March 6, 2025

Guest: Anna Pobletts

Bio: 

Anna is the head of passwordless at 1Password. In her role, she oversees the company’s passwordless solutions, with a focus on bringing passkeys to enterprises and consumers around the world. Previously, Anna was the co-founder and CTO of Passage Identity, a developer-first passwordless authentication company, which was acquired by 1Password in November 2022. Anna is passionate about security and creating a safer, human-centric online experience. For over a decade, her work has been focused on identity, cryptography, and application security, with previous positions at the Department of Defense, Praetorian, and Twilio.

Summary: 

In this episode of the Virtual CISO Podcast, host John Verry speaks with Anna Pobletts, Engineering Director at 1Password, about the emerging trend of passwordless authentication, specifically focusing on passkeys. They discuss the definition of passkeys, their security advantages over traditional passwords, and the underlying public key infrastructure that supports them. The conversation also covers user experience, challenges in adoption, and how organizations can implement passkeys effectively. Anna shares insights on the future of passkeys and the role of the FIDO Alliance in promoting this technology.

Keywords: 

passwordless authentication, passkeys, cybersecurity, public key infrastructure, user experience, credential security, 1Password, FIDO Alliance, identity management, digital security

Takeaways: 

  • Passkeys provide a fully passwordless way to log into apps and websites.
  • The goal of passkeys is to eliminate human error in authentication.
  • Passkeys are tied to specific domains, enhancing security against phishing.
  • Public key cryptography underpins the functionality of passkeys.
  • Passkeys offer both security and convenience, making them faster than traditional logins.
  • User verification is a critical aspect of passkey security.
  • Education and awareness are key to increasing passkey adoption.

Anna Pobletts (00:00.098)
You’re listening to the virtual CISO podcast. Best insight on information security, security IT advice to business leaders everywhere.

John Verry (00:12.094)
Hey there and welcome to yet another episode of the Virtual CISO Podcast, with you, as always, your host John Verry, and with me today Anna Pobletts. Hey Anna.

Hey John, thanks for having me.

I'm looking forward to this conversation. I always like to start simple. Tell us a little bit about who you are and what it is that you do every day.

Yeah. So I am an engineering director and the head of passwordless at 1Password. So I’ve been in security pretty much my whole career, mostly product security, cryptography, identity. And I joined 1Password a little over two years ago when the company that I co-founded called Passage was acquired. And so since then I’ve really just been focused on all things passwordless, like educating users, educating businesses on

why they should go passwordless and how they can actually do it and you’re building tools to help them do it. So really all things passwordless.

John Verry (01:06.219)
Well, I guess people by now, I guess the topic also told, that’s what we’re about to talk about. Before we do, I always ask, what’s your drink of choice?

Ooh, I am a coffee person for sure. I feel like I’ve gotten more and more particular in my coffee taste over the years. You know, I love trying new beans from our local roaster and like acquiring new coffee gadgets, things like that. Definitely a coffee person.

And how many cups have you had so far today? Because you do seem a little bit high energy. Is this the normal Anna or is this a…

This is probably normal Anna. This is definitely normal. But I’ve had two today, and the third one’s hit or miss, depending on how the day is going.

Yeah, I don’t know that you can consider yourself a coffee aficionado if you’re only drinking two. Are they 24 ounce cups or eight ounce cups?

Anna Pobletts (01:56.024)
They’re definitely big and I have one of those cups that keeps my coffee warm all day, which is nice. So then I can like, make it last a little longer.

Yeah, I have not gotten to that point yet where I’ve bought one of those. So, but this is about my fourth cup and I still don’t have the energy you do. So maybe I should be drinking the coffee you drink.

Yeah, you should try it out. I’ll send you some tips.

Hey, there you go, I’m looking forward to it. All right, so passwordless is definitely becoming a topic of conversation. Passkeys, being one of the more common mechanisms for that, are slowly but surely entering our lexicon. So that’s really what I want to talk about today. So, to be fair, would you be so kind as to define what a passkey is as a baseline to the episode?

Yeah, I think that’s a great place to start. So passkeys are a new way to log into apps and websites that is fully passwordless, right? So it’s more secure and more user-friendly than with passwords. I think the best way, like we can get into all the details around public key cryptography and things like that, but I think the best way to think about it is that the goal is really to remove the human error from logging into these apps and websites.

