In this video, taken at the Authenticate 2021 conference, a panel consisting of Vittorio Betocci (Principal Architect, Auth0), Simon Law (CEO, LoginID), and Nick Steele (Principal Security Engineer, Gemini) sit down to discuss FIDO and answer any questions developers might have.
Integrate LoginID’s FIDO2 Biometric Authentication Solution for Free HERE
Transcript below: Vittorio Betocci (VB): Thank you. Bonjourno everyone, and welcome. I’m here again, but this time you will not hear me talk all that much. I’m chartered to do a bit of moderation for this panel. I don’t think there will be much need for moderation, since this is not a very unruly crowd.
Just to give you a bit of background, which I didn’t give earlier, I’ve been working in the identity space for many years, maybe a couple of decades. I’ve always tried to work at the intersection of identity and developers, even before it was cool. One might argue that today it still isn’t cool, but we are all geeks and similar.
I’m very interested because this is a very promising way of raising the bar both in terms of security and quality of life for both our customers and developers. So I'm very curious to see what will happen in this panel. Before we start, I’d like my panelists to introduce themselves. And you can fight for the right to be the first.
Nick Steele (NS): I’m Nick Steele, my Authn journey really started with WebAuthn. Back in early 2017, I was at Duo Security, before we got bought by Cysco. I was on a research team there and we were asked ‘what’s the next thing after U2F, after we move on from push MFA?’ which was Duo’s bread and butter at the time.
I went out and I found FIDO WebAuthn and it was in its early forms, back then. Actually, with the help of JC Jones, who was at Mozilla at the time, and the help of Evan Powers and some other folks in that early FIDO community, we were able to build one of the first public, open source examples of what a FIDO2 server looked like. Then taking that momentum to Duo and the open source community was how I got started and got me excited and kept me in the space.
Since then, I’ve been pretty active in the W3C working group helping drive the relying party. W3C tends to be pretty heavy on platform vendors, so Google, Microsoft, Mozilla, Apple. Vendors who are providing the hardware often don’t get the perspective from my side of the house where we, on the relying party side, need to make the standard usable with our applications.
So, with that in mind, I started, with the help of some of the other folks at W3C, the WebAuthn adoption community group. We’ve been closely with FIDO and Yubico to drive a lot of initiatives around education and adoption. We recently helped FIDO with a hackathon that they were supporting to help make WebAuthn more accessible to a lot of folks.
VB: Wonderful, fantastic, that’s a very pragmatic approach. Love it, thank you. And you, sir.
Simon Law (SL): My name is Simon Law. My journey into FIDO started way back. I was in the credit card payments space for my entire career and stumbled upon the FIDO initiative when I was working at Visa.
One of theses was, how do you increase conversion rates? So as you know, with ecommerce transactions now, you usually just type your credit card information and then magically, authorization happens. But as you know, there’s a lot of fraud that occurs. So, how can you increase security and also maintain convenience? That’s the tradeoff.
I got really excited when I started looking at the standard. At that time Visa was a board member of FIDO, but wasn’t very active in the user group. So I took the initiative to actually participate. The intersection of strong authentication with digital identity and ecommerce and payments is going to happen. I’m really excited to see how that’s going to come about.
There are attempts to do this in a proprietary way, through Apple Pay and whatnot, but I see the industry looking for a level where its standard across all the platforms and you really get that assurance from the hardware and biometric. That’s the exciting part.
VB: Thank you Simon. We are going to have three open-ended questions, which we’ll do. In the meantime, think about your questions. Because if you don’t, then we’ll have a very awkward silence, or we'll break early. So, trade offs.
Let’s stay with you Simon. I’d like to hear your most open, expansive answer about ‘what is the biggest WebAuthn adoption blocker among developers today?’
SL: There’s basically two models when you go out to developers. There’s a model where you need to convince individual applications to go out and make the changes. I think where you will go out and get a factor of multiplication is where you are able to layer FIDO2 onto an existing standard.
A good example is OpenID Connect (OIDC) and Oauth tokens. You have an existing standard that developers are very comfortable with and then you layer a technology like FIDO WebAuthn on top of it and you get that simple developer experience.
