Dan Moore is the Head of DevRel at FushionAuth. He joins AJ and Chuck to talk about the new API called,  “WebAuthn”. Using biometric, secure authentication techniques, WebAuthn is a new approach for confirming your users' identities. He goes into detail about the usage of this API and how this is a good choice for users to validate web applications with ease and convenience. 

Picks

Hey there, and welcome to another episode of JavaScript Jabber. This week on our panel, we have AJ O'Neill.

Yo, yo, yo, coming at you live from the snow room.

I'm Charles Maxwood from TopendDevs, and this week we're talking to Dan Moore. Dan, welcome back.

Hello, thanks for having me.

Do you want to just remind people who you are and why we like you and then we can jump in and talk about off?

Sure, sure. So my name's Dan Moore. I'm head of DevRel, a company called Fusion Auth. And what we do is provide an auth service, kind of like Auth0 or Okta, where you

Mm-hmm.

can outsource some of the complexity of login, forgot password, et cetera, and focus on your application.

Awesome. So, yeah, we were emailing back and forth about WebAuthn. I'll admit I've kind of skimmed your articles about what it is and what it does. I'm wondering if you can kind of give the 10,000-foot view though for our listeners so that they understand what we're going to talk about and when you talk about how to use it, you know, maybe what some of the trade-offs are and stuff like that.

Sure, yeah. So the 10,000 foot view is really, WebAuthn is a standard that's been promulgated by the W3C that exists and is implemented by all major browsers that exposes strong forms of authentication that are typically hardware based to the web browser. So if you've fingerprint, that's all biometric or other kinds of authentication that are really hardware based. They're tied to your phone. Ubiqui is another example. And WebAuthn

Mm-hmm.

lets you access that piece of hardware through a standardized interface that's basically just writing JavaScript. So that's the big win is all your web applications, all your mobile applications that are kind of based on, you know, if they're a they can get access to that same strong form of authentication that you use to unlock your phone right now.

Right. Makes sense. So it sounds like it's pretty flexible. You can kind of go in a lot of different directions with it.

I mean, at the end of the day, it's a replacement for username and password or an augmentation of it. And I think that the real win is, again, just tying back to making the... Well, two things. One is it's more secure and it's much more difficult to fish. Some people say it's

Mm-hmm.

impossible to fish as opposed to like SMS or something like that. And the other thing is just removing friction. device than it is to enter your Zoom password to log into something.

So I've only ever seen one website that said that I could log in with web often, and I couldn't figure out how to do it. Um, I think it basically got me. I think what happened was I said, Oh, this looks cool. I'll like log in with web auth. And then it said, you don't have web auth set up. And there was no indication of what to do. So I just, you know, logged in with Google because.

Sure, yeah, I mean, and so I will say, this was standardized in 2018, and I've seen talks, and I've seen companies kind of pushing this out. I know Intuit has done this for at least some of their applications. If you go to Best Buy, you can actually see login with WebAuthn. No, they've changed it now. It's logging with passkeys, I believe. And that's actually worth digging into a little bit. Passkeys are kind of the consumer-facing name for this. WebAuthn is the developer-facing name. build this, you want to Google, hey, how do I build this with Boba then when you're marketing it to your customers, you want to say login with a pass key. And yeah.

That sounds really smart. I'm so glad that they did that.

Well, I think Apple and Google push them a little bit. I think Apple's push them a lot towards that terminology. And I think it's it's fantastic. And Google and Apple have both had presentations I think in 2021 about this technology. So it's, I will not say, I think it's probably in the, if you think about the crossing the chasm terminology, it's probably in the early adopters phase, maybe moving a little bit towards the early majority. But we, you know, the reason why I'm out on this podcast is we just implemented this in FusionAuth. And so

Mm-hmm.

we want, frankly, there's two reasons. One, I want you to know about FusionAuth and maybe choose to use our implementation. But second is, I think everyone should at least evaluate this. For if you're doing consumer applications have an easier, longer experience, you should absolutely look at this. Now AJ, it sounds like you kind of caught some of the rough edges and that could be part of kind of where this is. We can dig into kind of how you can use WebAuth in if you all want to, but

I'd love to.

it's like any other technology, right? Like it can be used for good or for evil.

Yes, those are the best technologies. Technologies that can only be used for good are typically only used for evil. Trusted

Ha

platform

ha ha

hardware,

ha ha!

for example.

Yeah, I'm gonna derail us back onto the topic though. And what I'd like to start with, because a lot of times we kind of get really deep into the technical details, but where I really like to start, now that we've kind of gotten an idea of what it is and kind of what it does, is what's the value proposition? I mean, for developers, you know, let's say I'm building an app, right? Or I work for a company that's, you know, building an app. WebAuthn, right?

Sure, yeah. So I unfortunately don't have any hard numbers, right? So

Yeah.

I will actually take a to-do to look at them, look for some hard numbers. and then we can put them on the links page afterwards. But

Mm-hmm.

what we see are the really two main purposes. But first is if you have high security needs, this could be something like for a banking application or something like that where

Mm-hmm.

the possibility of someone phishing you is gonna have real significant name ramifications. So WebLFN can be used as a single factor, right? So it's the only thing that provides login the same way as push notification or an SMS code. But the difference is because of the implementation details, it is really, really hard to fish. They've taken a lot of things that they've seen over the past 10 years in terms of how attackers attack these kind of codes, and they've built it on top of public-private key cryptography, and the private key is stored securely, right, on a device, a UBI key or a phone or something. to fish. So security is one business driver. The second

Right.

for me is ease of use. And again, I keep coming back to my first experience with WebAuthn. In our implementation, I logged in and basically registered with an account. And then I set up WebAuthn, which, AJ, to your point, we've tried to make simpler, but it is not super intuitive. But once you've set it up once, I

What

could log

does

in.

setting it up mean?