Anna Pobletts (03:06.232)
by giving you something where the security is just built straight into the technology. If you think about passwords, the biggest problem is that you as the user have to think up a good password and remember it and make sure it’s unique across all your different sites. And with passkeys, all of that happens totally automatically. It’s really easy to use. And you get these really great security benefits like phishing resistance. And so from a user perspective, that’s kind of abstract, right? But from a user perspective,

It just looks and feels like you’re unlocking your device. Probably using something like Face ID, your Touch ID, Windows Hello, like that’s actually the experience that a user’s having when they’re using a passkey to sign into a website.

It’s almost in a weird way, they almost don’t realize that they’re actually using authentication, right? So it’s almost like a stress-free authentication.

Yeah, the goal is that it’s so familiar and so easy that you don’t really need to worry about it. And there’s no like, let me check if this password is secure or like, let me check if this is a phishing website I’m typing into, right? All of that security stuff kind of goes away and they’re just touching their finger or looking at their phone and all of it happens behind the scenes.

So anyone that would be listening to this probably has used passwords their entire life, right? So they’ve served us, I think we could argue, remarkably well for a long time. But increasingly we have change, which is making them more and more of a challenge, right? Password crackers mean that we need to make them longer and stronger, which makes them harder to memorize. So we end up reusing them or we end up writing them down in a place where we shouldn’t.

John Verry (04:47.502)
And that’s led to things like credential stuffing attacks, social engineering, you know, I mean, really business email compromise and somebody gaining someone’s credentials are the root of what percentage of breaches, a significant percentage of them, right? So what problems do passkeys specifically solve? And what is it that makes passkeys more secure than passwords?

Yeah, there’s a few things. So you touched on a few of them. One is the phishing resistance, right? So phishing, social engineering, one of the most common attacks against password-based accounts, especially when you add AI into the mix, like these messages are getting more and more realistic. People can use AI to call you and ask you for your password, right? And like impersonate your boss. And so there’s just so much burden on users to check and make sure that it’s okay to type their password somewhere.

With passkeys, there isn’t really anything to phish, and the passkey is tied to a specific domain. So any sort of like social engineering attack that uses a lookalike domain, you know, like facebook.com with zeros instead of O’s, isn’t going to work. Like your passkey won’t be able to be used on that site. So we immediately like eliminate a huge swath of attacks, which is really, really great. The other category you mentioned was credential stuffing. Again, like there’s not really a

credential to steal and use in that way, right? And so everything is public key based. So most really common credential based attacks don’t really apply in this scenario. And like I mentioned before, you kind of don’t have this thing where users have to put a lot of work into generating a good passkey, right? It just happens behind the scenes. You don’t have to worry about it. And I think it’s really interesting because this isn’t like the first time we’ve been like, passwords are bad, we need to fix it, right? That’s been a thing for

a while and we’ve tried different ways to fix it. We’ve tried multi-factor authentication. We’ve tried SMS login codes, like all of these different things. And they do add some security to passwords, but always at the expense of convenience or user experience in some way, right? You always have to change contexts and go to your email to look up a code or you have to get your verification app out and do an extra step. So you’re adding all of this time.

Anna Pobletts (07:06.464)
and energy to the login process. But with passkeys, the idea is you get all this security, but also it’s actually faster than logging in with a password or an email link or anything like that. So you’re getting the best of both worlds. And it’s the first time that’s ever happened, which I think is why it’s being talked about and really taking off right now.

It breaks, we have that traditional iron triangle, right? You know, so you’re saying, ostensibly, we get it, we get all of it, right?

Exactly. That’s my claim. Exactly. No downsides.

people better. Is that what you’re telling me?

John Verry (07:43.128)
Well, we’ll see. Now you laid the challenge out there. Now I’m going to find the downsides.

The key that we’re talking about, whether it’s credential stuffing, which is really a password reuse problem, people reusing the same password across multiple domains and someone testing that, hey, I found your password over here, can I use it over here? So it’s them capturing your password and reusing it somewhere else. We talked about the second one, which was a credential harvesting where people are stealing somebody’s credentials and then they’re using those credentials.

