a public key. And your phone is going to create that public key pair for you. And it's going to send that public key to the website that you're registering with. And at no point did you need to do anything in this process. The device took care of it all by itself. You don't need to think about this key, but it's just this key that's been created that now lives in your device. And all of that is happening in the background. When we see this in action, it looks something like this. This is Google's page that lets you create a passkey for your Google account. And so I say, hey, I want to create a passkey. I click the "Create a passkey" button. And that's it. My browser's gonna prompt me and say, hey, are you sure you want to create a passkey? And when I say yes, you can see that a passkey has been added to my Google account. You can watch that go through one more time.
See, I'm getting prompted. I'm going to click Continue.
And that's all I need to do.
So what happens when it's time for me to log in? Well, we go over to that website and say, hey, I want to sign in. Now what the website does is it sends back what we call a challenge. It's a piece of randomly generated data, and it wants you to sign it with that private key that was generated in the previous step. And so what happens is the phone takes care of this. It creates a signature with the private key. It sends that signature, and just the signature, over to the website.
And the website is able to say, okay, knowing your public key and the signature and the data that I sent you as that challenge, I'm able to put all these things together and verify that you are who you said you are. And again, this happens without you needing to think about it at all. So we can see again in the Google flow here. This is how I'm logging into my Google account using a passkey. I entered in my email address. I said I wanted to log in, and Google presented me a UI that says "Use your passkey." My browser said, are you sure you want to log in? And I logged in. I didn't have to think about that public key, private key stuff. It's all something that your phone and your devices are handling for you. So, summarizing here: they work using public key cryptography. Your passkey is actually a public-private key pair, and your device, your phone or your computer, is in charge of keeping your private key safe. It's not something you need to do. You're never going to write down your private key. You're never going to manage to memorize your private key. You're not going to put it in a safety deposit box, anything like that. That's something that your device keeps safe, and your device is going to guard this private key using your device passcode and biometrics. So I've seen some questions about, like, how does this compare to fingerprint logins and stuff like that? What actually happens, if you're using, for instance, an iPhone or a Mac with Touch ID, is that they use those biometrics: by you authenticating with your face or by you pressing your thumb on your thumbprint reader, that's what tells your device that, okay, I can release this private key to do some signing. You don't have to worry about it. Your device takes care of it for you. What happens is the website then gets this public key, and that public key, it's like it says in the word: it's public. You could share that public key with anyone in the world. There's nothing that the website needs to keep safe.
There's nothing that the website needs to keep secret or private. And whenever you log in, the site then asks you to sign that challenge with your private key. Your device is going to prompt you to authenticate, usually using a thumbprint, a Face ID match, things like that. It will sign that challenge and send it over to the website, nothing you need to do in the background. So how do passkeys work with account takeover and phishing? So there are two things that happen with phishing attacks. And there's kind of a thing to think about, of, like, the different motivations that attackers have. So one thing that I want to make very clear is that no personal information is ever leaving your device. So even though you may authenticate with your Face ID or your Touch ID, the website isn't getting a copy of your face. The website isn't getting a copy of your thumbprint. So an attacker doesn't have anything that they can really steal from the website that would be useful for them in terms of authentication data. When you create a passkey, it's different on every single site. So an attacker can't go and hack xyz.com, steal all of their passwords, and try and use them on abc.com. They're completely separate from each other. And there's nothing sensitive, like biometric data, that could be compromised. The other thing is that you can't actually be tricked into giving up your password. So we say all the time, hey, make sure that you're logging into the right site. And if you look at these different screenshots here, you can see that there is this kind of remnant of "make sure you're logging into the right site." It says, do you want to sign into security.test as admin? And in Google Chrome, we have a similar bit of UI here that says Google Chrome is trying to verify your identity on security.test. And here is another dialog from Microsoft saying a similar thing.
But the thing to keep in mind here is that if you don't have credentials for hacker-microsoft.com, then you will never be able to log in with your microsoft.com credentials. Your browser only knows that this is the specific site that you can log in to with your credentials, and it makes it impossible for you to override your browser and say, no, I know what I'm doing, I need to put in my password, I'm gonna go ahead and do it, even though the browser isn't autofilling me or things like that. It's actually just impossible for you to put that information into the wrong place. The browser knows, hey, are we on the correct domain? If we're not, we're not gonna let you do anything about that. So a bit more about passkeys. There are two kind of general spheres in which they land with WebAuthn, passkeys, passwordless authentication. There are platform authenticators, which is kind of where the passkey language is moving to. These are things that are built into your computer or smartphone; they use biometrics like Touch ID, Face ID, or Windows Hello. And then there are also roaming authenticators. So these are separate hardware devices. They connect with Bluetooth, USB, NFC, things like that. Oftentimes these are, like, YubiKeys or Titan keys. I have one; I've been a user for a long time. These also use the same kind of, like, WebAuthn technology, but it isn't typically what we're referring to with passkeys. They're more there for advanced users and advanced use cases. They aren't the things that I would be recommending people to go in and get. You want to focus on the platform authenticators, which are becoming available more and more every day. So what does the browser support for this look like? It's pretty good. If you're using an up-to-date operating system, at this point, you have it pretty much everywhere. The only real exception is Firefox on macOS. But passkeys are becoming more and more available. Just make sure you're running the latest versions of your operating systems.