In addition to that, I think there are opportunities where there are platforms that already host login, like Auth0, where they may be able to offer to a large segment of existing clients. That’s where I think you get that huge multiplication factor where you don’t need individual websites to reinvent the wheel. All they have to do is turn it on and you get a great distribution channel.
I think figuring that part out will really accelerate the adoption of FIDO WebAuthn in the space.
VB: I’m very grateful that you said it, because if I had said it, I would have been selling your stuff and would no longer be welcome at the conference. Instead, you said it, so I can say ‘plus one, I agree’. In the previous session, it was just that.
The app was using OpenID Connect through Auth0. The app does not really tell you ‘now is the time to do authentication’ because now it is necessary to authenticate the user. If you deem it necessary to use WebAuthn, that’s what you do, but your relying party does not change. You could see it was still running in my application, I had to change the debugger in the settings on the service side. So, fantastic. I’m personally biased, but I love your answer.
Nick, let me read the question again for you. What is the biggest WebAuthn adoption blocker among developers today?
NS: Well, on the developer side one of the biggest blockers that remains is that there is a lot of terminology that can trip people up and confuse developers that are coming in with zero knowledge about what the WebAuthn or FIDO2 framework even looks like. When you have words like WebAuthn, and WebAuthn is part of FIDO2, and FIDO2 is CTAP, and CTAP2 is in addition to CTAP1 which is also U2F, it turns into a tangled web fairly quickly.
Providing materials and education, basically just showing diagrams being like ‘this is how it all evens out’ is something that folks need to get started on the development side. This is something that also causes issues with your time box.
I have a sprint in order to implement WebAuthn on my platform and I need to go out and spend more time learning about x,y,z. A lot of organizations now, that I talk with, really don’t have the luxury to go out and have a buy vs build conversation around WebAuthn. So, they have companies like LoginID and Auth0 that can provide WebAuthn as a service, which is great.
Back when I was developing, three years ago, there really weren't a lot of vendors we could look to to provide that. On the development side, it's gotten easier with open source libraries. There’s a lot of really good tooling, some of which I’ve written myself, and the libraries that are out there are actually becoming pretty robust. They have unit tests and are pretty much plug and play server applications for running WebAuthn.
That’s been great, but when it comes down to me as a developer needing to come in with specific organizational attributes I need in my WebAuthn request, that requires a lot more knowledge than me just plugging and playing these applications. I now need to know ‘maybe I need to use the metadata system’. Then that leads me down to ‘what is FIDO MDS?’
Having access to easy answers and being able to explain this to the rest of your engineers and the rest of your organization, how to explain this to your dev team, how to explain this to your executive board, I think, is one of those barriers that still makes it a little rough for adoption.
VB: I have a follow up question for both of you. Let’s see if you both vote the same way and we get a definitive position. Do you believe that the complexity which you just described is intrinsic in the problem and so the solution is better tools, better explanations, better adoptions? Or, do you believe that the technology might still be a bit rough around the edges and in order to get the job done it is just a function of how the technology works today, but we could design some things to solve this so people don’t need to understand all of this stuff? They can understand something at a higher level and still get the job done.
NS: I’d say the majority of developers can come into the FIDO2 WebAuthn space and find a solution and they don’t need to know a lot of the details in there. The other minority of engineers, folks in the finance space, folks in the identity space, folks in government, NGOs, and other government organizations do need to have a little more insight into it.
Those are the folks who need to provide documentation, testing tools, a more robust performance suite, and help support them. They’re going to be the folks that build FIDO2 and WebAuthn to last. The government only really looks at their internal systems every 20-30 years? We need to be able to help meet them at the next inflection point when they decide if they’re going to stick with WebAuthn and stick with the FIDO2 framework or move to something else.
VB: So, basically your answer is ‘it depends’. Thank you. Simon.
SL: Actually, I think there’s a lot of improvement there that needs to happen. When we’re engaging with clients, like you said at the beginning, Nick, there was a jumbling of the terminologies. But, I think the final piece that is really important is the attestation.
I still think that people in the industry still think that’s not needed. But, that’s actually the crux of what you want to do with FIDO and so that’s missing. I think the standards and the technology needs to increase so that it is for the average developer plug and play. But, at this time, it’s not.
