Dan Moore from FusionAuth joins us for a wide-ranging discussion about modern auth strategies. We talk magic links, OTP, MFA, passkeys, password managers & so much more. :link: https://changelog.am/78
Ch | Start | Title | Runs |
---|---|---|---|
01 | 00:00 | Let's talk! | 00:38 |
02 | 00:38 | Sponsor: Retool | 02:45 |
03 | 03:23 | N.A.C. & Friends | 02:38 |
04 | 06:00 | Dan's auth credentials | 02:20 |
05 | 08:20 | I got the magic link | 00:32 |
06 | 08:52 | Sand in the gears | 05:54 |
07 | 14:46 | Different auth strokes... | 01:20 |
08 | 16:06 | Tailscale auth | 03:32 |
09 | 19:38 | Ask for more than you need | 00:34 |
10 | 20:12 | Reasons to dislike SSO | 02:28 |
11 | 22:39 | Just email/password | 03:56 |
12 | 26:35 | So many auth providers | 02:15 |
13 | 28:50 | FusionAuth is built different | 00:55 |
14 | 29:46 | The email comparison | 01:26 |
15 | 31:12 | Sponsor: Temporal | 02:01 |
16 | 33:14 | OTP: better magic links? | 03:05 |
17 | 36:19 | Passkeys FTW? | 03:42 |
18 | 40:01 | Adam's not sold on Passkeys | 01:59 |
19 | 42:00 | 1Password for life | 01:09 |
20 | 43:09 | Adam's passkey gripes | 02:37 |
21 | 45:46 | Passkeys are faster | 01:26 |
22 | 47:12 | No silver bullet | 00:52 |
23 | 48:04 | MFA separation of concerns | 03:50 |
24 | 51:53 | What good MFA looks like | 04:26 |
25 | 56:19 | Password constraints | 02:01 |
26 | 58:20 | Sponsor: Notion | 02:18 |
27 | 1:00:38 | Adam's luke warm take | 07:16 |
28 | 1:07:54 | Microsoft Authenticator | 03:45 |
29 | 1:11:38 | Jerod's luke warm take | 01:41 |
30 | 1:13:19 | Over The Top! | 02:17 |
31 | 1:15:36 | Sophisticated truck drivers | 00:38 |
32 | 1:16:14 | Survey says! | 00:34 |
33 | 1:16:48 | Where the money is | 00:44 |
34 | 1:17:31 | Dan's auth solution | 03:04 |
35 | 1:20:36 | We're doing it wrong? | 01:29 |
36 | 1:22:05 | Some Google auth love | 01:51 |
37 | 1:23:56 | All the ways | 00:39 |
38 | 1:24:34 | Connecting with Dan | 01:02 |
39 | 1:25:36 | Bye, friends | 00:09 |
40 | 1:25:45 | Coming up next | 01:01 |
Whoa. That's a lot of chapters :)
As one of the Changelog "losers" I believe that the baseline should be username and password. I'm reluctant to create an account on a site that does not offer username and password. I personally despise magic links because they are 1) slower and 2) tied to an email that most likely isn't using a domain that is owned by the user. Admittedly I'm a truck driver in this situation since I'm educated on the machines I'm using and have specific needs for my flow.
Dan is great to chat with! Glad you guys had him on again. He and I went to school together a lifetime ago.
Also, regarding OAuth, a lot of places don't implement it correctly. For example, if you use your Google account to authenticate to a site, the site would mistakenly tie your email address to your user identity instead of the Google account ID. Then if you change your Google account email you can no longer access the site even though it's the same Google account.
Ah that makes a lot of sense. I've changed my GitHub name and recently had trouble accessing things. Didn't realise that was incorrect implementation.
I for one don't want to create a new account at every web site I visit. I like it when they have auth so I don't have to worry about keeping track of another password in my manager.
With a password manager I don't mind creating accounts. I prefer it. Gives me a single place to audit my accounts versus having to remember which N sites I signed into with which N auth providers.
When I build something, I like starting out with an OAuth implementation because it feels like less of a security burden on me. Though I would definitely want to have basic email/password auth as well before trying to go more mainstream.
Also, as a Windows user, my feelings about MacOS are the same as Adam's feelings about Windows (but in the opposite direction). I find the MacOS UI childish and clunky. I was a huge fanboy of MacOS about 20 years ago, but it feels like the UI hasn't evolved much since then (Who remembers how long it took them to add the ability to resize a window from the corner?) It's probably just whatever you get used to :shrug:
Nabeel S said:
... Though I would definitely want to have basic email/password auth as well before trying to go more mainstream.
