Podcast Episode

All About Passkeys

Announcements

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

WP Tabs is the most user-friendly, highly customizable, responsive WordPress tabs plugin to display your content in a clean organized tabbed navigation.

All About Passkeys

In this episode, we delve into the world of passkeys, a topic that many find intriguing but might not fully comprehend. Dustin shares his journey of discovering passkeys through a podcast on syntax.fm, highlighting the importance of staying updated on technological advancements.

Topics Covered:

  1. Introduction to Passkeys:
    • Exploring the host’s initial confusion and curiosity about passkeys.
    • Reference to the podcast episode on syntax.fm (Episode 710) featuring Anna from 1Password.
  2. Understanding Passkeys:
    • Technical explanation of passkeys as cryptographic keys.
    • Description of public and private keys and their role in enhancing security.
    • A simplified analogy of a treasure chest with a gold key (public) and a silver key (private).
  3. Advantages of Passkeys:
    • Comparison with traditional passwords.
    • Passkeys are generated rather than created by users.
    • Phishing resistance due to the nature of passkeys.
    • Enhanced security and resistance to hacking compared to passwords.
  4. Usage and Implementation:
    • List of major websites already implementing passkeys.
    • Tools and methods for using passkeys, including 1Password and the integration with Apple devices.
    • Discussion on bringing passkeys to WordPress, including insights from iThemes Security Pro.
  5. Looking to the Future:
    • Acknowledgment of the current status of passkey adoption.
    • Expectations for increased prevalence and ease of use in the coming years.

Links Shared During the Conversation:

As technology evolves, passkeys emerge as a promising solution for secure and hassle-free authentication.

Thank You!

Thank you to those who use my affiliate links. As you know, I make a small commission when someone uses my link, and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Full Transcript

Business Transcription is provided by GMR Transcription.

546
===

Dustin: [00:00:00] On today's episode, we are going to talk all about passkeys, what they are and how the future technology will get rid of passwords forever, right here on Your Website Engineer podcast episode number 546.

Hello and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler. And today we're not really going to be talking about WordPress per se, but we're going to talk about just the web in general and how passwords are going to be a way of the past, I think, in the future. So let's get started.

Now that passwords aren't going to go away anytime soon, but I want to talk about passkeys and what they are and how they can help us be more secure when we log into things online. But before we get to that, I do have two announcements to share and a plugin. So the first announcement is all about the plugin previews button now in the WordPress repository.

You might have seen this before. I think I talked about it in last week's episode on the recap of State of the Word. But basically there is an ability now, if you own a plugin that's on the [00:01:00] WordPress repository, that you can opt in to have your plugin be previewed on a WP Playground. And what that means is that there's going to be a button on your WordPress repository page, and you'll start seeing this as you're across the repository, looking for different things. There'll be a button that says Live Preview, and if you click on the live preview, it will open up a playground site for you with that plugin already installed, and you can log in and you can see how that plugin works.

And this was a feature that came out in December, and it's an opt in because there's some plugins that are addendums or extensions upon extension. So like if you have a plugin that extends WooCommerce, like you need to be able to have WooCommerce installed first. Otherwise, there'll be an error when your plugin when that gets activated.

So this is just a little bit of news. If you are a plugin developer, you can now toggle that and you can have the ability, but it is an opt in. So you won't be displayed by default to have a live preview. You actually have to go in and say, yes, I want the ability to have my plugin be live previewed in a playground.

So there's a link in the show notes if you're interested in a little [00:02:00] bit more about that.

And then the other news item that I came across this week, and it's been a slow news cycle for quite a while because WP Tavern is looking for some new writers. And they're usually the ones where I get a lot of information as they're curating information across the internet and what's happening in a WordPress space.

And so I wanted to just highlight that they're still looking for that. So there's not a lot of news, but the other thing that came out was an article or blog post over on wordpress.com. And it wanted, and it just pointed out the 10 most popular plugins on wordpress.com. And I know that's not representative of the top 10 most popular WordPress plugins, but I just wanted to read off the top 10 that are on this list and just curious on how many of these you actually use on your site. So Yoast SEO, WooCommerce, Contact Form 7, Google Site Kit, Elementor, All in One SEO Pack, WP Forms, WP Headers and Footers, Astra Pro, and Jetpack Boost.

Those are the 10 that are the most common on WordPress.com. And it's important to see that Elementor and Astra Pro, those are both plugins that help to [00:03:00] do a page building style things on the WordPress site. And then we've also got Contact Form 7 and WP Forms, which are two different things that are very similar. And we've got Yoast SEO and we have All in One SEO Pack. So we've got three different kind of categories there of plugins that people are installing on wordpress.com site.

