What are the privacy and security concerns regarding our passwordless future.
In this episode, we talk about Apple's gatekeeping of web-based AR on the iPhone, a neat feature added to Apple Mail that blocks email tracking, and we say goodbye to the iPod. Then we talk about Apple, Google, and Microsoft’s plan to implement passwordless sign-in on all major platforms with Jackie Singh, former senior incident response and threat analyst at Biden For President, who currently is the director of an anti-surveillance nonprofit, which advocates and litigates against government use of mass surveillance.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Jackie Singh is the former senior incident response and threat analyst at Biden For President, who currently is the director of an anti-surveillance nonprofit, which advocates and litigates against government use of mass surveillance.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:22] SY: This week, we talk about Apple’s gatekeeping of web-based AR on the iPhone, as well as a neat feature added to Apple Mail that blocks email tracking.
[00:00:30] JP: Then we’ll talk about Apple, Google, and Microsoft’s plan to implement passwordless sign-in on all major platforms with Jackie Singh, Former Senior Incident Response and Threat Analyst at Biden for President, who currently is the Director of an anti-surveillance nonprofit, which advocates and litigates against government use of mass surveillance.
[00:00:48] JS: We do know there will be edge cases that will be left behind and we don’t yet know what the privacy surveillance and security implications are of this standard.
[00:01:06] SY: So we’re starting off this episode with a couple of Apple stories. There was an interesting piece in Protocol titled, “Apple is a massive force in AR. It’s also been holding the technology back.” So the piece goes into how, even though Apple has put a lot of effort in augmented reality, that’s a big bet they’ve made with a reportedly 1,000 strong engineering team working on AR glasses, it has yet to add support for web-based AR to Safari’s iPhone browser. The piece goes on to say the decision by Apple has taken a toll on the adoption of AR as a whole, according to industry insiders. One reason for this is the fact that Apple forces third-party browsers to use Safari’s WebKit, effectively blocking them from their own web-based AR endeavors for the iPhone. What based-AR on the iPhone would arguably be one of the most accessible ways millions of people could experience AR? But so far, Apple has shown no intention of tapping that spring. And why could that be? The protocol piece posits that they want the AR headset they’ve been working on to take center stage. So Josh, I want to know what is your take on AR just kind of in general? Is this something you’re excited about? I know you do VR. I know you got a Quest. I got a quest too.
[00:02:23] JP: Yeah.
[00:02:23] SY: But what’s your take on the whole, like, future of AR and the promise of AR? I feel like Apple’s been talking about this for a long time. How do you feel about it?
[00:02:30] JP: They have. I mean, okay. So honestly, whenever I hear AR and Apple in the same sentence, I am…
[00:02:35] SY: Do you roll your eyes a little bit?
[00:02:37]JP: A little bit because I flash back to probably the latest Apple Keynote. Whatever Keynote that was, the latest Apple Keynote, when there is an indeterminately long segment where they’re talking about AR on the iPad and they’re holding an iPad up and they’re looking at like toys or clothes and they swear this is the way we’re going to experience AR, children are going to be waving their heavy iPads over Legos and adults are going to be waving their iPads over mannequins to dress them and nobody does that.
[00:03:08] SY: No. You’ve tried those apps, I assume.
[00:03:11] JP: I mean I’ve tried them like once or twice. It’s not very sticky for me. I’m probably not the target audience. So my whole take on AR, I think I appreciate the web AR push. I definitely echo the sentiment that this is a way that more people could experience AR with the devices they already have. I think that’s incredibly beneficial.
[00:03:32] SY: Yeah.
[00:03:32] JP: Apple is definitely gatekeeping here.
[00:03:34] SY: Right.
[00:03:34] JP: On the Apple platforms, you have to write an app. They have an SDK called AR Kit for doing all this great performance, but you have to write a native application for it. You can’t do it via the web. And yeah, that’s a little gatekeeper. On the other hand, and Apple doesn’t really say that, but I feel like AR is waiting for a pair of glasses or something strapped to your face to really come to life. All the time, I’ve tried AR, I think the New York Times, they’ve been experimented with a lot of AR stuff where they’ll have stories and you can look at stuff in AR. There was one where they were talking about one of the rockets being launched and there was an AR representation of a rocket, but it was true to scale. So you could like go outside.
