Unlocking the Web: Exploring WebAuthn and Beyond

Introduction

Mark Rendle: Hi. I'm Mark Rendle, and I'm here at GOTO Amsterdam. Welcome to another GOTO Unscripted, being recorded live at the conference. So, I am a software developer, or engineer, depending on how much I want to charge you. I'm here doing a talk later on about programming's greatest mistakes, which is lots of fun. And today, I am talking to Eli Holderness.

Eli Holderness: Hello.

Mark Rendle: I’ll let you introduce yourself.

Eli Holderness: Yes. I'm Eli Holderness. I'm a developer advocate at Scaleway, which is a small European cloud provider. If you want somewhere else to put your stuff that's not Amazon Azure, or Google if they're even still doing that? They've killed off their cloud offerings by the time this video goes out, who knows? We are an option. We're a pretty good option. The people who use us like us. There, I've done my sponsored-by pitch.

Apart from that, I'm a big, old nerd. I'm doing a talk later today about WebAuthn, and authenticating over the web without using passwords. How does it work? What's the user experience like? Some cool, little weird facts and tidbits about that. I like knitting. I like cats. I like being a geek with other geeks, so, conferences are great for that. That's me.

Mark Rendle: You're playing horn with The Linebreakers.

Eli Holderness: Yes. Absolutely. Mark and I are both doing Linebreakers...

Mark Rendle: Yes.

Eli Holderness: ...today, which I'm extremely excited about.

Mark Rendle: Yes. We have rehearsals right after this, in fact.

Eli Holderness: Absolutely.

Understanding WebAuthn

Mark Rendle: WebAuthn.Just reading through the schedule, and, like, "logins without passwords," which is surely the dream. How does that work?

Eli Holderness: So, you've got your public key cryptography, right? Which is, that you have a private key and a public key, and people can use knowledge of your public key, which you share, to verify that you have ownership of the private key. They can use it to sign things cryptographically.

This is how TLS works, for example. And some very, very clever people made physical objects, hardware security tokens, that use, basically, a bit of flash memory, and some crypto processors, secure crypto processors. And for the purposes of this interview, "crypto" means cryptography and not cryptocurrency

Mark Rendle: "Crypto" never means cryptocurrency.

Eli Holderness: They will pry that for my cold, dead hands. Very clever people made hardware objects that embody a private key. You can do all the cryptography on-device. The private key never leaves the object, and you can use this as a security factor, something you have. And this is very, very cool. The other thing it allows us to do is to use it as an authenticated factor for things like user accounts on the web.

And, in order to make this secure and standardized, there's a set of specifications made by the World Wide Web Consortium, W3C. Those specifications are called WebAuthn, and that's become the sort of standard term for using these hardware tokens over the web. There's a corresponding set of specifications, called CTAP, which is the Client To Authenticator Protocol. And those are basically, like, this mirrored pair of specifications, that say, "This is how the hardware token should talk to the computer. This is how the browser should talk to the computer." And when they're working well together, you can use these hardware tokens to verify who you are on the web.

Mark Rendle: Right. Okay.

Eli Holderness: Right. Without passwords. All of the clever thinking stuff is done with this piece of hardware.

Mark Rendle: Right.

Eli Holderness: None of it has to happen for the person. The only thing the person has to remember is, where did I put the dang thing? Which is a usability problem, and that's one of the things I talk about. I talked about this on ".NET Rocks!" a year and a half ago, actually, at NDC London. And one of the things that Rich Campbell was saying to me then is that he has, like, five, YubiKeys is a very common brand of these hardware tokens.

He has multiple registered for each online account that he has them registered to so that if he loses one, he has one still in her possession that he can use to get back into the account. And I'm like, this is all well and good, however, I'm not keeping track of all of that. They're expensive. You can't ask users to do all that. So, there is, like, this is very, very cool, it's very cool technology, but there are usability concerns here.

Mark Rendle: Yes. Because I own two YubiKeys, one of which I bought, and one of which I got free with my Ars Pro++ Ars Technica subscription. I have not seen either of them. I also own two Raspberry Pi 4s, and I'm not sure where those are. One of them's on. I can't find it.

Eli Holderness: It's gone. It's released back into the wild. It's living wild and free somewhere.

Mark Rendle: My house is just absolute chaos. I have a 17-year-old and a 12-year-old, and a wife, and a dog, and...

