00:00:00 Speaker 0: Hey everybody, I'm joined by my friend Will Johnson say hi Will. Hey, what's up everybody? Super happy to have you here. Thank you so much for giving us some your time today. So Will and I we met I in person. This is another 1 of those We met online first and then met in person in a conference. And I think,

00:00:20 I'm pretty sure where we met online first was through Egghead in the Egghead Slack. Is that right? Or did we meet first on Twitter? I think it was an Egghead first.

00:00:30 Speaker 1: Yeah, I think it was through AK at first, the same.

00:00:33 Speaker 0: Yeah. And then in person, I don't want to, like, I'm pretty sure, was it a React rally a couple of years ago? Did you ever come to 1 of those?

00:00:44 Speaker 1: No, it was actually, It was at React Miami. Miami. Was that the

00:00:47 Speaker 0: first time? No, no, no. Yeah.

00:00:49 Speaker 1: Yeah, it was. No way.

00:00:52 Speaker 0: What about last year at RenderATL? Were you there?

00:00:57 Speaker 1: No, I didn't go. I didn't go last year. I Think react Miami was the first conference. I went to like outside of Kansas City, so

00:01:05 Speaker 0: no We met okay, so KCDC you go to that conference as well, right? Yeah, yeah So I went to that conference in 20 Maybe 15 or 16 no no it would have been 2016 Yeah, were you there at that or maybe like I don't know if you remember.

00:01:26 Speaker 1: Yeah, no, I wasn't doing, I didn't start like getting into dev stuff until like 2018. So I wouldn't have been at that 1. I didn't know that was even a thing.

00:01:36 Speaker 0: I can't even believe that React Miami was the first time we met. That's crazy. I feel like I've known you forever. But it has been great to know you. And I'd like for the folks who are watching to get to know you too. Can you give us a little intro?

00:01:52 Speaker 1: Sure. Yeah. So my name is Will Johnson. I'm a senior developer advocate at Auth0 by Okta. I have 6 children who I love and we have a lot of fun together. And I spend a lot of time just helping developers, how to talk about different things with authentication,

00:02:13 authorization. I do a lot of education, I plan events and I go through a lot of things with a, like a developer first or a customer first mindset. I always think of how can I make this thing more entertaining, more easy, you know, simpler, whatever, whatever I can to make sure

00:02:33 that the person that's receiving is having a great experience is kind of what I like to focus on?

00:02:39 Speaker 0: Yeah, that's great. So you've been a part of education since like you first got into dev, with egghead, right?

00:02:46 Speaker 1: Yeah. Yeah. The first actually Joel, Joel is actually who gave me the advice I was I was I don't know I had said something on Twitter about because I had like just applied to this job and like didn't get it even though I really thought I did. And I was like, man, I really think I'm ready and I don't know what else I got to do. And then like Joel DM'd me and

00:03:06 was like, you need to write like blog posts and tell people like what you're learning and stuff like that. So that's actually how I got started. So I started writing blog posts about different things I was learning about JavaScript. And then I ended up working at Egghead, which is of course a web dev education company.

00:03:27 Speaker 0: Joel is awesome, isn't he? Like just super, super, like my strategy for success in my career has been do whatever Joel says It always works out great

00:03:40 Speaker 1: I Agree that that is something that's true do what Joel says take and He always has like recommendations for random things. Like off topic, he had told me about like this program to like loosen your hips up because I'm, oh, I haven't talked about that. Another thing

00:04:00 is like me and my kids got interested in soccer this year and I've never played soccer before or watched soccer, so I got super interested. So I wanted to start playing, but like 1 time I had like went out and played and got hurt like real bad and I didn't even do anything, But I was like hurt and sideline for like 6 weeks.

00:04:19 Speaker 0: Ouch.

00:04:20 Speaker 1: So Joel had talked about, there's like this program he did to like loosen up your hips so you can like move better and play sports. And I like, and it's like 21 days, I did it. And like my hips feel great.

00:04:32 Speaker 0: Like,

00:04:32 Speaker 1: so same thing with like, even if it's not career related, listen to what Joel says and you'll probably be all right.