Well, let me just finish this thought, and then I will talk to you about

Yeah,

what

yeah.

setting up means, because yeah,

That

that,

was my next question anyway,

yes,

so.

totally, totally, yes, yes, that's great. And then I was able to log in with a, just touching my fingerprint to my Android phone. And you know, it's not perfect, right? Like sometimes my Android phone, the fingerprint reader gets dirty. And so I need to do something about that. But especially when you're on a mobile device, I don't like to have my browser save my passwords, so maybe that's just me, with a fingerprint just made a much smoother experience. So I think those are the two main business drivers. I would say as a developer, am I interested in higher security or with, and to be fair, there's a little bit of friction with both of these, or am I interested in a better consumer experience once they've gone through the registration process. So should we talk about the registration process?

Yeah, that's where

Uh-huh.

I wanna go next. Because yeah, it makes sense. You're not, it's harder to fish because you're not sending somebody to a page where it's, hey, enter your username and password to get the thing that I told you was wrong, that's not wrong, because I'm a liar and I'm trying to get your username and password. So, you know, the security, yeah, maybe the ease of use. Because yeah, sometimes it is easier to just authenticate it on my phone, even though I'm trying to get on on my computer. Sometimes it's a little inconvenient too. sense to me as far as providing security and maybe a certain level of ease of use. And so there's an actual word for that, but I can't think of it at the moment. So convenience, that's what I was looking for. So anyway, so yeah, so let's say that I decide, you know what, this is what I want to do, get away from the username password kind of setup. Yeah. How do I put this into my app?

Sure, so there's a couple of things. The first is you need to decide how you wanna use it. And there's three kind of main big picture options. The first is you can use it as a second factor of authentication, right? Which we are all pretty familiar

Mm-hmm.

with, right? Google Authenticator or whatnot. You could use it as what we call re-authentication, which is where someone has an account already and they've signed up and they just wanna add this You could think of that as someone putting an email address on their account so that they can get a magic link. It's just another way of authenticating someone.

Right.

And the third is you use it for what's called, we call it, it's called bootstrapping, I believe, or discoverable credentials, tied to the WebAuthent device, and that is only supported by some WebAuthent devices, so I'm not gonna talk too much about that. So let's talk about the re-authentication workflow, because that's probably the one that most of your users or listeners will think about implementing first. And the way that works is, I sign up the way I normally would, right? Like I use Google or I use whatever. I sign up with username and password, and then I go to my account and I say, a WebAuthn key, and then I click a button, and then the JavaScript browser APIs are called, and then it prompts me to put a fingerprint on my fingerprint reader, and then that gets recorded in my device and then also on the website. And then the very next time I come through, you can prompt that user and say, basically you drop a cookie in the web world, or you put a preference. in the web world, you drop a cookie. And then when your website sees that cookie, you can say, hey, do you wanna authenticate with WebAuthn? They put their finger on the fingerprint reader, and then they are magically logged in. They don't have to reenter their username and password ever again. Now, this is on that single browser, on that single device. So you can set up multiple different ones. Now, again, this gets to some of the, This is WebAuthn2 I'm talking about. There's actually a WebAuthn3. It talks about how you can kind of deal with that and work across different devices,

Was

but

there

that's

ever

still

a web often

in development.

won?

What happened to WebAuthn1?

Yeah.

I don't know. I know that there was some other passwordless stuff around the same technology that was done without the W3C by an organization called FIDO, which that might've been WebAuthn1. Sure. Sorry.

So I mean, all of us that have Macs have fingerprint scanners. I have never outside of maybe Safari, uh, paying for something through Apple. I don't think I've ever had the fingerprint scanner, um, be integrated with a website is that even does Apple even allow brave and Firefox and whatever to use the fingerprint scanner or would I have to buy one of these you know, weirdo looking, can't tell if it's an authentic company or not. Cause I've never heard of it before. Things off Amazon.

The answer is you can absolutely use Touch ID on your Mac with WebAuthn to login to web apps, if it's been properly implemented. Yes. So because of the support for the standard, all the browsers, which includes Safari, Brave, Firefox, although not so great on mobile, Chrome, Edge, they all implement this thing. So they've taken care of kind of the underlying guts and talking to the Touch ID or the fingerprint scanner, the hardware that's built into your computer. And you just need to format the request correctly, and then next time someone comes in, prompt them to go through the authentication process.

That's cool.

Hmm.

I want to use Face ID that way my kids can authenticate me in my sleep.

Careful what you wish for, Charles.

Right? Dad, I want this video game. Oh, there we go. All right. I'm a little curious as we kind of pull this together. So you said that keys are generated on both ends or, you know, the key. Anyway, there's a there's an asymmetric key pair, right?

Correct.

That's what I was trying to go to. And so when it generates that key pair, one end stores the private key, the other end stores the public key.

Correct.

And so I'm assuming, because a lot

a lot

of times

of times.

these technologies require some kind of server

server

backend-ish

back end ish

or something

or something

like that,

like that.

right? And we have a lot of listeners that, yeah, that, you know, Node.js, right? So the backend will handle a lot of this stuff and you just have to have the right

Mm-hmm.

library for it. And I'll ask you about that in a second. But is this something

something

that we can

we

also

can also

do

do.

on apps that mostly function on the front end, right? I'm thinking like a NextJS I've

We've

got a

got

database

databases

as a service

of service.

and I mean that's pretty much it you know.

So I don't have intense familiarity with Next.js, but as long as you have some server-side data store, then you're gonna be okay. Well,

Okay.

I should be careful there. I expect you'll be okay, because you can store the public key there, right? The private key always stays

Hm.

on the authenticator. Well, sorry, I just brought a new piece of jargon. The touch ID, the computer that offers touch ID, the phone that offers face ID, et cetera, those are called authenticators,

Right.

that generates the private key and then publishes the public key up to

Right.

the website. So the website just has to hold the public key, which actually that's another advantage for all your listeners is that you don't have to worry about someone breaking into your website and stealing the public keys because they don't have any value. They're public keys.

Alright.

But yes, so that is you have to have some server-side storage.

So

Is.

effectively what you're saying then is whether I'm having it send back the, because it'll send me the public key and then it'll also send me whatever encrypted payload it has for authenticating the user, right? And so at the end of the day, whether I have Node.js handle that or whether my front end library, you know, does some work on it and then passes that information back to my Firebase or something. That works fine.

Again, I haven't implemented this, but there's no underlying technical reason why it wouldn't work fine, right?

