Hi, I'm Eiji. If your app or website relies on passwords, maybe with a second factor to strengthen the security, now's the time to upgrade to a simpler and much safer authentication method called passkeys. Let me show you why. Passkeys are a new authentication method that solves a number of challenges developers and end-users face today and provides unique benefits. Passkeys replace both passwords and the second factor. This makes authentication easier, faster and safer, which increases conversions and reduces costs for sending SMS. Passkeys are simpler. Users can visually pick an account instead of typing the username when signing in. This simplifies the steps to sign in and helps users remember their username. Users can authenticate themselves just by using the device's screen lock, including biometric authentication. Creating and remembering a unique complex password has been a big pain for many users, while using a passkey is as simple as a single touch. Passkeys can replace cumbersome two-factor authentications as well. A single passkey is as strong as two separate factors. Passkeys work for both apps and websites and can be synchronized across devices via a password manager. Passkeys are safer. As a developer, you only store a public key instead of a password, and the impact of a bad actor obtaining a public key is far less than that with a password, as they can't sign in with just a public key. Passkeys protect users from phishing attacks because passkeys only work on the websites or apps that created them. We expect that passkeys will help reduce the number of account hijacks caused by phishing, which is currently the most common threat. Apple, Google, Microsoft and many other organizations work together under the FIDO Alliance to develop this standard. Passkeys work almost everywhere: macOS, iOS, iPadOS, Windows and Android. Browser support is also broad, with Safari, Chrome, Edge and some other Chromium-based browsers as well.
Many organizations like Shopify have implemented passkeys for their Shop app. Shopify has also enabled much of the e-commerce ecosystem to adopt passkeys. They empower more than 100 million users to easily and securely shop online across two million merchants with passkeys. Let me take you on a user journey and show you how a passkey works on Shopify. Imagine you have never used a passkey before and usually sign in with Google to the Shop app. In the menu, you notice that there's a "Set up fingerprint unlock" option. By tapping on "Set up", you can upgrade to a passkey. Creating a passkey is as easy as touching the fingerprint sensor on the device, and the passkey is created. One day, you go shopping at an e-commerce website and select "Buy with Shop Pay", but you need to sign in. Tapping on the email field suggests to use a saved passkey to sign in. By continuing, you can sign in using the passkey you created on the app because it's shared between the app and the Shop Pay website. And you could easily continue shopping without any friction. Now, what if you switch to a new Android phone because biometric authentication used to require registration on every device? But don't worry, the passkey you created is stored in the Google Password Manager and automatically synchronized to new devices. That's why the passkey is already available on the Shop app on the new device. And of course, you can sign in just with your fingerprint. As I mentioned earlier, passkeys are supported by Android, iOS, macOS, Windows and more. You can even use a passkey from an Android phone to sign in to a website on an iPhone, iPad, Mac or Windows PC. There are already a few flows to support cross-device synchronization and the FIDO Alliance is working on more. One of the ways that's supported today is to show a QR code on the Mac Safari, scan it using the Android device and authenticate. Note that if you are using Chrome, this flow can be smoother without scanning the QR code and you are signed in.
After a successful sign-in, create a new passkey that's only needed the first time. Starting from the next time, you'll be able to sign in directly without your phone. During a passkey user journey, a few interesting things are happening. A passkey is created locally by using the screen lock, including touching the fingerprint sensor or facial recognition. The biometric data isn't stored or sent to your app; it's just used to unlock the cryptographic key material. The operating system creates a key pair, storing the private key as a passkey to the password manager and returning the public key to your server. The passkey also includes metadata, including the username and the server domain, so that apps and websites know which passkey to ask for. The user can sign in in the same way by using the screen lock. A passkey authentication generates a signature, which the server then verifies using the saved public key. With public key cryptography, passkeys provide significantly stronger security than symmetric credential-based authentication. Passkeys created on Android are stored in the Google Password Manager, encrypted on device and synchronized across devices. Other companies have similar syncing capabilities for passkeys created on their operating systems. You can get started with passkeys at google slash passkeys. Now, let's look at how you can integrate passkeys into your service. For your web app, use the standard API called Web Authentication, or WebAuthn in short. Using WebAuthn, all major browsers support passkeys within 2023. Creating a passkey is required per website. To create a passkey on the browser, call navigator.credentials.create(). The sample code shows some key parameters you should provide. The RP ID indicates the domain the passkey is associated with. This prevents phishing. The user information is used to display the account selector when the user tries to sign in.
Setting requireResidentKey to true indicates it needs to work without the user entering a username. To let the user sign in with a passkey, call navigator.credentials.get(). Pass a challenge that's generated on the server, which prevents replay attacks. mediation: "conditional" allows the authentication to only be displayed if a passkey is found. You can also add a webauthn token to the autocomplete attribute on the HTML's username input field on the same page. When the user taps on the input field, the combination of the JavaScript and HTML allows the browser to display saved passkeys as part of the form autofill. This helps users transition seamlessly from password to passkey. For cross-device authentication using QR code, no additional code is required because the browser takes care of that for you. To learn more, check out my workshop "Learn how to implement passkeys with form autofill in a web app". There's also an accompanying codelab you can try without watching the video. To use passkeys on an Android app, we recommend using the Credential Manager library. It's supported on Android 9 and above. Before you play with the code, you need to associate the app with a web domain. You can do this by placing a JSON file, assetlinks.json, under the .well-known path of the web domain. This means you can share the same passkey between a web app and the Android app. To learn how to integrate passkeys on an Android app, check out "Reduce reliance on passwords in Android apps with passkey support". Passkeys are also supported on iOS and iPadOS 16 and above. To support passkeys on iOS and iPadOS, you have similar requirements to associate the app with a web domain. You can achieve that in the same way as Android by placing a JSON file called apple-app-site-association under the .well-known path of the web domain. To learn how to integrate passkeys on iOS or iPadOS, check out the "Meet passkeys" video from Apple.
Passkeys make your user's journey much simpler and safer, and we are eager for a day when we can delete those old passwords entirely. But it's not necessarily true for all users just yet. Despite a broad support of passkeys, there are users who use older operating systems or unsupported browsers. Users might be hesitant to jump on a new technology or just reluctant to try a new thing. For the time being, we expect developers will keep their old authentication methods until passkeys are more prevalent. And this is a good chance for you to revisit your existing authentication methods such as passwords, two-factor authentication, and identity federation. Let me show you what you can do to make your existing authentication methods better alongside your passkey rollout. We know passwords should be long, complex, and unique for each website, but users create weak passwords and reuse them across different websites. This makes their accounts vulnerable to hijacking attacks like phishing. Some users use a password manager like Google Password Manager, which is available by default on Chrome and Android, to protect themselves. It generates a strong password, autofills it to the right domains and apps, and synchronizes across devices. Ideally, users should rely on a password manager. And there's a few things your website can do to optimize itself for password managers just by tweaking the HTML. For example, on a sign-up form or a change password form, in the new password input field, pass a string "new-password" in an autocomplete attribute. This will make password managers more stably generate a strong password. You can learn more form best practices from the session "Build better forms". While password managers are useful, many users still don't use one and continue using a weak password. To help protect such users, supporting an additional authentication step is highly recommended. An additional user verification to a password is called two-factor authentication.
A typical second factor is an email, SMS, or an authentication app such as Google Authenticator, which we've just updated to support cloud synchronization. Generating a one-time password that expires in a short period makes account hijacks harder for attackers. If you choose SMS as a method for two-factor authentication, Android and Chrome can autofill the code for your users. Check out the video "SMS OTP form best practices" to learn how you can streamline the experience. Remember, these two-factor authentication methods are not as robust as passkeys, but much safer than just a password. Another great alternative that's better than passwords is identity federation. Identity federation is a way for websites to delegate all the authentication-related complexity and security challenges to identity providers. Users can sign in to your website just by tapping on the identity provider's sign-in button. For example, Sign in with Google delivers great conversions for developers, and users find it easier and preferable to password-based authentication. Identity federation is also complementary to passkeys. It's great for signing up, while passkeys are great for streamlining re-authentication. One thing to be aware of is that Chrome is phasing out third-party cookies in 2024. This may impact your identity federation system depending on how it's built. That's why we are working on the Federated Credential Management API, FedCM in short, that enables identity federation without third-party cookies. FedCM is shipped in Chrome. Mozilla is prototyping it in Firefox. Apple and Brave showed their support on this specification as well. Identity providers, such as PayPal and Times Internet, are working to implement this API. You can learn more and track progress at Google slash FedCM. In this video, you have learned why passkeys are simpler and safer than passwords. How to integrate passkeys into your web app, Android app, and iOS and iPadOS app.
Improving existing authentication options and how passkeys fit into the larger authentication story. Passkeys are ready for you to use today. I hope you'll start integrating them into your authentication system soon, and we'll continue improving passkey UX and compatibility. I'm sure passkeys will bring us to a much simpler and safer world without passwords. Thank you for watching.
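
The sign-in checks described in the talk (a server-generated challenge against replay, the RP ID and origin against phishing, a signature verified with the stored public key), written out as an added Node.js example that is not code from the talk or from Google. The domain shop.example, all function names and the fakeAssertion stand-in for an authenticator are constructed for illustration, and the server is assumed to hold the public key as a Node KeyObject.

```javascript
const crypto = require("crypto");

const RP_ID = "shop.example";           // constructed relying-party ID
const ORIGIN = "https://shop.example";  // the only origin this server accepts
const pending = new Set();              // challenges issued and not yet redeemed
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();

// Server: fresh random challenge for every sign-in attempt.
function issueChallenge() {
  const c = crypto.randomBytes(32).toString("base64url");
  pending.add(c);
  return c;
}

// Page: options for navigator.credentials.get(); the browser needs the
// challenge decoded from base64url to bytes before the call.
function requestOptions(challenge) {
  return { mediation: "conditional", publicKey: { challenge, rpId: RP_ID } };
}

// Server: returns "ok" or the reason the assertion is rejected.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  // A challenge is consumed on first sight, so a captured assertion cannot be replayed.
  if (!pending.delete(client.challenge)) return "unknown or reused challenge";
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.origin !== ORIGIN) return "wrong origin";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong rpId";
  // Flags byte: bit 0 = user present, bit 2 = user verified (screen lock).
  if ((authenticatorData[32] & 0x05) !== 0x05) return "user not verified";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for an authenticator so the example runs offline.
function fakeAssertion(privateKey, challenge, origin, rpId = RP_ID) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  // rpIdHash (32 bytes) | flags: user present + verified | 4-byte counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

// The key pair stands in for the passkey; the server keeps only publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const genuine = fakeAssertion(privateKey, issueChallenge(), ORIGIN);
console.log(verifyAssertion(genuine, publicKey)); // first use of the assertion
console.log(verifyAssertion(genuine, publicKey)); // the same assertion presented again
```

A production server would additionally look up the public key by credential ID and compare the signature counter with the stored value, which this example leaves out.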