One of the things that you may need if you're on a Windows device: you may need a Windows computer that is also compatible with Windows Hello. So if that is a feature that is available to you, then you should also be able to access passkey functionality on your Windows machines. Well, are we still here? Yes. Okay. Sorry, weird glitch. Um, so I'm going to talk about passkeys in a couple of the different ecosystems that exist. The first is Apple. So if you're using passkeys with your Apple devices, you should know that passkeys are stored in iCloud. And so what this means is that they are synced across all of the devices that you're logged into iCloud with. So if you have an iPhone, an iPad, a desktop Mac, a laptop Mac, and an Apple Watch, all those different devices, iCloud takes care of sharing the passkey that you created on any one of those sites and sending it to all of the different sites, or excuse me, all the different devices that you have. And so you don't need to think about, hey, I logged in with my Mac, how do I log into my phone? The passkey will be shared everywhere. These work best in Safari. Apple's kind of talked about some plans to let other people integrate with how Apple stores passkeys using the keychain and things like that. I would say, at this point, if you are an Apple user, if you're in the Apple ecosystem and you want to use passkeys, Safari is the best place for you to be. You can also share passkeys. So this is a dialog prompt where you can share passkeys using AirDrop, and so that lets you say, hey, I want to share my login to the site. I don't need to give them a username and a password. I can just share this passkey, and then, because they have that private key, they can log into the site. So it actually provides, I think, an even nicer experience of sharing passwords than we had in the past, of, okay, how do I share this password with someone else who should be using my login?
Well, I'm gonna write it down and we have to remember them, something like that. But here you can share them out. So the Google ecosystem is similar. Passkeys are stored in Google Password Manager, which is what Google is already using if you save your passwords to Chrome. Again, they're synced across all of your devices where you're logged in with your Google account. And if you're in the Google ecosystem, it works best with Chrome, which is, I think, pretty much what we expect here. We can see an example of this process using an Android phone from Google's articles here. As you can see, it's a similar thing: I'm saying I want to use a passkey and I Touch ID with my device.
Another is Windows. So on Windows, they're managed by Windows Hello. Right now, these are either credentials that are stored on your particular device, or they're using a hardware key like a YubiKey. Microsoft has said that cross-device syncing is coming sometime in 2023. I also saw that there are Google, excuse me, Microsoft preview builds of Windows 11 that have kind of more passkey functionality built into them. What I would say right now, at this moment, if you are a Windows user and you want to use passkeys, is that Google Chrome is still the place where you'll get the best support, but this should be getting better in the next couple of months as Microsoft works out those final bits. So how about if you are a multi-platform user or a multi-platform household? So a big thing to remember is that browsers support using a passkey from a nearby device. So you don't even have to be logging in with a computer that you normally use. Let's say you're traveling and you're using a friend's computer and you want to log in. You can still use your passkey if you have your phone with you. Basically what happens is this little UI pops up that says, hey, let's connect with a phone, and you scan this QR code with your phone, and that creates a secure connection that lets you share that passkey.
The other thing to keep in mind, if you do have multiple devices on different platforms that you own, is that user accounts can have multiple passkeys. So for instance, on a lot of my accounts, I have a Google passkey for my Google ecosystem, and I have a passkey that I created for my Apple ecosystem. And my Apple ecosystem gets shared through all my different Apple accounts, and the Google ecosystem gets shared through my different Google accounts. The other thing that's really cool that's changed since the last time we talked about passkeys is that password managers are now starting to support this. So this is a screenshot from 1Password, which currently has beta support for passkeys itself. So if you are a 1Password user, because you want to be able to use a password manager across all your devices, and maybe you don't find the built-in password management capabilities that Google offers or Apple offers or Microsoft offers, but you're using something like 1Password, you can use passkeys too. 1Password basically presents its own UI. And so you can see this screenshot here from eBay's site, which is using passkeys, and you can try it out, and your passkey will get saved to your 1Password account, your 1Password vault, and then you can do with that as you please: you can share it, you can use it across multiple different browsers, you can use it across multiple different operating systems, and you now are sharing your passkey in one place. And it's kind of divorced from being stuck in the Apple ecosystem, stuck in the Google ecosystem. It's very, very cross-platform. So here's another example of logging in cross-platform. This is on a Windows computer. Let's say you are visiting a friend who has a Windows computer and you're using your iPhone. This prompt comes up that says, hey, would you like to authenticate with your phone?
You can take out your phone, point the camera at the QR code and say sign in with your passkey, and your phone will prompt you to say, are you sure you want to do this? And if so, you click continue, and we're logged in.

