OK, well, we can start it. So yeah, my name is Timothy Jacobs. I'm a software developer at StellarWP, where I lead development of the iThemes Security plugin. Alongside that, I'm also a WordPress core committer. So that means that I work and help work with the WordPress core project. And you can find me there on the REST API. So if you want to chat about any of those things in general, you can find me in the sponsor booth. We should have time for questions. I don't know exactly how long this is going to run. We'll see. But I hope we'll have time for questions. If we run out of time, you can find me anywhere: at the after party, or you can find me over in the sponsor section. But yeah, so we're going to, oops, I skipped like five slides. This is a mirror. So this is like a spoiler, spoiler, spoiler, spoiler, spoiler. Oh, no. OK, here we go. Forget what you saw. OK.

So yeah, the title of the talk is "Let's Kill the Password: Passkeys Are the Future of Authentication on the Web." So studies have shown that over 80% of all hacking-related breaches are attributed to password compromises. These are passwords that have been lost. Attackers have said, hey, how do we get any passwords that we want and use them to further dive into someone's system? And 80% of hacking-related breaches are attributed to passwords getting into the wrong hands.

So passwords suck. They're, like, horrible. No one likes using passwords. They're difficult. If you're doing it right, you have long, complex ones. But most people don't. They use weak passwords. They have reused passwords that they have on tons of different sites. And that's a huge, huge problem. Passwords get stolen. So if you have a password and you say, hey, I have this one password that I use all the time in every single service that I use. And one of those services gets hacked.
When your password gets hacked, the attackers say, OK, let's try this password at Chase and Bank of America, Facebook, and every other possible site that they could, to say, OK, what else can we do with these passwords that we've got? And passwords also suck because they're super susceptible to phishing. So phishing takes multiple different forms. But a lot of it is like, how can I get your password from you without you knowing that you're putting this into the attacker's hands?

And so we have these kind of different tools. I don't know how exactly you can see the screenshot of this. It's "correct horse battery staple"; you may have seen this xkcd. So, pick four random words for a password; coming up with 25 random characters and memorizing it is impossible. But I checked my 1Password account the other day, and I have 970 entries in there. I can't memorize four different words for 970 different accounts. So I don't exactly know how good this advice is.

So we've come up with this whole kind of methodology of, OK, we know passwords suck. So what can we do instead of passwords? How can we make this experience stronger? And for years now, we've had two-factor. And it's the strongest protection that we have available, basically, up until the last couple of months. It's been two-factor. But so if we look at adoption, we look at adoption, this is according to Microsoft's 2020 Cyber Signals report from last year. And they looked at all of their Azure directory accounts. And this is like enterprise accounts, where things actually matter. Only 22% of Active Directory installations for Microsoft had strong authentication, whether we're calling it two-factor, passwordless technologies, things like that. 22% in the enterprise space. This is the place where, like, you know, creds getting stolen matters. It's not just your Twitter account or something like that, where, OK, we really, really care.
According to a UK study across UK businesses from last year, only 37% of the businesses they surveyed had a policy in place for, hey, do we have accounts that mandate two-factor being set up? And I think there's probably, oh my god. I think there's probably a lot of different reasons why passwords have and why two-factor has taken a while to get off the ground, as you can say, and not really taken off in the enterprise. But I think one of them is probably that it's a very confusing user experience. You kind of get this code, you have to type this code. We try to make it a little bit better with an email, but it's not great. Oh my god.

And so I think probably one of these reasons is that, well, if we look at places where people voluntarily could use two-factor on their own, and there's very few businesses that actually publish what their numbers are. But Twitter is one of the ones that does, and only 2.6% of Twitter accounts have two-factor set up. So I think when we, as individuals, are just going about our day in our day-to-day lives, we think, hey, two-factor is really complicated, it's annoying, I don't want to use it. And some businesses are evaluating that, well, can we really effectively roll this out to everyone if they don't know how to use two-factor? It's complicated. It's not an easy process.