So I just wanted to highlight that here in the podcast. The other thing that I want to highlight today is a plugin, and the plugin of the week is called WP Tabs. And this is a responsive tabs plugin for WordPress. And I'm sure you've seen this across different places of the web, but basically think about, you know, you have a text box, but maybe you want to have different information that goes across the top and you can have like 1, 2, 3, 4, 5 tabs.

Think of it kind of like a file folder type structure. When you click the tab, it's going to refresh the text and show something different. This is a plugin that is highly customizable and it's responsive and it's designed on the block system and it allows you to use all the features of Gutenberg to build out your tabs.

And it gives you a really slick way and a nice design on how you [00:04:00] can create tabs on your WordPress site. If you're interested in finding out more, you can click on the link in the show notes, which you can find at yourwebsiteengineer.com/546.

Or you can go to the WordPress repository and search for WP expand tabs free.

All right. Today, let's talk about passkeys. And I honestly knew very little about passkeys. I keep seeing it pop up in 1Password every once in a while. It's like you have these sites you can turn on passkeys for. And I was like, I don't quite understand what passkeys are.

And I want to be on the front edge of technology. I want to be doing the most, the latest and greatest and the cool things that are happening, but I wasn't sure what it was. But this week, or, yeah, I think it was a few days ago, I started listening to a podcast over on syntax.fm, and honestly syntax.fm is a great podcast for all kinds of learnings on web stuff.

It doesn't really focus on WordPress at all, but there's a lot of React, a lot of stuff that just goes right over my head every single week. But this interview on a passwordless [00:05:00] future was episode number 710 and they had Anna from Passage on and they talked all about passkey. So I wanted to kind of point out some of the information and start just a conversation on passkeys and what they are and how, why they're so much better than using a typical username and password.

So let's go ahead and dive in. So

Let's first look at just understanding passkeys, and we'll go through a kind of a technical explanation, and then I've got a simpler, an explain-it-to-me-like-I'm-five explanation. So the definition of a passkey, they're also known as cryptographic keys, and they are unique strings of characters generated through complex algorithms.

They consist of a pair, a public key shared openly and a private key, which is kept secret. And then when a customer or a user attempts to log in, the system uses the public key to encrypt the data and only the corresponding private key can decrypt it. This key system adds an extra layer of security compared to traditional passwords.

So explained a little bit differently. Imagine you have a [00:06:00] treasure chest and you want to keep it safe. And you decide to use a special kind of lock called a passkey. And this lock takes two keys. A gold key and a silver key. The gold key is a special key that you can show to anyone. It's not a secret. You can even post it on a bulletin board and let everybody look at it.

People copy it if you wanted to. And that is the first key to get into your treasure chest. But then you also have a silver key, which is a private key. And this is your super secret key. You don't show this key to anyone. It's just for you. Now, if somebody wants to send you a message or put something in your treasure chest, they use the gold key.

They can put anything in there they want with the gold key. They lock it up and only the silver key can open it. And then when you want to open the chest and see what's inside, you use your silver key. It magically unlocks the lock because it only will work with the silver key. So the passkey is kind of like having that special lock on a treasure chest. You share one part with everyone and you keep one part secret.

And then messages and [00:07:00] things can be locked up with the gold key and then open only with the silver key. And it's a way to keep your treasure safe and make sure that only you can access it.

Let's talk about some of the advantages of passkeys. And I think the best way to do that is to talk about some of the key differences between passkeys and passwords.

Get it? Key differences. Anyways, ha ha. The passkeys are created differently than passwords. So when you create a password on a site, whether it be a banking website or just any website that you come across, the user, so that's us, we have to follow the password best practices so that they're not easily cracked by cyber criminals.

So we have to go in. We have to use a tool maybe to generate a random password or we have to come up with something that is memorable if we're if we're not using a password membership. So the onus is on us to make sure that we are creating a unique password that is hard to use or hard to decrypt, if you will. If you use a passkey, users don't have to create anything.

All they have to do is generate the passkey for their account and then they can log into the device they generated the passkey from, so that's a huge, huge advantage. [00:08:00] Another thing is passkeys are phishing resistant, unlike passwords. So phishing is a cyber attack where a cyber criminal pretends they're somebody they're not, like a company or a family member or something.

So the targeted victim is persuaded to provide sensitive information, such as login credentials, to a website that looks like the legit site, but is actually not the regular site. With passwords, it's easy to fall for these phishing attacks because users can enter their username and password into a malicious site, unaware that the site was designed by a cyber criminal.