The idea here is that we’re not able to steal passkeys. Is that really the fundamental thing when it comes down to the bottom line as to why this is more secure? The passkey, correct me if I’m wrong, is unique per domain and it’s also difficult to impossible to steal.

Right. So it is unique per domain and per user and all of that. And very difficult to steal is the idea. You know, obviously if your passkey is stored in your iCloud account or on the, maybe it might even be stored in the TPM on a device potentially, or in your 1Password account, you know, if that account, the provider account is compromised, sure, there may be access to that private key, but that is a much higher bar of security than a password that you wrote down on a piece of paper, right?

Okay, you just opened the door to the next issue, right? You used the term private key, which is probably gonna scare the hell out of a couple people, right? Someone like me has been doing this a little bit of time. PKI technology is, I mean, I don’t remember what the years were, but in the 2000s or the early 2010s, every year was the year of PKI. This is the year PKI is gonna go mainstream, and it never did really go mainstream.

John Verry (09:45.422)
because of some of the challenges and costs and complexity to implementing it. But now, passkeys fundamentally are PKI, correct? So let’s talk a little bit about, we don’t want to get into a class on PKI, but explain a little bit about how PKI works at a business person’s level.

Correct.

Anna Pobletts (10:06.082)
Yeah. So behind the scenes, passkeys are built on public key cryptography. Been around for a long time, the basis for a lot of other stuff. But I think applying that technology here, you don’t need quite as much like global infrastructure as you do in maybe a traditional PKI world. You kind of apply it to passkeys, right? When a user creates an account on a website, a unique public key is created and stored on that website’s server.

while a private key is stored on the user’s device or in their iCloud or 1Password account. That private key never leaves the user’s device or device account, and it’s then used to cryptographically sign a challenge that is verified using the public key that the website has. So the public key is, of course, public. The website has it. They actually don’t have any sort of secret that could be stolen in a large breach of their database, which is another cool security benefit, right? They don’t have a list of…

hashed passwords, right? That doesn’t apply. That private key is, you know, like protected in your device or your highly secure provider account. And I think there’s sort of this like, you know, it’s been talked about a lot of like, can we use something like this to apply to passwords? And actually, like the underlying technology for passkeys is called WebAuthn. It’s actually been around for maybe like 10 years, but it was mostly limited to things like hardware keys, like YubiKeys.

and the credentials were not portable at all, which is where the really strong security came from, right? You have this key stored in a TPM on a device. And so the technology was really cool, but it just wasn’t really usable for the average consumer. There was no, there’s no fallback or recovery process. So it really only made sense in like an enterprise context. And then a few years ago, you know, passkeys emerged as they sort of exist today where providers or platforms like Google, Apple,

or 1Password could actually like store and then sync your WebAuthn credentials across all of your devices using your iCloud account, your Google account, your 1Password account. And so this change kind of made things, made passkeys way more accessible and like actually usable in a consumer context. And I think that’s why you’re suddenly hearing about it in the last few years of like, this is a technology that’s actually usable by regular people because realistically like,

Anna Pobletts (12:33.058)
people aren’t just gonna go buy a YubiKey to use to log into their Amazon account, right? Like that’s probably not realistic. And so we kind of had to like take this public key infrastructure and this protocol of WebAuthn and really like adapt it to be more usable in a consumer context.

Gotcha. And from a comfort level, I think for most people, this mechanism that we’re using is the same mechanism that we use for HTTPS and TLS. I mean, it’s the same math that is going on. And realistically, we’ve been using this now for, I don’t know, 30 years, 40 years, whatever the number is, right? And presuming that the private keys are protected well.

You know, we know this is a fundamentally proven, valid, non-broken, at least yet, mechanism. So quick question to that end, if I’m using an Amazon passkey, and Amazon does support passkeys, as I understand it, if I’m using an Amazon passkey, is it using the same public key that it does for the website, so I know that I’m talking to Amazon? Or is it a secondary set of credentials that it’s using for

for the passkey.

So every user on every website is going to have a different key pair, a different set of credentials. There are, in different contexts, there’s going to be different levels of verification you might expect. Like in a consumer environment, you can use any key. It can be from 1Password. It can be from iCloud. It could be, like, you don’t really care. In really high assurance use cases or an enterprise use case, you might actually want additional levels of verification.