This other example is on the Google side of the ecosystem here. So we can see that I'm trying to log into this site using a passkey on my Android phone. And you can see this Android phone over here on the left is pointing at the QR code on the website. They go through this connection process. It asks me if I want to use my passkey; I have to authenticate with my phone to prove I'm really there. And then I got logged into my bank using a passkey. So where can you use passkeys? The really big story that happened this year is, for World Password Day, Google rolled out passkeys to Google accounts. So if you have a Gmail address, you can go right now into your Gmail account security center and try passkeys immediately. The other places you can use them are Microsoft, PayPal, eBay, and you can also use them with WordPress. So if you're using iThemes Security, you can enable passkeys and you will be able to log into your WordPress site using passkeys, which I think is pretty cool. So why should you adopt passkeys right now? I'd say that it's faster to use than passwords and two-factor authentication. You don't need to use a separate app, you don't need to remember and type in a long password. It's an experience that is built entirely into your device and usually happens with just one click, one touch, one scan of your face. For those of you with clients, it's really important to help your clients keep themselves secure. I don't know how many times I might have a 32-character-long password on my WordPress site for my client, but then I see that my client is using their name 1234 as their password, and I'm like, oh my god. So really, as we talked about up at the front, 80% or so of attacks and related breaches are related to having weak passwords.
So if your clients are using a bad password, the fact that you're using a strong password doesn't matter. The attackers are going to get in when they get in through your client's bad password. So you want to help keep your clients secure by setting them up with passkeys. And I think it's also important to be on the forefront of new technology when you're talking to your clients. You want to be able to say, hey, I'm an expert on this, I am keeping up to date. I'm making sure that, hey, you heard about this passkeys thing on the news, one offhand, one-off comment, come to me and I can tell you exactly how we can set up your WordPress site, or even show the initiative and say, hey, we should set this up for you. It's gonna be easier than the two-factor that I've been trying to get you to use for years, and it'll be easier than typing in that long password by hand. Let's get you set up with passkeys. So, to come back to the title of our talk, I guess there's, like, a phrase of, like, newspaper analysis: if there's a headline with a question mark, the answer is no. So I'd say, is the password dead? Well, not yet, but we're getting there. We are getting close. This is, I think, truly one of, like, the leaps and bounds that we've seen of, like, how are we actually going to make authentication easier for folks? And we've been saying, hey, you just got to be careful, you just have to use a random password, just use a password manager, just use two-factor authentication, all these different things, and we haven't seen much adoption for it. But we are finally getting there. But until passwords are actually dead, you gotta keep using strong ones. Not to get back on the, like, shame-based education strategy, but until you're using passkeys everywhere, you have to keep using strong passwords. You have to be setting up two-factor for yourself and your clients.
And you really should be using a password manager, either one that's built into your operating system, or a trusted one like 1Password, etc. And so that is passkeys. I have a couple of frequently asked questions that are here, but we'll see if I've anticipated any of them correctly, and then hop to the slides. But it's time to dive into your questions.

