Next-Gen Account Security with Christiaan Brand

With phishing and password breaches on the rise, passkeys could offer a more secure, user-friendly solution that could reshape how we protect our online identities. Today's guest is Christiaan Brand. Christiaan is the co-founder of Entersekt, a financial services security firm and a key player at Google in their security and identity teams.

A respected voice in cybersecurity, Christian co-chairs the FIDO2 technical working group focusing on standardizing robust online security protocols in advancing the use of passkeys. He has been at the forefront of the shift toward more secure, password-free systems. We'll hear his insights on the challenges and opportunities of implementing passkeys to create safer online environments for users and organizations.

Show Notes:

• [00:52] - Christiaan is part of the security team for Google accounts. He's been with Google for 9 years. Prior to that he had a startup.
• [01:30] - He joined the FIDO Alliance around the same time Google joined in 2013. When he joined Google, he was able to continue with the same type of work.
• [02:35] - Each of the big tech companies represents a portion of the market when it comes to how we interact with the web and apps.
• [04:06] - He became interested in security when he started thinking about what could go wrong with new technology solutions. He wanted users to be able to access their financial information in a safe and secure way.
• [05:06] - 2FA began gaining traction with Google in 2011. It coincided with the launch of Google Authenticator. 2FA was also used by a gaming company.
• [07:54] - Usability is important, that's why having an app that displays the codes was one of the first forays into making the technology more accessible.
• [08:34] - Passkeys allow us to move beyond passwords, leaving the extra hassle of traditional multi-factor authentication behind.
• [11:05] - Key fobs were one of the earlier ways to try and bring usability to security. Now the technology is being moved to smartphones.
• [12:33] - Passkeys are a replacement for a password manager.
• [13:35] - Passkeys are extremely long and asymmetric in nature. You and the site you're going to both have the passkey.
• [14:27] - The service will have the public part of the passkey, and you'll have the private part. Even if the public part leaks out, your passkey will still be secure. Passkeys can never be revealed to phishing sites.
• [15:47] - FIDO brings the second authentication step in. The service also has to identify themselves.
• [20:04] - Password managers try to balance security and convenience. Logging in or accessing a passkey is a unique challenge for providers.
• [22:20] - Phone numbers are a way to get users back into their accounts.
• [25:19] - Single device users have extra challenges.
• [26:08] - There are pros and cons to external sources of identity.
• [29:44] - The FIDO website has many certified solutions.
• [33:21] - To get passkeys into daily users' lives, we need to start using them on daily applications where we log in frequently.
• [35:49] - Hopefully this passkey solution will stand the test of time.
• [37:34] - Attacks are beginning to shift to session hijacking.
• [38:24] - DBSC or device-based session credentials is a new standard parallel to FIDO.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Entersekt
• Christiaan Brand on LinkedIn
• Christiaan Brand on Twitter
• Christiaan Brand on Facebook
• FIDO2 Technical Working Group
• Learn More About Passkeys
• Passkeys.Dev
• FIDO Alliance Passkeys