Anna Pobletts (14:17.996)
that we can provide like, I only want my users to use passkeys from 1Password, say. That’s gonna be like a control that I put in place in my organization. And so you can actually, there’s a lot of sort of flexibility in where the keys come from and who is allowed to have them and what levels of verification you wanna do on top of that. But I think your fundamental point is correct that like, the technology has been around for a long time, and

the idea of passkeys being new and therefore being scary or maybe unproven doesn’t really apply here, and that it is certainly separate from your HTTPS/TLS infrastructure. There’s going to be a separate authentication layer of credentials.

Gotcha. Yeah, what I was referring to was like, is the public key that’s being used for the passkey the same public key that’s being used to authenticate the website? OK. And then getting back to what you just talked about. Underneath the covers, I mean, at the end of the day, a passkey is a digital certificate, I’m assuming, right?

No, it’d be different. Yeah, for sure.

Anna Pobletts (15:25.034)
It’s just a public key or a private key, right?

Right, right, which is technically a digital certificate, right? Like, is it X.509 or like one of the standards or is it something unique, you know? Yeah.

Everything is standard. There’s a lot of different algorithms that can be supported depending on the website and things are evolving over time to support new algorithms, things like that.

Okay. And then so what’s happening is it’s giving me effectively a small digital file, right? That is going to be kept somewhere, so that I can, like when I do Windows Hello, I’m assuming that that file is being kept on that local, either hard drive or in the TPM. By the way, TPM stands for, for the people listening.

trusted something module.

John Verry (16:10.592)
Okay, I couldn’t, I didn’t know what the P was either. I would have defined it and thought I looked really smart.

Like Secure Enclave, something like that.

I’m thinking T protection, identity, okay.

It’s a special place.

And the special part begins with P and we can’t think of it. But the TPM, so typically, I guess, on a regular machine it’s being stored there. Now, one of the things I did want to ask you, right, is you work for 1Password. 1Password is making a big push into the fact that you guys are able to store these as well. So that would allow us this ability where I could move from machine to machine and still log into my Amazon account with my passkey.

Anna Pobletts (16:54.378)
Exactly. So this was very much like one of the challenges early on was you’re so stuck in one device with a passkey that how do you then, like none of us just use one device, right? I have a phone, I have a laptop, I have a tablet. And so how do I actually use a passkey all those places? Well, I do have my 1Password account on all of those devices, right? That’s how I get my credentials in different places. Obviously you could use another password manager or you could just use your iCloud account or something like that, but

I think the usability aspects of being able to sync any of your credentials, whether it’s passwords or passkeys, vastly outweighs the fact that now we have to store those credentials in those services. But we’re all so focused on security and end-to-end encryption and things like that, that we’re making sure to provide that level of security.

And one of the massive advantages to HTTPS and one of the reasons why it’s pervasive is it’s transparent to us, right? Our browser, like when I go to log into Amazon, whether I’m using passwords or passkeys, the browser does a lookup and validates with my private key, that public key, it knows I’m talking to Amazon, and yes, I’m going to pass it my credentials. But it all happens without me being aware of it. So the same process effectively happens with a passkey.

I go to log into Amazon and I don’t really have to type in a password anymore because it sees that I’m trying to auth, it recognizes that I’ve got a passkey credential and that same validation and authentication process takes place transparent to me. So it looks like I’m no longer using passwords when I go to Amazon.

Yeah, exactly. I think HTTPS is such a good example of this. Like the security is just built into the technology, right? That’s such a good example. And so the goal with passkeys is the same. Like you’ll go to Amazon, you’ll click a login button, and then you’ll have to like do a prompt to say like do your Touch ID or unlock your 1Password vault, something like that. But the idea is you don’t have to like take a security action outside of that, right? You don’t have to.

Anna Pobletts (19:02.52)
type in a password or if you’re creating an account on Amazon, right? You don’t have to think up that password or be like, okay, is this actually amazon.com or is the O switched with a zero and this is like a lookalike site I need to be aware of. And so it takes all of that like thought process you have to do out of the equation, much like your browsers do with HTTPS now.

