
Biometric Authentication with FusionAuth
Episode Description
JavaScript Jam Live explores WebAuthn biometric authentication for web apps with FusionAuth's Dan Moore, plus a lively GPT-3 sidebar discussion.
Episode Summary
This JavaScript Jam Live episode features Dan Moore, head of DevRel at FusionAuth, explaining WebAuthn—a web standard for passwordless biometric authentication that ties browser JavaScript APIs to hardware authenticators like Touch ID, Face ID, and YubiKeys. Dan breaks down how WebAuthn uses public-private key cryptography, where the authenticator stores the private key and the server only holds the public key, eliminating the need for password hashing and removing centralized password databases as attack targets. The conversation covers how FusionAuth operates as an authorization server supporting OAuth, OIDC, SAML, and SSO, with deployment options ranging from self-hosted Docker containers to managed cloud. A significant tangent emerges around ChatGPT and GPT-3, with panelists sharing experiments building Slack bots, generating React components, and testing the AI's knowledge of JavaScript frameworks. The discussion returns to practical auth architecture, with Dan arguing that dedicated auth servers make sense once applications multiply beyond one, comparing auth to databases and message queues as infrastructure worth externalizing. Anthony Campolo discusses potential integration between FusionAuth and the Redwood framework, and the group debates serverless deployment, cloud provider experiences, and the importance of not rolling your own authentication. Dan closes by challenging listeners to try passkey-based login on services like GitHub.
Chapters
00:00:00 - Introduction and Biometric Authentication Excitement
Scott Steinlage opens JavaScript Jam Live, welcoming listeners and introducing the day's topic: biometric authentication for web applications. He reflects on how futuristic the technology feels, recalling childhood fascinations with fingerprint-scanning locks and noting how far things have come with Face ID and Touch ID on consumer devices.
Anthony Campolo joins as the newly official co-host, and the pair set the stage for guest Dan Moore from FusionAuth. Scott encourages audience participation and establishes the show's goal of creating accessible thought leadership around web development topics for developers of all experience levels.
00:04:29 - WebAuthn Fundamentals and Key Concepts
Dan Moore introduces WebAuthn as a web standard that connects browser JavaScript APIs to hardware authenticators through the CTAP2 protocol. He explains the two core ceremonies—registration, which associates a hardware device with a server-side account, and authentication, which verifies the user on subsequent logins. Key terminology like "authenticator" and "ceremony" is defined for the developer audience.
The conversation moves into how WebAuthn relates to FusionAuth's identity provider platform. Dan explains that while the registration and authentication flows are well standardized through the FIDO and W3C collaboration, significant implementation work remains around credential storage, user prompting, and session management—areas where an auth provider handles the complexity so developers don't have to.
00:09:30 - Public-Private Key Security and Password Elimination
Dan explains how WebAuthn's security model works through public-private key cryptography, where the authenticator stores the private key and the server only needs the public key. This eliminates the need for password salting and hashing because a stolen public key is useless to attackers, removing the risk of centralized password database breaches.
Anthony connects this to his experience in Web3 security, and the discussion touches on how WebAuthn can serve as either a first-factor replacement for passwords or as a multi-factor authentication method alongside existing login flows. Dan emphasizes that the standard is flexible—developers choose how to integrate it based on their application's security requirements, while users choose their preferred authentication method on their device.
00:14:06 - FusionAuth Business Model and Deployment Options
The group discusses FusionAuth's pricing structure, including its free tier and the fact that WebAuthn is a paid feature. Dan explains the dual deployment model: cloud-hosted instances where FusionAuth has visibility into usage, and self-hosted options via Docker, Homebrew, and package managers where usage is invisible to the company. This creates challenges in measuring total adoption.
A community member named Bro Nifty joins to discuss the open-core model and how self-hosting benefits both small developers and large enterprises with regulatory requirements. Dan responds by explaining when developers should use an auth library versus a dedicated auth server, arguing that the tipping point comes when you have multiple applications needing centralized identity management rather than just a single app.
00:26:57 - Auth as Infrastructure and Centralized Identity
Dan makes the case that authentication is becoming a specialized infrastructure component, similar to databases and message queues, that should be externalized from application code. He argues that login is undifferentiated functionality—no user celebrates a great login experience, they just want to reach the application's actual features—making it ideal for a dedicated solution.
The conversation explores how even a simple SaaS product quickly accumulates multiple applications needing auth: the core app, a forum, a support system, and employee tools. Dan credits Auth0 with pioneering this centralized identity approach in the 2010s and notes the current explosion of auth providers serving this need, positioning FusionAuth as one of many viable options.
00:29:54 - GPT-3 and ChatGPT Sidebar
The conversation takes a lively detour into GPT-3 and ChatGPT, with panelists sharing experiments. Dan mentions using GPT-3 to write content for his side project, while Anthony tested it on JavaScript framework knowledge and found it couldn't identify Remix due to the generic name and training data cutoff. Daniel from the audience shares building a Slack bot using GPT-3's API with minimal code modifications.
Jason demonstrates asking ChatGPT to explain WebAuthn with developer-level framing and describes iteratively building a React form component through conversational prompts. The group discusses prompt engineering as a skill, comparing it to knowing the right Google search terms, and briefly touches on the legal implications of AI-generated code before steering back to the main topic.
00:39:55 - SSO, OAuth, and Enterprise Integration
Scott asks about SSO capabilities, and Dan explains FusionAuth's support for social providers like Google, Facebook, and Twitter on the free tier, plus SAML and OIDC for enterprise integrations with Azure AD and Okta. He walks through the redirect flow where a user visits an application, gets sent to FusionAuth, potentially bounces to an external identity provider, and returns with authenticated tokens.
Anthony asks how FusionAuth relates to OAuth, and Dan clarifies that FusionAuth serves as the authorization server in the OAuth architecture, authenticating users and generating tokens that client applications can examine to determine identity and permissions. The discussion naturally transitions into potential integration with the Redwood framework's existing auth provider abstraction layer.
00:46:04 - WebAuthn Security Deep Dive and Audience Q&A
Yousef from the audience asks about biometric data integrity, prompting Dan to walk through the full WebAuthn authentication flow in detail: the server sends a challenge with a one-time code, the browser validates the hostname and HTTPS, the operating system passes it to the authenticator, and the user approves with their biometric. Critically, the website never receives fingerprint data or facial geometry—only a signed response.
Jason summarizes the public-private key foundation, and Dan adds nuance about the user experience challenge of lost devices. He explains that the upcoming third version of WebAuthn aims to address passkey portability between devices, with Apple and Google working on standardized solutions to replace their current proprietary approaches like iCloud Keychain.
00:52:01 - Password Managers, Two-Factor Auth, and Security Practices
The group shares personal experiences with biometric authentication and password managers. The LastPass breach comes up as a cautionary tale about centralized password storage, and Daniel makes the important point that storing two-factor authentication codes in the same password manager defeats the purpose of having a second factor.
Anthony and Daniel discuss practical strategies like keeping unique passwords, exporting password vaults as backups, and maintaining separate two-factor authentication apps. Dan expresses frustration at users who combine password storage and two-factor in one app, and the group agrees that password managers should warn users against this practice.
00:57:09 - Frontend SDKs, Framework Integrations, and React
Anthony asks about FusionAuth's frontend story, and Dan reveals the company is developing a React SDK as its first step into the JavaScript ecosystem. He acknowledges that as a backend-focused company, creating something frontend developers will enjoy is a stretch, and he welcomes community feedback once it launches.
The discussion expands into how Redwood handles auth provider integrations through a normalized API abstraction, with Anthony explaining that companies often contribute their own integrations via pull requests. Dan expresses interest in building a FusionAuth integration for Redwood, and the two agree to collaborate, demonstrating the kind of open ecosystem partnership that benefits developer communities.
01:04:00 - Technology Stack, Serverless Debate, and Cloud Platforms
Daniel asks about FusionAuth's community adoption, and Dan reveals strong usage from .NET, TypeScript, Python, and Java developers. Anthony asks whether FusionAuth could run serverless, sparking a debate about Lambda deployment. Anthony shares Redwood's cautionary tale of building around serverless Lambda architecture only to discover its limitations and having to retrofit server support.
The conversation broadens into a philosophical discussion about monoliths versus serverless, with Daniel and Dan both advocating for pragmatic architecture choices. Dan shares his experience running a Rails monolith since 2016 and discusses why FusionAuth chose Java, explaining it was the right tool when development started around 2006-2007 and that rewriting would be wasteful when users interact through language-agnostic APIs.
01:15:03 - Developer Experience, Documentation, and Community
Anthony asks about FusionAuth's onboarding experience, and Dan describes their product-led growth approach where developers self-filter through free downloads and documentation before ever contacting sales. He highlights the five-minute Node.js quickstart as a key entry point, despite its minimal visual design.
The conversation turns to community platforms, with Dan explaining his preference for forums over chat-based tools due to discoverability. Anthony advocates for Discord while acknowledging Slack's limitations for community use. Dan shares that FusionAuth maintains a forum, Slack, and active GitHub presence for tracking development and engaging with users.
01:22:19 - Closing Thoughts and the WebAuthn Challenge
Anthony shares a story from his coding bootcamp where every team project broke at the authentication layer, reinforcing Dan's argument that auth should be delegated to specialized solutions. Dan emphasizes that building custom auth is risky because even experienced framework authors have shipped security vulnerabilities, citing a recent Redwood self-hosted auth patch.
Dan closes with a challenge: try passkey-based biometric login on services like GitHub and NPM to experience the improved speed and security firsthand. Scott raises a thoughtful question about whether non-technical users will trust biometric web authentication, leaving it as an open discussion point. The hosts thank Dan and encourage listeners to follow both the guest and JavaScript Jam for future content.