Eli Holderness: The dog is coding at night. It's taken the Raspberry Pi 4...

Mark Rendle: Yes. And I think the dog might have... When the dog sort of passes on and gets cremated, we might find that that Raspberry Pi 4 goes offline. I think she wanted internet, and...

Eli Holderness: Yes. It's become one.

Mark Rendle: ...it's running off her body's static electro... Anyway.

Eli Holderness: You can power them with potatoes, right? We can do this. Yeah.

Mark Rendle: But so, it sounds... WebAuthn is one of those things where they've taken something and made it work with browsers, and then stuck "Web" in front, so, like WebGPU, WebGL, Web Bluetooth, Web all this sort of stuff.

Eli Holderness: Exactly. So, in the security world, we've got authN, which is authentication, proving who you are, and then authorization, which is proving that you're allowed to do a certain thing. There are various different kinds of technology built around these two concepts. It's important not to get them confused because then you can leave yourself with big security gaps. It's why OpenID Connect exists, and you don't just use OAuth for it, because OAuth is authorization, and OIDC is authentication. There's a whole hours-long talk on the differences between the two, in that.

Mark Rendle: Auth is 401, and OAuth is 403.

Eli Holderness: In what?

Mark Rendle: In terms of status codes, 401 is you are not authenticated, and 403 is you are authenticated, but you can't do that...

Eli Holderness: But you're not allowed to do that. Exactly.

Mark Rendle: ...which everyone always gets wrong anyway.

Eli Holderness: Well, it's something that I've come up with... I'm learning Kubernetes right now, because it's the hot new buzzword, and I wanna put it on my CV, right? There are lots of different ways you can authenticate, but then for authorization, it actually has a built-in default method, role-based access control. A sort of golden path for defining what that is, but the authentication is actually kind of wide open. You kind of can build your own custom thing for that. Getting them confused can lead you to some very nasty security gaps, so...

Mark Rendle: Yes. Yes, it can.

Eli Holderness: Yes.

Mark Rendle: So, one thing I was wondering about WebAuthn is, so, YubiKeys, it's a USB.

Eli Holderness: Without loss of generality, it's a, you know...

Mark Rendle: It's a stick, and you connect it to a computer. Right.

Eli Holderness: Or you could do it with NFC for some of them, but yeah. It's a physical thing that you have to have in proximity.

Mark Rendle: Right. So, if you had your phone, because people do most of their web browsing through the phone these days, apparently, apart from grownups like me. So, you NFC with that.

Eli Holderness: You can.

Mark Rendle: But is there a, at the moment, or are they thinking about, I unlock everything on my iPhone with my face?

Eli Holderness: That is using a hardware token.

Mark Rendle: This is using a hardware token.

Eli Holderness: It is.

Mark Rendle: Would WebAuthn, would I be able to go to a website and just sort of tap, tap, Face ID...

Eli Holderness: Yes.

Mark Rendle: ...and just magically log into the website?

Eli Holderness: Yes. One of the things that's difficult with that, as just using that hardware token kind of raw, as it were, like, directly, is people lose their phones, people upgrade their phones. You know, people's phones become obsolete because of planned obsolescence by big companies who want to suck you dry of all your money and make you buy the latest iPhone.

So, these hardware tokens... Don't get me started. But these hardware tokens on your phone actually, have quite a frequent turnover, as it were, compared to, like, a YubiKey, the... USB-C is gonna be around for a while. We hope. That could last me 10 years, right? But I'm not gonna keep the same phone for 10 years. And this kind of ties into a larger thing about, like, what if you lose the device, right? Have you lost all of those accounts, have you lost the way to sign into all of those accounts, right?

One of the things I'm gonna talk about is this joint venture between, I think it's currently Google, Microsoft, and Apple. So, three big, kind of, platform cloud vendors, or not, Apple's not a cloud vendor, but people that you have accounts with that your entire life might be stored in Google Drive, like me, your Google account, or your Microsoft account, or your Apple account. What they're doing is they're doing this thing called passkeys, and those are private-public key pairs, stored, again, without loss of generality, in the cloud somewhere, in your, let's say, Google account. And when they're stored in your Google account, they're encrypted with the password to your Google account.

Mark Rendle: Okay.