I selected a couple of tweets that I found here that are funny. The average American wastes 66 years of their life on two-factor authentication. Obviously, a bit over the top; it certainly feels that way. Despite its two-factor authentication feel like 17-factor authentication, you're checking in all these different sources. And this last one, two-factor has been one thing that I hate, everything was better and easier when we used only pure passwords. And I don't think that's good. I don't think that's unreasonable to feel that way, that, hey, this is a process that really sucks. I guess I intellectually understand this. It makes my account more secure.
I found this illustrated in a cool Bob article, a satirical take, but point-counterpoint: two-factor authentication is the only thing between me and hackers trying to ruin my life, versus, well, it's annoying to do. We've tried to say, oh, well, you have to use two-factor. You should use two-factor. If you're not using two-factor, you're at risk. And this kind of argument, while this is a humorous take on it, I think is kind of the general attitude that we've had as a security industry, to say, hey, you just should be using two-factor. If you're not, you're doing it wrong. And yeah, it's annoying, there's so much that sucks with it, deal with it.

The other problem here is that even when you have two-factor, you can still be susceptible to phishing. And I've mentioned phishing a couple of different times. And what do I mean by phishing? What I mean is tricking users into giving up their passwords. So you giving your password over to an attacker, to someone you don't mean to. This takes a lot of different forms. This is a clever one that I saw the other day, which is a pop-up. And so we all know, like, pop-ups are bad or whatever. But this is a pop-up where you kind of see it in the usual technique of, hey, I want to sign in with a Microsoft account. And a pop-up comes up that looks like the Microsoft account page, but that's not the Microsoft account page. It's not a real pop-up. It's a pop-up that is popped up in the browser window you're on. It says, hey, we know this is a Windows user. We know what browser they're using. So we're going to copy all of their styles. And it looks really, really good. You can actually play around with this. And if you don't pay extra close attention, it looks like you're actually interacting with login.microsoft or login.google.com or whatever. It looks like the actual Google page because they can steal all of that. It can get more scary, though. This is my favorite demo.
So what we usually say is, well, if we're going to be phished, look for key clues and indicators that this site isn't who you think it is. Maybe they spelled something wrong. Or, if I have two-factor on, my site's protected. This is what looks like a real Microsoft account, the real Microsoft login process, everything. And it actually is. When this user is entering in their information, they're entering it into what is the pixel-perfect copy of Microsoft's login system. The only thing that's changed is the domain name. Essentially, the attacker is using this cool tool called Evilginx that sits between the attacker-controlled site and Microsoft. And they say, OK, you input your two-factor. You go to your email and password. We'll send it over to Microsoft. And Microsoft says, hey, give me your two-factor code. And the attacker says, OK, we want your two-factor code. And they send you back the exact page that Microsoft sent in. But the only difference was that they got to see everything that happened in between.

So even if you're super vigilant and looking like, OK, is this actually behaving correctly? I have two-factor set up. I have all the extra tools available. If you're not 100% vigilant, then the attacker is going to win. And they only have to succeed once. Once you type in your password into an attacker-controlled account, that's kind of game. They have your password. Now you have to change it, figure out are there any other things that they got into. Particularly if there's something like your email, where they get into your email account, they can pivot that access to having tons and tons of other sites. So we have to be vigilant every single time. But attackers only need to succeed once.

So we kind of came up with, and this might be for a lot of y'all that use Slack in business environments, it's kind of been one of the first times you've seen it, this kind of passwordless login experience. And this lets us skip passwords. It lets us skip two-factor.
We have a simpler user experience. We get an email. We have a code. We type in the code. And that's kind of all we need to know. The problem is email is still kind of slow. I don't know how many times I've waited five minutes for a magic link that's telling me, oh, sign into your account instantly, while I'm checking my email and checking my email and checking my email. I'm trying to log in instantly to interact with someone's product. And that's not a great user experience.

