In this episode of Identity. Unlocked, principal architect at Auth0 and podcast host, Vittorio Bertocci, has a conversation with John Bradley. John is the Senior Standard Architect at Yubico and the author of many important specifications pertaining to identity management, including FIDO2.
As usual, Vittorio begins the interview by asking John how he got into the field of Identity. John overviews his career and when he met Vittorio before turning to his current work on web authorization and FIDO2 standards. John’s current company is Yubico, and in his role with the organization, John wrangles standards. In other words, he represents Yubico at standards organizations and plays referee between companies in order to make sure the entire community is benefited by the companies’ shared work. Moving forward, Vittorio asks John to clarify significant terms for listeners. In order to do so, John shares the story of how Yubico and Google worked on their own program, U2F (Universal Second Factor) authentication, as other companies independently started FIDO. Yubico and Google decided to join FIDO in order to not be seen as competing, and the merged organization joined and developed technology to produce FIDO2. John further clarifies that FIDO2 is a marketing term rather than an actual standard, and the standards at play are WebAuthn and CTAP (Client to Authentication Protocol).
Vittorio and John also discuss details about how this technology works, with Vittorio boiling the ideas down to a description of a browser using CTAP to communicate with an authenticator, who then uses WebAuthn to communicate with a website. On the back end, the FIDO infrastructure is one of the various options for server validation. At this point, John clarifies, he and his team see WebAuthn used more as a second factor for authentication than as the first factor; however, with Apple’s work on multi-factor authentication, John imagines that the pattern of WebAuthn use may change. John expects that people will probably use local face or touch identification for the web credential for individual devices. Once this technology becomes ubiquitous, passwords will become increasingly obsolete. Of course, there are still problems that this vision of the future raises, and John and Vittorio talk through some of these problems, the need for the industry to create new practices, and ways in which authentication will likely become more integrated into our lives (as we’ve seen it start to do in the form of such things as wearable authenticators). As the conversation moves toward a conclusion, Vittorio asks John to share about what his team is working on now and plans to work on in the days ahead, including level 2 of WebAuthn, CTAP 2.1, and much more!
[4:20] - John clarifies the history of FIDO and FIDO2
[6:13] - John explains the history of WebAuthn
[10:59] - Uses of WebAuthn
[14:57] - How do you recover passwords without a roaming authenticator?
[18:26] - Has John ever considered an idea like implants for authentication?
[21:45] - John explains his work in progress and what he sees on the horizon.
Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.