Love it. Okay, so folks, if you haven't done it yet, please open up the Q&A window there in Zoom, take a look at the questions that have been asked, and if you have a question to ask, drop it in there, or upvote the questions of others that you also would like to hear answered. And as you folks are doing that, Timothy, I've got some questions. Yes. So how do you deal with, you talked about sharing the passkey if you're on an Apple device with AirDrop, that's pretty cool. What if, you know, like, I've got two laptops and a phone and a tablet, how do you manage all that? You know, I guess you could, if you're on Apple exclusively, you could AirDrop, but what if you're not, what if you have a mix of devices?

So if you're on Apple exclusively, you don't even need to AirDrop, because you'll be able to have those passkeys synced automatically. So if you've got a Mac and iPhone and iPad, multiple Macs like I do, they'll get synced automatically for you. So you won't even have to worry about AirDropping. Um, if you are in a cross-device household and you have things on multiple platforms, you have two good options. One, each of the different ecosystems has a way to sync things. So for all your Apple devices, my recommendation is to create a passkey on one of them and it'll be shared across all of them. And then on all of your Android or Google devices, create another passkey and Google will sync it across all of your accounts. And so you're going to wind up in your user account having two passkeys, one for Apple and one for Google, and they'll be shared everywhere.
You also, though, in, like, the next coming weeks, have the ability to use password managers. So one of the reasons that people do use password managers is because they exist in a world that is more complicated than what just Apple or Google would like to imagine that we live in, where we only use their products. And so password managers do provide this great cross-platform experience. There it still becomes very, very easy, because you just get this little pop-up that says, hey, do you want to log in, and it's just as secure and you don't need to worry about two-factor authentication. But if you're using 1Password's beta, for instance, you'll be able to share your passkey across your Google devices, your Android devices, your Windows devices, et cetera. So kind of the answer is multivariate. And for the most power users among us who use the most disparate devices, still using some kind of password manager can be helpful, but you can actually do it all in a first-party manner.

Yeah, interesting. So passkeys are, they're relying on the security of the device itself, right? So how important then is, like, guarding against malware in a passkey world?

So that's an interesting question. It varies depending on the device. So I would say always, if you use two-factor and if you use passwords, and your device is infected with malware, well, we've got keyloggers, and keyloggers will pick up your password. They'll pick up your two-factor code, and most of the sites that use two-factor, they don't, we see that timeline ticking down, it's like 5, 4, 3, 2, 1, 0, and then a new code appears. But almost all the sites, they don't stop you immediately after those codes, because we have to account for, hey, is the time on your device maybe a few minutes off from the time on your server, we don't want the user experience to be bad. So oftentimes, an attacker could use that code, depending on how two-factor is implemented, or they can just steal your session.
So if your local device is infected, you've got a problem. I would say that passkeys actually make this situation a bit better. This isn't going to be susceptible to a keylogger attack, for instance; you're not typing anything in. One of the reasons why support for this was a little bit more complicated earlier on: you can't use this technology, for instance, with a very old Mac, because it doesn't have what's called, in the Apple ecosystem, a T2 chip, and these are security chips that exist on our computers; it's pretty common in all, like, the modern devices, all of your new phones, etc. All of them have them. And their number one job is, like, holding on to and protecting secrets. So even if, in this case, some malware got on your phone, the hope is that your key would still be safe in the hardware security module in your actual device. That's a little bit of blurring, but you have these different T2 chips that are kind of protecting this information there. So as always, if you have a compromised device and you log into your site, they can do things like steal your cookies, steal the passwords you're typing in. I'd say passkeys make this a little bit better. But again, it's kind of a chain-link-fence type of scenario, that if your device gets compromised, they can do a lot even if they don't need to steal your passkey.