Eli Holderness: And then if I wanna go and log into a website, and I have a passkey stored in that cloud account, the website can go, "Oh, do you wanna use your passkey?" And then what I have to do in order to get Google to decrypt and supply that passkey is use the hardware token on my phone. So, it's not using, the cryptography on the hardware token is just, like, confirming that you still own that phone, that's registered to your Google account, and then you put your fingerprint in, your Face ID, whatever, and Google goes, "Oh, cool. Yeah. You have verified that you still have this device, you've authenticated, and you've authorized me also to decrypt and use the passkey to let you log into your account."

Mark Rendle: Right.

Eli Holderness: What that does, by storing them in the cloud, is does a couple of things. One, you're protected against device loss because you get a new phone, you register it to that same Google account, and you still have access to all those passkeys. But it also very much puts your eggs in one basket, again.

Mark Rendle: Yes.

Eli Holderness: I lost the privacy battle a long, long time ago with Google. I just, I've accepted that. If I wanted to...if I wanted Google to not know everything about me, I'd have to completely change my name, just get a Proton Mail, and never talk to anyone again. I'm not gonna do that. So, for me, using passkeys in my Google account is pretty good. It means I no longer have to worry about where my YubiKey is. I don't have to worry about my phone, and when I get a new phone, it will drop right in as a replacement in this auth flow.

But, if you are somebody who doesn't want Big Google or Big Apple to know what you're up to and where you have accounts, that currently, it doesn't exist. But, some password managers have it on their roadmap. Enpass and Bitwarden have it on their roadmap, to add passkey support. And then, Bitwarden, you can just stand up your own, and do your own thing. Then, of course, you have all the overhead of managing it, and if you lose them, then it's on you, right? It's essentially the same risks as single sign-on with OIDC, but, using very cool cryptography, and taking advantage of biometrics on your phone, which are, I think, extremely cool.

Mark Rendle: I always feel like if, you know, you're bothered about privacy, because I tried DuckDuckGo, because it's the privacy-focused browser. Actually, I have it set as my default browser in Edge, so when I'm typing stuff into the address bar, it's kind of going, DuckDuckGo is the one who are providing instant search feedback rather than Google. But I do find, if DuckDuckGo can't find it, I just go, "Fine, google.com," and then type it in there, and I am logged in, with my primary Google account, my Gmail account, and it knows me. And it's actually quite useful when your search engine knows you because it knows if I search for string, I've probably forgotten the constructor method that takes a span action or something.

Eli Holderness: It doesn't take you to the Wikipedia disambiguation page for "string." Yeah.

Mark Rendle: Yes. That's it. Yes. For "string."

Eli Holderness: Yep. Yeah, yeah.

Mark Rendle: Which is quite handy.

Recommended talk: Programming's Greatest Mistakes • Mark Rendle • GOTO 2023

Eli Holderness: I find it for, like, YouTube search stuff. Like, I fall asleep watching things, and there are some that I always go back to, and YouTube just knows that about me now. It's like, "You're a loser with no life. I bet you wanna watch the 22-hour perfection speed run of Star to fall asleep." And I'm like, "You bet I do."

Mark Rendle: Yeah. Whereas mine's going, "You want to buy this bass now."

Eli Holderness: Is it wrong?

Mark Rendle: Oh, God, no. No. I didn't know they were so expensive. But yeah, I recently switched over from Android to iPhone, because my wife, my son, and my non-binary teenager...

Eli Holderness: Your eldest.

Mark Rendle: ...have all got iPhones, and...

Eli Holderness: Ah. So you were the odd one out.

Mark Rendle: ...Apple watches, and it's just, it makes sense, and also, we've got the Apple One plus things that you can use in Arcade and whatever else. But it seems like Apple, in terms of, okay, yes, Apple gets a lot of this information about you, but I haven't seen any evidence that they're doing a damn thing with it.

Eli Holderness: This is one of the things I always think about, is, like, oh, there's this massive wealth of data that we're all generating, and metadata, and we had this excellent keynote yesterday, by Bert Hubert, about this. Munging through lots of data and trying to extract insights from it is actually really damn hard. And, you know, it's an entire discipline. Data science is an entire discipline. And sifting through these, mountains doesn't, isn't an adequate word, of data, to try and, I don't know... I guess if you're targeting a specific person because you suspect that they're a terrorist or whatever, like, you know, that's a much different proposition. But, like, I'm not really worried that Google knows that I like to buy lots of expensive hand-dyed yarns or whatever. I mean, that's, you can just ask me. I'll tell you that.