00:04:38 Speaker 0: That guy, yeah, seriously, Jay Hooks on Twitter. If you're not following Joel, you should. He's just a real pleasure. I should have him on here. But yeah, so, well, with your work over at Okta, or Auth0 by Okta, you're focused on the

00:04:58 education piece of that, But there's something really exciting coming into the world of authentication that I know you're excited about, I'm interested in, and we don't cover in Epic Web. So this would be a pretty cool opportunity to talk about that. And that's passwordless authentication or web authen.

00:05:20 Can you first talk about like, what is the problem with the way that we do authentication in the modern age? And how does passwordless auth solve that problem?

00:05:34 Speaker 1: Sure, yeah, we can talk about that. So, I mean, there's a lot of problems with passwords, in my opinion. Like number 1, probably the, if you're trying to make a secure password or a good password, it has to have different characters, uppercase,

00:05:54 lowercase, you know, numbers, letters, like, all of this stuff, be at least 15 characters and things like that. So it makes it incredibly complex for you to be able to make a good password. And at the end of the day, that super complex password is also super hard to remember.

00:06:14 Right, And that's not a good user experience, right? You got something that's super long that you can't remember, but if you do happen to remember it, and if you really think about it, humans in general, we're not necessarily remembering the password. We're remembering the pattern on the keyboard. That's what you're actually remembering, right? So that's what you got stored

00:06:35 in your brain, just that pattern. So you, as humans, we wanna keep things easy. So what do you do? You reuse that password somewhere else, right? And that's not a bad thing, right? As in, it's not a bad thing that you're doing, right? You're not committing a cardinal sin.

00:06:55 It's just that the way that passwords are implemented, it kind of almost forces you to have to take that route, right?

00:07:04 Speaker 0: Yeah.

00:07:05 Speaker 1: But then someone breaches your password because, you know, no password or impregnable humans aren't as random as we think we are. Right. Someone says that password, they put it into a dictionary of breach passwords, someone accesses the dictionary and then they run that password on a bunch of different websites

00:07:26 to see where they can get some hits. And now people log into your information. So it's just that passwords in general, just in the way, especially with our lives being more and more online, they're just not really a good way to try to keep your data safe. And then we have different ways to try to

00:07:46 make it more secure, right? So we could use a pathway manager, use one-time passcodes, use magic links and all these other things, but really they're just more steps for the user, more things that you gotta remember, more things that you have to keep up with and you know what if you break your phone right like real

00:08:06 story I had just just got a phone I don't know like a week it was like I had it for like a week I went to the gym and dropped the dumbbell on the phone smashed the entire screen right So I tried to like order it through, you know, the insurance or whatever, but in order to order replacement, it

00:08:26 sent me a code to the phone. Oh no. So I couldn't even, you know, get a replacement phone because they had that security measure set up. So that's kind of like the problems that we have with the passwords. It takes so

00:08:46 much for the user to be able to keep it secure. And even then it's not necessarily secure because there are still ways around it. Right. So that's what, go ahead. If you want to say something.

00:09:00 Speaker 0: Yeah. Yeah. I, I think, it's probably important to call out that, like, I can almost hear some people in the background saying, yeah, well, like, if you would just do these 6 things, then like everything's fine. And I don't disagree with that. Like, you can absolutely make yourself more secure. But we're web developers and we're building products

00:09:20 for users and we cannot force our users to do those 6 things. And on top of that, I mean, I suppose you could force them to do that in the way you design your software, but you're going to have a hard time having happy users. And so like we're trying to make a good user experience here.

00:09:40 And so the fact that you have to do these 6 things to make your password authentication secure, kind of makes you wonder if maybe there's another way to do this.

