This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. All right. Can everybody hear me? OK? Good. Welcome to a special Authenticate 2023 edition of the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff. How are you? Oh, not so bad. Yourself? I'm doing great. You're normally in the podcast... is that where I start out with the complaint? I don't have one.
That's unlike you. I know. Well, I mean, the pool's great, the weather's great, passwords stink, but passkeys are great. You know, so you found something to complain about right there. I snuck that in. So this is the first time we've done something like this, where we got up on the main stage. Usually we're tucked away in a corner somewhere where we're not visible, because we have faces for radio and we have voices for a silent movie. So we try to keep it simple here.
So far, the best part of this conference has to definitely be... I can't see him, but Nick, the guy on the Segway with the camera. That guy's awesome. He's been here, I think, for the last couple of years. Andrew, it's at least a couple of years, right? Yeah. OK, so that guy's awesome. When we're talking superheroes for Authenticate, I think he should get an honorable mention for that as well. People are probably wondering, you know, what is this session about? Seems like everybody left, which is fine. This is really a conversation around identity that we're going to be having. So what we do from a podcast perspective at Identity at the Center is, we started this about 4 1/2 years ago. It's a side project that Jim and I have been working on for that long. We put out weekly episodes, got thousands of listeners around the world, hopefully some friendly faces and ears in here as well. And yeah, it's something we do weekly.
And if you want to add, Jim... It's just grown so much. You know, you mentioned thousands of listeners around the globe. I remember the first episode, we had 25 downloads. We knew who all those people were. That was 20 of them. Yeah, and now we're up to, like, episode 238, which went live this morning, so we're technically competing with ourselves as we're doing this at the same time. Yeah. What do you do during the day, Jim? I am an identity advisory practice consultant.
I lead an identity practice. We both work for a company called RSM, fifth largest consulting firm in the US. Jim and I have been working together for eight years. This is something that, again, is kind of a labour of love for us. What we do want to talk about today, though, is FIDO authentication. We've got, I will call it, a plethora of identity product managers who are going to join us up on the stage here in a second. So I'm going to go ahead and introduce them now, and they'll come back from backstage. We've got Daniel Grubb from TikTok, Christiaan Brand from Google, and Mahender and Matt Event from eBay. So give them a round of applause as we're walking up here. Guys, in the Arsenio Hall. Right. That shows our age by doing that. All right. So I know we're kind of running, you know, weirdly on time schedules. We're going to kind of jump right into it, guys. You guys are all... sorry, I'm moving the mic around here.
You guys are all product managers from an identity perspective. Tell us a little bit about your roles. Mahender, why don't we start with you? Just briefly describe what your role is. Sure. Hi, everyone. I lead authentication product at eBay. I've been working in the identity industry for almost a decade now. A huge shout-out to my engineers, UX designers, architects and data analysts; some of them are sitting right here. And yeah, that's me.
Great, happy to go next. Hi, folks, I'm Christiaan. I've been working on passkey and FIDO-related efforts for about a decade. Also, I'll give a shout-out to the team. We have a lot of Googlers here this week. We've been working towards getting passkeys out for Google accounts for a long time. Earlier this year, as Andrew mentioned, in May, we finally made it available as an elective flow, as an option for users to try and play with.
And then earlier this month, I believe just last week on Tuesday, we announced that we are going to start making passkeys the default option for users. So actually today... I'm sorry, I'm taking too long, but I will say this one thing. Today, if you do a web search in Google Search on macOS, iOS and other places, you should start seeing a nudge on Google Search to start using passkeys. All right, Daniel, that's what we were going to follow up with, but go for it. Yeah. Thank you.
So my name is Daniel Grubb and I am a product manager on our account platform team at TikTok. I focus specifically on account security, but we work on everything from signing up, the new user journey, as well as logging in. Yeah. And similarly, TikTok has now launched passkeys globally on iOS, which is really exciting as our first kind of step into passkeys, you know. And we have a future roadmap as well, which we're excited to share with everyone. But hey, Mahender, eBay started with WebAuthn very early. Why is that?
So at eBay, you know, we take pride in building magical experiences for our customers and putting our customer first. I would say two things helped with, you know, starting WebAuthn. One is clearly articulating the benefits, I would say usability and security, that WebAuthn provided at that point in time. So, you know, reducing friction is going to help build the business, or enable the business, and improving security is going to build trust on the marketplace and hence helps with customer retention as well. The second aspect would be that eBay is also an early adopter of FIDO UAF. We built native biometrics way back in time. So they bought them, and even passkeys and passwordless is a natural continuation to that.
