 Hello everyone, how are you? So today we're gonna talk about the feature of identity. We process more than 8 billion logins per month We will gonna start with a demo by Schenkel Going through a story of Julia. Julia is an Argentinian citizen who wants to buy airplane tickets She wants to travel from Buenos Aires to New York and she's going to use an application called Gamma Air. Gamma Air is a non-existing airline, but we're going to prevent it's real And they're always on the cutting edge of technology So we're going to be using these two technologies that we're going to talk about for some of their features So she clicks next continue with Pasky and she's prompted with this other form And in this case once she wants to create a Pasky the phone in this case She's using Android will ask her. Hey, do you want to create one Pasky on your Google device using the Google password manager? That's part of the platform. This is not part of the applications functionality. This is part of Android And here what's going to happen in the background when she clicks continue is password manager will open up. This is a parallel of iPhone keychain for those that are familiar with Apple devices And she will have to use either her fingerprint or her phone pin to unlock password manager now a key thing here is that Her biometrics her face on her fingerprint. They never leave her device This is just used so that she can actually enable the creation of the Pasky on the local phone And in the background what's happening is that a Pasky which is essentially a private key on a public key That's associated to in this case. Let's say an application is created An account will be these applications also do what's known as KYC They want to know the customer and not just that you upload the data that looks real But they want to know that it's real and this is where another technology called verifiable credentials comes in Julia will be prompted. Do you want to submit all of this information? She has that credential on her phone She has to send it over to gamma air. She will say yes And gamma air will verify this credential They will make sure that the credential was actually issued by in this case the Argentinian State Department Without having to go through a convoluted process where she submits it to take the picture They go through a back-end check to make sure that everything works They have trust in the credential because of cryptography and how this was submitted But from Julia's perspective, this means that it's frictionless Now in the future what we can imagine is And this is even further ahead a single wallet a single application a single pane of glass in which you have everything you have all of your past keys The way in which you use to access applications and you have all of these verifiable credentials that are issued by different parties That you can present when appropriate. All right. Oh, that was a good Walkthrough of how this future might look like. Let's look at some of the Of the of the things that might have happened over the past You know decades for these to become a reality So first off passwords, we all have suffered passwords. We don't know what they look like, you know, how they work It's a simple solution, but clearly it came a long way, but it's it's not scalable anymore 11 billion passwords out there that were breached. There is more like 100 million fishing emails being blocked by Google every day dictionary attacks brute force attacks credential staffing attack So I think we it's time to say thank you passwords. You you serve your purpose, but it's time for something else now So in 2016 this first standard came in called web often Most of the vendors Adopted this but in order to hold that private key You had to have an external key like maybe you became you might have seen this in the past like this USB keys And that's not a very it's it's okay for enterprise users You know what you can hold the keys to your employees, but it's not fine for consumer use cases so when that this became a One of the blockers for adoption There was another Interation on these standards and this is what the phyto alliance came up with which is called past keys and Google and Apple and Microsoft were the ones adopting it Kind of right away and the key thing here is that your phone now becomes the holder of your private key your phone your laptop whatever device you have on your That you are using iPads whatever and that past key is stored in the iCloud key chain or the Google Drive In the case of Android and it's synchronized across your devices in that way when you are on your phone You are the same you have the same key that you you will have if you are in your laptop or if you're on your iPad So that's the key Innovation there and so as Damon said this has been today announced by Google You can now log into your Google account using a past key. You don't have to type your password anymore You can use essentially a pass a key that will be on your phone That will be unlocked with your face ID or touch ID Some of the good properties about this is it's fishing resistant it means that nobody can put up a website and Ask you for your past key and then use that past key is in some other Important website, so there is no way to fish the user in this case They are not breachable which means that these past keys are stored in the device the private keys So there is no way to steal Pass keys in the same way that you could steal passwords right in these breaches that happen in the past Um There are privacy preserving Which is also an important aspect of it when you use for example logging with Facebook Facebook knows That you are logging to a certain website Using their account in the case of past keys. Nobody knows which websites you are logging in except for the website themselves And finally that the UX is pretty good like it's the same UX you're using today like face ID touch ID And what's the same way in different devices? The second technology innovation that we showed in the demo is verified credentials So let's look at some of the properties about it. So the first thing is that a verify credential is essentially a set of attributes Jason That is signed with the private key as well In this case so that this university is signed a credential that says that Hanna. It's an electrical engineer That she would study there throughout these dates In the United States all that information is stored in a credential that is signed Which means that is cryptographically verifiable right and it's a standard so any anyone could check That Hanna actually has been issued this credential by this institution There is an issuance process in this case university at some point had to issue that credential when she finished her studies That credential we get on your on a wallet that you hold it could be in the future It could be Apple wallet Google wallet or some open source wallet When when you want to present that credential to a website It could be both offline or online if it's if it's a website you will be presenting the credential online And there is a verification process Get the the public key of the Socrates University. It will check that was signed with the private key of that That credential and that process happens every time So that's essentially how it works and the properties of verifiable credentials are also That are privacy preserving you can share only information That you want to share if you don't have to share all the information You can share for example that you're more than 18 years old, but not your birth date. That's a property of these standard you can It's also interoperably it works across many devices and website. That's the goal as we Adopted it will take time to to get there, but that's the idea And so today Apple and Google for example are supporting One standard of digital credentials called ISO mobile driver license So you will start seeing this happening more and more. Yeah, what are the problems? Well, there are a few and some of them are related to the fact that this is new But this is how it works today for pass keys. They are ecosystem specific meaning that if you have an iPhone They will be sent across all of your iCloud devices But if you also have a Chromebook, they won't be available there and the same thing of course for Microsoft devices You can't get around this by scanning QR codes are going through kind of like a bit of a complex dance But this is a problem We think that in the future will be able to get these pass keys to work across devices Not not work. Sorry to be backed up across devices so that you can have a single set of pass keys for all of your Application across all of your devices in a seamless manner The other thing that's very important is that for verifiable credentials a lot of the standards are very fast moving and not stable It's very new technology and it's changing quickly the standards on how to present and issue them change a lot They stand the recommendations on essentially How you should format schemas for them what you should put in them and not so it's a very fast-moving field That's okay. Like this happens with new technology But there are two things that we have to take into account if these technologies are going to become mainstream The first one is the user experience The first time Julia saw that screen. She was scared right like she saw hey all of these things are new I have no idea what they mean. Should I use a pass key? Should I continue using passwords? Those are things that we have to get people used to The same thing for verifiable credentials right when someone prompts me for my credential What does that mean? Do they keep it? Do I keep it? Where is my data going to be stored and so on? So there are a number of user experience things here to be figured out and we as builders are the ones that are Empowered to do so and on the other hand developer experience is also going to be key We are still dealing with security. We are still dealing with identity We are still in dealing with private information Even though it seems seamless to users there are very complex constructs under the covers that we have to take care of and Being able to build as developers with libraries that are secure that are battle tested that are built by experts is very very important All right, so with that Just saying that Public keys are at full rage now. The whole pki became now the Best way to authenticate and to become to create digital credentials and this is gonna be the future. Luckily passwords Should cease to exist and that's a very that's very good news And so just to recap some of the benefits of how this future of identity will look like fishing resistant better user experience Better security and privacy preserving We are working towards that future as an industry and as a company and so hopefully We're gonna get there if you want to try out Some of the stuff that we talked about in this talk You can scan the QR code and you can use the experimental environment of out zero out zero lab You can also join the discord channel where we are discussing all these topics And you can follow us on Twitter at out zero lab Thank you for coming and hope you enjoy the rest of the conference and the rest of the day