[00:04:14] SY: Oh, cool!
[00:04:15] JP: Yeah, hold up your phone and be like, “Wow! This rocket is like 20 stories tall. It would be huge next to me.” And that was kind of cool, but it’s kind of gimmicky. But it was really nice to be able to do it with my phone, but again had to be a native app.
[00:04:28] SY: Yeah. I feel like every time there’s an announcement, I’ll download an app and test it out. The only one that was almost useful was the Ikea app. Almost, like almost useful.
[00:04:39] JP: Oh, yeah.
[00:04:41] SY: I don’t know if you tried it. To me, it doesn’t really give me the illusion that something is actually in the room. That’s where I struggle because the phone screen is relatively small and I can’t quite make the leap of, “It’s like I’m looking at it in my living room.” To me, it’s still like, “I’m looking at a thing on my phone.”
[00:05:02] JP: Yeah.
[00:05:03] SY: So I can’t quite make that leap. And I don’t know if it’s because I’m using my phone. Whereas with Apple, their whole thing is having the glasses in the headset, which I can only assume would create a very different experience. But for me, it never feels like augmented reality. It feels like I’m looking at a screen where you photo-shopped something into a photo of my living room. You know what I mean?
[00:05:29] JP: Yeah.
[00:05:29] SY: I just can’t quite get there.
[00:05:30] JP: I will say, I do remember there was an online framing company and I used their app to upload one of my pictures, pick out a frame, and view it on the wall of my apartment. And that was really helpful. I was actually really pleased by that. That part was pretty great. But yeah, I agree with you. They’re kind of gimmicky. So who knows? Maybe if there was available on the web, people would find more use cases for it. I think right now the real barrier is you have to think of a use case for AR and then you have to incorporate it or write a brand new application for it. And if I, as a web developer, could just throw something up on a webpage, it would spur more innovation.
[00:06:06] SY: I agree with that. I think that if they were more supportive of web AR, I think that there would definitely be a lower barrier to entry, which in tech usually means we have more contributions and more people willing to just throw things on a wall and see what sticks and see if things work out. But even so, I feel like with what AR has been available so far, nothing I’ve seen has made me go, “Ooh, this is going to be great.”
[00:06:32] JP: So we haven’t talked a lot about Apple’s VR and AR hardware on this podcast because we don’t want to get into too much of the speculation. Well, I mean, we do, but I wonder if those devices will have a browser and at that point, Apple might be more amenable to it. If I had some Apple AR glasses, if it had a web browser in it, I'm kind of torn whether it actually will have a web browser. But if it did, maybe that would be a case which they would support it. I just get the sense they’re waiting for their hardware.
[00:07:04] SY: I completely agree. I mean, one thing that we know about Apple is they’re very, very, very controlling in terms of what they want the user's experience to be like. That’s really what they optimized for. It feels like they’ve consistently had a very clear opinion and perspective on the way it should be. And I think they care a lot more about creating what they feel is the right experience. And especially with AR, I can see this kind of being a big deal for them where they maybe want to get it right and they want to be in control of that. And that to them I think is more important than accessibility of a technology, as I think we’ve seen over the years.
[00:08:05] JP: In other Apple news, WIRED had a story about how Apple mail now blocks email tracking. So now email marketers won’t be able to spy when you read certain emails. Usually, this type of email tracking involves adding a pixel with a specific file name in the body of the email that the server can keep track of whenever that image is opened, as well as track you by IP address. Apple mail stops this nasty practice by downloading every single image first before you even open them. This essentially breaks down the system by making every email seem like it was open and read by a human, even if it wasn’t. Clever. And because Apple browsed these downloads through proxies, your location can’t be tracked either. So Saron, I know we’ve talked a bunch about advertisers versus Apple and their ongoing privacy policies and their ongoing I’ll say hostility towards internet-based advertising. What do you make of this?