Another problem is that while these are kind of phishing-resistant, they're not perfect. So this is a screenshot. This is one of the slides that I added as I was up on the train. And I was going from New York City over to Buffalo. And when I was logging into LinkedIn, for some unknown reason, you can see the approximate location that's all the way down at the bottom that's trying to tell me, hey, was this really you who logged in? That says the approximate location of that person was Philadelphia. I knew I wasn't in Philadelphia when I got that email. I was somewhere in upstate New York. But this location safety thing that's trying to say, hey, be super careful. Maybe this is an attacker. I'm sure if that said Russia, I may feel like, OK, this is a sign that I shouldn't click on this link. But so often, we can't pay attention to these warnings if you haven't even seen them in the first place. The tiniest point of the text is like 15 paragraphs down from the "Sign in to LinkedIn." And that's what's meant to protect me, to say, hey, make sure you don't click this link accidentally.

So in come passkeys. And so this is the five-second demo video of me logging in to Google now with a passkey. And that was the entire login experience. I clicked the button and I logged in. Let's see if we can replay that, because it is very simple. And it's kind of hard to almost take in that this is the most secure possible login. I didn't have to type in a password. I didn't have to type in a two-factor code.
I didn't have to do anything. All I needed to do was click a button saying, hey, do you want to log in? Log in.

So what are passkeys? Passkeys are another way to authenticate with a site that you want to connect with. You don't have to use passwords. You don't have to do two-factor authentication. It's really a one-click login. In this example, I'm clicking log in and putting my face on my phone. It's authenticating with me and I'm into my site. And it's phishing-proof. Phishing-proof is the phrase that Apple used when they were discussing this. But it makes me a little more comfortable to say this is phishing-proof. But it's actually phishing-proof, and we'll kind of get into why in a second.

So passkeys are, you may have heard of this in another name, which is called WebAuthn. So if you've heard of this developing over the past few years, it's been in progress for six years as part of FIDO, which is this standards organization that comes up with all these different ways that we can improve the web. And the important thing is that it's backed by Apple, Google, and Microsoft. This isn't just, hey, here's a little thing that is just from some little company over to the side that's saying, hey, use us. This is something that has been backed by the major players. And at this point it's now supported by all major browsers. If you're on the latest macOS, the latest Safari, the latest iOS, latest Windows, all that stuff, latest Android, you now have access to passkeys. And a big thing here is, yeah, those methods are showing you the different pages.

So the big thing is how they work is using something called public key cryptography. This is something that you don't really have to understand, and we're not gonna get into, like, here's the 10,000 pages on how public key cryptography works. But this is something that you're already using every day. It's in the technology for SSL, HTTPS, that kind of stuff, keeping your site safe if you're accepting online payments.
Or really, if you just have a blog, you should be using HTTPS. It's for software updates. So any time you download a new version of your operating system on your phone, your phone's checking to make sure that that is built by the people that the phone thinks it was built by, and it's keeping you safe. And so we don't really think about how those technologies work. And it's the same thing here for passkeys. All of this is happening in the background. You don't need to know what public key cryptography is. But we're gonna add a little bit more into it for a second.

So this is kind of the flow for registering and creating new passkeys. And the way this works is I say to my site that I wanna visit, hey, I wanna create a new account. And the website replies back, send me a public key. So my phone, for me, I don't need to do anything. I just say, okay, I wanna log in, I wanna create my account. Here it's gonna create this passkey for me in the background. And it's gonna send this public key up into the cloud and into the website that I'm connecting with. And in process, in practice, this is what that process looks like. So this is me creating a passkey for Google. So I've already logged into my account. I say, hey, I wanna create a passkey. I create my passkey and I'm done. That's it, that's my entire process. I now have a passkey that I've created. It means the next time that I wanna log into Google, I can do it with one click.

And so how does that login process work? So again, it's a kind of similar flow. I ask this website, hey, it's me, I wanna sign in. But it needs a little bit more proof. So it asks me to sign this random bit of information with that key that we generated earlier. It says, okay, is this signature that you signed, does it look good? If it does, they let you in. And so what this means is that there's no private or sensitive information that is being passed along here.
The only thing that is happening is happening on your device, and it's completely private. And again, in process, this is what that looks like. I say, hey, I wanna log in. I hit the login button and I say I'm good. And I'm logging in using a passkey.