Transcript
00:00:00 - Scott Steinlage
Welcome to JavaScript Jam Live. What's up, y'all? Jason, thanks for joining us, man, as always. Super excited for today. Yes, we're going to be speaking with Dan Moore here. He should be joining us very shortly. There's Anthony and Matt. Get Anthony up here. Oh, there's the co-host. Invite Anthony. Official. Oh, there's Dan. Let's get him up here to speak. Hello. All right, guys, you know how Twitter Spaces is — it's super delayed, but look at that, they're up here. All right, very good. Dan is soon to join. I'll send another invite to speak there just in case it didn't go through. Welcome, y'all, to JavaScript Jam Live. It is Wednesday. It's 12 p.m. Pacific Standard Time, 12:02 to be exact. Looking forward to everything we have coming up here. This is some really cool tech we're going to be talking about today. Biometric authentication for web apps — I mean, this is the kind of stuff that, I don't know about you guys, but if you're techy like myself, when you're younger — I don't know, teenage years, maybe even before that — I was always thinking of these cool futuristic things, and this makes me think of that stuff.
00:01:45 - Scott Steinlage
I don't know why, but maybe it's just me. I mean, we already have bio stuff, like fingerprints for getting into your phone and things like that, and facial recognition and blah, blah, blah. But I don't know — I think I used to have this lock when I was a kid, and the lock would scan your fingerprint, and that was super dope back then. So for this to be working with web apps is really cool. It just is.
00:02:19 - Anthony Campolo
Yeah, I feel like I didn't really think about it until I started seeing it on MacBooks and things like that. Aside from that, I've been fingerprinted before, but never used biometric fingerprinting.
00:02:30 - Scott Steinlage
Yeah, it's awesome. So I'm really excited to hear more about this. Hey, everyone. What's up, Dan? Thanks for joining us, man. I'm just going to do a quick intro and then we'll get rolling. Thank you all for joining us. Like I said, if you're new here, or even if you're new to development or you've been doing development for a long time, it doesn't matter. We'd love to hear from everybody. So if you're in the audience and you'd love to come up and state your opinion, ask a question, whatever it might be, please request to speak. I'll bring you up here. We want to get as much participation as possible, because really it's about you guys. It's about giving as much value as possible and creating thought leadership around all these different topics — web development and JavaScript. So here is Dan Moore. And real quick, before Dan begins to talk, I do want to introduce you.
00:03:41 - Scott Steinlage
Well, if you don't know him already, then you haven't been around. But hey, this is our co-host, Anthony. Thank you so much for joining us, Anthony. So excited, man, to be sitting here with you, co-hosting this show. Really cool that we get to be doing this together today and in the future. So really excited for that.
00:04:07 - Anthony Campolo
Yeah, I feel like I've been a co-host for a while. Pretty much just now it's official.
00:04:11 - Scott Steinlage
It's official. Official, yeah, for sure. I see it under your name. It says co-host there.
00:04:17 - Dan Moore
It does.
00:04:17 - Anthony Campolo
I have the power to mute you.
00:04:20 - Scott Steinlage
Yes, do it. Okay. All right, Dan, thanks for joining us, man. What's up?
00:04:29 - Dan Moore
Yeah, thanks so much for having me. I'm looking forward to chatting about biometrics and WebAuthn and anything else that we cover today.
00:04:38 - Scott Steinlage
Awesome. Very excited. Anthony, I know that you've been actually digging into WebAuthn a bit here, so maybe you might have some good ways to start this conversation off.
00:04:52 - Anthony Campolo
Yeah, I mean, with a topic like this, cryptography and security is its own world unto itself. So I would be curious to first get some broad terms that you think describe it, and then we can get more into the nitty-gritty, like implementations and stuff like that. But I know it's a web standard for auth, which is something that's been tricky historically.
00:05:18 - Dan Moore
Sure, yeah. And just so I level set, is the audience mostly developers? Because there are consumer-facing terms and dev-facing terms, so dev-facing terms are fine.
00:05:31 - Scott Steinlage
Great, great.
00:05:32 - Anthony Campolo
Yeah. I mean, when in doubt, explain, but people should be able to keep up with you.
00:05:37 - Dan Moore
Yeah, no worries. Okay, so WebAuthn is a way of, as you mentioned, authenticating people on the web. What it does is it ties some other standards to the browser and therefore, via a JavaScript API, to your website. That other standard is called CTAP or CTAP2, and that is what actually talks to your Touch ID, your Face ID, whatever else. So as a web dev, you get the power of these hardware authentication processes without having to do anything other than call JavaScript. At a high level, there are two big pieces. There's the registration of that hardware device, which basically says, hey, I'm associating this hardware device with my account — where the account is something managed by the web server. And then there's authentication, which happens many times. They're two distinct things. WebAuthn calls them ceremonies, which is kind of fancy for saying a flow. So if you see everyone talking about WebAuthn ceremonies, that's what they mean. The other piece of jargon that might be helpful: that piece of hardware I mentioned — Touch ID, Face ID, et cetera — is called an authenticator.
00:07:02 - Dan Moore
So a YubiKey is also an authenticator.
00:07:05 - Anthony Campolo
Yeah, I saw that this was actually part of the FIDO project and they created YubiKeys. I had a YubiKey many, many years ago because Google sold me one at a certain point, like, you should use this, it's a little bit more secure. And so this isn't for passwords?
00:07:22 - Dan Moore
Correct. I mean, it is the same way that a magic link is a replacement for a password, right? Because by owning the email inbox or the phone the SMS link goes to, you're proving your identity. Here it's having the fingerprint or having the YubiKey or having the facial recognition that proves who you are. So it's a passwordless means of authentication.
00:07:54 - Anthony Campolo
Okay, yeah, that made a lot of sense to me. If anyone has any questions, feel free. But then the next logical question is: how does that fit into FusionAuth?
00:08:04 - Dan Moore
Sure. And this is not an ad for FusionAuth, so I don't want to rep it too hard, but we actually recently... We are an identity provider, similar to Auth0 or Firebase Auth or Cognito, some of your listeners might use. We recently implemented WebAuthn so that you can use that by flipping a switch on the FusionAuth admin panel. Then we've basically implemented the workflows. And it's maybe worth taking a step back and saying there are two main pieces... I talked about registration and authentication, and those are very well defined by the WebAuthn standard, which, as you mentioned, is part of FIDO. It's actually a co-standard between FIDO and the W3C, which is responsible for a lot of web standards. That flow is very well standardized. There's also a whole bunch of stuff that surrounds it, like when do you prompt a user for their passkey? How do you know they have a passkey associated with them? How do you store that on the server side? That stuff isn't well defined. We figured it out, and if you wanted to implement WebAuthn yourself, you'd have to do both pieces: the standardized piece about registration and authentication, and then all the other stuff around figuring out how to store the credentials.
00:09:30 - Anthony Campolo
And it's not salting and hashing and things like that?
00:09:34 - Dan Moore
That's actually one nice thing about WebAuthn. The hardware, the authenticator, stores the private key, essentially.
00:09:43 - Anthony Campolo
And then the server database, like what gets saved in your database then?
00:09:48 - Dan Moore
Sure. There's basically the public key. There are one or two other things, but it's basically a public key. And the nice thing about that, you mentioned salting and hashing, and that's what we often do for passwords, or absolutely everyone should do it for passwords, excuse me. But you don't have to salt and hash a public key because by definition it's public.
00:10:10 - Anthony Campolo
Right. This goes back to getting away from passwords. It's simpler for devs and for users in a lot of ways.
00:10:15 - Dan Moore
Well, and for sysadmins or ops people. I mean, obviously you still need to secure PII. But if someone steals my public key, I don't give a rip, right? Because it's a public key. They have to steal the authenticator and get access to that private key somehow. And that's a much bigger lift. There's no more centralized repository of precious passwords.
00:10:38 - Anthony Campolo
Speaking my language.
00:10:39 - Dan Moore
Yeah, yeah.
00:10:40 - Anthony Campolo
Because I'm about to start working at Edgio, but I was working at a Web3 company previously, and all these ideas of how do you make something secure, how do you have multiple fail-safes and two-factor auth and all that kind of stuff... Yeah, this is interesting for me also because in the Redwood framework, we have like 10 auth providers, and we have one that's called our self-hosted auth, which uses WebAuthn. So I haven't used it a ton, but I like the fact that you're building a product on top of a web standard. That's pretty cool.
00:11:16 - Dan Moore
Yeah. One thing that's actually interesting is you can use WebAuthn... You kind of mentioned MFA. You can use WebAuthn for a first factor, where it's essentially a replacement for a username and password, or you can use it as an MFA piece where it's a replacement for Google Authenticator, an email code, or some other thing. So you can kind of pick what would be most appropriate for your application. The standard doesn't care. All it does is say, give me these things and I will send a message to my authenticator, and then the user has to put in their fingerprint or however else they authenticate, and then I'll send you back a response. As a web dev, you're responsible for kind of everything past that.
00:12:05 - Anthony Campolo
Yeah, I can just think of so many ways I log in to things. I think the most bespoke is opening the GitHub mobile app and inputting a two-digit code to verify. But I find some people like having a one-click service, and some people prefer not to have to integrate with that. So it sounds like you're giving people a lot of choice in what you use, which is also nice because if you had to implement all of that yourself, that's a ton of dev time.
00:12:34 - Dan Moore
Yeah, I mean, that's really the win for FusionAuth, or frankly any auth provider or any framework, right? It's going to help accelerate you toward your goals.
00:12:44 - Anthony Campolo
Awesome. And I'm not sure if you went into this very much, but what is your role at the company and your history with it and all that?