[00:08:59] SY: It makes me so happy. I love it. I feel like with every announcement with one of the big tech giants, I’m always kind of asking myself, “All right, what are you trying to get from me this time?” You know what I mean?
[00:09:13] JP: Who’s the product?
[00:09:14] SY: I’m like, “Who’s the product?” Yeah, exactly. Very on edge. I’m very, very on edge in the last, I don’t know, 10 years or so. I’m on the lookout.
[00:09:21] JP: Just the last decade.
[00:09:22] SY: Just last the decade. Before that, everything was great. And so when I read this, I was like, “Ha, finally! Yeah! I got someone on my side protecting me,” which felt very, very cool. The thing is about the whole image tracking, I know that Gmail, I’m pretty sure, has been doing that for a while, but I don’t think it’s to prevent tracking.
[00:09:46] JP: I’d be shocked if it was. Right? Because that’s been Gmail's bread and better. Right?
[00:09:52] SY: It definitely was not why, but I’m pretty sure they, for years, have been respective of the email marketers. Gmail has posed this problem of pre-loading the images in the email for you so that it’s just a faster, a better experience. But in doing so, it looks like you opened an email that you didn’t open. And I can’t remember exactly when they started doing this. There’s definitely some times in the last decade, but I remember when it happened, everyone in the marketing world kind of freaked out. I remember seeing a bunch of stuff from MailChimp being like, “Here’s what you can do now that this phenomenon has happened and your open rates are unreliable.” I remember it was a thing. I don’t think there is a solution now, but it’s kind of interesting that Apple is implementing kind of the same concept, but they’re actually trying to help. It’s intentional where Gmail was just kind of trying to create a cool experience. But I do think that it’s interesting that they’re using proxies. That definitely takes it another level, even when you do these downloads, you’re still not going to be able to know where you are, which is really great.
[00:11:00] JP: I guess this gets to the idea that basically email tracking is just busted. I mean, I know a lot of advertisers rely upon it. Marketers are completely reliant upon it. But if you think about it, you’re just measuring whether something has downloaded that image. You’re not really telling whether someone opens your email. You’re certainly not able to tell if someone read your email.
[00:11:23] SY: No.
[00:11:24] JP: I understand the desire for marketers to understand if their message is received, if their message is read, but ultimately, I think they’re going to have to rely upon, “Did a user come to my site?” You can still put tracking on the links that a user clicks so you could find out, “Oh, yeah, they came from this email that I sent.” You see those all the time. Reliance of marketers on the tracking pixel, it’s a really bad habit, but it’s really easy or has been easy up until now. And I think we’re going to see marketers move away from that. And honestly, I think that’s a good thing. How many times have you gotten a marketing email and then you’ve gotten a follow-up one and a follow-up one? You get that drip, like one per day. It just keeps coming. And a lot of that is driven by, “Oh, we saw that you opened it, but you didn’t respond to us. So we’re going to send you another email and another email.”
[00:12:14] SY: Okay. I have to be honest. I actually look at a lot of those email marketers.
[00:12:18] JP: Do you?
[00:12:19] SY: I don’t know what’s wrong with me, Josh. I really don’t. I just go through the little, because I use Gmail. So I have the little tabs, the primary, the promotional, the whatever.
[00:12:28] JP: Oh, yeah.
[00:12:29] SY: And I don’t know, for some reason, I just always check all of them and I’m like, “Let’s just see what’s going on.” And the thing with the promotional category is technically it’s mostly stuff that I signed up for. You know what I mean? So it’s kind of like getting a product feed for all the products that you’ve already decided you like, if that makes sense. To me, it’s a different experience than I type something into Google and I get like the ads on the side, right? Where I’m like, “Oh, that’s not what I meant.” Like, “I wasn’t looking for this.” But when it’s in my email, it’s like, I mean, I do kind of want to know what colors, eyeshadow, glossier has… I’m curious. You know what I mean?
[00:13:09] JP: Okay. Okay.