I wonder when/if Passkeys will replace email+password as the baseline for authentication?
Are passkeys as a baseline even possible? It seems to me like passkeys are generated only after authenticating the user some other way (password + OTP for example).
Passkeys are designed to completely replace passwords, and even password+2FA
https://www.passkeys.io/
That said, there are various issues that make this sort of tenuous for users that inhabit multiple ecosystems
e.g. if my only credential for Instagram is a Passkey in the Apple iCloud keychain, then I completely lose access to my account if I switch to Android
I think passkeys have potential but honestly I really want something like mozilla persona. I want to be able to create different persona and use them as I want across various apps and web sites. Use this web site https://www.fakepersongenerator.com/ and create a bunch of fake people and use them as I please.
For OAuth in company environments, there is one big benefit: insider threat mitigation.
Imagine an employee that gets let go, but they have a username/password login into some critical 3rd party service (AWS, Stripe, etc...). While an IT department can easily disable a Google account, remembering to disable access to all 3rd party websites is a lot more work for them. With OAuth, it helps mitigate a bad employee.
@James Wendel This is where a good password management app comes in. You can share logins without exposing the password to the employee and you can revoke their access when they leave or move from one department to another.
@Tim Uckun "without exposing the password" is a deterrent, not a guarantee. OAuth is much safer here. (1Password says as much).
https://1password.community/discussion/144413/how-to-share-password-without-revealing-password
Our local news channel did a story about passcode predators: https://youtu.be/ln2w74nqBcw?si=9RT_Buff0jSarihW
Didn't realize this was a thing and we probably shouldn't have so much financial power in our phones.
That's the future though. In China every payment for everything is made on the phone. Even purchases for less than a dollar. Elon is trying to do the same thing in the USA with xitter (this explains why his target in the US government was government payment systems.)
In my case my phone is my primary 2FA. I have Authy on there, passcodes for various web sites, and mail and notification based 2FA including one time passwords, and text message based 2FA.
It's just too powerful and convenient to ignore.
What's hilarious is that for some people the phone is locked by a four digit pin so your master key is stored under the flower pot on the porch.
On password strength, how far does anyone else get in https://neal.fun/password-game/ ? :P
Hello Changelog folks. I enjoyed this episode, thanks for that. One thing I feel like didn't get emphasis: passkeys are meant to prevent phishing scenarios where users are tricked into typing their credentials into scam sites. This is a pretty huge deal.
Yeah I suspect that didn't get enough passkey-specific discussion because password managers and magic links offer the same benefit, so the discussion was more about how passkeys differ from those patterns :shrug: . Good point though :thumbs_up:
Yeah, the mistake technical people often make is evaluating passkeys from the perspective of already using high-quality password managers and having strong random passwords and MFA set up. From that perspective the benefits may not seem high. But the real benefit is for ordinary, non-technical people who will never have that kind of protection.
I think we missed the window for Passkeys to actually take off
Most non-technical users probably tap the "login with Facebook" button everywhere already
Passkeys would have been terrific before social IdP became so prevalent
We are fast approaching the window. The Big Three are pushing it: Apple, Microsoft, Google. The rest will follow. Logging in with Facebook etc. is already kinda tainted because of data privacy issues. Now we finally have a great alternative.
It also solves the problem of fragmentation of IdPs: which provider did I log in to this site with? Google? Facebook? GitHub? This was mentioned in the podcast.
Until all the different cloud keychain vendors implement some standard for passkey portability, the privacy and fragmentation problems will still be prevalent
"did I login using my iPhone or Chrome here... ?"
I would imagine most iphone users would prefer to login with apple instead of facebook.
Passkey portability is actually not that important. I wrote about this: https://dev.to/yawaramin/youre-thinking-about-passkeys-wrong-171o
'Did I log in with my iPhone or Chrome? It doesn't matter; if either doesn't have a passkey, I will just be guided to set one up.'
Perhaps we just need more Passkey adoption from more websites: https://www.passkeys.io/who-supports-passkeys
Seems unfortunate that they aren't so ubiquitous that a list like this is practical
Adding a new auth method securely and with good usability is not exactly a piece of cake; these things take some time to plan and roll out properly.