00:12:51 - Dan Moore
Sure. I am head of DevRel at FusionAuth. I've been here for a couple of years, and in typical DevRel fashion I work across a bunch of things — everything from sales calls to a little bit of customer support to writing blog posts to speaking. I've done a ton of our example apps and integrations, both super basic ones and more complex ones, and I get called in on some of our support calls where they want architecture advice about how to architect their identity solutions. We scale from people using us for 10 or 20 users — we have a free plan — all the way up to people who have millions of users.
00:13:42 - Scott Steinlage
And—
00:13:44 - Dan Moore
—it may not shock your audience to learn, but they have different needs and different requirements, so we try to meet them all.
00:13:51 - Anthony Campolo
Yeah. Are there any big names that are public that you could mention that use you?
00:13:56 - Dan Moore
Yeah, let me see who's on the website. That's the safest thing. Box.
00:14:02 - Anthony Campolo
Culture Amp.
00:14:03 - Dan Moore
Culture Amp.
00:14:04 - Anthony Campolo
Clover.
00:14:06 - Dan Moore
Elf on the Shelf. Take-Two Games. Frontdoor is another one I'm trying to think of.
00:14:14 - Scott Steinlage
Yeah.
00:14:14 - Anthony Campolo
So, yeah, responsibilities. I'm like, you do the exact same job as me, right?
00:14:23 - Scott Steinlage
Elf on the Shelf, man, that's kind of fitting for the season, huh? That's pretty cool, man. I mean, that's a lot of different interesting ways you could use it, right? And I totally lost my train of thought. I had a really good thing that I was going into and...
00:14:46 - Anthony Campolo
How do you like to sign in, Scott?
00:14:49 - Scott Steinlage
You know, that's interesting. I always try to have a secondary on there if I can, if the software allows for it, because I do like that extra bit of security. I have had an account compromised before in the past, and so it's really nice to have that second piece to it all. As far as signing into my phone, it's a piece of hardware and not really necessarily a web app, but that's actually something I was thinking of when you were explaining all this. I was thinking about it from a user perspective. When I use my phone, I have Face ID on Apple, on the iPhone. I wasn't very sure about it when it came out several years ago, and I didn't use it for the longest time. Then it just makes life so much easier. When I started using it, it's so much faster.
00:15:51 - Anthony Campolo
You may or may not know this, Dan, but something I'd heard, and this is a while ago so this might not be true, is that people could trick facial recognition by using pictures of you.
00:16:04 - Dan Moore
I've heard that too. And I know that it's kind of an arms race like anything, right? Because your phone can... I definitely know people who are looking for higher assurances won't just take a picture. It'll be a video, and...
00:16:20 - Anthony Campolo
But someone can't steal your thumbprint. So I feel like that's kind of different because you can't hide your face from the world.
00:16:26 - Dan Moore
Right.
00:16:27 - Scott Steinlage
You know, one thing I was thinking with the technology, though, with iPhones, for example, right? Like the newer ones, like the 13, or even the 12 Plus, I think 12 and up, have LiDAR, right? So they have the ability to get three dimensions.
00:16:45 - Anthony Campolo
So make sure you have a skull, not just a face.
00:16:47 - Scott Steinlage
Yeah, right. I don't know.
00:16:49 - Dan Moore
It's interesting, and I think this is really interesting. I will say it's a little out of my area of expertise, for sure.
00:16:56 - Anthony Campolo
That's what I figured. Yeah.
00:16:57 - Dan Moore
But the nice thing about this is that you as a web dev get to leverage Apple's and Google's resources, right? They are continuously trying to make facial recognition or Touch ID or fingerprint recognition better. And you just get to say, hey, authenticate however you want, user, and the user gets to choose: do I want a fingerprint or face recognition? Honestly, sometimes my fingerprint reader gets a little dirty, and so I use my PIN. At the end of the day, those are all strong forms of authentication that aren't phishable, that I as a web dev get access to.
00:17:38 - Scott Steinlage
Yeah.
00:17:39 - Anthony Campolo
If you're reminded of your questions, Scott, feel free to hop back in. But I was curious, it looks like FusionAuth is what, just a Docker container?
00:17:50 - Dan Moore
So it's not open source, but we have a free edition that is pretty unlimited. We basically have features that we hold back.
00:18:03 - Anthony Campolo
It's not on GitHub. Yeah, I see.
00:18:04 - Dan Moore
Yeah. Yeah.
00:18:05 - Scott Steinlage
So that actually reminds me of my question.
00:18:08 - Dan Moore
Oh, wow.
00:18:10 - Scott Steinlage
Yeah, no, that's perfect. So it was a good segue. As far as the free tier, I love it when a company does have a free tier available because you get to mess around with it. You get to see what it's like before you have to pay to get in, right? And not just that, but it's good for you guys too because I feel like it opens up the door for PLG, product-led growth. So I'm just curious if you can share what that looks like for you guys right now as far as free tier. Not necessarily exact users, but is there a healthy amount of users on the free tier, and has that turned into paying customers down the road?
00:18:55 - Dan Moore
Sure, yeah. And I want to be totally transparent. You can go to our website, you can look at pricing. We try to be very transparent about everything. And I want to be totally upfront: the WebAuthn feature is not actually available on the free tier. So we hold some features back, and WebAuthn happens to be one of them. I just don't want any of your listeners to be unpleasantly surprised. I would say we have thousands of customers using our software. Where it gets a little bit difficult is we have two main deployment options. The first is in our own cloud, where we run FusionAuth for you, and there we have a lot of insight. We also have, as Anthony discovered, Docker Hub, and we have .deb files and RPM files and zip files, and we're available on Homebrew.
00:19:53 - Scott Steinlage
All of those.
00:19:55 - Anthony Campolo
You're like six options on the homepage.
00:19:59 - Dan Moore
And when you install, like if one of you were to install via Homebrew, we wouldn't have any idea how many people you had in your system because we don't know that, right? It's a piece of software that you run on your own. We know how many Docker downloads we have, but how many actual users are logging into the systems that we support and run, versus the ones people self-host, we don't know.
00:20:29 - Anthony Campolo
Yeah, you need to make a CLI like Warp to figure that out.
00:20:34 - Dan Moore
I know. Scott, I don't want to hem—
00:20:36 - Scott Steinlage
—and haw.
00:20:37 - Dan Moore
I'll just say there are some aspects where the ability to download and install it yourself is really powerful as a dev. There's a reason a lot of companies right now are doing SaaS only: it's a lot easier to put in telemetry and understand what users are doing.
00:20:55 - Scott Steinlage
Absolutely. Yeah, there are many facets to all of what you just said, so I can appreciate it for sure. It would be cool to see something on the free tier there, but I understand — when it comes to certain things you just can't.
00:21:19 - Dan Moore
I hear you.
00:21:20 - Scott Steinlage
Yeah, absolutely. Hey, Bro Nifty, what's up, man? Let's bring someone up real quick and see if he has a question, comment, or opinion. There we go.
00:21:37 - Dan Moore
Oh, hey.
00:21:37 - Bro Nifty
Thank you.
00:21:39 - Dan Moore
Appreciate it.
00:21:39 - Bro Nifty
I hope I'm not interrupting anything, but this is great.
00:21:41 - Scott Steinlage
No. Love to hear from you.
00:21:42 - Bro Nifty
So excited that Anthony is gonna work for you guys. That's great. It seems like it'd be such a match made in heaven.
00:21:49 - Jason
You guys are gonna love...
00:21:50 - Bro Nifty
It's going to be great to work together for you guys. And this is really fascinating, Dan. One thing I was thinking was... and it made me realize something. There's another vendor whose full product suite I wanted to use, and I'm not able to because it's just too expensive for me. But for some reason, until this conversation right here, I had a mental block about realizing that, yeah, like what Anthony said about the Docker download or whatever various formats, you could download it and self-host it and have access to all the features. I don't remember exactly what the product-speak for that is, but it's something like open core maybe? Is that what you guys call it, Open Core or something like that, where you can self-host and get all the features, or if you want the SaaS version, it's limited?
00:22:40 - Dan Moore
Is that... I don't know what that's called. Just to be totally clear, like open...
00:22:46 - Anthony Campolo
Open Core is usually what people say. MongoDB is a good example. You can run the database yourself or you could use Mongo's cloud.
00:22:54 - Scott Steinlage
Yep.
00:22:57 - Dan Moore
Yeah. And I think the nice thing about that model is it does let you... We actually have people that start out self-hosted because maybe it's a side project or something like that, and then they move to the cloud if they want to offload that because they've raised some money or something. Or we have other people going the other way, where they just want to get started. They don't mind paying 40 bucks a month to kick the tires. And then later, when they scale up, they say, we have a DevOps team, we know what we're doing, we want to run it ourselves because we have regulatory or governance or data sovereignty requirements that mean that we want to run the software in-house.
00:23:32 - Bro Nifty
Yes, yes. I feel like there's a funny donut hole where SaaS is almost something where, yes, of course the biggest companies of all use SaaS products all the time, but in certain circumstances it's almost like the smallest devs who can't afford a SaaS product and the largest enterprises who need, like you were saying, to fulfill observability, enterprise reporting, or whatever regulatory requirements, need to keep track of everything and can't allow a third party to control the infrastructure. So it's kind of like the smallest and the largest both need that self-host option. What it really made me think of, and this is something I'm really just breaking into, so I'm not going to make a production out of this or take over your whole session here, sorry, is the whole thing where anybody can download a Node program or run React, or maybe do a monorepo and have a Next.js or Remix app with the back end and the front end together.
00:24:44 - Bro Nifty
But it gets a little confusing, gets a little complicated when you have a separate program, let's say for FusionAuth. It's its own application, its own runtime, its own whatever. Now it starts to get confusing, like how do I manage both of these in some kind of deployment where I have a user base and I want them to go to this app to get authenticated and then go back over to this app, and how do I keep track of it all? I feel like that kind of integration pattern for developers is almost something that could be a niche in and of itself, because it could be just for this, but it also could be for any similar scenario where you need to integrate the two. Something comes to mind... something, something YAML files, configuration, right? You start thinking, can I inject this as a sidecar into a pod and have them run together? Can I do something else with Docker Compose or Kubernetes or something?