Christiaan, you just kind of teased the announcement that Google made about passkeys by default. I'm curious, you know, I've been a supporter of that for a while. I've frequently pointed to Google on our show about passkey adoption and how easy it was. What drove that decision to make that announcement? I think it was last week, to say, hey, now by default we're using passkeys as our primary authentication. Yeah.
That's a great question. So, I mean, at Google, we're extremely data-driven. So everything we do is usually based on numbers or metrics. It was a calculated decision earlier this year, when we started in May, to roll out passkeys. We wanted to really do two things, right? Overnight adoption was not the goal. The primary goal was to show the rest of the world that this technology is ready for prime time, right? We're willing to essentially subject our users to the passkey experience if they choose to, you know, take up the challenge, essentially. The goal was not to get hundreds of millions of users overnight. We wanted to start, you know, showing the world, showing developers, showing other companies that the technology is ready. But the second part of this was, we wanted to start getting data, right? We wanted to start having a set of users who self-selected.
So if something goes off the rails, these users know where to turn it on and turn it off. Luckily, nothing went off the rails. So I'll kind of, like, you know, preface that, but start to get data, right? So we were gathering data for the last, think about, five months. We feel like we have enough data to show us what works, what still needs more work, and again, you know, happy to go into some details at some point.
But for now, suffice to say, we think the experience is on par, from a reliability perspective, with other types of technologies we allow during sign-in. But more importantly, passkeys are easier to use for users, and we have some survey results that I think we also made available as part of these blog posts: users find passkeys easier to use. The perception is that they're more secure, which of course is correct. And in general, we're just trying to move the world to a space where we're saying: don't hide your passkey support behind, you know, three clicks in some account settings. And I know that made sense, right? That's what we did as well. You can actually start to subject users to this front and centre, even users who've never heard the term passkey. We think the technology is at the point, in most of the flows, where users can start seeing this and intuitively understand what they need to do.
Daniel, you're with TikTok. First off, do you do the dances? Second off, you know, you guys are kind of newcomers to FIDO. Why jump in now? Sure. Yeah. To answer your first question, no, I don't do the dances. I'm not a dancer. But second, yeah, so why now? I think, why not now, right? The technology has obviously been adopted by a lot of big players in the industry, and TikTok wants to be a part of that.
I think that what we know at TikTok is that, one, like you said, we want a user-friendly but most secure login experience. The second thing is, we know that TikTok has a lot of login options, right? You can log into TikTok with a password, with an SMS OTP code, a third-party option. We want to make sure that with this plethora of options, we also reduce the risk of all of those at the same time. Offering users a passkey does that in a user-friendly way, especially with the way that we implemented it, which upsells passkey as the primary login method for users who created it. And then the last one is essentially that TikTok had already invested in FIDO2 internally. We wanted to expand that investment to make sure that the most secure login methods that we offer to our employees are also offered to our users on the platform. So really creating consistency there as well is important.
So how did you handle communicating passkeys to your end users? Yeah, of course. I think one of the biggest considerations, especially, you know, at a social media company like TikTok where you have a lot of young users and things like that: are they really going to understand the technical architecture of what a passkey is, things like that? Even asking my own friends, I was like, hey, you know, let's test this out. What do you guys think? They're like, oh, I already do this every day in all my banking apps. You know, I use my face to log in. I'm like, that's not really what this is, but that's fine. So we found that, and similar to what the UX guidelines from FIDO say, if you help users to understand, or play off what they think is happening, this really can help adoption and increase popularity of it. So playing off things like Face ID, Touch ID as ways to log in, and using that to communicate this new login method to users, will really help with adoption and popularity.
I'm curious, because it's not always the happy path, right? There are things that go wrong, things that could be better. Are there things that were discovered that you consider, you know, roadblocks, or things that still need to be worked out? I don't know, Mahender or Christiaan or Daniel.