Okay.

If you can store a user's first name, you can store the public key that represents that user in the same space.

Hey, so it turns out that there is a test site where

Uh, AJ, your mic cut out.

Oh, sorry. It turns out there's a test site, web often.io and you can use touch ID in Chrome. I think the reason that I had never seen it before is because I have one of those little Fido keys because I got it through the GitHub developer program. And, um, uh, I think that it just wasn't being implemented, uh, in most places. to add my Fido key to my Google account. I think it actually does. The option is called. It's not called touch ID. The option is called this device. And I never made the connection that that was touch ID before because the other two options in the list were like, you know, security key. And I don't even remember what the other option was. But it was, it was stuff where it's like, yeah, this is the thing that I know. And the other two things were like, I don't even know if I have those, but it's called it's called this device is is the name of the option.

Interesting.

Awesome.

They need to rename that to Touch ID when it's Touch ID so that people know it's Touch ID.

Yeah, I mean, and some of that is out of websites control, right? Like some that could be like just Apple, like giving you a list of possible capable

It's,

devices,

it's, uh, brave. Brave

right?

is giving, well, I mean, chromium. Chromium is not being specific to what, what the options are.

Hmm.

I'm sure Chromium would be happy to take a poll request from you, AJ.

Oh, I don't think so. I'm sure I'm pretty sure I'm I'm on their their no fly list.

I'm, you know, now that you've mentioned chromium, I'm a little curious too then if this works there, would this not also work with electron, right? Which is effectively chromium with node.

I would think that if they chose to implement

I would imagine

the Web App

so.

then, yeah, I would think so.

That's how you do phishing right there. You get the electron app so that people could be entering in. They think it's for one website, but it's actually coming from an iframe from electron that's that's how you exploit this.

Okay, so, speaking of that specifically, yeah, how does WebAuthn tell you, I am website A and not website B? Because you could man in the middle of this thing, if

Yeah.

you don't have a way to authenticate it, right?

And they've actually done a little bit of thinking about that. So one, WebSN APIs only work over SSL. And then

Mm-hmm.

two, every, you know, remember that registration process I had you walk through? Like basically you are tying that private key that's stored on the device, on the authenticator to a host name. So, you know, if I set up with example.com and then I add, I have my users register on example.com, and then I change my host name to, you know, food.com, they have to re-register all their, what about that stuff? So you can't

Mm-hmm.

really fish in the same way, right? You can't use example.com and then example, like with a, like a Unicode letter

Right.

that looks the same, because the software's gonna recognize that and not send on the signed response, basically.

Hmm.

around that, you know, and that's one of the things I think is just a reflection of WebAuthn being a relatively new standard. You can make it, HTTP 1.1, you couldn't say has to be over TLS because back then, you know, not many people were using it. In 2017, 2018, when this was being written, we started to see all of the, you know, TLS support across the web, so.

Uh, another little hiccup. It gives you the option to scan a QR code with your phone. That doesn't work. It needs some sort of special apps that iOS doesn't have. So it's not, it's not the standard authenticator specification. It's something different, which makes sense because the authenticator is pretty weak if you're considering it for primary authentication.

Sorry, I'm just looking up this WebAuthn.io site because there's a number of sites out there that'll help. This is part of, this is by Duo. So, you know, I don't know how up to date this is or how great this is. It looks pretty solid from here, but I haven't looked at this. So, I will say again, like just kind of speaking back, like I think that this is in the early adopter slash early majority phase. I think it's going to be, really great. I think that there are some, you know, AJ, you've already encountered some user experience issues. So I think that you want to think about, you know, as a developer, like, what's the point where I want to jump aboard this? And, you know, can I leverage libraries or authentication servers that will help me accelerate that?

Mm.

Because, you know, we all know that an open source library with a lot of eyes on it, or a product with a lot of eyes on it, will probably of these kind of, you know. Roblox are issues.

Well, I think it's it's just like when browsers started implementing any security at all for the very first time. And you'd have these pop ups. Would you like X to be able to access your camera? And then there was the pre pop up, which I still think is the right idea, both on the phone and the browser. The pre pop pop up says, you know, in order to use this feature, we need access to your camera. Do you want to ask the browser for access to your camera? I think the same thing needs to happen here. If somebody selects a passkey, then they need to say, be, you know, before they prompt the passkey prompt, they need to educate the user. Um, touch ID will be called this device or, uh, you know, you, you can, they need to, they need to know, you know, what's the, what's the, what's the I want to allow QR. I want to allow touch ID. I want to allow Fido keys or something like that. But somehow if they can't do that, they just have to educate the user beforehand. Because I'm not going to know that a picture of a screen that says this device is touch ID, because touch ID is on my keyboard, not on my screen. And I'm not I'm not going to know that I actually have to do that. So I'm not going to be able to do that. So I'm not going to be able to have some sort of special app on my phone if it says authenticate via QR because to everyone in the world who's ever used that well except for China where they have their own standard but for everybody in the US that means the authenticator spec which I forget what the RFC number is on that but the same thing that Google and offy and Facebook etc

Oh, you're

etc

talking about

etc

TOTP, that stuff? You're talking

yeah

about

TOTP

TOTP? Yeah, yeah, yeah,

yeah

gotcha.

that

Mm-hmm.

the authenticator why I call it the authenticator spec because that's what is, but the average person is likely to know what an authenticator app is if they do anything where its security is required as part of one of their logins.

Yeah. And I think that points to like, I think that that's why re-authentication is the best workflow to start out with, right? Because you can now, you can say, hey, do you want an easier way to log in? And then you can kind of walk people through the step because I think you're right, AJ, until we get used to this as consumers, it's gonna be a little bit weird. It's gonna be a little bit awkward. And I think the win is there in terms of security and in terms of smooth user experience once you actually struggle through things to get it set up. until then, it is kind of a new thing. I haven't seen that QR code before, but I definitely know that we spent a lot of time, the team, I didn't write any code on this, but the team spent a lot of time thinking about what's the easiest way for people to get WebAuthn enabled for their authentication sites, for their login pages, and we just released the first version. So I'm sure we're gonna do some refinement around this relatively new and relatively, you know, we're gonna learn, I think we, Fusion Auth, but we, the developer community, is gonna learn a ton about this, because I do think that the benefits are enough that this is coming down the pipe.