00:25:55 - Dan Moore
Yeah. I think there are a lot of people out there running FusionAuth or other auth servers where it's just an application and an auth server. But honestly, if someone came to me and said I only have one application, what should I do about auth? And auth, for anybody who's listening, is a term I sling around, but it basically stands for authentication and authorization: who are you and what can you do in my application? I would probably say don't start out using an auth server like FusionAuth. I'd say use a library, right? I'm familiar with Rails. Devise is a great library. With Node.js I'm less familiar, but Passport is a library. Those libraries are battle-tested and open source, and they have a lot of configuration, and I would start out there. Where we start to see people wanting to break out an auth server is if they have 2, 3, 10, or 20 applications.
00:26:57 - Scott Steinlage
Right?
00:26:57 - Dan Moore
And that happens quicker than you think. Because even if you're just building a single-purpose SaaS, like something that lets people add to-dos to a list, you're going to have the core app, which probably will be custom built on something. Then you might have a forum, you might have a support ticketing system. Hopefully you have employees, and you can leverage identity solutions for some of these. Google Workspace is a great option for employees, but you're not going to give every customer a Google Workspace account. Having a centralized identity store when you have n applications is where it starts making a lot of sense. I think we're starting to see Auth0, to their credit, kind of pioneer this in the 2010s, and we're seeing an explosion of that. FusionAuth is one of many options. Your listeners can definitely find others. But in my mind it's very similar to a database server. You could absolutely incorporate your database into your application, and by database at this point I mean a data store, but it makes a lot more sense to push it out to a specialized component.
00:28:11 - Dan Moore
Same with a message queue, same with email sending, et cetera. Auth is becoming one of those things where people realize it's necessary because everyone needs to be able to log in. It's a little bit risky because there's PII, there are security concerns, there are definitely performance concerns. But critically, it's undifferentiated. No one ever says, oh man, I love that login experience. That was so awesome. Everyone's trying to get through the login experience to get to the features your application has. So if you can find a snap-in solution like FusionAuth, or again there are others out there, and get on with building your application and the features you actually want, but have the authentication be taken care of by people who think about this every single day, then I think that's a win for everybody.
00:29:05 - Scott Steinlage
Yeah. Awesome, Bro Nifty. Does that answer your question, man?
00:29:12 - Bro Nifty
Yes, thank you.
00:29:13 - Scott Steinlage
Awesome. Thanks for coming up and chatting. Feel free to stay up here. If more things come to mind, feel free to say them. Dan, thank you so much for answering that, for taking... You know, funny enough, I was thinking a great thing that you guys maybe should look into would be the new GPT-3 chat API for phishing people.
00:29:54 - Anthony Campolo
Dude, that thing's absolutely crazy. Phishing tool.
00:29:59 - Scott Steinlage
It's scary.
00:29:59 - Anthony Campolo
People don't even know. It's crazy.
00:30:01 - Scott Steinlage
Oh my gosh. You know, there are things out there that can be used for good, really, really good, and those same things can also be used for bad. It's terrible. People are going to use them for both anyway forever.
00:30:21 - Anthony Campolo
Have you played with it at all yet, Dan?
00:30:24 - Dan Moore
I have. I actually have a side project called Letters to a New Developer, which is all about advice that I wish I'd had when I was starting out as a developer. I actually used GPT-3 to write a letter for that site. And then I also had it write a poem about OIDC and SAML, which are two authentication standards. It's real fun and real interesting. Not always 100% accurate, but really fascinating technology. How about you all?
00:30:54 - Anthony Campolo
Yeah. So I asked it some web dev questions. First I asked it what it thought of different frameworks. I asked it about Next.js, RedwoodJS, and Remix. I felt very proud because it obviously knew what Next was and gave a thorough answer. It kind of pretended to know what Redwood was, and then it said it had never heard of Remix.
00:31:15 - Scott Steinlage
What, it never heard of Remix? Because...
00:31:18 - Anthony Campolo
Remix is too generic a term to be caught up in a statistical algorithm to find out that that's the JavaScript framework, and it only has data trained up to 2021.
00:31:27 - Scott Steinlage
Interesting.
00:31:28 - Dan Moore
I wonder whether that's going to play into naming. Right now I think people pick names based on Google-ability, but I wonder if they'll pick names based on GPT-ability going forward.
00:31:40 - Scott Steinlage
Yeah. Oh my gosh. How crazy would that be? That's crazy.
00:31:46 - Anthony Campolo
Yeah. And then I asked it some political questions. I asked, could a country be running... I asked if democracy and communism are in conflict, or something like that. And it gave a coherent answer. It's kind of like a high school essay type thing, but it's very clear and well written, so it's impressive. The craziest thing I saw, though, is that you can give it Linux commands and then it responds back like a terminal.
00:32:17 - Scott Steinlage
Oh my gosh. Daniel in the audience, yeah, that would be nuts. Daniel's like a Linux...
00:32:24 - Anthony Campolo
Yeah. Apparently the dude walks through building a virtual machine in ChatGPT. I'll pin this to the Space. This is getting shared around a lot.
00:32:34 - Scott Steinlage
Yeah, do it. Yeah. Not to try and hijack the combo with GPT-3. I just thought it was an interesting topic at hand recently. A lot of traction on Twitter.
00:32:47 - Dan Moore
Yeah. Well, I mean, it's fascinating for sure. Do you want to talk about what your listeners might need to do? Do you want to talk about the actual WebAuthn ceremony? Guide the conversation.
00:33:02 - Scott Steinlage
No.
00:33:03 - Daniel
I used the GPT-3 API this morning and I built a Slack bot that answers a bunch of random queries based on phrases. It wrote its own... So I thought, yeah, it's really, really nice. I had to modify it a little bit because it was using legacy documentation to write it, but I mean maybe like six lines of code difference.
00:33:24 - Dan Moore
What's the legality of that code, Daniel?
00:33:27 - Daniel
I don't know.
00:33:30 - Dan Moore
Fair. Okay.
00:33:31 - Anthony Campolo
The laws were written before this.
00:33:33 - Daniel
Yeah. For example, what I was telling it to do was, write a Slack bot using the Bolt JavaScript framework by Slack and create a block using Block Kit that answers queries and questions using GPT-3 and OpenAI npm packages. And it wrote exactly that.
00:33:58 - Anthony Campolo
This is where being able to actually write that prompt requires more specialization and knowledge than we realize. This is where people are using this term like you're casting spells with these things. You find very specific ways to make them work. Oh yeah, something insane.
00:34:16 - Daniel
I mean, now I've done some other stuff. I'm putting together some demos with it related to it. But once again, it requires specialized knowledge to get the most you can out of the tool.
00:34:27 - Scott Steinlage
That actually is very, very similar to something we all already use, and that's Google. You have to know what the heck to type in there to get your answer, especially when it comes to coding.
00:34:41 - Anthony Campolo
Sometimes Google just knows. Yeah.
00:34:45 - Daniel
I did a series of little MVPs over the last couple of days just messing with it, and you can do some crazy stuff that people just would never think about.
00:34:58 - Scott Steinlage
Absolutely. Jason, one last thing if this is GPT-3 related, but I want to get back to the biometrics, WebAuthn stuff and things like that. What's up, Jason?
00:35:07 - Jason
Oh yeah, no, I was just going to mention that I just now typed into ChatGPT to explain WebAuthn to me, and it gave me a pretty good answer.
00:35:18 - Scott Steinlage
Let's hear it.
00:35:19 - Jason
Well, I don't want to read it. It's a whole paragraph.
00:35:23 - Dan Moore
Okay.
00:35:23 - Anthony Campolo
Yeah, it gives you thorough answers, and for stuff like that, because it's a web standard, there's lots of material online that is very clearly written and structured. So stuff like that, it gives you really good answers.
00:35:36 - Scott Steinlage
Well, feel free to screenshot it and tweet us if you want. And don't forget to put your alt text in.
00:35:44 - Jason
You can say... I told it, I'm a software developer. I essentially said, phrase your answer as though I'm a software developer, right? So it gave me more technical details than, let's say, if I said I was an end user or a reporter or some non-technical person. So it does seem to know how to phrase its answers for the audience if you, as you were saying, cast the spell.
00:36:08 - Anthony Campolo
Oh yeah, yeah.
00:36:11 - Daniel
For the Slack bot, I updated it so that it explains everything in an entertaining way. Ask Snoop Dogg.
00:36:18 - Anthony Campolo
You can do it as a teenage valley girl also.
00:36:22 - Scott Steinlage
Yeah. Oh my gosh. I'm sure there's a lot that's crazy.
00:36:25 - Dan Moore
Wow.
00:36:26 - Scott Steinlage
I mean, this thing... you could just sit here all day and throw things at it and unravel all different kinds of crazy things and go down rabbit holes, I'm sure.
00:36:37 - Jason
One of the things, just on the last thing on ChatGPT, yeah, I was asking it a series of questions. I said, well, can you build me a React view that gives me... I was asking about a form essentially, and it built a nice little form and it was all just nicely hard-coded inline. I was like, well, what if... can you extract the elements of the form into an array so they're not hard-coded anymore? And it did it. It put them in an array. The crazier thing was that it named all the keys correctly for the name of the input, and it came up with reasonable camelCase names for everything. Then it turned the component into a map that mapped over the array and spit out the elements. So it was surprisingly clever. I was genuinely shocked.
00:37:33 - Daniel
Yeah, if you get really detailed, like create a React component that's a responsive grid using styled... I mean, you can go on and on and on and it will write it. You might have to split your request up into multiple lines, but you can get it to do pretty good.