[00:13:10] SY: So I always check it out. The thing that freaks me out, however, is the drip. The drip really freaks me out. I remember I was considering buying the new Rihanna perfume, purely because it’s Rihanna and I’m slightly obsessed with her. And last time it sold out. And so I was like, “Okay, this time, I’m going to get it,” right? And I clicked on the link in the email that promoted it and then I remembered how much perfumes cost. And I was like, “Oh, no, no, no. It’s not that serious. Never mind. I’m fine. I’m fine.” And I exited and I think it was like a day later I get one of those little drip emails that’s like, “We saw you looking at the perfume. It’s going to be sold out again. Are you sure?” And I was just like, “God!” Totally freaked me out. So those types of email tracking thingies really make me uncomfortable, but kind of the regular promo, I don’t really mind it too much unless it really bothered me. But yeah, I do agree that the efficacy of it is very unreliable.
[00:14:18] JP: Marketers are resilient. Life and marketers find a way. Somehow we’re still going to get them.
[00:14:23] SY: Well, the thing that I was thinking when I read this headline was I was thinking, “Oh, man, Apple ruined social media tracking, taken away email tracking.” What are these people going to do?
[00:14:37] JP: They do in the App Store. You know what though? They’re for sure is tracking on that App Store, like they would go into the millisecond how long you are debating whether to download Candy Crush or not. I guarantee it.
[00:14:50] SY: Fair. Fair. And one more bit of sad, nostalgic Apple news this time. The iPod Touch, which was the last version of the iPod, is being discontinued. So the over 20-year legacy of the music player, the thing that changed it all now officially comes to an end. However, in a press release, Greg Joswiak, Apple’s Senior Vice President of Worldwide Marketing, said, “Today, the spirit of iPod lives on. We’ve integrated an incredible music experience across all of our products.”
[00:15:25] JP: Pour one out for the iPod.
[00:15:26] SY: Pour one out for the iPod. Let me pour out my apple juice. Yeah. So first of all, I'm honestly surprised it lasted this long.
[00:15:36] JP: Right. Did you remember that this thing was even still around?
[00:15:38] SY: I was like, “Oh, yeah.” Because the last time I looked at the iPod Touch, which maybe was over the summer, it was maybe the last time I was at Apple Store, and I like looked at it and I was like, “Isn’t this the iPhone?” Because they looked exactly the same.
[00:15:55] JP: It’s basically what it was. Yeah. It’s an iPhone without the cellular connection.
[00:15:59] SY: Right. And I was kind of trying to think like, “Who’s the target market for this?” I guess if you want to give it to your kid, but you don’t want them to call people, I don’t really get it. So it didn’t really make sense to me as a product the last time I saw it. So I’m not super surprised, but it’s the end of an era, 20 years, especially for a piece of technology, it’s pretty solid. So definitely end of an era.
[00:16:22] JP: Yeah. The iPod Touch is kind of like this weird Frankenstein of an iPhone and an iPod smooshed together. Yeah. I also forgot it was still for sale. I was like, “Really? We’re still selling that? Okay.”
[00:16:32] SY: Like, “Why? What’s your purpose?”
[00:16:33] JP: Yeah. Like, “All right.”
[00:16:35] SY: What do you do?
[00:16:36] JP: It was really, really cheap.
[00:16:37] SY: That’s true. That’s true. Yeah, for an Apple product.
[00:16:38] JP: Yeah. Did you ever had an iPod? Do you remember your first iPod?
[00:16:42] SY: Yes. I had the Nano.
[00:16:45] JP: Oh, yeah.
[00:16:46] SY: I had the white Nano. It was one of my favorite things. I can’t remember when I got it. It was many, many years ago, but I love that thing and I put on my music on it and I jammed and it was so cute and it was a little rectangle shape. I just love that device, had that for a long time.
[00:17:03] JP: So cute.
[00:17:04] SY: You know what I always thought was really ugly?
[00:17:06] JP: What?
[00:17:07] SY: The shuffle.