So, the misnomer in the industry is that ‘all you have to do is a WebAuthn and that’s good enough’, but really you need the attestation, the MDS server, and all that. That;s really confusing right now. There needs to be that step up. I think once we solve that problem, developers will be able to adopt it and get that level of assurance that FIDO was originally intended for.
VB: Great. Wonderful. I’m not going to give you my opinion, because you don’t care (laughter). So, imagine that we are successful. Successful means that WebAuthn has become completely mainstream and the main way that people do authentication on the web.
What would the world look like? Say, 5 years from now, which is a long time, so things can change significantly, what will the world look like? Can you think of practices that happen today, but will disappear? Things that we are not doing today, but will start happening? What’s your vision of 5 years into the future?
SL: It’s a very good question. I’m going to take something that my co-worker, Bill Leddy, said that I’m very aligned with. I think the problem will be shifting to identity instead of authentication. I think authentication will be a harder problem for hackers out there and then they will go after the identity side of the equation. I think that part is still evolving.
My prediction is there is going to be a lot of adoption over the next 5 years, but it will still be a never ending problem. The next iteration will be to cheat you at the identity level. There’s technology now with liveness detection, getting government issued IDs, which is good. But, I think that’s where the fraud will come.
NS: My vision, I present two futures. My big dystopian future fear is that WebAuthn and FIDO2 will be only as a service instead of a centralized process. A lot of really good work, and I mean this in the nicest way possible, there’s a lot of really good work being done at Microsoft, Apple, Mozilla, Google to provide really elegant solutions to issues like account recovery and issues like federated passwords and cloud based credentials.
But, this still adds a layer of centralization that could cause a vendor lock that I’m afraid of. One of the really nice things that I find interesting about WebAuthn, after drinking all my blockchain Kool-aid at Gemini, is I am really interested in seeing is what does a decentralized WebAuthn system look like and where can we go from there.
So, I think in the future while there’s going to be these great really well thought out applications of FIDO2, from big vendors, I really want to see what’s happening in the decentralized space. Like trustless authorization and trustless authentication where WebAuthn credentials are being stored in interesting and new ways.
VB: Thanks Nick. Everyone in this audience knows that I am doing a superhuman effort not to comment on what he just said. I’m going to give the floor to John so he can ask his question and save me from doing something unrecommended.
John: My question was for Simon, it's kind of a half smart ass, half real question. When you talked about identity, I thought to myself ‘can you please define identity?’
VB: Wow, so we have another 5 hours right? (laughter)
SL: That’s a great question. Authentication is something that you do to prove you are yourself each time, identity is who you are. That’s the way I describe it to our customers. Hopefully, that answers your question.
John: I’d like to ask what Vittorio thinks of all the questions.
VB: I think for me, super quick, the biggest adoption blocker is the difference between the people who do the products and the people who use the products. So, we have the curse of knowledge where we are so deep into this that we say its key for everything. Even when we look at stuff, it's not key for the end user. In terms of the features, I honestly have no idea, but I hope it’s not what Nick suggested because I’m not a big fan. I’m a fan of user centric, I’m a fan of privacy, I’m not a fan of the klingon language and that elves are from the hills or elves are from the seaside, because they do not exist.
So, defining the grammar of the language which we are using to me seems an empty exercise when there is so much that we still need to solve. But we still have 1 minute and 5 seconds.
John: Sorry folks, I’m going to take one question here. Is attestation of the authenticator, or limiting aloud gestures, something that is readily supported in libraries today? How would you rank the difficulty of implementing this? Are any of you seeing this being asked for today?
NS: He’s looking for libraries that support attestation out of the box?
John: I assume he’s looking for being able to do select authenticators looking for attestation and so on. Limited use of gestures.
NS: Yeah, yeah, yeah that’s all easy config with a lot of the tooling out there. When you use the metadata, you have to have a way to talk to the metadata service. But, for the most part that’s a pretty standard option that you want to set when you’re running it. All the applications I’ve seen have the ability to say ‘user verification preferred’ that comes out of the box.
John: We’ve run out of time for questions. Thank you all for your time