00:09:55 Speaker 1: Yeah, exactly. And that's like the part that I don't like either As a user myself, right? The experience is not good. And yet, like you said, there are 6 steps. Like why would you want to have your user do all of those things, right? Because at the end of the day,

00:10:15 right? Like the website that I ordered that phone on, I'm not looking forward to going back there. Right. Because of that particular user experience. So those are the things that you want to think about because a bad authentication experience can leave a bad taste in your user or your user's mouth and not want them to, you know, return or avoid it as

00:10:35 long as possible. So that's kind of what I like about the password list specifically with WebAuthn. So with WebAuthn, instead of storing any of your credentials or anything like that, it uses public key cryptography. So there's a public key and a private key

00:10:55 that gets created at the time that you're registering the website or registering your authenticator to the website. And the private key itself is stored on the device. So none of your like private details are sent to the server. The only thing that's sent to the server is the public key and that gets saved with

00:11:16 your user ID. And then when you want to log in again, the public key and the user ID are retrieved. And then it does some stuff like that to verify everything is correct and sends it back. But no 1 has access to your device if it's

00:11:36 on you. So of course, if you fell asleep and someone unlocked your phone with face ID, of course, but you but not like An attacker from another country who's stolen your passwords off of, you know, the web, the web somewhere can get access to it.

00:11:52 Speaker 0: Yeah. Now I think that's a important distinction. There are a lot more attackers on the internet than there are people around you when you're sleeping. So, and the fact is like, if they got into your phone in that way, then you're pretty much borked anyway. So, I think it doesn't make much of a difference either

00:12:12 way. Now, so this is really interesting. And we don't have to go too deep into the actual implementation details of how pass keys work. But I think if I understand it right, then the basic idea is now your phone is basically the password or whatever device or authenticator app. So like 1Password

00:12:33 also has support for storing pass keys. So whatever that is, is gonna be your, effectively your password. And that communicates with the website and says, here's my public key, I guess. And then the server says, okay, let me check that. Oh, yep, you are who you say you are and now

00:12:53 we can let you in.

00:12:55 Speaker 1: Yeah, pretty much. That's a way that you could look at it. So like you said, the private key is stored on the device or whatever service you may use that supports FAST keys. And it stays there and you can, when you do want to log in, Yeah, it gets

00:13:15 sent. So what happens is that it sends a challenge. So the server, it grabs the public ID that matches with that username and your ID that it gave you when you registered, it sends it to the authenticator with a challenge, then the challenge is what gets signed and verified. And

00:13:35 then it gets sent back with the okay to the server, unless you win.

00:13:40 Speaker 0: Gotcha, gotcha, that makes sense. Okay, so this has a couple interesting implications. For 1, having your password be effectively the device or the authenticator app means that if you lose the device, then you lose access to your account. So, What are the

00:14:01 ways that you can sidestep that particular problem?

00:14:06 Speaker 1: So a few of the ways is that you could be, you could, you know, have multiple devices, right? That's, you know, always a way. So if you had a phone, right, as you, that you're using as like your main thing, then you could get like a security key, like the YubiKey

00:14:26 or a Google Titan. It just, we just want to have some type of backup. I would recommend that you don't have a password as the backup, but that's 1 way to mitigate it. But that's 1 of the things that makes PassKeys itself different. So there's WebAuthn, which is a browser-based API

00:14:46 that you can use to create passwordless login. But pass keys, when you're implementing pass keys, is that the private key, instead of getting saved on the device, it gets backed up to the cloud, right? So that could be the iCloud, you know, or the Google, you know, password manager, it'll be

00:15:06 saved there. And then you can access it on different devices. So if that's something that you are worried about, which isn't a legitimate concern, you can actually use the pass keys implementation of using WebAuthn. And that way you can have it synced across different devices. And so if you lose your phone, it's

00:15:26 not, you know, the end of your logging in experience.

00:15:31 Speaker 0: Yeah. Yeah. I think what's interesting about this is that whether you're using 1Password or iCloud or Google to sync all of those, at some point, like you're signing up, getting a new device, you have to sign into that service

00:15:51 to be able to authenticate your new device on these other services and things. And you signing into that service will probably involve a password. And eventually, I would actually be interested in your take on what the future of that is in particular, but I think

00:16:12 the point isn't necessary, let's like kill all passwords, but let's reduce the number of passwords we rely on. And also, like if we do need to have a password for 1 reason or another, let's make it so that people don't have to enter it very often. And so like, then it's okay for them to, you know,

00:16:32 have longer ones or like they never, they don't have to go through the whole 2 factor auth flow and all of that because it's still more secure to have a pass key. Is that kind of your take or what's your take on that?