Roger. Now, if I had a highly privileged account, let’s say my retirement account, am I able to layer multi-factor authentication using Microsoft Authenticator or Duo or Okta or something of that nature as well? Can I have MFA layered on top of passkeys?

Definitely. It’s really kind of up to the website’s implementation, but that is a very common thing to do right now for sure. What I’m seeing a lot of really high assurance websites do is first roll out passkeys as a form of multi-factor authentication. So you might still have a password or maybe an SMS code or something like that, and then passkeys as that additional factor to provide additional assurance. And so…

for things like banking or things like that, you may want multiple forms of authentication just to be sure and they’re doing all this risk on the backend. But then for things like your Amazon account, maybe you don’t mind as much and you’re fine with just the ease of logging in, right? Yeah, so it’s very customizable, but it’s ultimately probably a decision for the website and what they wanna support.

Gotcha. And then so, like on one of my machines, I’m using Windows Hello. So when I log on, I put in a simple code, 460, I can’t remember what it is right now. Is that an example of multi-factor? Because the certificate is stored on the TPM within that machine. And then the second factor is the unique.

John Verry (21:01.029)
ID that I’m putting in at that point.

In passkey terms, we think about that, we call it user verification. So it’s essentially verifying that it is actually you, John, at that computer, because you typing in your pin or using your face ID or whatever is really unlocking access to that private key. And so it is sort of a second factor in a sense, but we call it more of a user verification step.

Right, I got you. I mean, it is really a second factor, right? It’s something else that you know, because otherwise what you’re saying is that somebody else sitting down at that same computer would have the same level of access as you, much the same way with PKI, if someone has your private key, they’re you. Yes. Okay. Gotcha. All right, so this sounds pretty damn good so far. So there must be some challenges that come along with this, right?

Exactly.

John Verry (21:56.174)
What are the challenges and how do you solve them? So before we got on here, one of the things I was going to talk about was access to multiple devices. Early on in passkeys, that was a little bit of a problem. And then smart people like 1Password came along and said, hey, no, we can solve that problem for you. What about things like bricked devices? What happens if my machine crashes and now I no longer have access to my private key? So let’s talk about some of the gotchas.

and how, you know, what they are and how we solve

Yeah, I think account recovery is for sure a big question we get a lot, right? Like this, if my device is bricked or I lose it or I, for whatever reason, just don’t have access to one or all of my devices, like what do I do, right? How do I recover these passkeys when it’s not something I could have just written down on a piece of paper somewhere and have access to that? And honestly, it’s not all that different from anything we have now. I think it’s kind of a joint

ownership over this problem between the providers, the place where you’re storing your passkey and the website, right? So providers like 1Password or Apple or Google can provide you ways to recover your iCloud account and to make sure you have access to those credentials. And at the same time, the website, you know, like an Amazon can also provide ways for you to recover your account in the event that you lose your credentials. And so I understand the concern, but it’s sort of like,

It’s really like, can we do better than what we have today? And I think we’re still kind of working through the best ways of account recovery, but it’s not nearly as bad as it was a few years ago when everything was tied to a device. And if you lose that device, you are just like totally out of luck. Now the provider can actually play a role in helping you recover your credentials, which I think makes the story much better than putting all of the onus on the user to have two YubiKeys, you know, for all of their websites. So it isn’t really reasonable or

Anna Pobletts (23:55.402)
and on the website to do the recovery. So a lot of that, we’re kind of still like working through a lot of that. I think that’s a pretty common challenge. What you’ll see with most websites who have passkey support is that they still support passwords, right? They are not actually fully getting rid of passwords. Most commonly, it’s sort of an option. And I think part of that is that passkeys are still kind of new to people. And so they want to roll them out slowly and not surprise users with something they’ve never heard of. But I also think part of that is learning

you know, what works well for account recovery? What challenges do people run into with passkeys that maybe we didn’t anticipate? How can we make the user experience better? And so they’re rolling it out slowly over time to make sure they can sort of see the benefits of passkeys without dealing with a lot of like churn for customers. And I think that’s kind of the other, the other like challenge I see is really just like awareness and adoption. Like there are a lot of people who still don’t know about passkeys and a lot of businesses who

have an opportunity to improve their business with passkeys, but just don’t really know or understand the technology. And so, you know, it’s a lot of education and awareness still to make sure that people see that this is, it’s here and it’s ready and it’s exciting and, you know, they should give it a try.