Yeah, one thing that you've kind of implied there too with what you're saying that I want to just bring up. And I'm going to illustrate this with another example. So I was on Twitter this morning just kind of browsing, you know, before I got in an argument about politics, right? Because that's what Twitter is actually for. Anyway, I'm halfway joking. It was with a high school friend of mine and we were just having a back and forth. that Node.js is it basically said Node.js was a mistake, right? And then, you know, the follow on was effectively, well, actually use it every day. And what I see in a lot of cases is that something like WebAuthn, you know, it has enough security wins to make it worth it, right? Just kind of like Node.js early on. It gave people some options to use JavaScript in a way that they hadn't been using it before and to do some useful stuff It wasn't the ideal tool, but it was something there. And yeah, I think we're going to progress into, just as we have to get to WebAuthN or to the current version of Node, we're going to progress into something that fits the needs for most people. And so yeah, this might still be a little bit clunky. It might still be a little bit, you know, weird to set up. But at the end of the day, it sounds like the security wins are at least worth considering off for you as an app builder. And at the same time, yeah, we may get WebAuthn3 that actually solves some of the issues we are going to wind up having with WebAuthn2 and at the same time, you know, make everybody's life a little bit easier because yeah, you have heightened security and better ease of use.

Yep. And one of the things I kind of talked about the hostname mapping and the TLS stuff, where you can't use it over non TLS websites. Another thing that's kind of tied to it is that it really does require a physical person to press a button. Right. It's if someone prompts me for a WebAuthn, if I if I get prompted for a WebAuthn, you know, log in to authenticate, there is no code I can send to somebody else.

Mm-hmm.

way that I can share that with anybody who's not physically present with me. And I can't even see the private key, right? Because that's kind of hidden on the device

Alright.

and I can't share that. So that's just another one of the security benefits that I think they've looked at the issues and they're trying to ameliorate some of the issues that have, you know, come up around authentication.

Yeah, one thing that you just brought up that's also interesting with this is that in some cases, like I'm using LastPass, for example, for some stuff, right? And it's because I have virtual assistants and audio editors and people that need access to my stuff that's protected by a password. And I could kind of see the need for something like that going away to a certain extent because it's send an authentication request to this person, right? text or maybe you have some secure chat or something that you're going to send it to them. They follow that link. They set up their own authentication and then it just allows the dual login as a way of managing stuff.

you Yeah.

I'm kind of dreaming of the day where that's a thing because the other thing that I run into is that there are a lot of SaaS products out there that I use and they want to charge you per seat, per login, per user, whatever.

Well, that's how

I

they

would

get

love

you.

to be able to just say, authorize any of these and then if they wind up moving on to another place to work, then I can just turn it off. I can just turn off that access.

Well, I got some bad news for you, Charles. I mean, they'll probably just charge per web authend passkey that's

Probably.

been associated with it, right? Like they got to feed their kids too. But no. Yeah, I think that is an interesting way to think about it is as you could have one account that has multiple different passkeys and you still control the password,

Yeah.

right? And then at the end of the day, you can add or remove those passkeys by going through the registration process.

Yeah, but I can't share my own biometric or whatever web authentic is connecting to. I can't share that with anyone else. I can't say, oh, here's my thumbprint. Right.

Right, I mean, again, that's where WebAuthn3 kind of comes in. And Apple's working on some of that, right, to share the private

share

key

access.

that's generated by the, well, I

Right.

don't know the full details of it, but like basically the idea is they want you to log in on the Mac and then be logged in on the iOS device

Mm-hmm.

or vice versa. And that inevitably is gonna involve some kind of secure stuff happening over the, to a centralized server control and run. I can't speak too much to that. I know that is one of the things that they're trying to fix about the WebAuthn2 spec or improve. An example is, if you set things up as with your Mac and you only have your touch ID to log in and then your touch ID device gets broken or you set up on your phone

Oh yeah.

and then you lose your phone, up a creek, right? So

Mm-hmm.

that's one of the things that you wanna make sure that any WebAuthn solution you have allows you to put in two or more pass keys and make sure that you encourage all your users to do that. In fact, I don't know, I might even go so far as to say, I don't know if I would want to let someone log in without two or more pass keys or some alternative means, right, they could have an email address on file

Right.

or they could have a password, but WebAuthn alone, because it's tied to that device with WebAuthn2 is a little bit scary for a, this is the only way in to an application.

Yeah,

So

but

with.

nobody's a single device user at this point. Honestly,

That's true too.

I'm just, you know, I guess there are parts of the world where maybe that's a thing. But, you know, some of the time I'm gonna wanna log in on my computer, sometimes I'm gonna wanna use my phone, sometimes I'm gonna wanna use my tablet, sometimes I'm gonna wanna use, I don't know, you know, maybe the app actually has WebAuthn because it's built on Ionic or something, right, which uses WebTech. may have a separate deal than the website. And so, yeah, I can imagine, yeah, that being, yeah, instead of it being, hey, this is this user, it's, hey, this is this user with these devices. So yeah, what you're saying makes sense, but I think realistically you're going to have to solve for that anyway.

That's true, although I will say that there are some accounts that I have that I don't use on my, that I don't use cross account, right?

Yeah.

Like some I do, but like if it's just a shopping site and I just want to like, you know, I'm always going to be shopping on my, on my computer because a lot of typing or whatnot. But yeah,

Hmm.

I, I hear your point. The greater case, it's going to be something that you're going to want to make sure that you support.

Yeah, one other thing before I let AJ jump in. Um, how would this work then if I'm like, cause sometimes I wind up in a browser, not often, but sometimes I wind up in a browser on a device like my Apple TV or Amazon fire stick, how do you authenticate those?

How do you authenticate them without WebAuthn? You're probably

It

using,

makes me use my phone.

yeah,

Yeah.

so you probably would use your phone and then they would just delegate, use WebAuthn on your phone

De-off-ification,

as opposed to

yeah.

the, yeah.