So to kind of summarize that process, your passkey, what that actually is, is a public-private key pair. And your device, your phone, your computer, your tablet, your watch, that's what keeps your private key safe. You don't need to memorize that, remember it like a password. There's nothing for you to do. Your device is taking care of everything for you. Your device oftentimes will guard that. So if you're using a kind of more modern device that has a Touch ID or a Face ID sensor, it uses those biometrics to protect that private key. But those biometrics are never sent to that website. That's all just happening in your device to say, hey, we have this private key. I wanna make sure, as your iPhone or as your Mac or as your Google phone, that, okay, that's really you. And so it checks your biometrics. So that's a kind of concern that people have: am I sending my face to Google when I log in like this? Absolutely not.

The website then receives your public key. And whenever you need to log in, the site asks you to sign a challenge with your private key. The private key that is being kept safe by your phone. You don't have to do anything. It all happens in the background. So the big win here with passkeys is that no personal information leaves your device. This means that account takeovers and phishing are way less possible. There's nothing for an attacker to steal. If we saw what we actually sent, if we look back at public slides, all we sent to the site we're trying to sign in with is our public key. There's no sensitive information about us. There's nothing private. There's nothing that, even if they stole those public keys, you can do anything with, because they're public keys.
So the fact that an attacker was able to steal that information doesn't even matter even if you have a board to hack. The big thing here is that you can't be tricked into giving up your password. So if you look at these screenshots here, if you're paying super close attention to some of those videos, you may have seen in these sign-on prompts that we have this like text to this. It says, hey, are you sure you want to sign in to secure that test as an admin? Or into Google as team.exe.btj.com is my email. If you want to sign in, and if you look at that you might say, oh, is this the only thing that's keeping me safe? Is the fact that I have to look at this text and make sure I'm not signing into somewhere malicious? The answer though is no. All of these different prompts, they say, hey, just so you're aware, this is where you are going to log into, but it's not possible for them to log into an account that you don't know about. They can't say, hey, we're trying to be Gmail. And you just have to be super vigilant and say, oh my God, am I sure I'm logging into Gmail? I think it's Gmail, but the domain name was like a million characters long, I don't know. Your device won't let you give it up unless you're actually authenticating with a site that you authenticated with before. So there's no way for someone to send you a link that says, this is really me, gmail.com, and you get tricked and now your Gmail password's gone. Your device is doing all of the hard work, and that's the way it looks like with Microsoft.

So there are two kinds of passkeys, and there's kind of like the geeky option and the option that everyone else is gonna use. We've had this geeky option, which are roaming authenticators. These are separate hardware devices; they connect over Bluetooth or USB or NFC, things like that. So those are these like YubiKeys and Titan keys. You may have seen people use them before, that they carry them around with them and they plug them into the computer and they light up.
And that's what kind of WebAuthn had been like for years and years and years. But the new advancement are these platform authenticators. And these are things that are built into your computer, they're built into your smartphone. They're often protected by biometrics, and they're just available for you, that everyone can use, and they're available now. This is the browser support. Basically, if you're using a modern browser or a modern operating system, you have support for this. If you're a Linux user, you've gotta go with the more geeky route, but for the platform authenticators, they're supported everywhere basically. So you have this technology now.

How passkeys work are kind of different in different environments. So I'm gonna take a kind of 10,000, excuse me, 10,000-foot overview at these different platforms. For Apple, passkeys are stored in your iCloud account. So this means they automatically get synced across all your devices. If you sign into an account and create an account on your iPhone, you'll be able to log in on your iPad, on your MacBook, without doing any work whatsoever. They all just get synced into your iCloud account. In this experience, they work best with Safari right now. Safari's kind of like, you know, the main browser that Apple's like, yeah, use this with. So it's where passkeys are best integrated for if you're in the macOS experience, but there are other options. You can also share passkeys with AirDrop. So if you're thinking, hey, sometimes I give someone else my password, how can I share with you right now? So if you do have a scenario and you need to give someone else access to your account, this is built in. You can just share your passkey with AirDrop, and they'll be able to log in on that site, and they don't need to learn a password or anything like that either.