Would passkey recovery conceptually follow the already reasonably well proven password recovery mechanisms? I mean, you know, is it going to be that, you know, we know some secrets about you, you know, your high school mascot and your, you know, your first child’s name or whatever the, you know, the dumb things that we do or, you know, recovery email address, your recovery phone number. You know, ’cause at the end of the day, you know,

In one case where we’re storing your password on our server so you can come back, which I agree with you is probably one of the best values of passkeys, is because we can put, Have I Been Pwned will no longer be as important as it is right now. And it’s really just a matter of, instead of me storing a copy of your password locally, I’m

John Verry (26:08.184)
generating a new certificate for you and delivering that to you. The delivery part is easy because we can do that through HTTPS. So it’s really just a matter of as long as I can authenticate that you are who you are, it really shouldn’t be that much different than password recovery.

Yeah, I think account recovery is definitely kind of like the weak link in the sense that right now it’s kind of just whatever already existed with passwords, right? Ideally, that also changes in the future, but I think that is still a challenge with passkeys of like how can passkeys somehow make that account recovery process better? And I don’t think there’s a great answer for that right now, but I really, something I’m really interested in thinking about and like figuring out, because I think that is still, if your primary authentication becomes really secure,

then the weak link obviously becomes recovery, much as it is now even. And so I think that’s still a very interesting problem that isn’t 100% solved, but we’re working on it. We’ll see.

All right, well, solve that for me, please. So if I’m listening to this and I’m thinking, this sounds really cool, I’d like to mess around with it. How does somebody go about that process of saying, hey, I’m going to start to use passkeys? Individually first, then let’s talk about the SMB case second, right? So if I’m a consumer, how do I start using passkeys?

Yeah, exactly.

Anna Pobletts (27:18.882)
Yes.

Anna Pobletts (27:29.09)
Yeah, that sounds great. So from a user perspective, I would start with apps and websites that you already use today that support passkeys. Google, Amazon, Target, all support passkeys. And so I would really encourage you to go to your accounts on those websites and set them up. We actually, at 1Password, we have this directory called passkey.directory that lists all the sites that we know about that currently support passkeys. It’s…

I think it’s like over 200 now. It’s more than doubled just in the last year. And so surely, I’m sure everyone uses at least one of those 200 sites that are on there and you can go and just kind of like see and try it out. I really think once you kind of have that first experience as a user, you’re going to be like, I get it. Like this is really cool. And I think like seeing it in action really kind of causes that aha moment for people. So I’d really encourage that. If you’re a 1Password user,

you’ll be able to like save and fill your passkeys directly from like your 1Password app or extension, just like you do with passwords or anything else right now. And same, if you’re a Google or an Apple user and you use their password managers, it’ll all look and feel very, very similar to what you do with passwords today.

So let’s go to the same question. So I’m running a, you know, 100 person organization that is Microsoft 365 like most 100 person organizations are. How do I start using, you know, as a business, because it sounds great. How do I start using passkeys?

Yeah, so most of your providers like Microsoft with, you know, O365 or something probably support passkeys already. And so if you are like an admin for that organization, you can probably go in and turn on passkey support for something like O365. Again, there is very much this like prerequisite that websites have to do work in order to support passkeys, right? Like you as a user cannot just…

Anna Pobletts (29:30.594)
go start using a passkey on any website. And so I think it’s really one thing that I’m really passionate about is like the developers and the businesses and how we get more websites to actually support passkeys so that people can actually start using them, right? That’s what Passage, my company, before 1Password did, and that’s what I’m still doing at 1Password. It’s all about adding passkey support alongside of whatever you have already.

because I really think the only way to get true adoption is to tackle the problem from both sides. So from the 1Password perspective, we’re saying we can help businesses implement passkeys because honestly, it’s a lot harder than passwords. There’s a lot more nuance to how you implement it. And as a password manager, we can also help users manage their passkeys. And so we can kind of meet in the middle where both parties are really incentivized to use passkeys.

