The New Stack Podcast

Passage: A Passwordless Service with Biometrics

Episode Summary

Passage adds device-native biometric authentication to websites, allowing passwordless login on devices with or without Touch ID. In this episode of The New Stack Makers, Passage co-founders Cole Hecht and Anna Pobletts talk about how the service works and how developers can offer its biometric login to their users.

Episode Notes

Hecht and Pobletts have worked in product security for many years, and the recurring problem is always password-based security. But there really is no great solution, Pobletts said. Multi-factor authentication adds security, but the user experience suffers. Magic links, adaptive MFA, and other techniques improve things a bit but are still not a great balance of user experience and security.

“Whereas biometrics is the only option we've ever seen that gives you both great security and great user experience right out of the box,” Pobletts said.

The goal for Hecht and Pobletts is to offer developers what is hard to implement themselves: a passwordless service with a high level of security and a great user experience.

Passage is built on WebAuthn, a web protocol that lets a developer connect websites with browsers and a variety of devices through the authenticators on those devices, Pobletts said.

“So that could be anything right now,” Pobletts said. “It's things like fingerprint readers and face identification. But in the future, it could be voice identification, or it could be, you know, your presence and things like that; it could be all sorts of stuff in the future. But ultimately, your device is generating a cryptographic key pair and storing the private key in the TPM of your device. The cool thing about this protocol is that your biometric data never leaves your device; it's a huge win for privacy. Not Passage, not your browser: no one ever actually sees your fingerprint data in any way.”

It’s cryptographically secure under the hood with Passage as the platform on top, Pobletts said.

WebAuthn is designed for a single device, Pobletts said: one fingerprint, for example, is registered to one device. That does not work well on the internet, where a user may have a phone, a tablet, and a computer all trying to log into the same account. Passage coordinates and orchestrates between those devices to give an easy experience.

“So in my case, I have an iPhone, I do Face ID,” said Hecht, demonstrating the service. “And then I'm going to be signed in on both devices automatically. So that's a great way to kind of give every user access to the site no matter what device they're on.”

With Passage, a biometric is registered on every device the user adds, Hecht said; Passage handles the multi-device orchestration.

 

Use cases?

“FinTech people like the security properties of it; they kind of like that cool, shiny user experience that they want to deliver to their end users,” Hecht said. Beyond that, there is any website or business that cares about conversions, which Hecht called a general term: e-commerce, people who want signups and who measure success by the number of people registering and creating accounts. “Passage has a really nice story for that because we cut out so much friction around those conversion points.”

Episode Transcription

Alex Williams  

You're listening to The New Stack Makers, a podcast made for people who develop, deploy and manage at-scale software. For more conversations and articles, go to thenewstack.io. OK, on with the show.

Hey, it's Alex Williams of The New Stack. Today we're talking to the two co-founders of passage.id. Cole Hecht and Anna Pobletts are the co-founders. So why don't we just get started? Cole, we'll start with you.

Cole Hecht  

Well, thanks, Alex. It's great to be here. Passage, kind of in a nutshell, makes it really easy to add device-native biometric auth to your websites. And so I thought it'd be a good place to start just looking at our website, you know, Passage has this console that uses Passage. And it's a little bit of a different experience than what you typically see signing into a website. Passage will kind of automatically detect what biometric capabilities are built into this device. And so in my case, I have Touch ID built into my laptop. And so Passage will just prompt me to use that. And that smooth user experience really goes a long way with helping with your conversions, your signups, and it also is much safer than passwords.

Alex Williams  

So you use it on your iPhone, right? For example. Yes. But people might be using like a laptop, they might be using their iPhone, potentially, just to check something, or any other device. You know, how do you manage that environment, so people can just be going to one place where they can do their identification? So the

Cole Hecht  

protocols that Passage is built on top of kind of let us just use whatever is on the device. And so it can be Face ID on an iPhone, or Touch ID on an iPhone. And so that experience is obviously really familiar to iPhone users. But it's also Android fingerprint readers, or it's Windows Hello on a Windows Surface. Or in my case, like I said, Touch ID on a laptop. The protocols are generic enough that we can just kind of talk to the device. And the device is going to show the user what they're already seeing all day. And now

Alex Williams  

why did you start this company? What really prompted it for you? You know, why developers right now?

Anna Pobletts  

That's a great question. Cole and I have worked in product security for many years. And the recurring problem, endlessly, right, is that passwords are bad. Everyone kind of knows that. But no one really has a great solution. So we've done things like multi-factor authentication, which adds security but makes the user experience really hard. Or we've tried other passwordless options like magic links, or like adaptive MFA, things like that, that may improve a little bit, but are still not a great balance of user experience and security. Whereas biometrics are really the only option we've ever seen that give you both, that give you great security, great user experience. And it's just really hard to do. And so Passage's goal is to make it really easy for developers to actually implement those biometrics, so that you get kind of all three of those great things out of the box.

Alex Williams  

What is then the unique proposition for developers that makes this distinct?

Anna Pobletts  

So for developers, we're giving you this full UI/UX experience out of the box: complete biometric login on any device, with two lines of code. The gist of it is that it really gives you an opportunity to let us handle the authentication. And you get to focus on what you're really building. But we give you all of these great user features; you're not just building something as simple as username and password.

Alex Williams  

And then you don't have to rely on a VPN, for instance, or you can integrate it with a VPN.