Yeah, and so that's what I introduced, the first question here, which is, where are the passkeys stored? Are they in the security chips, these magic chips on the hardware?

And so you may have heard of, like, the Apple Secure Enclave and this kind of technology terminology that's been thrown out there. And so yes, that is kind of one of the things that is required. If you are using a hardware one, for instance, you might have a YubiKey and it's stored in there.
But we have these chips in your phones and your computers that are kind of specifically designed for this type of stuff.

So if I understand all this correctly, and I'm taking the host prerogative here of asking a bunch of questions that I think other people may have as well, but if I'm understanding this correctly, then the issue with passkeys becomes, it's not so much now, I've got to have a complex unique password on all the sites and all these things. It really becomes more about device security. So I can't have 1234 as my Mac password to log in, right, because if I lose my device, and someone else gets access to it, then they potentially have the passkey. Is that right?

Well, it depends. So if you have an iPhone, for instance, someone could steal my iPhone, but they don't have my face. So that's why a lot of these things have the authentication that is built into your device, and that's kind of what talks to your Secure Enclave, so they need to authenticate with my face, authenticate with my thumbprint, things like that. Also, when you're using things like Macs and iPhones and Android phones and things like that, they don't just let you make infinite attempts at logging in. When an attacker compromises a site, they get to slurp up the database and say, okay, I'm gonna run this on my own computer that is very expensive and has millions and millions and millions of guesses. But you can't try millions and millions and millions of times on iPhones and Android phones. They have built-in protections in their hardware that make that more complicated. So yes, it's important to keep your device secure, as ever. And if you do lose physical access, there's a lot of people who say, hey, if you don't have physical access to your device, it's game over.
But one of the things that Apple and others are working very hard on is making sure that even if you do lose your device, an attacker can't compromise it, even if they have all the time in the world.

Yeah. Interesting. All right. Let's get into some questions others have asked. Christine has a, and by the way, if you have a question, please use the Zoom Q&A, and we'll get those stacked up in the order of upvotes. All right, so Ben's question here. I'm an Apple user, but I don't use Safari on the desktop. Can I still use passkeys?

Yes, you can use Google Chrome. And you can then either use Google's passkey solution, or Google will actually save a passkey directly to your computer. So if you are an Apple Watch user like me, they will prompt you for clicking your watch to log in. But yes, and if you are a 1Password user, or use some other password managers, you'd be able to use those password managers in the future. If you use Safari, it's just going to give you that iCloud integration where it syncs across everything. But if you don't use that, because you're a Google Chrome user, you absolutely can.

Yeah, good. And that gets into Ben's next question here, which is using a password manager like Keeper. Keeper is what I use. Also, it does have passkey support now as well. Most of the major ones do. Yeah, so that would help you with cross devices. Christine says, if you share a login, like, oh, this is a great question. Okay, so let's do this scenario: my client has given me access to something, right, and in a world that moves to passkeys, how do you deal with that? If so, logging in as your client to some other place.

Yeah. So my recommendation always is to actually have different user accounts. So kind of the concept of conflating users as, hey, multiple people might be using this account, is really a practice that you want to avoid as much as possible.
So I would say that it breaks things like, hey, how do we confirm that this is you via an email that says, hey, is this really you? We noticed you logged in from a new location. If you're logging in from multiple locations that are different, it makes those things weaker, things like that. So really, my recommendation always is, hey, actually have separate user accounts. Almost all the platforms these days let you have multiple users. I don't ever want my client's real Stripe account; I want them to invite me as a developer into their Stripe account. So that's always, like, the number one security hygiene thing that I recommend. The second thing is that all of the platforms that support this support having multiple passkeys, so you can go ahead and create your own passkey. And a lot of the platforms, like we saw with AirDrop for Apple, and things like 1Password, which already have password sharing built in, you can continue to use those methods. So you can either AirDrop it to you, or you can use 1Password's built-in sharing method and copy a sharing link, etc. All of those different tools have ways to say, hey, here's how you would share this out. So you can continue logging into their account if you want to. But that's my order of recommendations, basically.