Whoever wants to take that one. I mean, I'm happy to start. I think there are many rough edges, right? But I think it really depends on user flows. There are certain flows that work beautifully. Take the same-device flow, for example, right? If you have a passkey available on the device that you're on, all you have to do is show your face and touch your fingerprint. I mean, there is no dispute there, right? That experience is much better, much easier than using a password and other forms of second factor which usually accompany that password with sensitive logins. When you do not have a passkey on the machine, we have two challenges, right? The one challenge is a technical challenge: does the protocol work reliably? There is Bluetooth involved, there is network communication involved, there is the scanning of a QR code involved in some cases.
So that's one challenge. There is a second challenge, which is users just don't get that flow yet, right? They don't understand, necessarily. We're thinking that post-COVID, lots of users, especially in the US, are used to scanning QR codes because we've seen them on menus and other places for a long time. That doesn't necessarily translate to other places in the world, and even in the US, users are sometimes used to scanning these codes with certain apps, and certain phones don't really understand that well. So I think there's really a user behaviour issue, and then there is a technical issue. On the technical front, we're doing a lot of work, and I think, you know, everyone involved here, and I see a lot of familiar faces involved in that process, is doing a fantastic job, and we're pushing the technology forward. We're, you know, sanding down these rough edges, and yes, we are at a point where we can start to subject users to these flows, although... So I think that's where I would say the elective portion still comes in. I don't think we want to put that front and centre for every user. If you take these side by side, entering a password, scanning a QR code and going through that process, most users will still tell you, actually, you know what, my password is probably easier. It's not secure, but it's easier, right? We need to move the needle so that the QR code flow becomes second nature.
And that kind of brings me to the second point, which is: who's going to take that first plunge to put their, you know, 100 million or a billion users through QR code scans rather than doing passwords, right? I think that is where we are saying, you know, with our elective or the by-default kind of approach that we've taken, let's do that where it makes sense, let's do that for the same-device passkey flows, and that's what we're doubling down on right now. Whereas the QR code flow remains an option for users, and we want to gradually turn that volume upwards with the rest of the industry. And that's why it's so important also to have my, you know, partners here with us on stage, because we don't think passkeys is something that one company can take forward and make a success. We need the industry to show users that this is how we are going to work with this going forward. Scanning a QR code is certainly easier than opening a password manager on your phone and retyping a complex password. So I do think we need to kind of push users to understand why these flows might be easier to use than the status quo. But it'll take industry participation, I guess, to really move that.
I'd like to add to that as well. So I broadly see three categories, three roadblocks, right?
One is user awareness. Passwords are still common, password managers are common. You know, at eBay, if you look at it, users don't see authentication as a thing that they need to do. They worry about buying and selling. Same applies to Google: they just want to search. TikTok, you know, they want to make videos. Right, authentication is the last thing that they worry about, right? So to be able to create a smart, contextual authentication that works seamlessly across devices is of paramount importance, I would say. So the second roadblock is, you know, across devices, right? Passkeys, or any technology, need to work like how password managers work. You go to any device, you should be able to use it, right? So interoperability becomes key here. We've seen some of this with eBay data as well. Users enroll into these passwordless methods, but then they get a new device, or they go to a new device, and then they are back to passwords. So I would say these are the, you know, two or three roadblocks that we encountered at eBay as well.
So it wouldn't be an episode of Identity at the Center if we didn't talk about AI, which you open with and call "AI AI" sometimes. How do you guys see AI impacting authentication going forward? Daniel, we'll start with you. Yeah, sure.
So I think the way I view authentication in our journey, right, is before someone logs in, when they are already logged in, and then after they've completely lost access to their account. In the first two scenarios, the way that AI has helped us already, honestly, and the way that it will continue to help us, is to look at aberrations in users' behaviour. We can map out, you know, what we expect from a user when they're logging in, when they're already in an account, and then understand when that can change. That can help provide us, especially with passkey, right? If users, you know, use a passkey to log in most of the time, we'll know when they don't. And it makes, as we heard earlier today, passwords or other methods more risky as a login. And that can be another signal we use to understand as a behaviour aberration.
The other way that we look at it is when a user's completely lost access to their account, how do we authenticate their identity and get them back in? Let's say they deleted their passkey, right? They have no other login method on their account. How do we know that this is the authentic owner? For, you know, companies that are in social media, there are a couple of different challenges to this. There's AI around biometric authentication that you can use. Obviously there are always compliance issues around that, but also with social media, you don't always have to be your authentic self. So biometrics are not always going to work, right? Wait, what? What? I know, surprise everyone, you can be whoever you want online.