00:16:50 Speaker 1: I mean, for me, of course, you know, no 1 knows what the future holds, but I think that the more and more that we evolve for us like security, we're getting more and more digital. I think that like as of right now, will we completely

00:17:10 replace passwords? Maybe not, maybe not in the next, you know, 5 years, but 10 years, 15 years down the line, I feel like we will do away with passwords and have more unique identifiers, like more ways, you know, more things with biometrics or, or using your actual, you know, real identifiers,

00:17:31 right? So if you, like OffZero, we just launched support for mobile driver's licenses, right? So that's something that's, you know, verified in the real world, right? You got to have an address, a social security card, a birth certificate. You gotta have quite a few real-life documents to

00:17:51 verify that you can own this driver's license, right? So that would be a pretty good way to use as an identifier over a password, right? So if we have like digital versions of that that have been verified, you know, through the proper parties that say who you are, that'd be a good way to, you know, get

00:18:11 rid of passwords because usually only you can get those. So I do think in the future, we will get rid of passwords and just use different ways to identify each other that are more personal and unique. Just because passwords is caused, you know, data breaches and like so many problems,

00:18:32 you know, throughout these years. And it may have worked, you know, back in Aladdin's times when you can say, you know, open Sesame and only the only person who knew it was, you know, that person, but, you know, these days they're just too easy to access.

00:18:49 Speaker 0: Yeah, yeah, that makes sense. I agree, there's definitely a problem there. Still, I think it is something that users are kind of expecting and pass keys are pretty new. Like literally just days ago, I got a notice that 1Password added support. And I think

00:19:09 Google also, I got a notification in my browser that said, hey, we've got support now. And so it's pretty new. And so definitely something interesting. And that's why it's actually not included in Epic web. I was thinking about it, but it was just like a little too new for me to say, this is how you do it. Like

00:19:29 people paid for it. Cause I don't know, I got to play with it first. That said, actually, there is an example of the Epic Notes app that people are building. It's with the Epic Stack, where somebody put together WebAuthn with the Epic Stack. And so if you do want to look into what things would look like adding

00:19:50 Pass keys, then you can take a look at that So I wanted to ask also what about? Things that where I've got a mobile app in addition to my web app so we have web auth n for doing pass keys If I've got like a desktop app, and so Mac and Windows, and then we've got Android

00:20:11 and iOS, and do all of these other platforms have implementations of like where we could use a passkey for those?

00:20:21 Speaker 1: As of right now, I do not know. I do, what I have seen is that usually if it's done on a mobile app, It takes you to the browser to do it. And even the same thing, if I have seen it on a desktop app, it takes it to the browser. So to be honest,

00:20:42 I don't know that there is any like native ones for those. Any implementation I've seen so far redirects you to a browser to do the registration and authentication.

00:20:53 Speaker 0: And honestly, I think that's actually great. The web is really awesome. In fact, folks watching this will be in the Workshop app, and to authenticate the Workshop app, you are authenticating your device. And so rather than setting cookies in the browser and stuff, we wanna authenticate the device so that every Workshop app

00:21:13 you go through, you're authenticated, whatever browser you're using, you're still authenticated. And in fact, some of the exercises I say, okay, now clear your cookies. And I don't wanna log you out when you clear your cookies either. So yeah, so we authenticate the device and the process for that involves opening up a separate window

00:21:34 to talk to Epic Web Dev directly. And you go to epicweb.dev and say, yep, confirm this device. And then it sends back a code like this OIDC flow, which is pretty interesting. And so, yeah, that is what I would expect for pretty much authentication for all of these different platforms. Just

00:21:55 like either, you could open up in the browser or I wonder if you could even just do like native has their web views and stuff like that. And you can make it look like it's just part of the app too. So, awesome. So what else is exciting in the authentication space that people should keep an eye out

00:22:15 for?