Yeah, makes sense. AJ, sorry I

Okay,

keep cutting

so

you off.

because I work with Dash Incubator, I am immediately extremely interested in how this could be used for cryptocurrency wallets. Because one of the, I mean, they're way too technical. It's too confusing. It's too scary. If you lose your 12 words, then you lose all of your money. You know, that's really

Just

bad.

use FTX. I'm sorry.

Oh yeah,

Too soon. Too

you

soon,

got

sorry.

it. You got it. No, it's... I'll pick the breakdown video on that anyway. Um, but, but just, and not just that, cause I, let's forget that I even said that because the core, the core issue is not that the core issue is how do I, as a non-technical person have a cryptographically secure seed that I can reproduce and that I don't have to remember. And this sounds like if I get. A couple of Fido keys. And I've got touch ID on my MacBook. As long as I continually set up whatever it is that requires that cryptographic seed on a new device when I get it. And I always have at least one device that that has it. Hopefully two. Then I could do an in of them. You know, key type of thing where any of these three devices can unlock my seat. And that. interesting to me.

So what you're saying is it's a crypto, are the crypto wallops websites or they

Let's not use

apps?

that word. Let's not use that word.

Okay.

A random

Ha ha ha ha!

seed. Yeah,

Okay.

I shouldn't have muddied the water by saying that because it's gonna take people down in the wrong direction. The basic idea is I need to be able to generate a private key. I need to be able to generate the same private key every time. I need that private key to be public. I need it to be able to be on my Facebook, on my Twitter, on everywhere. So it needs to be encrypted. I need to be able to have a private key that I could give to every member of my family, all of my friends, put on my website, Something that anybody could have. And that is the real, whatever it is that accesses it could be, you know, a home server, it could be a bank account. It could be a crypto wallet. Doesn't matter, but I need a private key that I can publish. Everywhere in the world and have everybody have access to it, but only I can decrypt it, but I need to be able to decrypt it by more than one means, and it sounds like this. Could give me a means by which. I'm assuming that WebAuthn has some sort of 32 byte random number associated with that. That's what I'm asking. That's, I'm sorry. I got so excited and my brain's just going all over the place. The question I'm asking is, is there a 32 byte random, random number associated with the WebAuthn login that would be suitable for cryptographic applications?

with the WebAuthn login? I honestly don't know. I'm

I

trying

mean, I'm assuming

to think here

it, it

because,

creates a user ID that

yep,

it sends to you. And

yep.

that user ID has some sort of probably time-based hash components so that you can't do a replay attack. So probably it probably has a user ID, a nonce, a time

Yeah.

component, and then some sort of secret.

Well, yeah, I mean, it's basically signed like so. So the way that works is that the that there is a challenge, which is essentially the nonce. I don't think it's time based, although there may be some some I know there's some time checks that happen in terms of how long you can have authenticator prompt. But the secret is is is held is the private key. Right. Like this. You sign over the data. you previously provided your public key. So that's how the website knows that it's you going through that authentication process is because it's checking the signature of the data that's come back. So I don't see where there's like a 32-bit kind of hanging around, but it's possible you could send down some data. But I guess you're still running the issue of like, day, it sounds to me like, why wouldn't you just have a central repository where you could have multiple different accounts log in and by proving that they've logged in, however they authenticate, but you don't care how they authenticate, then they get access to that secret key. Like why do you need to like bring, I guess I don't

No,

understand

it's got to be encrypted.

what

You

the...

can't, you can't put the stuff on a server where anybody, you know, Willy nilly can just get access to it. No, no, it's

Sure,

got to

but...

be secure. You know, no, putting, putting something in, in plain text on any server is completely insecure, especially in the wake of all we know since Edward Snowden onward, anybody in the government can have access to anybody's data on Facebook, on Twitter, on Google drive at any time for any reason, without any friction.

So you're saying how do I use the private key that is available on these authenticators, on my Touch ID, on a YubiKey or something like that, how do I use that to encrypt a value and have that N of M transaction happen so that anybody with one or two of these things can decrypt it to get that special value? Is that what you want, essentially?

I, yes, but it's, I'm, I overcomplicated it. And what I was saying, cause my brain was going a hundred miles a minute. What I need to know is what entropy can I get out of this that nobody else can get? What amount of entropy can I get out of a web often process that doesn't have to be stored on a server because it has to do with what happens on the Fido key or in the touch ID or, you know, it's part of the operating system mechanism, not server mechanism, part of the device and operating system mechanism. Because if I have that, then all the other stuff is just layers and that's easy to do. It's already solved. There's already libraries for it. It's just I need entropy. And I need to know that that entropy exists between the thing that I'm using and the operating system that ostensibly is not compromised.

Don't got a great answer for you, but I can ask. I can ask some of the devs.

Yeah.

That'd be awesome. Thanks.

Yeah. And we may just post some follow up stuff on top end devs in the comments or add some, you know, if you have, get an answer, put it in the show notes. But yeah, for right now. Yeah, and I have to say, I'm actually gratified that you're willing to tell us you don't know something as opposed to try and make it up. But yeah, so at the end of the day then, it looks like this is something that is definitely worth a look. Are there good places that kind of walk people through WebAuthn? What, you know, how to put it in and how to, you know, validate that it's working and doing what we expect?

Sure. So I think the site that... There's kind of two sides, right? There's like the consumer facing side and then the developer facing side. And the site that AJ found, the webautein.io is a good one for consumer facing side. I've seen some other ones as well. The Ubico folks have a pretty great guide that walks through kind of some of the nomenclature of WebAuthn because there's some words special jargon, like there's like a, instead of a workflow, it's a ceremony to authenticate and things like that. I think I published a couple of articles, one on the fusionauth.io website and then one on the Stack Overflow website, which give kind of that high level overview. And then as far as kind of implementation, I think you're gonna wanna find that library that we're gonna do some digging around for and I'll, you know, whether it's Next.js or Pure Node or whatnot. There's kind of two components of the developer side thing that you want to look for in terms of implementation. The first is generating the right options for the JavaScript API, because there's a number of options. Like you can say, hey, you know, you need to generate that nonce that we talked about or that one time string. You need to say, hey, to allow. I don't know whether we want to get this deep, this technical, but like, you can, there's two types of authenticators. There are ones that are tied to a device, and then there are the ones