In Google, passkeys are stored in Google Password Manager and they're synced across all your devices.
So again, if you log in on your Android phone and then you want to use the desktop Google Chrome on your Mac or on your PC, you can do that without any trouble. This is kind of what that flow looks like. And again, for Google, it works best in Chrome; it's kind of two different ecosystems there, basically.

In Windows, Windows is sort of a little bit different. It's managed by Windows Hello. So Windows has kind of their own Windows Hello security system that's been built in for a long time. Your passkey right now in Windows is stored on your device itself. So if you create a passkey on your Windows tablet, you won't be able to, well, I think I'm gonna say Windows phone. If you still have a Windows phone, congratulations. If you have a computer, a third Windows computer, you wouldn't be able to use that right now. Cross-device sync is something that Microsoft has said is gonna be coming soon to Windows natively. But for now, I'm gonna say use Google Chrome for the best support, and you can sync it with Google Chrome's Password Manager, which you might already be using.

So what about multi-platform families? So I'm more in the Apple ecosystem, but some people have an Android phone and a Mac device, or an Apple phone and a Windows computer. How does that work? So browsers support using a passkey from a nearby device. So what this means is this is kind of the login flow where I'm logging into, let's say, my desktop computer and I'm logging in using Google Chrome, and then with my iPhone, I'm signing in. So what's happening here is I'm saying, okay, I wanna log in. I don't have my passkey built into this computer. So I said, Google Chrome's gonna say, okay, how do we know it's you? What they're gonna do is they're gonna present this little pop-up that says, hey, scan this with your phone. My phone has the passkey.
And so when I scan that QR code, my phone talks to the computer over Bluetooth, actually, and they say, okay, we agree that this is the right person, send the information up into the server, and you get logged in. So this means that you can use whatever ecosystem you want to.

The other thing though is that user accounts can have multiple passkeys. So if we saw back earlier, I had an iCloud passkey that was stored for my Google account, but you could also create a passkey for your Android phone, for your Chrome device, you know, as many of them as you want. So if you're not in a scenario where, hey, my Apple passkeys sync perfectly with my Windows computer, you can create a passkey for both of them, and the first time you do that, you can kind of use this flow.

So here's another example of what this looks like in the Microsoft Windows ecosystem. So this is a Windows computer, and I cut out the audio from this, but they're talking about how they're putting up a prompt to say, okay, I want to make sure they want to log in. You get a nice little QR code, and then with your phone, you can scan that QR code. Just speed this video up. And we're signing in at summer, then you can click the continue button, there we go. And we've now logged into that site. And so this experience is implemented with all of the different implementations, basically. So this is the same experience, but doing this with a Google phone and a Google Chrome device. They all have these options built in that say, hey, we know that you're not always gonna have a passkey with you, let's say you're traveling, you wanna use a work computer, or you wanna use the computer in the hotel room, things like that. It actually kind of has a better experience.
Previously, if you're saying, okay, well, I've got a 24-character random password that I have in 1Password, maybe I'm gonna open it up in my phone and type out all 24 characters, and that's the thing that I can do now is just point my phone at it with a pre-picture.

So where can you use passkeys? This was the cool news that I woke up to a couple of days ago for World Password Day, is that Google has announced support for Google accounts themselves to actually support passkeys. So right now, if you use a Google account, you can go to your Google account center and say, hey, I wanna set up a passkey, you can try it out today, right now. There are also a bunch of other services that are using it. Some popular ones are Microsoft, PayPal, and eBay also have support for it, and WordPress has support for it as well. Over on the bottom there, there's a link, I'll post the slides for these online, called passkeys.directory, and this is basically a directory of all the sites that they know about, it's actually sponsored by 1Password, that are keeping track of, here are the places where you can use passkeys. So if you're like, okay, is my service up there? Are they supporting it yet? You can go on to the site and check it out.