00:22:17 Speaker 1: Oh man, there's a, I mean, there's a lot, like I said, the, the, the mobile driver's licenses is an interesting thing. And there's also the verifiable credentials, which is kind of the same thing like mobile driver license, but digital versions of real artifacts. So for example, like

00:22:37 your college ID, right? Or even like the ID thing, you know, it's kind of, let's say if you want to go, if you're someone who drinks alcohol, think how much personal information you give like a 16 year old cashier at a gas station, you know, just so you can prove that you're allowed to buy alcohol. You

00:22:57 give your address, your birthday, the expiration date, you give them a lot of information just from the check that, you had like a digital version that could just be scanned where they don't have to see all your personal info, right? That'd be a lot easier. Yeah, that's what I like about verifiable credentials. If you wanna confirm that, you know, you're an alum or something

00:23:17 like that, or you get access to special financing, you can just pass in that verifiable credential that's been verified through all parties. So it's, you have to get the okay from the school and from like whoever issued the ID. So it's not like it's easily forgeable and verify

00:23:38 who you are. So I think verifiable credentials is something to keep an eye on. And another thing is that I just seen a talk from Angie Jones about Web5 and like decentralized identifiers, which I don't know if anyone uses BlueSky, but that's kind of an example of, you

00:23:58 know, that username that you have in BlueSky, you could potentially take that username and that data to other social media networks if they support Web5. So I think that's an interesting thing to look at as well. So I feel like the future of identity and online authentication things are very, very exciting.

00:24:19 And 1 more thing that this was actually launched recently by Auth0, cause I feel like authentication has moved fast, right. As far as like the innovations that we made to make it more secure. But the other side of that coin is authorization, which is, you know, saying what you have access to, hasn't

00:24:40 made those same strides. So 1 of the things that we're working on is called, fine grained authorization, and it's based on like relationships of able to show what data you know your access to and Instead of just what we usually do is just you know, try to add roles. But as your company gets bigger

00:25:00 and more people have access to more things and don't need access to certain things. The roles just, you know, role-based access just isn't enough to cover all those use cases. So like open or find grant authorization is kind of the catalyst for trying to solve that, the authorization

00:25:20 problem that we currently have. So I'd say those are the 2, the 3 things to look at. Verifiable credentials, decentralized identifiers with Web5 and fine-grained authorization. Those are like the most exciting things for me that I'm like, you know, digging into as time goes on right

00:25:41 now. I'll more than likely give a talk on Verify for Credentials probably in the next, you know, year or something like that as more comes out about it, because I'm also pretty excited about that.

00:25:52 Speaker 0: Yeah. Yeah. That 1 sounds actually really interesting to me. So with, does the driver's license fall under that category of verifiable credentials? Is that the same thing, same sort of thing?

00:26:03 Speaker 1: Yeah, it is.

00:26:05 Speaker 0: Yeah, so would that mean that I can finally stop carrying around a wallet and I can only carry my phone?

00:26:13 Speaker 1: Yeah, which is kind of like, you know, weird that everything has like come to the phone these days. I always think about that. There's like this video of it's like someone's desk and it has like a radio, a calculator, a calendar, a portable music player. And like As the video, the time lapse goes on, all of those things just start disappearing

00:26:34 out the picture. And the only thing that's left is the phone.

00:26:39 Speaker 0: That's cool. I love it. I think it's awesome. Yeah, so I know that you European folks, you're like, wait, you have to carry a wallet around? But yes, in the US, we have to carry our driver's license everywhere, and it's the worst, I hate it. So that, and that's like a standard. It's not just

00:26:59 like a Okta thing. That's the credentials thing.

00:27:04 Speaker 1: Oh yeah, Verified Printers, no, that's not a Okta exclusive thing or anything like that. It's being worked on by a lot of people. And so We don't like officially support everything about it yet, but it's definitely something that's in the works.

00:27:20 Speaker 0: Yeah, I love that, love that. Okay, and then the decentralized identity, that's pretty cool. When I signed up for Blue Sky, I remember like, just like anybody else, when their new social media thing comes out. You're like, oh, I've got to get my Username before somebody else takes it right? But once I got on blue

00:27:40 sky, I was like, why was I in such a rush? You can use your website like your domain. Yeah. Yeah. Yeah, and I love that I just thought that was that was great. And like that, that really helps with the, what's the word I'm looking for? Like the, the problem that the verified check marks were supposed to solve

00:28:01 or like impersonation, That's the word I'm looking for.