00:37:49 - Scott Steinlage
Super impressive.
00:37:51 - Daniel
You can also, one pro tip if you're trying to write code with it: let's say that you break a request up into multiple lines. You can also add to the prompt with the response from the previous question. It just keeps adding to the same document.
00:38:05 - Scott Steinlage
Pro tip here, watch out. Daniel, man, I thought you might be on that thing.
00:38:15 - Daniel
Somebody told me about it yesterday, and I was like, oh, it's just OpenAI. Then I got into it and I was like, oh no, this is actually pretty good. The new Davinci model is just really nice.
00:38:25 - Scott Steinlage
You're like, I ran through all my credits, I gave them 5,000 more. Oh yeah, nice. There's some really cool talk about this. I'm loving it. So we'll definitely have to bring up GPT-3 in another talk down the road as well. Obviously I'm sure we'll continue to speak about it. Maybe even bring in some people about that. So that'll be cool. But yeah, Dan, another question I actually had, forgive my ignorance if this is obvious to some. What made me think of this was you said there was a great use case for different things. Like, hey, if you have one application and then you've got another application, then you start actually using this and you would want to expand upon that. But also not just apps that you're building out, but what about SSO? A lot of enterprise companies have solutions for that that they're utilizing, but they only use two-factor authentication through like... what the heck is that app that a lot of enterprises use?
00:39:55 - Scott Steinlage
It's like... I'm talking about for two-factor.
00:40:01 - Dan Moore
Oh, Duo.
00:40:02 - Scott Steinlage
Duo, yeah, yeah, Duo. So there's a big thing there. I was curious, for SSO do you guys have, or are you planning, or creating some sort of software platform for SSO specifically?
00:40:20 - Dan Moore
Yeah, yeah. So we have a couple options. We support, and this is all in the free tier, a number of different social providers like Google, Facebook, LinkedIn, and Twitter. And then for the more enterprise-focused integration, we support SAML and OIDC. So Azure AD, Okta, all of those. You can basically drop in FusionAuth and then offer that to them.
00:40:59 - Scott Steinlage
Interesting.
00:41:00 - Dan Moore
And that's actually... there are a few identity providers, that's what we call them, that are on the paid tier, but those are super specialized, like Nintendo and PlayStation and some of the gaming ones. But straight-up SAML and OIDC, which if you don't want to implement that, bless your heart, I understand, you can drop in FusionAuth. Then you configure some fields in FusionAuth and then it's like a one-click for your customers to add... not one click, I should be careful here. Your customers need to configure their SAML provider, but then FusionAuth presents that on the login screen, people can click on it and access it there. Basically, I don't want to dig... well, I can dig in as deep as you all want. Someone comes to your application, you send them to FusionAuth, they log in at FusionAuth, but within that they could actually click on a button and get sent back to Azure AD or Okta. Then after they log in there and meet whatever requirements that has, they get sent back to FusionAuth, and then FusionAuth sends them back to your application.
00:42:13 - Dan Moore
So it's a hop, skip, and a jump kind of situation.
00:42:18 - Scott Steinlage
Interesting. Yeah, I'd like to see how that would work from the user perspective. I can envision it, but actually going and using it...
00:42:29 - Dan Moore
Happy to give you a demo anytime you want, Scott.
00:42:32 - Scott Steinlage
Yeah, man, totally. We'll have to work something out. Or maybe you have a video you can point me to already. But Yousef, thanks for coming up, man. How's it going? You got a question, opinion?
00:42:45 - Yousef
Yeah, how's it going? I know I just came into the Space. Dan, is the application... this is like a third-party biometric authentication app?
00:42:57 - Dan Moore
So with WebAuthn you're actually leveraging the browser. The browser is integrated with the operating system, and the operating system provides that authentication app called an authenticator. It could either be something built in, like Touch ID or Windows Hello, or it could be a third-party system like a YubiKey or some kind of external device. Either one of those, as long as they speak the right protocol, should work with WebAuthn.
00:43:28 - Yousef
What's the data integrity of biometric data? Would the apps that you're logging on to have access to your data, or is it all protected by Fusion?
00:43:42 - Dan Moore
So with the WebAuthn scenario, FusionAuth actually doesn't see very much either. Basically, the high-level way the authentication flow works is FusionAuth, or any other site that has WebAuthn, like RedwoodJS, etc., says, hey, I want to start a WebAuthn authentication. They send some data, which includes some options, a one-time code so you can prevent replay attacks, and some other things, and they send that down to the browser. The browser does some checks on it. It says, does this request match the correct hostname, and is this over HTTPS? It does some other things. If that all checks out, then it passes it to the operating system, which then passes it to the authenticator. The authenticator pops something below the screen that says, hey, do you want to authenticate with FusionAuth.io or whatever the website is? Then the user can say yes or no. If they say yes, then they have to authenticate in whatever means they've set up on their device: fingerprint, Face ID, PIN, etc.
00:45:02 - Dan Moore
Then the authenticator, after the user successfully authenticates, signs that whole bundle with the private key and sends it up to the operating system, which then sends it up to the browser, which then sends it up to you, the website. Now you need to verify that that response was signed with the private key that corresponds to the public key they previously provided through the registration ceremony. So in general, as a website, you're not receiving the fingerprint data, you're not receiving the Face ID geometries. It's just kind of a yes or no option. That's good in some ways because it protects the users from having their biometric data spread around any place. It's kind of a downside in other ways because you can't use that data in any way. But that's kind of what the WebAuthn standard allows for. Does that compute?
00:46:04 - Yousef
Yeah, no, that answers a lot. Is it like... I'm just thinking, as you were saying all this, are you familiar with Dashlane, the password manager?
00:46:12 - Dan Moore
I'm not. I've used other password managers like 1Password or Password Safe. Is that similar? It's like a centralized password manager?
00:46:19 - Scott Steinlage
Yeah.
00:46:20 - Yousef
Is that like a biometric version of one of those?
00:46:24 - Dan Moore
So the nice thing about WebAuthn is it's super distributed, right? We've all heard about... I think it was LastPass that got hacked, or 1Password... I think it was LastPass. I can see why that would be an interesting target for a hacker because it has everything, you know?
00:46:40 - Anthony Campolo
It's all protected, all your passwords, right?
00:46:42 - Dan Moore
I mean, it is to some extent. I'm sure they encrypt the heck out of it in their database and things like that, but if you can get the encrypted version, then you can try to break it with your own hardware. But with WebAuthn, every different authenticator has a number of different private keys, and they're each distinct and they're each for each individual website. In fact, it can be multiple private keys for one website if you want. Each website holds the public keys that correspond to private keys. The authenticators hold the private keys that correspond to the public keys. But it's super distributed, so there's no centralized location. If someone wants to hack me, they have to get access to my authenticators. If they want to hack Yousef, they have to get access to Yousef's authenticators. So it's a little more distributed than a Dashlane or a centralized password manager.
00:47:43 - Daniel
Got it.
00:47:43 - Yousef
No, that answered everything. I like that.
00:47:47 - Dan Moore
Awesome.
00:47:48 - Jason
Yes. So this is, and I did verify this with ChatGPT, so if I'm saying anything wrong then I'll blame ChatGPT. But this is just an additional layer on top of existing public-private key cryptography that's been around since, I think, the '90s, if I recall correctly. You've got a private key on your system that never leaves your device, and you have a public key that's derived from that private key. You can share that public key with whoever, with everyone. So, overly simplified, your public key sits on, you know, foo.com, where you have an account. You can't do anything with that other than verify that messages coming from your private key are truly from that private key. So there's nothing to hack, there's nothing to lose. If a hacker gets into the system, they're not going to have anything other than your public key, which is truly public. You could put it in your email signature, you could host it on your website, you could put it on your DNS.
00:48:58 - Jason
It doesn't matter. No one can do anything with it other than verify signatures that come from you. I think that's what... And then all the biometrics and all that other layering is placed on top of that. The biometrics are purely to secure the private key on your device. Nothing ever leaves your device other than signed messages from your private key.
00:49:22 - Anthony Campolo
So...
00:49:22 - Dan Moore
So that is correct-ish.
00:49:25 - Scott Steinlage
Ish.
00:49:25 - Dan Moore
I just want to... well, no, no, no. I mean, it's correct, but there are some shades, right? So I just want to be careful to add a little more context. The first thing is you said this has been around since the '90s, and I absolutely agree. I don't know how many of you all have signed something with PGP. I've done that maybe once or 10 times in my life, not often. It was a total pain in the butt.
00:49:51 - Scott Steinlage
Right.
00:49:51 - Dan Moore
It was really hard to do. It was complicated. I had to look up how to do it every time. This has a significant UX advantage, but it does build on top of public-private key cryptography. The other thing I wanted to mention is, you said the private key doesn't ever leave your device, and that is true-ish. Let me take a step back. The reason why that's great is because it has an immense amount of security. If the private key never leaves your device and you hold onto it and you don't lose it, then it's really hard for it to get hacked. The downside is, if you lose your private key, if you lose your device or you spill water on it...
00:50:36 - Scott Steinlage
your money, you're broke.
00:50:37 - Dan Moore
Right, right. So there are a couple ways around that. The first is you make it easier for people to register multiple devices or multiple private keys that all give you access to the same account on the web server. But Google and Apple are taking some other steps and they're working with the W3C. It's actually the third version of WebAuthn. What we're talking about right now is the second version. The third version is going to be a way to securely deal with the situation of lost passkeys, basically. So maybe there's a way to share a passkey between my Mac and my iOS device or things like that. I can't speak too much to the details of that because I don't know them, but I do know that is an outstanding user experience issue that some of the folks behind the standards are trying to fix.