Question for you. Do I really, so if I’m, let’s say, using Microsoft 365 and I start using passkeys, do I really need to worry about whether all of the SaaS apps that I, you know, as long as they support single sign-on, right? I mean, you know, the reality is that once I’ve got the credential that says I am me, right, you know, from, I don’t know if it’s still a Kerberos ticket and all the old stuff that I used to know.

when I had some technical credibility. But at the end of the day, I come to the next website and I pass along the ticket and say, hey, Mr. Website Conductor, I’m allowed to ride this train. And I get on the train. And I don’t really need to worry if that would be passkeys. So in theory, I can take advantage of passkeys on any application that I’m already doing single sign-on with.

Yeah, for sure. I think if you’re, I would start with your, you know, O365, your Okta account, whatever that is. And it’s really cool in enterprise. Most of those products probably have controls you can add where you can specify specific types of providers or authenticators that are allowed to be used. You can really add a lot of security. If you want to distribute YubiKeys to all of your employees, you can, and you can make sure they’re always using YubiKeys. Or you can be a little more open and be like, as long as it’s,

Anna Pobletts (31:46.604)
you know, one of the providers that we list or know about, that’s okay. Passage by 1Password is more intended for like consumer product applications, like product companies who are building applications for the general public who say like, we use this thing internally, it’d be really cool if we could offer passkeys to our users, right? In like scenarios where single sign-on doesn’t make sense. But yeah, from internally, I would prioritize your sort of front gate IdP layer.

Sure. Right. Okay. So that implies that, you know, passkeys, like a directory like, I guess it’s Entra now, can actually support it. It doesn’t have to necessarily be a website, right? Any… And then…

John Verry (32:31.512)
Okay, that makes sense to me. So you hear about the FIDO Alliance. Yes. No, actually, I know what I wanted to ask you before that. Let’s go back to the YubiKey for a second. Right? So a YubiKey is a hardware device that plugs into a USB token. And I guess the TPM, which the P, we’re still trying to figure out where that is. We’ll never know. Just trust it. It’s that secret. It’s that go-to keep-in-secrets that they don’t even tell you what the P stands for. So.

We’ll never know.

John Verry (32:59.49)
So effectively what we’re doing is we’re storing the passkey on this physical device at that point, right? Why do people use YubiKeys? Like what’s the advantage of actually doing it that way as opposed to storing it locally or storing it in 1Password?

Yeah, I think there’s, well, so YubiKeys have been around for a while, right? And they are certainly the most portable version of a passkey in some sense, where you’re able to like take a physical thing, plug it into any computer and use it. So they are actually pretty portable in that way. The problem, of course, is if you lose one, then there’s not a great recovery story the way there is with like synced passkeys.

Well, YubiKeys are, I think, so powerful in an enterprise world where you really want management of the keys and the credentials. They provide a lot of management of those keys. They also are much more mature in those areas where synced passkeys aren’t really there quite yet with a lot of the management. I hope that one day they are, and you can get a lot of the same capabilities as an IT admin that you get with YubiKeys today in a

passkey that’s stored in a software provider. It’s just that we’re not quite there yet, but I would hope that someday we are.

And then I mentioned briefly the FIDO Alliance. Tell me a little bit about what the FIDO Alliance is for people that are interested in learning more about passkeys.

Anna Pobletts (34:25.9)
Yeah, the FIDO Alliance is, it’s really cool. It’s an open industry group that is focused on reducing our reliance on passwords. And they do this by promoting the like development and the use of standards like passkeys. So it includes members from all over the world. It includes websites of all different types and platforms and credential providers like 1Password. And it’s really

to get to be a part of this and collaborate with all these different companies and find ways to drive adoption of passkeys and improve passkey technology. There’s been a lot of cool stuff that’s come out in the last, even just in the last year, right? They have this really great new resource called Passkey Central that’s an implementation reference. We have started on a new specification that is for encrypted import and export of credentials. I don’t know if it’s sort of a side tangent, but…

If you wanted to, say, like transfer your, change password managers, right? Like move your passwords from one to another. The way you would currently do that is you download like a plain text CSV of all your passwords, right? And then upload it to another one. And so this import/export format is an encrypted version of that that allows you to transfer or share credentials between different providers, like end-to-end encrypted, fully secure. And I think it’s such a cool example of, you know, this was

driven by passkeys and a requirement to not have those private keys be downloaded in a CSV, but it’ll also apply to every other type of credential. So we’re also just like making the rest of the ecosystem more secure because of something that was driven by a passkey requirement. Just a fun side tangent if you didn’t know that about password managers.