[00:17:08] JP: The shuffle? I had a shuffle for a while, the one that it had a button, like it was just one. I used to run with that. Yeah. Oh, good times.
[00:17:15] SY: It’s like it had a head and then it missed a whole body.
[00:17:19] JP: Right. It just had like little wheel. Yeah.
[00:17:21] SY: Yeah. It looked like it was missing the body, like visually it freaked me out. I didn’t like it. It made me very uncomfortable.
[00:17:29] JP: I had an iPod Mini, a blue iPod Mini for many, many years that I also loved. But embarrassingly, I will share this with you if you don’t tell anybody else. My first iPod was the iPod for Windows.
[00:17:43] SY: What?
[00:17:43] JP: I was a Windows user back at the time. And the first iPod was only on the Mac and it got really popular, but Windows, people couldn’t buy it. So Apple had this really weird version of the iPod. They brought out that had some like Windows software and you could plug it into a Windows computer. I got a Mac version shortly after that, but yes, I bought an iPod for Windows. I’m not proud of it.
[00:18:06] SY: Wow! I didn’t even know that was a thing.
[00:18:09] JP: It was like a very briefly a thing. It was before they had iTunes on Windows.
[00:18:13] SY: Oh, yeah. I do remember that. Yeah.
[00:18:15] JP: Yeah.
[00:18:15] SY: Yeah, they have iTunes in the Mac ecosystem I feel like for a long time.
[00:18:21] JP: It’s such a magical device. I took that thing everywhere. Oh, man. It really helped, I think, kill conversation and small talk in the modern age. I'm really grateful. Every time I’m on a plane or a bus, I’m grateful. I don’t have to talk to anyone because I have these ear pods.
[00:18:37] SY: You know what? That is so true, especially because they’re bright, white ear pods that nobody can miss. Just leave me alone, like you know I’m occupied right now.
[00:18:45] JP: You don’t even have to turn it on. You just put them in.
[00:18:46] SY: You don’t have to. Yup.
[00:18:47] JP: And nobody would talk to you. It’s amazing.
[00:18:49] SY: Absolutely great. Do you have any of your iPods?
[00:18:53] JP: Oh, well, I was just talking with our producer, Levi, about this because Levi said he still has his original one in a drawer. I unfortunately don’t.
[00:19:00] SY: Did you throw it away?
[00:19:02] JP: No, I grew up in the heyday of eBay.
[00:19:04] SY: Oh, okay. Yeah, it makes sense.
[00:19:06] JP: As soon as the new one came out, I kept all the packaging. I was like really militant about keeping all my packaging. I would package it back up very perfectly in its box and sell it on eBay for maximum value and then buy the new one. I thought I was so clever. I was saving so much money, but now I have none of these old devices.
[00:19:23] SY: I know!
[00:19:24] JP: I'm bombed.
[00:19:25] SY: I probably kept it, but it feels like so long ago that in between like moving and packing and stuff, I don’t know if I still have it. But I do have a lot of my old iPhones though.
[00:19:35] JP: Oh, save those.
[00:19:36] SY: Oh, yeah. Oh, yeah. I sometimes just like pull them out of my little tech history drawer. And I’m like, “Oh, you used to be so small.” Remember when they were like opposed to big phones for a really long time?
[00:19:49] JP: Even the iPod is so tiny.
[00:19:50] SY: It’s very small.
[00:19:51] JP: Yeah, it’s amazing.
[00:19:52] SY: Very small. Yeah. Yeah. It’s great. Oh, okay. Bye iPod.
[00:19:56] JP: Well, goodbye iPod. Thank you.
[00:19:57] SY: Bye.
[00:19:58] JP: Thank you for your service. Rest in peace.
[00:20:01] SY: Coming up next, we speak with a security expert about Apple, Google, and Microsoft’s plan to implement passwordless sign-in on all major platforms after this.
[00:20:34] SY: Here with us is Jackie Singh, Former Senior Incident Response and Threat Analyst at Biden for President, who currently is the Director of an anti-surveillance nonprofit, which advocates and litigates against the government use of mass surveillance. Thank you so much for being here.