I mean, I'm thinking about how long it took them to go through data from CERN, right? The Large Hadron Collider. And that was, like, with funding, and scientists working around the clock. It's hard. It's a hard thing. So, I think we should be concerned about privacy and data stuff, but I also think that it's not the end of the world if, like, Google knows all my stuff. I'm not that interested.

Privacy and Data

Mark Rendle: I don't know if the rumor's true that there are huge data centers, like, under Utah or something, which are just full of hard disks that have got all the encrypted communications that have been sent over the internet over the last 20 years.

Eli Holderness: Oh, my goodness. I know that my employer, Scaleway, we have a data bunker underneath Paris, that is a disused nuclear shelter. And it's full of hard drives, as it's where we have our cold storage. You can put stuff there, as a customer of Scaleway. And that is hard drives. It's not magnetic tape. So, the talk I gave a couple of weeks ago, in Oslo, was about data storage, and this is one of the things I learned. So, a hard tangent into something else, but yeah. It wouldn't surprise me if there are, there are massive, massive banks of, like, data stored somewhere. But then…

Recommended talk: Practical Data Privacy • Katharine Jarmul & Alyona Galyeva • GOTO 2023

Mark Rendle: They've just stored it encrypted, on the basis that one day they'll be able to decrypt it. So, it's literally the raw TLS, encrypted web traffic.

Eli Holderness: Oh, amazing. Hey, well, we get quantum computing...

Mark Rendle: And then when they get quantum computers, they just... Yeah.

Eli Holderness: ...we just break TLS, you know. Elliptic curve cryptography is gone...

Mark Rendle: Yep.

Eli Holderness: ...and society will collapse, so...

Mark Rendle: It's well. It is. But, you know, society is...it's a well-overdue collapse anyway, so...

Eli Holderness: Absolutely. Reminds me of the end of "Cabin in the Woods," which is a favorite film of mine. And at the end... It's a horror movie, and at the end, the protagonists go, "You know what? I think it is correct and right that the world should end and we get the bad ending. Give someone else a chance to..."

Mark Rendle: Yes. And that was quality.

Eli Holderness: Yes.

Scaleway as a Cloud Provider

Mark Rendle: But, so, Scaleway.

Eli Holderness: Yes.

Mark Rendle: It's an interesting proposition because you're a cloud provider.

Eli Holderness: We are.

Mark Rendle: It's a cloud provider...

Eli Holderness: Yes.

Mark Rendle: ...in a world where AWS and Azure exist.

Eli Holderness: Yes. So, these are American companies, and...

Mark Rendle: They are. And Scaleway is a European company.

Eli Holderness: Exactly. And it's not one of our massive selling points, but something I do find interesting is we have customers for whom it's imperative that they not store data in data centers owned by an American company, or owned by a company that also has data centers in America. And we're neither of those things. We've only got data centers in Europe. So, we can kind of de facto satisfy some very hard requirements that they have. For example, government-related bodies, education bodies, that, like, a variety of stuff, and most of which I'm not privy to, right?

Because I'm a minion. All I do is go to conferences and give my silly talks. But, so, there's a need there, I think, for regional cloud providers, given, again, data privacy, data sovereignty legislation that we have in the EU, for better or worse,

Mark Rendle: Yes. Because, theoretically, an American company can be forced by the American government to hand over any data that the American company controls, and then...

Eli Holderness: Yes. And, you know, whatever the EU has to say about, you know, AWS, again, I keep saying this, without loss of generality, but AWS, or whoever can just go, "Sorry. PATRIOT Act. Nothing I can do."

Mark Rendle: Yes.

Eli Holderness: And we're not subject to that in the same way. I mean, I think there are probably failure scenarios that exist, but, again, I'm not versed in these kind of law, so...

Mark Rendle: Also, you probably pay tax. So, that's different.