So if you do wanna use this in WordPress, you've got a couple of different options. iThemes Security Pro, which is the plugin that I work on, we've supported passkeys now for, I think we were the first ones to do it, we launched support for it in September. There's also a couple of other plugins: WP-WebAuthn should let you do this, as well as Passwordless WP.

So if you're thinking, why should I adopt this now? Could you just move back to that screen? Yeah, we'll get back to it in a second. So if you're thinking, why do I wanna adopt passkeys now, they're way faster to use than passwords and two-factor. As I've shown you, you open up your phone, you click okay, I wanna sign in, and you're there.
You don't need to type in your long password, you don't need to type in a separate two-factor code. If you've got clients, you can help keep your clients secure. As kind of more technical folks, oftentimes we're the ones with the best security on the WordPress site that we're logging into. But then maybe your client, you're in a meeting with them and you see them typing their password and it sticks here. If there's a no, oh my God, this is ridiculous. Your site's gonna get hacked. You can help keep your clients secure by teaching them how to adopt passkeys. You can also be on the forefront of new technology. This is kind of new tech. And so if your clients are asking you, hey, they're coming to you, what's the best advice for tech on my WordPress site? I hear about all these WordPress sites getting hacked. You can tell them, hey, here's this new technology that I learned about that Google is adopting, and everyone is adopting. And that was the time that you can try it on your WordPress site too.

So is the password dead? Well, not yet, but we're getting there. We're close. Until then, keep using strong passwords, set up two-factor whenever it's available. If you aren't already using a password manager, you might be without knowing it. They're built into all of our devices now. Google Chrome has them, Apple has them. But if you aren't using passwords, and you're writing them down or kind of keep one in your head for every single site, start using a password manager.

That's me. I'm Timothy Jacobs. I'm a lead developer at iThemes Security. Like I mentioned, I'm a WordPress core committer and organizer of the WordPress New York City Meetup Group. You can find more about me at timethedjacobs.com or find out about iThemes Security over at iThemes.com/security. So open up to any questions. Or you can also give me a call.

Yeah. I'm still wrapping my head around it. Yeah, it's a lot.
Do you still have passwords for these, you know, the very complex ones, but now you don't have to punch them in?

Exactly. So right now, that's kind of the, are we there yet? Not yet. So most of these accounts, Google, if you go there, they'll say, hey, you want to set up a passkey, and you can. But you still have a password for your account. Microsoft, they're actually the pioneers in this. You've been able to remove your password from your Microsoft account for like two years or so. So this is kind of the first step, which is, let's get people using passkeys, but you still need to create a strong password for now. But in a couple of years, hopefully the idea is everyone uses passkeys, it's adopted everywhere. You don't have to use passwords anymore. And accounts can say, okay, you don't need to set up a password if you don't want to. So that's kind of the long term of that.

And one other thing. So one thing we do often as people who take care of other people's sites is, can you create an account for me? And how do you get that information? Like, you're still creating a user account for somebody in WordPress. You still have a password, but then that person on their device, the user then actually sets this up.

Yeah, so this is kind of like the tricky flow. And it's one of the things that we do, and the way we handle this with iThemes Security is that we've had passwordless login support since before passkeys were a thing. Passkeys were kind of the new feature that we added a couple of months ago. So the way that I see this kind of approaching is that the first time someone is setting up their account, they're going to get an email and say, okay, hey, we wanna make sure that your email address is real, et cetera. And that gets them in the same way that they could receive, let's say, a password reset email. But once they log in for the first time, then we can prompt them to set up a passkey.
So when you're setting up an account for someone, you're still gonna need them to enter an email address or something like that. But when they get a welcome email, it'll be, hey, welcome to mysite.com, we see you've logged in, let's set up a passkey so you can get in next time. So I think that's kind of how the flow is gonna work, is that as we get into this, there's gonna be kind of a partnership between passkeys and also an email-based login. But the first time that happens, hopefully it's not, hey, I need to be waiting for this email all the time so I just tried to sign in and all that kind of stuff. So that's kind of how I see that flow. Yeah.