@Adam Stacoviak a good 2FA authenticator is 2FAS. I use this and it's great. They have a browser extension that allows you to have autofill and submit for 2FA codes. The flow is: activate the extension, a push notification is sent to your phone, you authenticate with biometrics on that device and the code is auto filled for you. It is also smart enough to send you the next code if the current one is about to expire. :+1: Good stuff https://2fas.com/
Regarding free password manager options, my previous employer Dashlane (1Password competitor) has a free option, although it is quite limited. https://www.dashlane.com/personal-password-manager
And actually on that note, I worked on a pretty cool project there to integrate with Identity Providers. Basically you can only auth to something like Okta and get into your password manager, which is different, as normally your password is used as a key of sorts to encrypt your password. This also means that an admin can just disable your IdP account and not have to remove permissions within Dashlane.
It uses AWS Nitro under the hood. This is going pretty deep but if anyone is interested there is an AWS write up. https://aws.amazon.com/solutions/case-studies/dashlane-case-study/
Not an ad, I got laid off from there :joy: but it is cool tech
I remember Dashlane having pretty poor Linux support back in the day, but that's not a deal-breaker for many people :penguin:
"I got laid off from there but still speak positively about it" is a heavyweight testimonial :grinning:
Also case study with nitro secure enclaves in that context sounds fun :eyes:
Ron Waldon-Howe said:
I remember Dashlane having pretty poor Linux support back in the day, but that's not a deal-breaker for many people :penguin:
They got rid of the desktop app so it's all mobile and browser extensions :pensive: we tried to bring it back during a hackathon but I don't think that ever went to production
AJ Kerrigan said:
Also case study with nitro secure enclaves in that context sounds fun :eyes:
Yeah! It was a cool project for sure. I was focused on the frontend and interacting with it but even that had a lot of weird considerations compared to a normal server
I recently tried a bunch of password managers here is my very quick review.
Lastpass: Easiest to use for the average person, good price, good UX, good CLI, questionable company past.
Bitwarden: UX and GUI are not very good, Autofill doesn't always work, free option is very robust but pay them for the cheapest tier anyway because it's so cheap. Open source.
Protonpass: Slick UI, Free tier is OK but it ties you into getting proton mail too. Not open source, company doing questionable things lately so I deleted my account.
1Password: No free tier, didn't work better than the others while being more expensive.
Dashlane: Didn't try, free tier only on one device.
Keepass: Had problems with syncing in the past so didn't try this round. Also not very good UX.
I ended up using bitwarden but I am really torn. I need to share passwords with my wife and I don't want to inflict bitwarden on her. The only thing that might work for both of us is lastpass unfortunately.
Oh I use Authy for 2FA but also rely on text messages and notifications from some providers. Of course I use passkeys if the app supports it using the iphone.
I really wish somebody would sort this stuff out eventually. What happened to namecoin? What happened to Mozilla Persona? Are we always doomed to service our corporate overlords?
Yeah, I started with Bitwarden, added Proton, and have now dropped Proton
Bitwarden has a separate authenticator app, which I find useful because it's easy to export and backup
Tim Uckun said:
I need to share passwords with my wife but don't want to inflict Bitwarden on her
I feel this.
A few years back I replaced my LastPass family account with Bitwarden and I'm still the only person who uses it :sweat_smile:
I wonder what it would take to make Bitwarden work for the ordinary person. Seems like it shouldn't take that much work. Be able to launch the vault from the browser plugin, make both the vault and the browser add-on look better, change some of the terminology so it makes sense to human beings, etc.
Bitwarden did get a bit of a make over recently, but I think most of my family should probably just keep passwords in a notepad in a locked drawer :shrug:
Realistically, yes. Or even on a paper in their cabinet drawer in their bedroom. Impossible to hack remotely. The phishing problem remains though.
Perhaps LastPass have overhauled things since I left, but having switched from LastPass to 1Password I’d say the UX difference was huge, particularly on desktop. In particular notes on LastPass were laughably bad (fixed size annoyingly small text area, plain text) vs 1Password (nice UI, adjustable size, Markdown support). I’d describe the LastPass UI as passable, again, unless they overhauled it.
The LastPass UI isn't pretty by any means; it's usable though, and that's my point. You can get to the vault from the browser extension and it doesn't require a re-login, which a lot of them required. This whole "get to your vault from a click in your browser" thing seems so obvious that I am shocked everybody doesn't offer it.
Last updated: Apr 05 2025 at 07:14 UTC