Yeah, interesting. So Christine has followed up with a couple of things here, and what she's asking about is, you know, we have to pay for an extra license if you want another user, and she's logging into the client's mail. And in all these situations, am I correct in assuming that as platforms begin to implement passkey support, they will likely also implement something like a delegate user process?

I wouldn't think so, because you don't need to. So you would just create a second passkey. So all the accounts have to support multiple passkeys. And so any account would let you create a passkey for you, a passkey for another person.
And then there's sharing the passkey. The passkey itself is a private key that can be shared securely between people. And so if you're using 1Password, or if you're using the Apple ecosystem using AirDrop, you can share that around. So yeah, I wouldn't see a kind of, like, delegation of passkeys. You really would want to have one passkey, I think, per person there. And really you want to have one user account.

Gotcha. And so then we would hope that as businesses begin to implement passkeys, specifically on these things like we're getting questions about, they would also have some sort of a multiple-passkey setup.

They all do; it's pretty much, like, a requirement of implementing it correctly. All of them support multiple passkeys. Because one of the things that, slight technical tangent, there is a field that we get to see, as iThemes Security for instance, which is: is this passkey considered backed up? And some sites, where they go to exclusively passwordless, where you can't even enter a password if you wanted to, they require either that that passkey has been backed up somewhere, like backed up to iCloud, or that you have a second passkey, so that if one passkey ever gets lost because you lose your device, you have something else. So everyone pretty much supports multiple passkeys. I've never come across an implementation that doesn't.

Yeah. Okay, next question from Sue. When Chrome updates, I get a message like, this is a new browser, do you want us to trust it, even though it's my computer? And I said yes. Would that impact the passkey when a browser updates?

It shouldn't, no. So if you're in the Apple ecosystem, the way Apple has this stuff set up is to use keychain. And so it gets sent into keychain, and keychain is something that persists beyond browsers being updated.
Even if you use, like, Google Chrome and Chrome Canary and stuff like that, oftentimes they'll share, like, the same set of passwords and stuff like that. So no, you shouldn't have any kind of trouble using a new version of software and the passkey disappearing with it. In the Windows ecosystem, it's a little bit more complicated, but it's part of, like, how Windows handles authentication. So there shouldn't really be any scenario in which you would just lose them from updating your browser.

And similarly, great question here from Christine. So if I get a new computer, or a new phone, do I have to update my, how do you deal with passkeys in that scenario?

Yeah. So if you're in the Apple ecosystem, the first thing that you do when you set up your new computer is you log into iCloud, and it's the same thing still: you sign into iCloud and all your passwords will be there. If you're in the Google system, it's the same thing. You get a new Chromebook, you log into your Google account and all your passkeys will be there. With Windows, again, the situation is a little bit more complicated, because they don't have passkeys being synced to microsoft.com accounts, like Windows Live accounts or whatever. But I think that is something that they are implementing. But if you're on Microsoft, you can just use Google Chrome, and if you use Google Chrome, then they're being shared to your Google account. So you just log into your Google account again.

Yeah, okay, so Stacy's got a good comment in the chat here. What do you do from the point of view of, I don't want to give Google or Apple or anybody else any more power over my information?

Use a password manager. So if you don't want to be plugged into those ecosystems, you can just use a password manager like 1Password. You're saying KeePass has implemented support; like, multiple different password managers can provide support for this.
So you can absolutely use a password manager. I'm sure the open-source ones as well, they're adding support for it.

Yeah, very good. John has a question about a demo setup, setting up passkeys in iThemes Security, and John, I just dropped a link in the chat to the previous livestream that we did, where we walked all the way through that process. It should be very helpful for you. Let's see, Sue is asking, if Windows Hello isn't available in my operating system, she's running Windows 10, can I still use passkeys?