00:28:03 Speaker 1: Yeah,

00:28:03 Speaker 0: yeah. So I love that. And then the last thing you wanna say, or you talked about, I wanna dive into a little bit, because in Epic Web Dev, we go through and implement role-based access control. And actually I referenced a blog post from Auth0 as part of those instructions

00:28:23 for people to kind of get an idea of how that all works. And I think that it does work really well for some scales. In fact, for a lot of applications, you don't need permissions at all. You can like literally just say, you know, these couple of users are admins, they can do anything and everybody else is just a user for like

00:28:45 simpler apps. But then like the layer above that would be role based access control and that can get you pretty far. So I'm curious, what are, can you like describe a little bit more some of the challenges with role based access control? And like when would somebody feel like it's it's time for them to upgrade

00:29:05 from role-based access control to more fine-grained access that Okta is working on?

00:29:15 Speaker 1: Well, you know, just like with anything with web development, the answer is it depends. But it's like, for example, of course, like, yeah, if you're doing like a hobby project or something like that, and you, you know, need roles, You know, you don't really need to go that far but

00:29:35 you think about if you have like a 5,000 a 5,000 Member company and say Jack has a team of 100 or something like that, right? And you want

00:29:55 all of Jack's reports to be able to access the document, but then let's say that 1 of the managers down there, you know, doesn't need access because it's not his department or something like that. Like the bigger you get And the more the

00:30:15 relationships seem close, right? You have to go beyond just, you know, adding a role and, you know, calling it good. And so with fine grained authorization, it's relationship based access control. So you can, it's like, the access is very

00:30:36 granular. And if you wanted to, go ahead.

00:30:40 Speaker 0: I was just gonna say, yeah, that makes sense. Cause like, you'd have to have a role for like every single person. And like, typically the more permissive role wins in the event of a conflict. And so that would just, yeah, modeling that type of a role-based access control would be

00:31:01 pretty tough.

00:31:02 Speaker 1: Yeah, it's super. I've seen like some, you know, pretty like hard to wrangle examples. So like people were interested in that. Just like to get like more info, there's a open FGA.dev and it's basically an open source project that we have that kind of

00:31:23 helps with that fine grain authorization implementation. So if anyone like was interested in that, they could definitely like check it out to try and dive a little deeper. Cause

00:31:32 Speaker 0: like

00:31:33 Speaker 1: I said, I'm, I'm new to it myself. I find it interesting. But I'm by no means the expert on FGA. Not yet. You'll get there.

00:31:46 Speaker 0: Hey, that's very helpful. Thank you. All right. We're coming down toward the end of the time we've got together. Is there anything that we didn't talk about that you'd like to?

00:31:58 Speaker 1: No, not that I think not that I can think of.

00:32:01 Speaker 0: We covered lots of good stuff.

00:32:03 Speaker 1: Yeah, the main things that excite me, I'm excited to, you know, 10 years from now, we revisit this conversation and with no passwords, but I just wanna say thanks for having me And congrats on the launch and can't wait to, for more people to learn about the web from Kent C. Dots.

00:32:22 Speaker 0: Hey, thanks a lot. Well, awesome. What's the best way for people to keep up with what you're working on and, and to pitch in if they want to help out?

00:32:30 Speaker 1: Sure. The best way is on Twitter or X, whatever the name is this week, but it's Will Johnson IO, and that's all the way through Will Johnson IO. And then I'm also on LinkedIn and I have my full name, William Johnson. And those be the best places to reach

00:32:50 me. So if you have any questions, I love talking about, you know, authentication scenarios and, you know, helping you out through using, you know, implementations and things like that. So don't help to send me a DM. If I don't know the answer I will make sure I get you in contact with someone who can help you but I'm here available

00:33:11 to help if you need it.

00:33:13 Speaker 0: Well that's awesome. Thank you very much Will. It's been a pleasure to chat with you. I always enjoy our chats. And thanks everybody for watching. We'll see you later.

00:33:21 Speaker 1: See y'all.