Anna Pobletts  

Yeah, so this is really, we're really focused on consumer identity. So people who are just out in the world with their iPhones and things like that, trying to log into websites. And so you don't need anything else. You don't need authenticator applications, or YubiKeys, or anything else that you might need to like add additional security to your app. We kind of get all of those factors rolled into one, which is what's so cool, but it feels really easy. It feels just like that experience of logging into your banking app on your phone, where you just hold it up to your face. And that's the experience we want people to have no matter what

Alex Williams  

I want to hear about the use cases. But then I'd love to learn about the technical architecture. Our users, our viewers and listeners, always love to hear about the technical architectures. But tell me a few of the use cases. Cole, what are some of the use cases that are being seen right now?

Cole Hecht  

Yeah, Passage is great in that it's a very general tool. It can go on just about any website and work really well, also just about any tech stack. So React is like what Anna's using right now. We can go with Vue or Angular, Rails, Django, doesn't matter. It's a very versatile tool in that way. From a business standpoint, a lot of interesting conversations right now with FinTech people: they like the security properties of it, they kind of like that cool, shiny user experience that they want to deliver to their end users. And then any website or business that cares about conversions, that's kind of a general term. So that's e-commerce, people who want signups, who are measuring success by the number of people who are registering and creating accounts, setting up. Like, Passage has a really nice story for that, because we cut out so much friction around those conversion points. Those are a couple.

Alex Williams  

So you're building this for developers to then be able to build services with themselves. Okay, so it's not just for developers; it's for developers and the services that they build with it?

Cole Hecht  

Yeah, absolutely. I mean, Passage has like just the whole biometric security, privacy and user experience; like, we have so much to say to businesses and helping them do their business better. That is a huge thing for us. It's just that Anna and I are developers. And we know that the people who are actually putting code down and creating these apps and these websites, like, are developers, and so we want to start with them. We want them to love Passage just for that developer experience, knowing that there's so much to say to businesses, too.

Alex Williams  

So tell me about the underlying protocols.

Anna Pobletts  

Passage is built on top of a protocol called WebAuthn. It's been around for a while now; it's been developed and continues to be improved upon. But ultimately, it lets you connect websites with browsers and a variety of devices, the authenticators that are on those devices. So that could be anything right now. It's things like fingerprint readers and face identification. But in the future, it could be voice identification, or it could be your presence and things like that; like, it could be all sorts of stuff in the future. But ultimately, your device is generating a cryptographic key pair and storing the private key of that in the TPM of your device. The cool thing about this protocol is that your biometric data never leaves your device; it's a huge win for privacy. Not Passage, not your browser: no one ever actually sees your fingerprint data in any way, which is really cool. So your face or your fingerprint unlocks that private key, which is used to sign data that is sent to the server, which is Passage in this case. So it's all kind of very cryptographically secure under the hood. And we just get to build a platform on top of that. The tricky thing about WebAuthn is that it's really designed for one single device. So you authenticate one phone to one fingerprint. But it doesn't really work well in a normal internet world where you have a phone and a tablet and a computer all trying to log into the same account; it gets really complicated. And so that's why Passage is so important, because we coordinate and orchestrate between all of those different devices to give you a really easy experience. And what's the

Alex Williams  

underlying architecture for tying those devices together? Is it your API? Or their, yeah, integrating with their APIs?

Anna Pobletts  

Yeah, so it's all stored on our back end. We handle all of the different devices that you have, making sure that you can always sign in and do so securely, so that people can't just add their device to your account. You know, we make sure verification happens in all the right places, and that you have the best security and user experience at the same time.

Alex Williams  

Okay, great. One of the discussions we had, you know, in preparation for this talk, we discussed FIDO, FIDO2. That's the overall protocol that you're using. How's that distinguished from? What about them?

Anna Pobletts  

So FIDO is sort of an overarching organization that manages these protocols. There's a bunch of different ones; there's sort of a protocol between the browser and the device, and there's one sort of between the back-end APIs and the browser. And so there's a lot of different components to this. And they do a lot of work to kind of come up with new use cases and to figure out better ways to interact cross-device and to better interact with different providers, so like Apple and Google and Microsoft, people making the devices. So they do a ton of really interesting work. The FIDO Alliance is awesome, and they have a lot of great resources.

Alex Williams  

Cool, just in conclusion, where does this leave two-factor authentication?

Cole Hecht  

Well, two factor is really important. We love the idea of two factor in any way. One of the cool things that we love about these biometric authenticators is that when you do a biometric step, you're kind of simultaneously asserting two distinct factors. Just as a reminder for everyone, we have three general categories of authentication factor: there's the something you know, like a password, normally; something you have, commonly a phone; or something you are, a biometric. And so when you're using Touch ID, for instance, like Anna said, you're unlocking a private key that is burned into a particular device. And so that's something you have. But of course your operating system is making you do the fingerprint or making you do the Face ID. That's something you are. And so it is two factors at once. And so we're really bullish on these device-native authenticators in offering two factors in a way that isn't cumbersome like it usually is. Normally, it's the password, then a second screen for pulling out your phone and six digits, and like that is kind of what I hope eventually the old school two factor

Alex Williams  

Cole and Anna, thank you so much for your time. Again, what is the website where people will actually have it? And you know, in a blog post, in other ways, but what is the website address?

Cole Hecht  

It's passage.id. We'd love for people to check it out and start building with Passage when they need a login page.

Alex Williams  

Well, good luck, Anna, Cole, thank you for your time. Thanks for listening. If you like the show, please rate and review us on Apple Podcasts, Spotify, or wherever you get your podcasts. That's one of the best ways you can help us grow this community. And we really appreciate your feedback. You can find the full video version of this episode on YouTube. Search for The New Stack and don't forget to subscribe so you never miss any new videos. Thanks for joining us. See you soon.

Transcribed by https://otter.ai