Hmm.

like, like a touch ID, and then there are ones that you can move between devices like UV keys. And so you can actually say, hey, I don't want to authenticate for this authentication event. I don't want to use any pass keys that are tied to a UV key. I only want the ones that are tied to the Mac or vice versa. So you have to kind of generate those things correctly and understand those. And the spec is really good about that. And then there's the whole storing the, then there's a whole prompting process and storing the public keys. And that is

Hmm.

something that is, there's a few libraries out there for that. I've seen them in Python. I'm sure they exist in JavaScript as well. But that's a whole separate set of things that aren't defined by the standard at all. That's just more like, okay, when do I prompt someone to or a WebAuthn to give me their passkey, and when do I prompt them again? And how do I store that pass, you know, the credentials that are given to me, well, they're not credentials, sorry, they're a public key essentially, safely. And how do I prevent that UX to like give people the option to sign up with multiple passkeys, things like that. And that

Thank you.

I haven't

Bye.

seen as much standardization around.

Cool.

Cool.

AJ, do you have anything else you want to jump on before we go to picks?

I want to lament that Google does not actually implement web often, whatever it implements only allows Fido keys. I can add touch ID to my GitHub account. I'm assuming I can do that with the NPM account, which I'm trying to do right now, cannot do with my Google account. Totally pissed off. You need to personally go rag on Google to make them adopt this thing. I'm counting on you, Dan,

Sure,

counting

sure,

on

well

you.

I mean, I appreciate your trust, but when you say Google doesn't support that, like you're going to your personal Google account and you're saying, hey I want to add WebOSN and it doesn't support adding a passkey there.

None of these call it web often or passkey. They call it security key

Sure.

or it's just under security as add to F a. So under Google, it's. Okay, it's under security and then it's under two step verification.

Mm.

Then it's under security key, which if you already have a security key, it will show up as if that's the option and there's no option to add it. But then if you click on your existing security key. Then it takes you to a security keys page where you have the add security key option. If you click that, then it will ask you if you want to do phone or physical key. And if you click physical key and next it pops up and it, then it goes through the browser's Fido process, but it does not have the, this device option for touch ID.

So my guess is that that is a situation, remember I talked about whether you can differentiate whether you want to allow like a UB key or allow like a authentic here that's tied to a device, they may not just support that, right? And they may not support that for the reasons that we talked about where if it's tied to my Mac and my Mac gets busted, then suddenly I'm locked out of that or I can't use that key anymore. I'm not saying they should, but that to me sounds, that's what that sounds like,

Uh,

than that.

except that I already have a key. So that's, that's already debunked, but also I had this problem yesterday on my phone, I, I basically, I just had to switch browsers because on one browser and brave on my phone, it wasn't letting me log into my Google account. I wanted to access a settings and it, and it wanted me to two factor. And then I did my authenticator two factor, and then it came back and wanted me to three factors. So I did my password. I did my two factor. the only options that gave me were, um, insert a security key or use some other thing, which was probably related to Google's proprietary app that, you know, their own proprietary technology that they developed, um, that's apart from web often that they have apps and, and hardware integration for. Um, and so, and, and on my phone, of course, I don't have a USB-C port,

Right.

uh, because it's iOS. stick in my ub key anyway so I had no way to log in to the to get to access these settings on my phone then I switch browser browsers and then I did the second factor authentication and then it just let me through so I guess it likes Safari more than it liked brave

Okay, well I will call Google and I will give them your feedback, AJ.

Thank you. I really appreciate that because I think it's going to be a lot more coming

hahahaha

from you than it will mean coming from me.

Nice. All right, well, I'm gonna move us into picks. AJ, I'll let you go first. What are your picks?

Well... I'm going to pick that video about the whole FTX thing if I can find it. but it kind of explains how the whole thing is just a huge, huge, huge sham. Because this is the guy, if you remember a couple months back, how there was this big market crash where somebody just dumped half a billion dollars in a single transaction. And by doing that, it caused the, I mean, granted, it's all Ponzi scheme pyramid stuff anyway, so they're all at fault, but there was some sort of, I think the exchange was based out of Korea, like the largest competitor to FDX other than bitnami or whatever that other things called Binance. Sorry, bitnami, whatever you are. And they so anyway, but doing the half billion dollar dump, he probably had some insider information from somebody about how their algorithm worked and knew that if he dumped over a certain amount that it would cause their algorithms to go haywire and then collapse the market. Anyway, the dude is literally, literally, literally, literally, literally in bed with this SEC director's daughter. And so that's how they got the knowledge about how to set up everything that Bahamas just right so that they can be completely shielded from any liability. And now he's all buddy buddy with the SEC saying, Oh, well, it was just a mistake of risk. And so we need more government regulation to help poor people like me to not make such bad decisions. So the whole thing is just a big loopty loop of causing problems, making And exploiting people's tax dollars and trying to make it so that the average people will never have a a non fiat digital currency that is in that can reach match mass adoption. It is it is a it is a big huge and though it again it's a conspiracy because it's literally different people who are you know they're clearly conspiring. half a billion dollars to shut down somebody else's business. That is conspiracy. You had to conspire with other people to arrange things, to get the situation set up so that you could destroy their business, right? That's what that is. That's not fair market play, you know, anyway. So I'll find that video and then link it. I am super, super stoked that I can use Touch ID with GitHub I will find out momentarily if I can use Touch ID with NPM, but I'm suspecting that I'll be able to. And so I'm really, really, really ecstatic about that. And I just did it. Yes, you can use Touch ID with NPM. So now I have my Touch ID is registered with NPM. Now the question will be, is it Touch ID

Mmm.