Eli Holderness: Yes, yes.  I've been working at Scaleway for six months, and I'm kind of new to the cloud-native world. And as I said, I've been learning about Kubernetes, I've been learning about all of these really cool things. Meeting people, you know, who are big in the cloud-native world, being like, "Okay, well, what is the difference between a container and a virtual machine?" and the answer is not as clear-cut as you might think, and all of this kind of cool things. Yes. Y

Mark Rendle: Yes. And then just when you get your head around how containers work, and Kubernetes, then they're gonna pull the rug away again, and make you switch everything over to WebAssembly.

Eli Holderness: That was what I was gonna say. Oh, now we're doing WebAssembly. That's the latest and greatest. So, I already knew a little bit about WebAssembly, because I'm a Python person. And a year ago at PyCon, Anaconda announced that they had, with, in conjunction with, there's a thing called Pyodide, which is CPython compiled to WASM, so that it can run in the browser. And Anaconda has built a bunch of tooling around this, and they've called it PyScript, and it's this, like, nice syntax for doing essentially Python in HTML. And it was very cool. It continues to be very cool. A lot of tooling has been built up around it in the last year. So, that was my kind of first introduction to the idea of WebAssembly.

I think it's cool. I like that it sort of...obviously, you are a JavaScript person, in the sense that you know what... Not to spoil your talk later today, but JavaScript is touched upon. I like that we're continuing to kind of rethink what's the browser even doing. I mean, the browser has won the operating system wars, right?

Mark Rendle: Yes. Absolutely.

Eli Holderness: The fact that we aren't just going, okay, well, this is how it is. People are going, okay, what could we do with this? Could we drastically change things, like, a paradigm shift? If we're gonna go for the buzzwords.

Mark Rendle: Yes. I'm seeing something that I'm sort of tracking. I keep following new blogs, when I find blogs about it, but there's this really interesting...and this is actually an effort among some of the smaller cloud providers, in an attempt to provide something that Microsoft and Amazon really have no interest in providing at the moment.

So, if you have WebAssembly modules, and you can deploy a manifest with your WebAssembly, that says, "Okay, I need cache. Key-value cache. I need a key-value column store. And I need messaging." And so, you declare that you need those things, and you write your code, and compile it to WebAssembly, and there is a WebAssembly, sort of, standard ABI, like, the application binary interface. And then, wherever you deploy it to just looks at the lists of things that it wants, and goes, "Right, here's your messaging. Here's your cache."

Eli Holderness: Infrastructure as code? 

Mark Rendle: And it just mashes it together, which removes vendor lock-in, because then Scaleway can be saying, "Okay, we're gonna use Redis and RabbitMQ," but someone else can go…

Recommended talk: Beyond Passwords: How WebAuthn Actually Works • Eli Holderness • GOTO 2023

Eli Holderness: Yeah. We actually have RabbitMQ. 

Mark Rendle: If Microsoft did get on board with it, they'll go, "Well, we're gonna do Azure Cache for Redis, and Service Bus, or something,

Eli Holderness: Is it RabbitMQ we have, or is it something else? Anyway. Yes, maybe cut that bit.

Mark Rendle: Yes. It's something. Yhat's a really interesting aspect of this, the idea of not having to take a binary dependence on, like, StackExchange.Redis in a .NET application.

Eli Holderness: Yes.

Mark Rendle: And instead, just go, "I just want cache."

Eli Holderness: Yeah.

Mark Rendle: "And I wanna be able to set a value and get a value back, and that's it."

Eli Holderness: Just implementation-agnostic.

Mark Rendle: Yes.

Eli Holderness: Yes. Maybe you would want to be specific if there were, like, specific trade-offs that one implementation had, and you would wanna specify that, but, like, yeah. By and large, people don't actually need that. I certainly don't need it for, like, the, like, little toy apps that I build, or for home lobbying or something. So, yeah. I think that's very cool. I think more modularity and portability of stuff is good, just is an unqualified good unless you are somebody who makes money off it being difficult to leave your service.

Mark Rendle: Yes.

Challenges in Kubernetes: Multi-Cloud, WebAssembley

Eli Holderness: Which, that is a business sort of thing, that businesses would like to do. But in general, Scaleway is very much, we're trying to do things with open source. We're trying to make it easy for you to get your data out. Ideally, we'd like to keep people with us because they like using our products, rather than because it's hard to leave. You know, that's the goal. I certainly would like to believe that's the goal. Yeah. But no, it's very cool. It's interesting to be at a cloud provider without it being one of the big ones. I mean, I've never worked for Amazon or Azure or anything. But, yeah. It's an interesting space to be in, as we've got all these, like, you know, obviously, Kubernetes continues to roll out breaking changes in its minor versions every few months.