[00:20:49] JS: Thank you so much for having me. I’m so excited.
[00:20:51] SY: So you have some very impressive titles. Tell me a little bit about your security background.
[00:20:57] JS: Well, I started out as a young idealistic hacker in the hacking community at a young age. I started attending Linux user groups about age 12 or 13. So I was that weird young kid around all the older men who were wondering why I was there. And I really enjoyed those and so I started going to 2,600 meetings, The Hackers Quarterly. It’s a magazine that gets put out four times a year. And I used to talk about how to get free things from vending machines and how to get free phone calls and things that 14 year olds really heard about. And eventually, I found my way through that circuit as seen to the military and then through defense contracting, to consulting for very large companies and helping them understand how to develop their cybersecurity programs and how to improve their security posture. And then I found my way to the Biden campaign, where I was hired as the threat analyst, the incident responder to help deal with the cybersecurity posture of a presidential campaign, which was pretty complicated, I have to say.
[00:22:03] JP: What was that work like? What kind of incidents and threats are you dealing with on a presidential campaign?
[00:22:09] JS: Well, I have to say that I am under super duper NDA.
[00:22:14] JP: That makes sense.
[00:22:18] JS: I would love to tell you about all of the crazy and interesting stories and the wonderful people that I met. But unfortunately, I have to cap it off by saying it was the most stressful role I’ve ever had, but it was also the most important and I felt so civically involved and proud to have been selected. And it really made me feel like I could have an impact in cybersecurity. So it was very different from a lot of other roles that I’d had in the past.
[00:22:44] SY: Wow! So we got some big news this week on World Password Day that Apple, Google, and Microsoft are planning to implement passwordless sign-in on all of their major platforms across mobile, desktop, and the browser. So for those of you or those of us who might not know what passwordless sign-in is, although it sounds kind of self-explanatory, but still, can you describe for us, what should we expect from this experience?
[00:23:11] JS: What this passwordless setup is, is actually a FIDO, F-I-D-O. There’s been a FIDO Alliance, which has been in existence for a decade or two that’s been trying to bring this to the world for quite some time.
[00:23:25] SY: Oh, wow!
[00:23:26] JS: And so the idea is that passwords are complicated. Passwords are difficult to implement properly. Not just from the user perspective, but from the implementer perspective, the development perspective and the ongoing management, right? Breaches are expensive. They hurt reputation and companies want to do something about it. And so what they want us to do about it is to log in to everything using a system that’s essentially established by these coordinated tech companies, by Apple, Google, and Microsoft. And they’re working together and agreeing on this standard that they’re going to get us all to use similar to the way that we use OAuth today to log into a website using our Twitter credentials or Google credentials, right? Instead of having to set up a new login and password, we’ll be using our unique FIDO account, which relies on public key cryptography. So in a way, it’s a step forward for security because we won’t be handling our own passwords anymore and we won’t have to ask developers to handle passwords anymore or just companies in general to handle them.
[00:24:34] JP: Let’s talk about the nitty-gritty of how it works. What does a user experience and how is that different than today’s login architecture, which is mostly sign-in name and password?
[00:24:48] JS: Well, that’s a really good question. I think that completely depends on the implementation and I’m not sure that we have seen very many implementations of this standard so far. I mean, it is very new. And so we’re looking at something similar to what we do today with two-factor authentication where someone sends you a message and says, “Hey, is this actually you trying to log in?” And then you can say, “Yes, it is me,” or, “No, it isn’t me.”
[00:25:14] SY: So it’s been 10 years, you said, since we’ve been working on FIDO, which to me in the tech world, that kind of feels like a while. Is that a long time for this type of technology, this type of implementation and why 10 years?
[00:25:30] JS: I don’t think so. In general, I think that there is a pretty long arc that we aren’t used to observing ourselves as end users for the protocols that underpin the internet. These protocols really need to be tested up and down, a lot of different entities want to give their input, and it’s a collaborative process that takes sometimes decades to even reach a final standard for something that everyone can agree on.