00:51:27 - Jason
Yeah, you're totally correct. I completely agree. Apple and Google both have their ways of doing this today in a proprietary manner.
00:51:37 - Dan Moore
So just like if you're using iCloud...
00:51:39 - Jason
Keychain, or whenever you restore your device from iCloud and all that kind of stuff, that's all proprietary to Apple. They're now trying to standardize this with Google and others to make this a shared standard so that you can essentially share your private keys among devices that you control.
00:52:00 - Scott Steinlage
Cool.
00:52:01 - Dan Moore
Great question, or great comments. Thank you.
00:52:08 - Scott Steinlage
Yes, awesome. It's all exciting stuff. I love this kind of stuff. I don't know why. I totally nerd out when it comes to talking about access, authentication, all that stuff. I don't know, it's just really cool. I've always been pretty big on advocating for higher security standards and things like that. I just think it's really neat. All right, well, we've got a few minutes left here. Although actually, no, I think... Anthony, are we taking this out another half an hour?
00:52:44 - Anthony Campolo
Well, I would say we should ask Dan. Do you have a hard stop at the hour?
00:52:48 - Scott Steinlage
Yeah, true. Yeah.
00:52:51 - Dan Moore
Let me look real quick. I know I'm good for another 30 minutes. Actually, I have a hard stop at the bottom of the hour. I guess that's a technical term, but yeah, I'm good for hanging out for a while longer.
00:53:03 - Anthony Campolo
Yeah, I mean, if people still have questions, feel free to keep asking them and then we'll close out once we're all done.
00:53:11 - Scott Steinlage
Absolutely. So if you're in the audience and you haven't asked a question yet, or you haven't shared an opinion or any of that, feel free. Now is your opportunity to do so. Just click on the request button there and we'll bring you up. No problem at all.
00:53:28 - Dan Moore
And I would actually like to ask everyone a question. Have you used biometric authentication on a website? If you have, I'd love to hear your experience with it.
00:53:38 - Scott Steinlage
Yeah, let's get some use cases. I'd love to hear it too.
00:53:40 - Anthony Campolo
I don't know about a website. I use it to log into 1Password, which is a desktop app.
00:53:50 - Yousef
I actually haven't used it in a while. I want to say a couple years. I just stopped using it for my phone.
00:53:59 - Daniel
I love it. I've had so many mobile app projects where they didn't know how to actually implement it. Then you implement it and think it's like magic. It's literally a couple of lines, good to go. But I use it all the time.
00:54:21 - Scott Steinlage
Awesome. Yeah. I mean, I personally just, like Anthony, use it for LastPass. And yeah, unfortunately they got hacked, but...
00:54:36 - Dan Moore
Supposedly my stuff's okay.
00:54:39 - Scott Steinlage
Supposedly my stuff's okay. Oh my gosh. You know, it's crazy. I've never cleaned out my passwords in there, so it's like, dude, I don't know how many freaking application passwords...
00:54:53 - Anthony Campolo
As long as you always have a unique one, then if it's accounts that you don't really use anymore, it doesn't really matter. The main thing is you should just think of what you actually don't want to get compromised, which is probably like five to ten things.
00:55:06 - Scott Steinlage
That's what I should... see, that's a good thing that I have all those in there. There are a bunch of accounts that I don't use anymore, and so that way if they're hacked, then...
00:55:19 - Anthony Campolo
You can also export it and save it as an Excel file on your computer and then delete it from the cloud. Then make sure you don't lose that computer.
00:55:27 - Scott Steinlage
Right. Oh, that would be terrible.
00:55:29 - Yousef
You could do cold storage.
00:55:33 - Scott Steinlage
Yeah.
00:55:33 - Anthony Campolo
Write it on a piece of paper. Put that piece of paper in a bank. That's the only way.
00:55:39 - Scott Steinlage
Yes, I do have my main password written down for my wife just in case I die.
00:55:47 - Dan Moore
Yeah.
00:55:50 - Daniel
Anyway, I feel like the most important part of using things like LastPass is keeping your two factors separate from the actual LastPass. It's great for passwords, but I don't do any two-factor with it.
00:56:02 - Dan Moore
It drives me nuts when I see people do that, because I'm like, wait, you've just destroyed the point of two-factor.
00:56:07 - Scott Steinlage
Right.
00:56:07 - Dan Moore
The whole point of two-factor is that there's something else that's not tied to the same database in the same application.
00:56:14 - Daniel
Exactly.
00:56:15 - Anthony Campolo
I almost think those apps should give you a warning when you're doing that because, yeah, you're right about that.
00:56:21 - Scott Steinlage
They should give you a warning. That's kind of stupid, or just disallow it. I use Google Authenticator for that. It kind of sucks though when you're on an iPhone, having to transfer it every time.
00:56:38 - Daniel
The reason I don't change my number is because I have so many two-factors linked to my phone number. I would never remember everything I have to change.
00:56:46 - Anthony Campolo
Yeah, I kept my old phone around for like an extra year, and then every month or so I'd be like, oh, I need to go find another two-factor auth from my old phone.
00:56:55 - Dan Moore
I'm the same way.
00:56:56 - Daniel
I have two lines because one of them is linked to so many things that I just can't get rid of it.
00:57:00 - Scott Steinlage
Yeah. Oh my gosh. The problems we all have.
00:57:09 - Anthony Campolo
It sounds like with FusionAuth it's mostly the back end, but are there front-end integrations or templates or starters or things like that?
00:57:22 - Dan Moore
Yeah. So we have two ways you can use FusionAuth. The first is what we call our hosted login pages, where we have like 15 or 20 different common login workflows: sign-up, forgot password, two-factor authentication, WebAuthn, email verification. Those are all taken care of for you. Those can be customized by basically writing HTML and CSS. Then we have some APIs that that front end uses. We are actually just working on releasing a React SDK — our first steps into...
00:58:07 - Anthony Campolo
Anything for React yet?
00:58:09 - Dan Moore
Yep. We actually just finished it up, and we're going to be releasing it internally to get some feedback. But we definitely are a backend-focused company, and stepping in and building something that JavaScript and frontend developers are going to find delightful was a bit of a step for us. I'll let you all know when it's released. It's definitely a v1, and I definitely want to get some feedback from people who have expertise. If you've ever looked at my personal website, which is mooreds.com, it's my handle, I have not just zero design sense, I have negative design sense. So I definitely want to get this out in front of some folks to give us some feedback.
00:58:57 - Anthony Campolo
Yeah, that'd be fun. I can get you on my stream to run through it.
00:59:04 - Scott Steinlage
Yeah, that would be awesome.
00:59:06 - Dan Moore
But one thing I will say about FusionAuth is that it is kind of OAuth- and OIDC-compatible, so there are lots of libraries out there, open-source libraries.
00:59:13 - Anthony Campolo
One of my other questions is, does it integrate with OAuth? Does it replace it? Does it supplement it? How does it relate to it?
00:59:24 - Dan Moore
So we're, in the parlance of OAuth, the authorization server. We are the thing that... your application is going to be called a client, and the client sends the user over to the authorization server. The authorization server authenticates the user, and again that's to whatever assurance is needed. It might be just a username and password, it might be calling out to some SAML provider, it might be doing additional factors of authentication. At the end of the day, the authorization server does this check and then it generates tokens and hands them back to the client. The client can now examine that token and know that the user has been authenticated and is authorized to do whatever.
01:00:12 - Scott Steinlage
Right?
01:00:12 - Dan Moore
Because they can look at that token. They can say, oh, this person has these roles. Or they can present that token to other services that can then be assured that the user was authenticated.
01:00:25 - Anthony Campolo
So I'm curious, have you ever used Netlify's GoTrue?
01:00:30 - Dan Moore
I have not. What is that?
01:00:32 - Anthony Campolo
Yeah, so it's also, I think, an open-source auth server in that mold. I'm thinking you should check out the Redwood authentication integrations because we have an abstraction that lets us have a single API for all the different providers. I feel like yours would fit in really well. But I'd be curious, if you're looking for ways that this stuff can integrate into a JavaScript React thing, we did like 10 of them.
01:01:05 - Dan Moore
So yeah, I see it right now. Auth0, Azure AD, Clerk. Do you build those yourself? Do people pay you to build them? Is it more like people contribute them? How do those integrations work?
01:01:19 - Anthony Campolo
Companies that really want developers to use them show up and open a PR. Integrating it for us is how it usually goes. The ones that go well — they understand that it's like bringing something to the table. Sometimes a company will come and open a PR and be like, we should write an integration for this, do you want us to do that now?
01:01:43 - Daniel
Is it just like a client-side wrapper for whatever you're using?
01:01:47 - Anthony Campolo
Which one was it?
01:01:49 - Daniel
Is the Redwood... is it just a client-side authorization wrapper? You can just plug your auth service in and it just wraps it?
01:01:56 - Anthony Campolo
Well, Redwood has a back end, so you have a GraphQL handler and then there's all this auth managed between the client and the server. You have some hooks, then you have a way to grab the context, which can give you your current user and things like that. So it's the conventions of the framework in a way that is really interesting. NextAuth is kind of similar, but usually you have to build that yourself, whereas this is just part of Redwood. That allows us to basically normalize across all these different things. It's like, you have a user, you have a token, you have some way of verifying that, and then there's a clean boundary between the services we integrate with and what is the Redwood auth API. Although we're actually rewriting it internally to make it even more decoupled. I'm not really close enough to that to understand exactly what's going on there. But we're about to refactor how we do it, and it'll probably allow even more people to get in on the game.
01:02:56 - Daniel
That makes sense.
01:02:59 - Dan Moore
Yeah, that'd be awesome. I'll definitely take a deeper look into that. That's definitely a space we want to do more with, and to use the business term, sorry, that's definitely something we're interested in engaging with, those kinds of frameworks more. It looks like you have a pretty good set of existing solutions, and we'd love to... we should definitely investigate opening a PR or figuring some way to get in there. I promise you we will not post an issue saying please write this for us. That's one thing I can promise you.