I literally had the, when we were acquired last year and we had to move off the password manager we use into a new one and that was exactly the process and I’m like, I know I’m not the best file with every path, you know, you know, no longer an admin on my own desktop, but I can’t secure-shred this file. You know, what do I do? You know,

Anna Pobletts (36:22.85)
Crazy.

Anna Pobletts (36:27.118)
Yeah.

Anna Pobletts (36:36.098)
Yeah. And so I’m just really excited that all of these changes are coming and are being driven by passkeys and by the FIDO Alliance. So there’s a lot of cool stuff that they’re working on. I would highly encourage, if you work at a business that is interested in passkeys, wants to learn, wants to contribute, like you should learn more for sure. I definitely recommend.

So I’m trying to figure out if I should give you a second chance here. So you could either look really good or really bad. So let me give you a second chance.

Second chance of what?

I- I’m- You have to answer the question first. What is- What is FIDO? Stick-

All right, yeah, hit me.

Anna Pobletts (37:13.019)
Great, Fast Identity Online. I do know that one.

I was, it was good. Good point. You not knowing what the D was, was bad. People would have been like, yeah, 1Password off the list, man.

Fair.

Anna Pobletts (37:30.392)
We would definitely have to edit that one out.

All right. Did we miss anything?

Ooh, let’s see. I think I would love to share, I think a little bit about like adoption. I think it’s been like the last year has been really cool to see the amount of like adoption that’s happened. 1Password has hit some pretty exciting milestones to close out the year that we shared recently. We, let’s see, we’ve had over like over 4 million passkeys saved in 1Password and we have over 2.1 million

passkey authentications per month right now. And I think like what’s exciting to me is that it’s not just that the websites are adding support for passkeys, which is great and important. And we have this whole list of 200 websites and that’s great. But if users aren’t actually using them, that doesn’t matter, right? And so I think it’s cool that these stats really show that people are actually choosing passkeys over passwords. And I think that’s what’s really gonna drive

adoption and excitement and other websites to go add support is like proving that people are actually using it. You know, it’s not just the technology is there, but you know, people aren’t really choosing it. So I think that’s what’s been most exciting for me this year. And I’m just like really excited to see what happens next year.

John Verry (38:51.928)
Cool. And what makes, I’ll give you, what makes 1Password, if someone’s listened to this and said, right, she didn’t know what the P stood for. But other than that, she seemed pretty smart. Maybe 1Password’s a good product. Why should people consider using 1Password versus other password managers? Including, right, you mentioned a couple times, now Apple’s got some kind of password manager. Google’s got some kind of password manager. Why should people be looking at 1Password specifically?

Like what’s your, what’s your fragile sauce?

I think there’s two things. One is like user experience and convenience. We’ve always emphasized our usage as like a productivity tool, not just a security tool. And we will work in any ecosystem, right? So I have an Android phone and a MacBook. And so like those are not really the same ecosystem. And so 1Password is really well designed for a scenario where you use all sorts of different devices.

We also have a very strong security model that is not just based on a single credential. We have like a device machine-generated key as well. Everything is end-to-end encrypted. So 1Password itself even has no access to your credentials ever, even in the event that we were to be breached or something like that. And so I think our security model and our usability really have set us apart.

That’s cool. Also, so if folks want to get in contact with yourself or somebody there to chat about what you guys are doing over there?

Anna Pobletts (40:19.766)
Yeah, you’re welcome to reach out to me on LinkedIn or just email me anna.pobletts at 1password.com and check out like 1Password’s passkeys directory for kind of the latest updates on passkey things. I’m hoping there’s some pretty cool announcements in 2025.

Awesome. Well, thank you. This has been, this has been helpful. I think it’s a really cool topic. I’m glad I was able to finally get someone smart on to chat about it. So thanks.

Yeah, it was really great to be here. It’s my favorite thing to talk about.