[00:25:58] SY: What kind of work will app and web developers have to do to support the standard? What are some of the things that we might expect to have to learn, implement, consider if we want to kind of take part in this passwordless world?
[00:26:15] JS: That is definitely not my forte, as what the actual implementation would look like. I know, in general, there are methods that companies use obviously to make development integrations easier for developers such as SDKs. And so I think we can probably assume that the major companies will release their own implementation SDK that allows developers to very smoothly streamline this implementation into their applications.
[00:26:41] JP: Would you consider this kind of passwordless authentication to be more secure than the current system of password authentication?
[00:26:48] JS: I would say so. I would say that eliminating passwords as an access mechanism is good, but I do think that the standard allows us to use a lot of different things for additional authentication, a lot of additional factors such as biometrics. And so if we’re thinking about shifting from passwords to biometrics, we’re shifting from a dataset that when breached can be aged rather quickly, meaning folks can be notified that their passwords are breached and they can potentially take some kind of action to change their other passwords and to keep an eye out for any other breaches of sites where they may have reused that password. But we’re going towards a future where biometric data when breached will be uninterruptible in the future, right? We’re actually moving pretty quickly towards quantum computing and functional quantum computers. Right? So when we’re talking about this implementation, which relies very heavily on public key cryptography, we’re looking at a one to two decades’ stopgap measure at best because now you’re providing organizations an opportunity to integrate an access mechanism that relies on data that can’t be changed in the future, right? Like if we set up your phone to authenticate you based on your face, today with face ID, that’s all well and good because the data lives on your phone. And so we have this assurance that it isn’t living on some cloud server, somewhere waiting to be reached, but future implementations of FIDO and authentication that relates to biometrics such as your face and your fingerprint and voice print, again, this data doesn’t age. So when we reached the age of quantum computing, all of these breached datasets or datasets that were transmitted securely at the time over a public network, such as this new implementation standard that we’re talking about, were potentially going towards a disaster. So I’m not actually sure that we’re doing very much over the long run with this new standard, but I do think that it’s a step forward to help limit the impact of breaches. Like I said before, breaches are expensive. They hurt reputation and there are a lot of hassles relating to just dealing with passwords, having to manage and store dataset that can be breached. But now we’re talking about logging into everything using a system that’s managed by one or more of the tech companies. And so we’re centralizing and storing more data with them. Right? And ultimately, we’re tying our hardware to these services. So not only does Microsoft now require with Windows 11 that you tie your Microsoft account to that PC when you first set up Windows 11, which is a change they recently made kind of undercover, a little quietly, but now we’re going to log into even more services using these tokens, which are now being carried in an encrypted form, which can be broken in 10 to 20 years over public networks. So I think we’re improving the customer experience here and just the user experience. People hate passwords. It improves the developer experience because we’re avoiding a lot of those pitfalls related to managing authentication ourselves. But we’re going closer towards a dystopian future that we potentially don’t want. The major tech companies are centralizing their power and they’re creating more surveillance risks for people. We’ve already seen this in the past with changes that Apple made to their advertising ecosystem with regard to IDFA, which was this unique string of numbers that advertisers were using to tie your activities on your cell phone, to your unique hardware that Apple provided you. And so now it’s a good thing that third parties don’t have this. Apple made a change. So that third parties can’t get this data, which actually made a lot of changes ripple throughout the advertising ecosystem. But in reality, it’s a mixed bag because third parties have already developed new methods of profiling us without that ID and Apple themselves they’ll get to use it. So what we’re talking about with all these changes are walls around the walled gardens that essentially get higher, which protects their competitive advantages as massive tech companies, but there may not be any actual measurable impact to end user privacy. So that’s really what I would love to see through this effort is wanting to make sure that these companies actually do something about privacy and security instead of just having to be seen doing something about it, to get brownie points in the market.
[00:31:12] JP: It sounds like the real risk here is that we’re trading convenience for a concentration of power among the larger tech companies. Is it possible for consumers to benefit from these passwordless protocols without that downside of consolidation? Or is that inherently baked into this mechanism?