01:03:35 - Anthony Campolo
It seems like you'll probably do a good job. For us, I actually enjoy these processes a lot because you get to collaborate with a lot of different teams on a lot of different things. So yeah, just feel free to shoot me a message whenever. We can start working something out.
01:03:52 - Dan Moore
Definitely.
01:03:52 - Scott Steinlage
Thanks. Love the collaboration.
01:03:55 - Daniel
Hey Dan, what communities do you guys see the most adoption from?
01:04:00 - Dan Moore
It's a great question. It's a Java piece of software, but because we play well with open standards, it's pretty agnostic. If you look at our SDKs, which we call client libraries, .NET actually has a fair amount of adoption. Dart... I wouldn't say we have a ton of adoption there.
01:04:27 - Anthony Campolo
That's me last on the list.
01:04:30 - Dan Moore
TypeScript, a lot of people use it, and that obviously covers kind of the gamut of people who are using it on the front end, but also people who are just managing their FusionAuth instances via the TypeScript client library. I think Python is second, or Java. Because of our backend roots, and because people can stand it up and run it on their own EC2 instance or whatnot, we definitely have a lot of folks coming from that angle, where they're like, hey, I just want an OAuth server. I want to take this off my plate and I don't mind running an additional piece of infrastructure.
01:05:14 - Anthony Campolo
Can you do this in a serverless way?
01:05:18 - Dan Moore
Can you do this in a serverless way? Define serverless.
01:05:21 - Anthony Campolo
Like, can you run FusionAuth on a Lambda function?
01:05:25 - Dan Moore
So could you run FusionAuth in a Lambda function? I think yes. The fact is that just because you can do something, I'm not sure whether you should.
01:05:36 - Anthony Campolo
I would just be curious to see what would happen.
01:05:38 - Dan Moore
Although I know at AWS re:Invent they just announced a lot fewer cold start issues with Lambda. So it's possible. Java, right?
01:05:48 - Anthony Campolo
Now for Java, compared to the other languages, that was the easiest one to make faster.
01:05:54 - Dan Moore
But we're a Java app, so... that's actually huge for us then. Yeah. We don't have a ton of people who say they want to run this serverless, mostly because auth tends to be one of those things that people want up and running most of the time. I understand why people want it. We've actually had one or two people ask about a serverless implementation. We do leverage a relational database quite heavily. You're describing Redwood right now.
01:06:25 - Anthony Campolo
Because Redwood is a serverless GraphQL API that hooks into a Postgres database. So that's why I know it's a bad idea.
01:06:34 - Dan Moore
Oh, have you run Redwood in Lambda?
01:06:39 - Anthony Campolo
Redwood only ran in a Lambda for years. We built it around serverless technology in the first place. The idea was that it would progress along with the framework and, like, five years into the framework you wouldn't have the issues that you have now with Lambda. And that didn't happen. So we ended up kind of reverse-hacking it into something that worked on a server. So now you can run it on a Lambda function or a Docker container or straight-up EC2.
01:07:10 - Dan Moore
Gotcha. Yeah, sorry, go ahead, man.
01:07:14 - Scott Steinlage
No, that's all right.
01:07:15 - Dan Moore
I was just gonna say, if we wanted to run FusionAuth in a Lambda, I know where to go. It sounds like you all have the scars to prove it.
01:07:26 - Anthony Campolo
Exactly.
01:07:28 - Daniel
I mean, to be fair, serverless adoption isn't as strong in any ecosystem other than JavaScript.
01:07:35 - Scott Steinlage
Like, you don't.
01:07:36 - Daniel
It's not nearly as much of a thing.
01:07:38 - Anthony Campolo
I think Python has somewhat of a presence. But you're right that when people think of it, a lot of the time they're just thinking of writing Node code.
01:07:48 - Daniel
Yeah, exactly. It's funny, whenever I've worked with more legacy engineers who are just stuck in their ways or running some massive Spring monolith, I'm always like, I'm happy to do things, but I usually just deploy them to a Lambda separately. They're totally fine with that as long as I don't touch what they're doing or have been doing for the last 10 years.
01:08:11 - Dan Moore
Yeah, I definitely know. I have a friend who works for a company that's all in on serverless and building entirely on top of AWS. I think for greenfield development and places where you have carte blanche and you're willing to make that marriage to the architecture, and you have the right skill set, and you're willing to spend the time on DevOps and deployment and traceability, it makes a lot of sense. I actually am one of those legacy engineers, Daniel. I did a startup in 2016 and used Rails. It was a web app, and I used a monolith for Rails, and they're still going strong. This is probably not the place to have an architectural argument. I do feel like some people...
01:09:04 - Anthony Campolo
Want to use full-stack frameworks.
01:09:08 - Dan Moore
Well, I love Rails, yeah. But I mean, my point is, I think it really needs to fit the problem. Small serverless-focused solutions can work great. I also think a lot of people jump to them first.
01:09:28 - Anthony Campolo
Yeah. Also, it's not as hard to use both at the same time and buy into things in bits and pieces for different parts of your application or use cases, because at this point all of this stuff is integrated into deployment platforms to be pretty dang simple. You can deploy things to serverless or to server-full without changing a whole lot of code a lot of the time, if you know your Node versioning and stuff like that. So that's kind of the dream, that people just don't have to think about it too much and can figure out what fits their actual use case instead of shoving all their use cases into one or the other.
01:10:03 - Dan Moore
Well, I mean, it's just like, should you do everything in a relational database? Probably not, right? It's a great general-purpose tool, but there are definitely other places to store data that make a lot more sense.
01:10:15 - Daniel
Absolutely. I'm on the same mindset. I come from Spring, Rails, Laravel. In most cases, a lot of the times where serverless is being used, especially with smaller projects, it's a complete waste of time and you would have been better off going with something more monolithic, at least at the start. But that's just from experience. I want something that's going to get the solution out as fast as possible with the least amount of headache. Not everybody's of the same mindset, but I like both sides at the same time.
01:10:48 - Scott Steinlage
So that's actually a good segue into a question here. As far as your guys' stack goes over there, Dan, why did you guys choose Java, and maybe what are some other things...
01:11:02 - Dan Moore
Yeah, so that's a great question. Actually, I think Jen's on the call. I gave a talk at Denver Startup Week because I'm based in Colorado, and somebody did ask... and Jen was there, that's why it made me think of it. Somebody asked, why didn't you write it in language X? Right, or Zig, the hipster... hipper than Rust?
01:11:31 - Anthony Campolo
That's right.
01:11:34 - Dan Moore
I guess. And the answer is that this is actually a pretty battle-tested product. This came out of a product that started in 2006 or 2007, and then it was code that we built that we extracted out in, I want to say, 2015 or 2016. When we started, Java was the right tool for the job. It's a mature language that people know how to optimize and people know how to run. The amount of time and effort it would take to rewrite it in a different language, it just wouldn't make sense. It's better to spend that time building features that our customers want. That said, if we were starting from ground zero today, we might choose a different language.
01:12:21 - Scott Steinlage
But sure, I mean, it's all about the time frame of when it happened, right? The initialization of things was in the time frame of, hey, Java's hot, let's use Java. If it was 2013, 2014, 2015, it might have been Rails, right? Or something else. Who knows, right?
01:12:37 - Dan Moore
Well, and the honest truth is, now most people don't care, right? Some people are like, oh gosh, it's Java, but people care about the APIs they use to interact with it and that it's available as a Docker container. Other than that, they only care...
01:12:52 - Anthony Campolo
It's surprising for a Java project. But people aren't writing Java code when they're using you for the most part, right?
01:12:58 - Dan Moore
They don't have to.
01:12:59 - Anthony Campolo
Most people probably don't, so that's fine.
01:13:03 - Dan Moore
Yep.
01:13:04 - Scott Steinlage
Yeah. I was just curious about the internal stack.
01:13:06 - Anthony Campolo
No acceptable level of Java. I'll allow it. I had to write Java for a brief period of time.
01:13:13 - Dan Moore
It's not as bad as it was.
01:13:15 - Anthony Campolo
No, it was only a couple years ago. I was new, so I had to both learn a programming language while also learning their own stupid specific ideas.
01:13:36 - Dan Moore
Yeah, we have an officially supported Helm chart, and we definitely have users that are running in all three major public clouds.
01:13:48 - Anthony Campolo
So which one is the worst and why is it Azure?
01:13:50 - Dan Moore
Which one is the worst to run FusionAuth on, or just in general?
01:13:57 - Anthony Campolo
Just in general as clouds.
01:14:02 - Dan Moore
I mean, I would say... So we have users doing it. I don't have direct experience with Azure.
01:14:09 - Anthony Campolo
So the correct answer is Azure.
01:14:14 - Dan Moore
I have definitely heard hard things about Azure. Actually, I taught AWS certifications for a year or two, so I have a deep fondness for AWS technology. Amazon the company I'm more ambivalent about, but AWS technology...
01:14:32 - Anthony Campolo
It's defining of a generation of software, 100%.
01:14:37 - Dan Moore
It is amazing.
01:14:39 - Anthony Campolo
So this was interesting about Kubernetes, though. Kubernetes was created by Google, so that's why Google obviously has good Kubernetes support. Amazon had the resources to make good Kubernetes support. And Azure, their cloud in general, their DX just isn't very good. So we also have Kubernetes, and it's going to be worse than both other options.
01:14:59 - Dan Moore
Fair enough. I'll say no comment.
01:15:03 - Anthony Campolo
So if you were to spin up an example app to show someone FusionAuth, how would you develop it with this whole myriad of different tools we've talked about and ways to do this?