But basically, for some companies, you know, like Facebook, there's a soft requirement that you have to be yourself on Facebook. At other companies like Instagram or, you know, TikTok, you can have a pet account, a meme account, really anything you want, right? And how do we know that this is you, especially if we've lost all other authentication methods? And I think that's really where I'm curious to see how AI can help us in the future as well. Mahender?
Yeah, I think AI works both ways. The good side of it is it can help personalize and, you know, secure authentication. You know, Gen AI can start, you know, authenticating users through natural conversations, right? You have zero trust security that is coming up, where AI plays a big role as well. But if you look at the flip side of it, I mean, we saw a lot of keynote speakers talk about, you know, AI used for hacking and, you know, taking users' credentials. I think, you know, the future of how AI would help, you know, technology like passkeys would be in distinguishing between, I would say, real humans and an AI bot that's coming to attack. I think that's where the industry is going forward, is what I would like to add to what Daniel said.
Hey Christiaan, feel free to add in on AI, but I also want to know what's next after passkeys. That's great, because I think that question addresses the first one as well.
So I want to add on to what Daniel and Mahender said, not to repeat that. I think at Google we have a slightly... I don't want to say a different responsibility, but almost like more responsibility. If you think about it, your Google account is also where a lot of your passkeys are going to end up. Google is the root store for a lot of passkeys for users. If you're an Android user, by default your passkeys for other services will go to your Google account. That's where we keep them for you. So when you buy a new phone or when you change devices, you get access to your passkeys again. That all makes sense, right? The challenge is if you are a single-device user, and we have a lot of single-device users that exist in the world: if you break your phone, or you lose it, or you have to sell one phone to buy your next one, which a lot of users have to do in some territories, some countries, how do you get back into your Google account with a passkey if your passkey is stored on your phone? Big challenge, right? Huge issue. Today we fall back to other forms of authentication for that: passwords, SMS, you know, sending a prompt to an email address, whatever.
Most of these technologies really don't work at scale, and they don't work at the level of security where we want passkeys to be. What we have started to look at, and what not... I recently went on a trip to China and I had to activate WeChat, and WeChat uses remote facial recognition. That's how you authenticate your payment profile. It actually worked remarkably well. However, there's a lot of, you know, concerns around remote biometrics, and I know that's one of the things which at FIDO we kind of, like, claim: the whole point is everything is local, right? Your biometrics remain local to your device. So it's great on the privacy front. The problem is, if you need to authenticate a user back into their account, think of account recovery, what do you use? Remote biometrics is a potential solution.
However, if you think about remote biometrics, whatever that is, maybe remote facial recognition, remote voice recognition, if we think back to Rachel's presentation this morning, Gen AI has made this stuff, you know, untrustable. It's not really trustworthy anymore, right? If I'm able to create, at least today, a two-dimensional picture of a user, and mostly this remote matching stuff is all two-dimensional, that's a challenge. Voice recognition, again, another challenge. I know there's a lot of financial institutions who sunk a lot of money into remote voice recognition features. I'm not quite sure that we are going to be able to keep up with the rate of advances there in order to get that technology to a point where it can detect that this is an electronically altered or generated, you know, piece of media. That is what bothers me a little bit. So we're starting to think, at Google, how do we solve this account recovery problem? We have a couple of ideas. We're working on a whole bunch of things right now, but AI is really throwing a bit of a spanner in the works in some of these.
The unhappy path is something we see exploited quite a bit. I think we saw it recently with events in Vegas. We're running short on time, but we always try to carve out some time to end on a lighter note. This is where we just have some fun, not necessarily identity related, something that we can just kind of goof off around. What we typically do is we'll ask our guests hobbies, things they do outside of identity, etcetera. So we've kind of tailored a few different questions here. Daniel, I'm going to start with you.
So I've come up with this exciting scenario for you. If you had to perform one song to go viral on TikTok, and if you nailed it, everybody would suddenly be enrolled in passkeys for all their accounts, what would you sing or perform? Sure. Probably "Who Are You" by The Who. I think it's the most punny of answers I could give. Clever. But for context, I grew up performing, singing. I was trained in opera. Randomly, I used to live in Paris. I sang in the Paris Opera when I was there. I led an a cappella group, composed all those songs. I was in a band in Austin for a long time when I lived there. Way too many moments on stage performing. So the one song I did love to sing the most, though, was "Somebody to Love" by Queen. That was always a lot of fun. Queen's are hitting every bar, right? Right. Yeah. Yeah. Yeah. So maybe that one. You must be a karaoke superstar. Let's all go after this. But we have lakes... if you wanted to sing something. I know, right?