[00:31:35] JS: Well, when you’re talking about Google, Apple, and Microsoft coming together over a period of years in order to establish a standard that they can support together, I really don’t think that there’s an opportunity for consumers to leverage that for their own uses without involving those companies. Right? I really don’t think that they’re going to build systems that enable security and privacy outside of their watchful gaze, if that makes sense.
[00:32:10] JP: So this entire 10-year process of coming up with this standard and refining it, it sounds like consumers haven’t had a seat at that table at any point.
[00:32:24] JS: I don’t think so. I think that’s a really amazing point to make. Right? Where is the request for comments? Right? When you’re talking about, say, a new NIST standard, they ask the community, they have open conversations with the academic community, with the operational cybersecurity community, “Hey, let’s talk about these changes we’re making to a cryptographic standard,” for example, which could have massive implications for all of us. And so when we talk about something like this standard, which will have incredibly long running repercussions and second and third order effects that we can’t possibly anticipate very well now, I think we should all be asking more questions about what this is that is being pushed down to us and whether it is actually all in our best interest.
[00:33:07] SY: The other thing that we were thinking about is how this affects accessibility. And I’m wondering if you think that this future of making the access of everything contingent, frankly, on a smartphone, is that a net positive, a negative in terms of tech accessibility?
[00:33:26] JS: So from an accessibility standpoint, I think there are positives and negatives, right? From a positivity standpoint, when you’re talking about being able to use different types of mechanisms in order to authenticate yourself as opposed to being forced to use a password, which is a highly visual type of system. Right? And obviously, devices have accessibility features that allow people who maybe have some degree of blindness, for example, to use passwords and be effective with them. I do think that opening up the standard to additional factors like tactile factors may be incredibly useful for more users in the future. But you really hit the nail on the head when you mentioned that you need a smartphone to do a lot of this stuff. I mean, really all of it. These are technologies that are being implemented, not for the “Global South”. Right? I don’t even like using that term because it makes some kind of an implication about the people living there. But the reality is that there is very low internet penetration in many parts of the developing world. And so we’re moving towards a future that may exclude entire swaths of people around the world because they just aren’t up to it yet. And so I really would love to know what the plan is from these companies relating to sunsetting passwords and two-factor authentication and what that looks like. We do know there will be edge cases that will be left behind, and we don’t yet know what the privacy surveillance and security implications are of this standard.
[00:35:02] JP: Are there any authentication alternatives that you think the tech industry should be moving towards that might have a better balance of security, consumer protection, and accessibility?
[00:35:17] JS: The key to being able to be a little more like quantum decryption proof, you want to make yourself resistant to that, you need to shift from asymmetric encryption to symmetric encryption, which means that you’re pre-sharing a key amongst each other, as opposed to relying on public key cryptography, which has a different paradigm. Unfortunately, it’s a little more unwieldy. Right? I mean, there are measures that can be put in place, but when we talk about the viability of implementing something so complex and giving people the opportunity to use something that looks a lot like something they’ve used before, I think the adoption viability of this is extremely high. And I think we’ll see it be used very widely and potentially even replacing passwords in a decade.
[00:36:05] SY: Is there anything that we haven’t covered that you’d like to speak on?
[00:36:08] JS: I think there’s a little bit of opportunity with the new standard for vendors to do some level of additional people verification as has been recently mentioned by Elon Musk, but I think it may do so again at a cost of identifying people as they’re using services, which is that key part of the surveillance capitalism ecosystem that we dislike and want to start dismantling, especially using some of these web3 technologies that people have talked about. I don’t know how these things are going to shake out, but I’m really interested in, again, what the surveillance and privacy implications are going to be of these technologies, because I don’t feel like enough people are looking at it and really thinking it all the way through from a user-centered perspective as opposed to what’s convenient for Google, Apple, and Microsoft.
[00:36:53] SY: Well, thank you again for joining us.
[00:36:55] JS: Thank you so much for having me. I’d love to be back anytime.
[00:37:08] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected] Please rate and subscribe to this show wherever you get your podcasts.