With passkeys, cyber criminals can't trick users into entering a passkey on a phishing website because there's nothing for them to enter, making passkeys phishing resistant. So if you have a site like Best Buy as a good example, bestbuy.com is one that has passkeys available. And so if you would go somewhere like bestbuynow.com and it would ask for a username and password, but you know, you use a passkey on there and then you're there's you don't have to do anything for a passkey, like you go in and you authenticate with your 1Password or you authenticate with Face [00:09:00] ID for a password. We'll talk about that in a second.

But basically, there's no password to put in. So the phishing attacks kind of go away, which I think is huge. Also, passwords are easier to compromise than passkeys. For online accounts to be secure, it starts with creating strong passwords. So a strong password is one of at least 16 characters, but not everybody uses 16.

Some only use eight. Strong passwords are also never reused. They don't contain personal information or any dictionary words or phrases. With passkeys, users don't have to worry about creating strong passwords or having their account compromised. If the company account with experience with data breach says activity servers only store the public key, and that's public for anybody.

If the server is breached and compromised, then they only have access to the public key, which is useless without the accompanying private key. So it's harder to hack a passkey. If a company's website gets hacked, which happens about every day, it seems like, then those public keys, if they have public keys, it doesn't matter. They still need the private key, which is a thing.

I will have to say, while this [00:10:00] does sound exciting and it sounds like, oh, I'm just going to go out and create passkeys for all my sites, that not all your sites are out there right now. And there's a link in the show notes to a website called passkeys.directory, and there is right now, as of this recording, there is a hundred and five different results on there. And these are the hundred five big name websites that are using passkeys.

So Adobe, Amazon, Apple. Let's see, what else is on here? And Best Buy, like I referenced, CVS Specialty, Discourse, eBay, Google, GitHub, Kayak. There's a whole bunch that are on here that you've probably heard of. Microsoft. Let's see what else is on here. 1Password has it kind of built in. PayPal, Roblox, Shopify, Shop Pay.

Synology has passkeys in. TikTok, Uber has it now, and WhatsApp, Yahoo, Hyatt.com. So those are kind of a list of some of the big ones. They are going to be for big sites that are out there that are certainly using them. And in order to use them, you can use a tool [00:11:00] like 1Password. I think passkeys now are built into like the password saving mechanism inside of the Apple computers and whatnot.

I'll also leave a link in the show notes for this blog post over on 1password.com of how to save passkeys either on the web or with iOS. And there's a video on here and it talks about the process, but basically you don't have to memorize anything. You don't have to figure it all out, but 1Password will prompt you to save a passkey and it'll save your passkey to automatically generate it and you basically can click the button and say, save, and then the next time when you go to log in, you can use 1Password and you can just apply that private key to your account, and it will automatically be logged in.

Now, I don't have all of the knowledge, and I don't have all the things. And how can we bring it to our WordPress site? And that's where I want to talk just a little bit about over on Solid WP. And so Solid WP used to be iThemes. It's they have a plugin called iThemes Security Pro.

They just added the biometric logins like Face ID, Touch ID and Windows Hello [00:12:00] and passkey technology to all major browsers, including Chrome, Firefox and Safari, to use with your WordPress login. So I'll have a link to this article as well. And basically what you can do is if you have iThemes Security Pro, you have the ability to turn on passkeys with your WordPress login.

So then you can log in with your passkey and then you just click the button and it'll automatically, you put your username in, you click, I want to install, or I want to log in with my passkey and it will automatically do that. There's a checkbox inside of iThemes Security Pro that you can turn it on.

You can turn on passkeys and you can turn on passwordless login and then basically it'll come up with a QR code. That will allow you to register your device with, whether it be an iPhone or Android, if you're doing this on the web, you can point your camera to that and then it'll save your passkeys.

And so I think we're on the infancy of like getting this on our own personal WordPress sites. And indeed, if you are running a membership site or some sort of subscription service where people are logging in regularly, like probably want to [00:13:00] hold off making this a mandatory thing.

It could be something that you can experiment and try, but I just wanted to give you some information as we start 2024, as we'll be hearing more and more about passkeys as the year goes on. And so not necessarily WordPress specific, we can start using it and maybe we'll by the end of 2024, it'll be more prevalent and we'll be able to start using it more frequently on just regular WordPress sites and our own sites.

But I think the technology is going to be very, very slick and not having to remember passwords and generate passwords and like all of those banking websites. It says, oh, you can only have 20 characters or eight characters and they have to have this, you know, all of those like mumbo jumbo things that we now have to do to make sure that we have a password that meets their criteria.

I think getting rid of all that is going to be a huge win when it comes to everybody using computers everywhere. And so that's what I wanted to share just a little bit more about passkeys and next week we'll talk more about WordPress.

That's all I got for you this week. Take care and we'll talk again soon. Bye bye. For more [00:14:00] great WordPress information, head on over to YourWebsiteEngineer.com