Mahender, you and I have a shared experience, in that we're in that 1% of humanity that has gone to the top of Half Dome in Yosemite National Park. Yeah, really awesome. Describe that experience for us. It was nerve-wracking, to say the least. You know, I'm not fit, you can look at me, right? And I was like, let's go to Half Dome with my friend. And we started at 3:00 AM. We probably saw a bear, or we think we saw a bear, we don't know. We climbed up. I think till then it was fine. We took six hours, six and a half hours to climb up Half Dome. We finished all our water, right? And coming back down was a pain. I mean, I cannot explain. It's easier to implement passkeys than climb Half Dome, I would say. That's a professional tie-in. You should do a podcast.
Christiaan, you have a variety of interests. You've learned to play guitar, you're learning golf, and obviously you're in digital identity.
Of those three things, which is the hardest? Well, that's a great question. First, before that, I just want to tell Daniel we've done karaoke at seven out of the last seven FIDO plenaries. So we'll hook you up. It's finally been thrown down. Absolutely. It's interesting, right? I think golf takes a lot of time, right? It's four hours, essentially, for me to play 18, which, like, you know, takes me away from the house for a lot. So it's hard to invest proper time in that. Guitar, you can become mediocre, or, you know, kind of help yourself to the point that you wouldn't embarrass yourself if you have to play a song, I think, much quicker than with, necessarily, you know, working in the identity space. I feel like identity is almost like binary, right? You either, you know, don't really get the principles, and you're not really, I guess, part of the solution until you are, until you really can contribute. There's just so much happening in this space. It's so fast-moving. Not to discourage anyone from participating in the field, of course, but I think there's such a lot going on. And if you are disconnected and you're not staying on top of things for three months, the world has changed so much that you almost, like, have to, I don't wanna say, relearn.
So I feel like, you know, playing golf and playing the guitar I enjoy because it's kind of like riding a bike. Once you have the skills, you retain them. Today, 10 years from now, you know, you can probably still pick it up and help yourself, versus the identity space, which is just so fast-changing. So again, I'd say identity is certainly the hardest thing that I'm involved in right now. I do enjoy golf. But I will say, picking up the guitar and being able to just, you know, do something for five minutes is one of the reasons why I love that instrument.
One of the things I like about the identity industry is, just when you think you know what you're doing, you don't. The IDPro organization, and I think I saw Em here somewhere, he might have stepped out, and I've probably butchered the stat, but there's an annual report that comes out every year, a skills survey, and they talk about, you know, when did you feel most comfortable in identity? And the numbers have changed over the years. But I remember seeing, and I think it was a couple of years ago, it was 10 years. 10 years of identity and access management experience is when you start to think you know what you're doing. I would encourage folks, reach out, talk to people. There's lots of good resources. It's been a great industry to work in for a lot of folks.
But we're going to go ahead and start to wrap things up. I think it was mentioned earlier, there is an expo hall just next door. Make sure that you go out and check it out. There's a lot of good solutions out there. The challenge is there's a lot of good solutions out there, so you have to try and find the right fit for your organization. And we're going to be podcasting in Eclipse 2, which is sort of behind the expo in the hallway there. So we have an episode later this afternoon that we're going to be recording, as well as pretty much all day tomorrow. So feel free to come in, drop in, check out what we do. They will be longer shows, as we sort of normally would do it. And if you like what you heard, idacpodcast.com, subscribe. It's a two-man operation. It's literally just Jim and I, and we do this every week, vendor-neutral conversations.
Want to give a round of applause to our guests here on the stage. Thank you so much for joining us. And we're going to go ahead and thank also Megan, Andrew and Adrian for helping make this happen. So this is a highlight for us on the show, to be able to be up on a stage like this and just have this conversation. So I wanted to give Andrew an opportunity to come up, or maybe it's Megan, to make a quick announcement. We'll go ahead and play our outro music and say, OK, we're pretty much it, and that's done. Thanks for listening and we'll talk with everybody in the next one.
You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at @IDACPodcast. See you next time on Identity at the Center.
