I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.

YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs

I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care in to making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.

Exciting news! The Authentication Experience team at Apple, which brings you the Passwords app, passkeys, AutoFill of codes from Messages and Mail, and more, is hiring a software engineer!

This is the team that I founded, grew, and managed for years that I still work with daily. It’s a phenomenal team.

If you are interested, please apply through the website. People of all backgrounds are encouraged to apply. The role is in Cupertino, California. https://jobs.apple.com/en-us/details/200577341/software-engineer-authentication-experience?team=SFTWR

Security researchers: am I overly cynical, or are all the "content authenticity" initiatives meant to prove a photo is real a giant waste of time?

If the photo is cryptographically signed by the camera, the private key will just get pulled from the device.

Even if the photos are signed, you can just strip the metadata. Users will default to trust.

Even if the photo maintains a chain of trust, you can just fake a photo by taking a photo of a screen.

What am I missing?