Mark Rendle: Yes.

Eli Holderness: I don't understand what they're doing. Why are you using semantic versioning? And then version 1.27 has breaking changes in it. That's not how it works. That's not how it works. 

Mark Rendle: Yes. No, it's, this is the downside of the bazaar, as it were.

Eli Holderness: They can rewrite the rules, it's fine. I write a Kubernetes newsletter for Scaleway. So I'm up-to-date on, or at least I have a vested interest in reading the change logs and seeing what's going on this week in development in Kubernetes and stuff. So, and I'm gradually getting used to the idea that they do just... I don't know if version 2 is ever gonna come.

Mark Rendle: Yes. No, it...I happily sort of exist on the surface of Kubernetes, and I can create a service, and a deployment, and load balancer, and maybe some secrets, and then that's, like, this little bit of the iceberg, and then there's the whole of the rest of...it's not even just the iceberg. It's a planet that's down there, just...

Eli Holderness: One of the things we have at Scaleway, which is really cool and I want to learn more about it, is a multi-cloud Kubernetes offering, where you have the control plane lives in Scaleway, and you can deploy nodes wherever you like. So, let's say you have a load of GPU in Azure, and you wanna use that to do some GPU-heavy task, like some workload. You can do that, and you can have it controlled by a control plane that lives within Scaleway.

Mark Rendle: That's pretty cool.

Eli Holderness: It is really cool. I wanna learn more about, like, how they made it work. Like, there's a good conference talk in there, right? Like, the story of building. It's called Kosmos. And I wanna go and, like, the thing is, I think probably a lot of the engineers who built it are French, so there's gonna be a, me not knowing enough about Kubernetes to ask the right questions, and me not knowing enough French to ask the right questions.

Mark Rendle: I can lend you Willow.

Eli Holderness: Absolutely. Yes, yes. Mark Rendle's eldest is a keen linguist, and I think is hoping to study, and...yeah.

Mark Rendle: And but also, computer enthusiast, and...yeah, so...

Eli Holderness: Yes. No, I mean... Because the thing is, the first time I met Mark Rendle, you were just like, "Oh, hey, by the way, I have two kids. They're the coolest people ever." And I was like, "They do sound like the coolest people ever." So, yeah, yeah.

Mark Rendle: Yes. They are. No, the linguist, and computer, and...

Eli Holderness: There's a lot of overlap.

Mark Rendle: ...retro console. Absolute Nintendo freak these days.

Eli Holderness: Yeah. They're part of a crowd that's, like, I know a lot of people who have got those intersecting interests. All you've gotta say is that they're also into, like, knitting or yarncraft, and that'll be the trifecta.

Mark Rendle: No. No.

Eli Holderness: Oh, okay. Okay.

Mark Rendle: Not so much with the physical world, actually.

Eli Holderness: That's fair enough.

Mark Rendle: It's all very abstract.

Eli Holderness: Yes. Scaleway is a cool place to be. It's cool. I'm learning a lot of stuff. Sometimes it feels like I'm stuffing my brain full of things and some of it's overflowing over the top, but better that than being bored, for sure.

Mark Rendle: Absolutely. Yeah.

Eli Holderness: And one of the things I get to do as part of my job is come to conferences like this and talk to cool people, and, yeah, it's great.

Mark Rendle: Cool. Okay. Well, I think that's probably it.

Eli Holderness: We've said some words.

Mark Rendle: We've said a lot of stuff and stuff. We don't wanna keep people around any longer than we have to. So, yeah, it's been really interesting, and I will still come to your talk this afternoon unless I'm doing another one of these. I don't know.

Eli Holderness: You might be going to Dylan's.

Mark Rendle: Or I might... Yeah.

Eli Holderness: How many times have you seen Plain Text from Dylan before?

Mark Rendle: Oh, no. So, I definitely don't need to see that again, but... So, yeah. And I will see you up on stage tonight when the horn.

Eli Holderness: Oh, yes. You're not getting away from me today. Yeah. No, we're doing all the same stuff.

Mark Rendle: All right. Cheers. Thanks very much. Thank you.