on different? Is it different keyboards or is it just on the operating system level? I suspect it's the operating system level. That's super exciting. And let's see, is there anything else that I can think of recently in terms of apps that I've used or just cool stuff? Um, I don't know. I've been, I've been really, oh, actually no, I've got one other thing. So, uh, Raspberry Pi is just not powerful enough to run Plex. And I actually I can't quite pick this yet because I haven't run it through the paces because I just got it set up on Saturday and I haven't really done much with it yet. But you can get a Dell Optiplex microcomputer, which I'm calling mine Microplex because that that's a quadruple untundra right there. And it's 120 bucks. but I'm sure that they'll come back in stock again. So these micro Dell Optiplex micro computers, I got the 7050, which my buddy told me was gonna be enough to be able to do at least one stream of 4K transcoding on the fly. So I believe it's gonna be at least, good enough for 1080, which to be honest, you can't tell the difference between 1080 and 4K unless you're three feet from the screen. But anyway, so it's really cool something that's less than the cost of what a Raspberry Pi 4 is right now, probably sipping a little bit more power, but not much because everything I've got connected and let me see what the kilowatts says right now. Anyway, I'm really glad that I'm going to be able to get Plex working better because my wife's been complaining about it. Okay, I'm with like five computers and five monitors and a bunch of other stuff, I'm less than 200 watts of power right now. not I think it's sipping you know 10 or 20 watts or something but yeah so now I can get my my Plex set up to work better and then hopefully it won't be upsetting my wife when it has to buffer for 10 seconds before being able to play it so

First world problems.

Hey, we

The

got

streaming

it.

box in my house is too slow.

We got to get our Harry Potter on.

Right?

Well, you know, outside of the first world, they don't have this problem because they can buy a flipping DVD and expect it to work. Well, I mean, I guess we we still can, but that's what I'm preparing for, because in the near future, you know, you're not going to have access to anything that you didn't get on DVD and Blu Ray. You know, you're going to have access to it at the whims of whoever owns the rights to it that month. So. All

Interesting. Okay. Yeah,

right, that's

I

all.

felt that a few times, but yeah. Interestingly enough, you brought up Plex and I guess I will segue into my picks, but this wasn't something I was going to pick. I actually have my dad's old computer here that apparently has more than enough juice to run Plex. And so I was working on setting that up here because we've, I mean, and you know anymore we just want to stream stuff and so yeah the idea behind having a media machine in the house that'll just do the stuff sounds terrific. I just installed Ubuntu on it and apparently you can run Plex on Linux. I was looking for Windows like to be able to install Windows and I couldn't find a cracked version that I trusted enough to install it and it was like a hundred bucks or something or 150 bucks for a license for Windows 10. And I was like, no, you know, I want to do the project, but not that badly. So yeah, if it'll run nicely on Linux, I'll just Linux the thing and let it rip. I may have questions for AJ though, as I get it set up, but pretty happy and excited about that. I'm sure you're saying something brilliant.

Oh, I was saying it's basically just copy and paste. Uh,

Yeah.

also actually, no, there's one other thing that I'm, I'm gonna, I'm going to retro pick now. Umbrell Umbrell is, has come onto my radar and, uh, is now interesting to me. I think there's a lot of stuff they're getting, right. I think there's a lot of stuff they're getting wrong, but, uh, you can put Umbrell, you can, you can run a curl bash to put Umbrell on a system. And it seems like it's a series of Docker containers or something, and it will options as apps. So they have a self-hosted option of uptime robot, which somebody else creates. They just created the Docker container in the system by which it deploys and maps ports and all that.

Right.

So that you get a, you get a click button, Synology like experience of installing apps onto your Raspberry Pi or to something like the OptiPlex or whatever.

Yeah.

And Plex is one of those options. So if you, if you copy and paste for Umbrell, you can get a whole bunch of other stuff in addition to Plex and Plex is just click a button. Plexus, you know, if you've already got it set up, getting it set up on a new computer on Linux is you just you just copy and paste and then it goes.

Yeah. Yep. Makes sense. Yeah. And so that, yeah, then I just have to figure out how to, you know, rip the CDs or, you know, or DVDs if it's not a standard thing and then just stick it on there. But anyway, as far as the Dell Optiplex pick goes, I actually was in a little bit different position. So I was looking for computers for my kids. And in And my 11-year-old has this pension to throw fits and then throw things. And he had broken all of the Chromebooks except one. He's paying for it. Another conversation. But anyway, so we were looking for some cheaper option because the Chromebooks, we either found them on a surplus from a school or we didn't pay full price on them, but still like to replace them. another surplus deal it's $100 a pop, give or take. So yeah, I was looking on Walmart.com and yeah we found some machines that look a whole lot like these Dell Optiplexes that AJ's talking about and they were like 70 bucks a piece and they have Windows 10 on them so they'll update, you know, we can run the security updates and stuff on them and then the other part of that up to date enough to where we can install like my 11 year old really loves playing Roblox. And so we could put that on there and then I can sit down and play it with him. And so just stuff like that. Right. So that was a tremendous deal. I mean, they were they were rehabbed. Right. So somebody else had owned them and given them back to Walmart. But yeah, they were like 70 bucks a piece. And so that turned out to be a good deal. And it included the keyboard and mouse and everything else with it. I think the only thing I had to figure out was putting monitors on them. I have plenty of extra monitors around here, so that worked out. Another pick just alongside that is, and this is something AJ may be able to take advantage of, but I'm sure there are other similar deals out there. The local university, BYU, they actually have a surplus that they sell all their surplus IT stuff off. You can get... I mean, obviously it's not top of the line, they're selling it off, but you can get all kinds of stuff. You can get projectors, you can get computers, you can get TVs, all of their stuff goes through there. I think the last email I got from them was taxidermy, right? And so they'd had a whole bunch of taxidermy animals that they were, you know, surplusing. So, but usually it's technology and office furniture. And so I've never needed a hundred chairs, which is usually what they're doing with the chairs, but you can go pick up a desk, you can go pick up, like I said, computer or a projector or whatever and you can get it for a pretty darn good deal. So you know it's just whatever they have so you're not always seeing what you want but you just go to surplus.byu.edu if you're here in Utah and then I'm sure there are other places. The local school district also tends to surplus stuff but they tend to do it in, what's the word for a big batch? They do it by the palette kind of. And so it's like you can get a killer deal on Chromebooks, but you have to buy 100 of them. Right. I'm trying to remember where they surplus their stuff. So I'll look that up in a second and give you the website for that. But that website services organizations like that from all over the US. And so if you're looking for surplus stuff, the furniture, they tend to sell off one at a time, unless it's, you know, like chairs or, you know, something that you would want a lot of. But yeah, they've had pretty decent deals on those. Some of the stuff's not worth buying, but you can browse through it. And they also have like books and lots of things like that. So I'm going to pick that. AJ got me going on all this other stuff. The thing I usually start with is a board game. And we are heading into Christmas. And so of course, you know, I know people are doing like Advent of Code, but one of our friends gave us an Advent calendar. This, the one we're going through is the one from two years ago, room game calendar and we're doing it with the kids and they're having a good time going through it with us. It's called Exit the Game Advent Calendar and I'll put a link to it in the show notes, but effectively what it is is you open a door, so you know like you do on a regular Advent calendar and what we get is we read the story, it tells us to open the door, we pull the And then we have to solve the puzzle in order to find the next door. And so, um, you're trying to find three numbers. And if you get the right three numbers in the right order, then what you do is you flip the thing where you dial the numbers in over and it gives you direction. So it's like up into the right, up into the left down one. And then, um, it, it also has shapes on it. So you can check and make sure you got the right door. Right. Just based on those directions. And so you get to check your work and then that's the door you open next time. And my kids have really enjoyed it. They haven't been too terribly difficult to figure out. I mean, they do have hints that you can check in the other booklet. So one's the story booklet and the other one's the hints. And if you, you know, the first is just kind of a more generic hint. The second one's a little more specific. actual solution, like how you solve it. And so, you know, if you're getting stuck, you're not gonna stay stuck. But anyway, it's been really fun. They've been enjoying it. Board Game Geek rates it at 2.09. So it's pretty approachable to anybody who likes, you know, playing games, stuff like that. So that's my board game pick. I'm also excited about our book club. Bob Martin's going to be able to make it to most of these. And it's clean architecture. We're doing clean architecture starting on Wednesday.