Probably not. Um, that might be the issue that you're running into. Like, I believe Windows Hello has some specific hardware requirements. I'm not a Windows user, so I apologize for not being able to give as detailed a path to fixing it there, but I believe Windows has, like, some Windows Live and has, like, some specific hardware requirements for certain features, because they need to have certain hardware to do things in the secure way that they would like. And so if you're using an older device, it may not have those particular security features that they need.

Yeah, so the answer is just upgrade to Mac.

Or the Google ecosystem. Yeah, get the Chromebooks. Quick, good.

Okay, Christine. This is an interesting question. In a situation where you're online shopping, right, and as you're checking out, you know, you have the option to make an account and make a passkey. Would you set up a passkey for sites you might never visit again?

Yes. So this is the reason why, there's so many reasons I like passkeys; this is one that we didn't touch on, which is, we touched on it a little bit, which is privacy. So when you create a passkey, so in the world of passwords, you kind of need an email address for two reasons. One, the website probably wants to know your email address so they can send you marketing information, but they also need a way to be able to let you reset your password, things like that.
And so it's kind of commonplace to create your username, create your password, create that account, but in a passkey universe, the only thing that gets shared, if we go, like, all the way back to the slides, is this public key. So send me a public key. That's it. You don't actually even need a username to log into a site that uses passkeys. You can just say, hey, I want to use my passkey, and your browser will pop up the list of all the user accounts you created on that site for you. It's kind of crazy. So sites that care about giving you the option of privacy would be able to have an account that doesn't have an email address associated with it, that just has a way for you to say, this is me, and that's it. So passkeys actually provide an even more compelling experience in terms of privacy possibilities. Now this is on the site that you're logging into. If they want to ask you for a username and email before they let you create an account, then they're going to ask you for that email address. But they don't have to. And I think that's pretty cool. And again, like, I want to be very clear: the only thing that is sent to that site is your public key. Your biometrics aren't sent, your name isn't sent, your email isn't sent; none of those things are actually given up by your device. So anything else is stuff that you've explicitly said, this is my email address that I want to register with.

Very good. And that actually leads into a question that Nate had dropped in the chat about 10 minutes ago, as a scenario like, here's a big WordPress site and somebody, you know, they get their path, somehow, you know, a bad actor is able to infiltrate that site. Is there a scenario where people would have to change their passkeys? And really, that's not even a thing, right?

Yeah, exactly. The only thing in the database when you're using a passkey is a public key.
And I love that in the name it is a public key: you could put it on your forehead and there'd be nothing wrong with your security. Um, so yes, that wouldn't be a problem. Now, I'll say this other thing. Right now, for instance, in iThemes Security we still let you log in with a password. A lot of different sites out there still let you also use a password. I think it's going to take a little bit more time before people are really familiar with passkeys, before we give people the option to say, don't ever let me log in with the password. I don't have a password set for my account; there is no need for me to reset anything. It's 120 characters of random garbage or something like that. We're not at that point yet. So if, for instance, your WordPress database got compromised, I would still be saying, okay, rotate passwords. But passkeys mean that if someone's passkey gets compromised because their device gets stolen, it doesn't impact anyone else's. If they see the list of all the passkeys in iThemes Security, we store them in a database table; if that database table got leaked somehow, it wouldn't have any impact on your security. You wouldn't need to reset your password or anything like that.

And see, that's the beauty of passkeys. It's like, we're, you know, constantly, I'm on, you know, the Have I Been Pwned database, I'm getting the emails or whatever. That's going to be a thing of the past as soon as this gets broad implementation, which I'm just really happy about. Exactly. And on that note, Tom Rafe would like to see your public key on your forehead to accommodate that.

No, no, I think it's far too many characters. But you know, that would be a great tattoo on a, on a, you know.

Yeah, right. I could see it on a t-shirt.

That'd be a fun "here's my passkey" shirt.

Let's see, another question here from Nate. Any thoughts on how passkeys might impact HIPAA compliance?

