Ricky Mondello
@rmondello@hachyderm.io  ·  activity timestamp yesterday

I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.

YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs

I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care into making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.

Brandon Butler
@brandonbutler@mastodon.social replied  ·  activity timestamp 18 hours ago

@rmondello What are your thoughts on sites that use passkeys + a second form of authentication? GitHub is one that comes to mind.

Doesn’t that defeat one of the benefits?

Ricky Mondello
@rmondello@hachyderm.io replied  ·  activity timestamp 18 hours ago

@brandonbutler I address this in the talk! Let me know what you think of my argument around this. :)

Bob Young
@fifonetworks@infosec.exchange replied  ·  activity timestamp 19 hours ago

@rmondello
Ricky, that was an excellent talk. I'm glad I watched it.
I'm one of those people who still has serious reservations about adopting passkeys, and I was hoping you'd provide new information that changed my mind. My main reservation centers around the huge number of people who only have one device.
If their only device breaks, and
If they deleted the password authentication option,
Then they experience permanent account lockout.

I help people globally with tech support, including account recovery. I have a “no fix, no charge” guarantee. I’ve seen this problem first-hand. One device, broken or stolen, and accounts from
Microsoft,
Google,
Apple,
are gone forever.

You asked in your talk for collaboration and input, so here’s my recommendation: any adoption of passkeys, any implementation of passkeys, needs to include “error checking” that prevents a user from ever having only one way into an account.

Christopher Bowers
@chrisipedia@mastodon.social replied  ·  activity timestamp 19 hours ago

@rmondello maybe it’s the nerd in me but I’m hesitant to use passkeys because they seem so opaque to me. Do you have any advice that might cause me to step off the ledge?

Rob
@rob@social.prosumer.dev replied  ·  activity timestamp 21 hours ago

@rmondello Nice talk! Thanks for sharing.

Did you choose “Head over heels” as intro music yourself or was this chosen by the FIDO Alliance?

Penguin
@PenguinToot@twit.social replied  ·  activity timestamp 22 hours ago

@rmondello Great talk, thanks 🙂

WTL
@WTL@mastodon.social replied  ·  activity timestamp yesterday

@rmondello <added to watchlist> 🎉

Gracjan Nowak
@gracjan@mastodon.online replied  ·  activity timestamp yesterday

@rmondello It resonates with me what you said about actually allowing the user to drop the password. Some services allow that (PlayStation does it automatically), but at this stage most don’t yet. I’m happy that I can sign in to some accounts with a passkey, but the password is still there as a fallback, which I don’t need or want. This has further implications, in that I still need TOTP or SMS enabled to protect against password attacks, if a passkey isn’t asked for in that case.

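Two of the replies above ask for the same server-side control: Bob Young wants "error checking" so a user can never be left with only one way into an account, and Gracjan Nowak wants to be allowed to drop the password once passkeys are in place. The following is an added illustration of one such policy, not code from the talk or from any of the services named in the thread; the `Account`/`Credential` model and the rule that passkeys held in the same place count as a single way in are assumptions for the example.

```python
from dataclasses import dataclass, field

MIN_WAYS_IN = 2  # assumed policy: never fewer than two independent ways in


@dataclass(frozen=True)
class Credential:
    kind: str           # "passkey", "password" or "recovery_codes"
    cred_id: str
    location: str = ""  # device or sync provider that holds a passkey


class LastWayInError(Exception):
    """Raised when a removal would leave too few independent ways in."""


@dataclass
class Account:
    credentials: list[Credential] = field(default_factory=list)

    def ways_in(self, creds=None) -> set:
        """Count independent ways in. Passkeys held in one place (a single
        phone, a single sync provider) are one way, because losing that
        place loses all of them; password and recovery codes are one each."""
        creds = self.credentials if creds is None else creds
        ways = set()
        for c in creds:
            ways.add((c.kind, c.location) if c.kind == "passkey" else (c.kind, ""))
        return ways

    def can_remove(self, cred_id: str) -> bool:
        """True if the account keeps MIN_WAYS_IN ways in after the removal."""
        remaining = [c for c in self.credentials if c.cred_id != cred_id]
        return len(self.ways_in(remaining)) >= MIN_WAYS_IN

    def remove(self, cred_id: str) -> Credential:
        """Remove a credential (including the password) only if the user
        still has enough independent ways in afterwards."""
        matches = [c for c in self.credentials if c.cred_id == cred_id]
        if not matches:
            raise KeyError(cred_id)
        target = matches[0]
        if not self.can_remove(cred_id):
            raise LastWayInError(
                f"removing {target.kind} {cred_id!r} would leave fewer than "
                f"{MIN_WAYS_IN} independent ways into the account")
        self.credentials.remove(target)
        return target
```

With a password plus a single passkey on one phone, dropping the password is refused; once recovery codes or a passkey on a second device exist, the same removal is allowed.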
Dayton Lowell
@Daytonlowell@mastodon.social replied  ·  activity timestamp yesterday

@rmondello You're a really good public speaker, Ricky. You speak slowly, clearly, and communicate effectively. Great job!

I'm a web developer and I’d like to begin the investigation of supporting passkeys in our web apps. Do you have any good resources for what they might look like on the client & server?