I started

Five o'clock

it already.

Mountain Time.

I love it.

Yeah, so

I wanna,

we're gonna be,

I might

we're

join

gonna be,

in.

yeah, absolutely. So if you have a membership, either a Top End Devs membership or just the book club membership, then you can jump in with that, but I am excited to be talking about it. And yeah, we're getting all that stuff together. And then I've been talking to some folks about, you know, some of the stuff. So like I had some people whose employer bought them access to like one of the conferences or something. And you know, they're like, we didn't get the email. And you know, some of it, I hadn't set it up to send out an email in those particular circumstances realized I needed to. And I've been using Spark Post for that. And I really like it. So I'm going to pick Spark Post as an email provider. Part of the issue is I've just I've had issues with Send Grid. That's the one that I think most people use. mostly just getting support. Right? If I run into something, they just haven't been great. So anyway, I'm going to pick Spark Post. One last thing that I'm going to just shout out about is if you're trying to run a business. So for a while back, I switched over to Hey.com for my email and I was using Hey.com and I really like it. There are a lot of things I really like about Hey.com, but the issue is that doing any kind of automated anything with it, outside of the couple of automations they've built into it, it's impossible. to reach out to sponsors or conference speakers or podcast guests or anything like that. I went and I set things up in Podio so I could do a lot of that stuff. And Podio does a good job of a good chunk of it, but it was still, it was just this hassle because it's not right there in my inbox. And so I've gone back to Google and I've been using Gmailius again and so I'm going to pick those. I'm going to pick Google Mail. You know, mine's on a domain. And I'm not in love with them, but it allows me to do the other stuff because everything integrates with it.

I'm

And

still

then,

looking for a

Jim

solution.

Elias. Yeah, it stinks. If any of these would build an automation to something other than Google or Microsoft, because Outlook.com, most of them integrate with that too. I'd probably switch to that, but none of them are doing it. Those are my picks. Dan, do you have some shout outs, picks?

I do. So I'm late to the game here, but I actually just watched the Station 11 mini-series off HBO and it was, I think it was HBO, it was amazing. So Station 11 is like kind of a post-pandemic dystopian apocalyptic book and they did a phenomenal job with this 10-part series. It's kind of a one and done turning the book into a mini-series, but I really really enjoyed the characterization. I enjoyed the affirmation of life. I enjoyed the mystery. And I think I have not read the book yet, but I actually just got the book and I'm planning to read it. But I think they did a fantastic job with that. So love station 11. Now, you may not want any kind of pandemic literature, but I really enjoyed it. Maybe you want to cut that part. I don't know. to dive into the WebAuthn Level 3 spec. So I've kind of mentioned that a couple times in this podcast. I think that is phenomenal that they're going to do another round and smooth out some of the edges. But, so I'm excited to dig into that. So those are kind of my picks. So,

Awesome. If people want to connect with you online, where do they find you?

Sure, so if you want to learn more about FusionAuth, or WebAuthn, or OAuth, OIDC in general, you can go to fusionauth.io if you want to find out more about what I think and some of my thoughts about technology and society and other things in general, like what Twitter's for, as you said, Charles. You can find me on Twitter at moreds.com, that's M-O-O-R-E, D as in Daniel, Sam. And I talk about OAuth and YDC and technology. And then I also had my most recent poll was, what do you think about persimmons? Or have you had tried a persimmon? Because I actually had one and it was pretty enjoyable. Actually, that should be, maybe I want to take a page out of IEJ's book. That's a retro pic. I think persimmons are a delightful fruit and I'm looking forward to doing more with persimmons.

Hurrah!

I don't think I've ever seen one.

It looks like a orange tomato on the outside and a spiced apple on the inside.

and it tingles your mouth. It's the weird, it's the one that, or at least the one I had. Apparently there are multiple different varieties that you can buy.

I think it's how ripe it is. I think the more ripe it is, the less it tingles, but I could be mistaken.

Awesome. I've had some other stuff that tingled my mouth, but I've had some stuff that numbed my mouth. And I still don't understand why people enjoy that. I mean, it wasn't, it was a little bit weird, but it wasn't unpleasant. I just, I don't know. Anyway, thanks for coming, Dan. And thanks for showing up, AJ. We'll jump off and until next time, Max out.

Yeah.

I'm so glad we had this episode because now-