Um, so I wouldn't see any reason why they would hurt. As, so.
We've kind of talked about that stat earlier from Azure, about what they use this term of strong authentication. So Azure considers strong authentication passwordless. So you may see, and I would hope to see, HIPAA certifiers trying to say, okay, passwordless is actually where you want to be moving, that you shouldn't be using passwords, and then we would consider passwordless with passkeys to be more secure. So they are definitely the more secure option. I'd like to see passwords starting to be flagged as, this is a bad practice. Where that lies in, like, what's a lot of regulation and up to, like, individual auditors and things like that, I don't know. I couldn't tell you if your auditor would say, hey, you're using passkeys, this is horrible, or not. I would presume if they know what they're doing, they wouldn't. But Microsoft actually is one of the ones that does let you, interestingly, create a microsoft.com account without any password. So they are very much on board with strong authentication being not just a password and two-factor but also passwordless. And they have a lot of writing in that regard as well.

Yeah, very good. All right. Well, we've reached the end of the questions. It's been a great presentation about the future, the passwordless future, as we destroy passwords of all kinds, hopefully in the years to come here. So would it be fair, Timothy, for me to say a good takeaway for people might be, start playing around with passkeys? Like, we are the people, you know, who are kind of, I mean, if you're on this livestream, you are, you know, a leading-edge thinker when it comes to, you know, early adopting tech. It may be that you have clients, and, you know, the first step to getting our clients used to using a new thing is to start using that thing ourselves and to get very familiar with it and how it works. Would that be a fair takeaway?

Yes. And up until recently, it's been like, hey, here's a couple of sites; I mentioned the passkeys directory.
Almost all of you, I'm sure, have a Google account. Go to your Google account, go in there and go to the passkeys section under your authentication, and try creating a passkey and using it. That would be, like, my challenge to you. This isn't available, I believe, still for Google Workspace accounts. They have to, like, figure out permissions on, do we let orgs determine whether or not users have access, blah blah blah. But if you have a Gmail account, you have access to passkeys, and you have since, like, May something, or whatever World Password Day is. So go to your Google account, try passkeys, use them there. It makes quite a nice login experience and it is a battle-tested implementation. And then, using your WordPress, just enable that option in iThemes Security, and you can log into your WordPress site in milliseconds.

Very good. Yeah. So once again, I just dropped a link in the chat; that's Google's doc on using a passkey with your free Gmail account. Again, if you're using Google Workspace, branded email with your domain on Google's infrastructure, it's not available yet. Also, using the tutorial that I just dropped in the chat, from the last time we did a livestream about passkeys, you can work through that process. Stacy's having some trouble there. Maybe try it again, Stacy, if you haven't tried it recently, and work through those steps that we talked about in that last livestream. Yep.

Reach out to support. Also try it with Google. If you can say to our support that, hey, it works when I use my Google account, that helps us diagnose whether it is an issue with your device or an issue with our implementation or some combination thereof. But yeah, use passkeys every day.

Very good. So get used to it, folks. This is where the world is going. Get familiar with it. If you have to upgrade your computer like Sue does, you know, this is a good time to think about doing that, because that is the world we're starting to live in.
I've been using the Mac for years, but I actually upgraded to a Touch ID keyboard several months ago just to get the Touch ID, right, so it's easy to use. So, all right folks, thanks for hanging out with us for the last hour. Great stuff, Timothy. As always, thanks for your wisdom in the talk and in the questions and answers. We're back tomorrow with the fly course for members talking about client consultations, and then office hours on Thursday. So thanks again for being with us for this livestream on iThemes Training, where we go further together.
Solid Security and Passkeys: Seamless WordPress Logins
Discover a streamlined approach to WordPress logins with Passkeys and Solid Security (the new name for iThemes Security). Passkeys are compatible with leading browsers such as Chrome, Firefox, and Safari, as well as biometric logins like Face ID, Touch ID, and Windows Hello. Say goodbye to the hassle of extra two-factor apps, password managers, or intricate password requirements, as website administrators and end users can now enjoy secure logins effortlessly.
Powered by the WebAuthn protocol, these cutting-edge login methods redefine passwordless login experiences, setting the stage for the future of safeguarding sensitive online information, including accessing WordPress sites. Join Timothy Jacobs, Lead Developer for SolidWP, for an in-depth exploration of how this innovative technology enhances the WordPress login process for both you and your clients.