Well, how does it feel to lose your device?

Great question. So what if I lose my device? So platforms sync passkeys across all of your devices. So the big thing is that if I lose my iPhone, my passkey is in my MacBook, it's in my iMac at home, it's in all of those different places. But also all of these different platforms, they have account recovery options. So if I go to Apple and I say, hey, I lost my iPhone and I lost my Mac and I lost my watch and everything's gone, which I do, they usually have different account recovery options, and some of those are, hey, they give you a code that you should store with your birth certificate type of things. So those are kind of your options there. Again, like they talk about, you can have multiple passkeys. So if you have different ecosystems, you can create multiple of them. If you are one of the people who is like really techy and wants to use it, you can use a YubiKey, for instance, and say, hey, I'm gonna put my passkey over there and save it. But basically you shouldn't really need to, but the different services that you're already thinking, hey, if I lose access to everything, how do I get access to those other passwords? It's a similar kind of system, use their account recovery procedure, stuff like that.
But the big thing is that you wanna make sure that you're using a passkey ecosystem where it's not just on your phone, that it's synced to the web, it's synced across all of my devices. So that's kind of like the big takeaway. Until we get to the point where we're talking about, we're like, okay, everything's gone, you can still have passwords. So that's kind of your back and back and back and back. Does that make sense? Yeah, I have a couple of frequently asked questions. Any others, yes?
Yeah, so I'm trying to understand the linking between the identity and the password login. So obviously, so when you set up with either Google or Apple, for example, does that get, when you go then login, one of those is always gonna send, for example, Google, the Google, for the username part. So you're gonna send an email address of that, or like in the WordPress case, is it, once you get through that provisioning flow, has the WordPress thing sort of set up its own version with whatever username you use in WordPress? I guess, could you use a different, could you use the Google passkey and then have a different email login for?
It's a great question. So the biggest analog that we have currently, I think is like social login, right? We're like, hey, I have a Gmail account, so any single time I wanna sign in, somewhere I'm gonna look for the sign in with Google account. Passkeys are completely different. So the ecosystem that you live in doesn't really matter from the service perspective. When I create a new passkey, this is like, it's a simplified version, but it's literally the steps. So the only thing that I'm sending to WordPress, let's say, is this public key that my device generated. They don't know that I'm a Google user or an Apple user, that I have a Gmail account or any of that. You don't have to say, hey, I need to make sure that I'm doing this in my work Gmail or my personal Gmail or anything like that.
You type in the email address that you'd wanna type in with and say, hey, I wanna register as this user, and then you say, okay, I'm gonna use my device to create a passkey. The actual ecosystem that you're a part of doesn't matter, and it's kind of what's the cool thing from a privacy perspective. If you were using like sign in with Google, Google has all the sites that you're signing in with, but now, really, they don't know anything. Does that make sense?
Yeah, yeah, so when you go to WordPress, there's still gonna be a prompt that's typing your username, but just no password box. Exactly, you don't have a password box, so you're still saying, this is who I am. Exactly. But then, and then all the other stuff you have to move back on.
So there's also an even cooler option that you don't need to type in your username. You just say, hey, I wanna type in my, I wanna use a passkey. And your device knows, okay, these are all the passkeys that we have for this site. And it'll actually prompt you if you have, let's say, for my testing account, I have like 15 different WordPress users that I've created passkeys for, and I'll say, hey, which of these 15 users do you wanna sign into this WordPress site? But then I get to pick one. If you only have one, it'll just do it for you. So you don't even need to enter your username, and in the future, you're gonna not have, you could have a completely username-less option, so if you don't wanna collect someone's email address, you wouldn't have to.