01:15:15 - Dan Moore
Yeah. So if I was going to show you what FusionAuth was capable of, I'd probably start out with what you wanted.
01:15:24 - Scott Steinlage
Right.
01:15:24 - Dan Moore
Because people can look at an auth server and say, I just want authentication, or I want SSO, or I want sophisticated permissioning, or I want consent management, or I want registration, or I want MFA.
01:15:39 - Anthony Campolo
So I guess I'm curious, when you start with clients, do you give them a list of everything and they check them off? How does that work?
01:15:47 - Dan Moore
Yeah, yeah. So our go-to-market really is... and this gets back to something I think Scott said a while ago. By making it free, we let clients self-filter. A lot of our clients don't actually talk to us until they're midway through their process. Then they might say...
01:16:07 - Anthony Campolo
Since you wrote docs that didn't make them immediately leave.
01:16:09 - Dan Moore
Also. We have people that point out flaws in our docs, and our docs definitely have issues, but we also have people who rave about them. So I would...
01:16:20 - Anthony Campolo
Nice. They seem very well organized.
01:16:23 - Dan Moore
Thank you. Yeah, it's something you can always improve. I'm sure the Redwood folks feel the same way.
01:16:29 - Anthony Campolo
Right.
01:16:29 - Dan Moore
There's always more stuff you can do.
01:16:31 - Anthony Campolo
But our docs are like four years in.
01:16:35 - Scott Steinlage
Yeah.
01:16:36 - Dan Moore
Yeah. But I think a lot of devs, especially since we're a dev-focused tool, want to download something and just kick the tires on it and run through the basic integration. We have a five-minute Node.js option that is super... Again, you look at it and you'll say, oh my God, who had the design sense of this? Because it's just stark white and not pretty. But it does show that crucial flow of how do I set up a configuration in FusionAuth, and then how do I stand up an app, and then what happens? The user clicks on the button, they get sent to FusionAuth, they log in, and they come back. Now I know who they are. People will kind of troll through the docs, use as much of the free features as they want. And again, we have people that are running thousands of... we call them applications, which are basically different things you can log into, or hundreds of thousands of users, that we only hear about anecdotally until they decide, okay, this is a production-critical service, we want support, or we want this feature like SCIM or WebAuthn that is only in the paid editions. Then we hear about them.
01:17:51 - Dan Moore
But when I joined the company, I kind of thought, well, this is an interesting opportunity to help allow every developer to have a better auth experience, whether they want to pay us money or not. And I still think we do a good job of fulfilling that promise.
01:18:12 - Anthony Campolo
Let me give a quick story about auth. I did a bootcamp like three years ago, and every month there'd be a build week, or you'd get a group of people together who were in first month, second month, third month, fourth month. Each month you would be deeper into the back end. So you'd start on HTML, then do a basic React thing, then do a Redux integration with the login form, and then do the database or the back end. Every single project I did, every single time, it always broke at the login, with the Redux part getting into the database. It was always CORS or, how is the password even moving? None of these people even know how JavaScript works — we're all total noobs. It blew my mind because it broke down in such similar ways every time. I was like, why isn't there an easier way to do this? Then I realized that now, seeing this three years later, there are like 10 companies building solutions to address this.
01:19:16 - Dan Moore
Yeah, I mean, and again, back to what I said before, not to sound like... And by the way, I just want to be totally clear with y'all, I'm not hawking FusionAuth entirely.
01:19:25 - Scott Steinlage
Right.
01:19:25 - Dan Moore
I think FusionAuth is a great solution, but there are other great solutions out there too. But building your own solution is not a good solution, except if it's an experiment. Use a library, use an auth server, use something. Because it's a known problem.
01:19:42 - Anthony Campolo
What's known from Redwood is that we integrate with like 10 auth providers, and then we have our own do-your-own-auth version. Guess which one out of all of those we had to put a security patch in for, because our thing was hackable. The self-hosted auth one. This happened like a month ago. So even the framework authors building supposedly these most high-level frameworks... And this is also the developer who is always saying, why do we gotta use all these third-party services? Why can't I just do this myself like I did in Rails? And it's like, this is why.
01:20:19 - Dan Moore
Yep, yep. There's a lot of things to think about. And again, it's undifferentiated, right? No one cares about your login system, except for when it breaks.
01:20:33 - Anthony Campolo
Cool. I'm not sure if you mentioned yet if there are community spaces or places people should go to learn more and things like that.
01:20:42 - Dan Moore
Sure, yeah. You can go to FusionAuth.io to look at our pricing, to download the free edition, to look at our customer list. There's a community section, so there's a forum and a Slack. Then we're very active on GitHub. That's kind of where we track all of our development. You can see issues other people are having, bugs, how responsive the team is to that. Those are probably the three main places to go to interact with FusionAuth and...
01:21:15 - Anthony Campolo
Because your company is a little old, so I'm in Discord. But that's okay. You got GitHub at least.
01:21:21 - Dan Moore
Well, honestly, we had a long discussion, and I'm happy to talk about this ad nauseam, about whether we should even do a Slack.
01:21:29 - Scott Steinlage
Right.
01:21:30 - Dan Moore
Because I love forums. They help people discover solutions other people have had.
01:21:39 - Anthony Campolo
Because I love Google, I love Discord, yeah. I am in a single Slack right now for Redwood, and I'll be in another Slack when I'm at my next job. Those are the only Slacks I'm in. I don't do other Slacks.
01:21:50 - Dan Moore
But how is Discord for searching? That's always been my worry.
01:21:55 - Anthony Campolo
It lets you search for specific terms, lets you search for things users say, lets you search different channels. You don't get particularly good fuzzy search. That's the only problem.
01:22:07 - Dan Moore
Okay. Well, maybe I'll look into doing a Discord, but probably not because I'm a little bit legacy, as you said.
01:22:19 - Scott Steinlage
Well, it sounds like a forum is a great solution for what you guys have, what you're trying to accomplish with that. Like you said, discoverability is a big thing, so it's important. Awesome. Thank you so much for joining us. I think if nobody else has any questions... If you do, please, this is it. This is your time. Come on up now because we only got a couple minutes left here. But we have a hard stop. So if you have any other questions for Dan, please come up now. Looks like Jen's wanting to come up. I'll bring her up. There we go. Anybody else, feel free as well. Jen, what's happening? How are you? Sounds like you hung out with Dan in Colorado. So what's up?
01:23:03 - Jen
I was actually surprised when I looked down and the Twitter Space was still going because I muted it and I was going to an interview. Then I saw, oh hey, it's still going, I can say hi.
01:23:23 - Anthony Campolo
How did it go?
01:23:24 - Jen
Because you guys are so cool, and it was all so many dope humans. Dan, I do have a question for you. What is the term, the one word people had to use to cross the river to see if they were from their city or not, for authentication?
01:23:48 - Dan Moore
So Jen's referring to the talk I gave at Denver Startup Week, and it was called A History of Authentication. In 1100 B.C., I think it was 1100, there were two tribes fighting. There was a river that one of the tribes was trying to retreat across, and the other tribe obviously didn't want people to retreat across. They discovered that one of the tribes pronounced a word differently than the other. So as you were trying to cross the river, they would ask you to pronounce this word, and if you pronounced it the wrong way, they would kill you. This is an example of one of the kinds of factors, which is something you know. The word was shibboleth. So there's your trivia for the day.
01:24:44 - Scott Steinlage
You said it wrong, Dan. Sorry, brother.
01:24:46 - Dan Moore
Oh, no, I'm kicked off, actually.
01:24:49 - Anthony Campolo
Shibboleth.
01:24:50 - Scott Steinlage
Who knew, right? Nice.
01:24:54 - Jen
And y'all thought I was just coming up to say hi. I came with a question. I am excited.
01:24:58 - Dan Moore
That's awesome, Jen. Thank you.
01:25:01 - Scott Steinlage
Thanks, Jen, as always, for real. All right, well, thank you all so much. If nobody else has any questions, I think we're probably going to go ahead...
01:25:11 - Dan Moore
Can I just say something real quick? I would say, to tie it back to the original topic, if you see login with biometrics, login with [unclear], or login with passkeys, and you're on your phone or you have a biometric-enabled device, I would challenge you to give that a try and see how it is. I was on a podcast the other day and during the podcast, one of the hosts just set up Touch ID for his GitHub and for his NPM and et cetera, et cetera. I think it's a safer, easier, more secure way to log in. So that'd be my final challenge. JavaScript Jam.
01:25:50 - Anthony Campolo
That's a good one. So I've done it twice.
01:25:53 - Dan Moore
Yeah, it's a fun one. But anyway, just give WebAuthn a try and see if it makes your life better.
01:25:59 - Scott Steinlage
That's awesome. Yeah, totally do it. Try it out. I know it definitely makes things quicker and easier for me and, hey, more secure. That's even better. Just to leave you with a last thought, I'm curious: those who are not as familiar with this technology and maybe not tech people to begin with, and they're more of a user base, and you're giving your users the option to choose biometric or PIN or whatever, are people going to be willing, how many are going to use biometric on an online web application? Will they understand the technology? Or will they be fearful?
01:26:49 - Anthony Campolo
We wouldn't do it in China, that's for sure.
01:26:51 - Scott Steinlage
Right? Use that VPN, bro. But yeah, anyway, just something to think about.
01:27:01 - Dan Moore
Open question, for sure. Open question. Well, thank you.
01:27:07 - Anthony Campolo
Thanks so much, Dan. This is a super interesting conversation, and I'm really curious to check this out more — this is one of the more DX-friendly auth tools I've seen while also being very deep, protocol-level type stuff. So it's pretty sweet.
01:27:25 - Scott Steinlage
And it'll be cool to see that new frontend-friendly piece, the React piece. Yeah, that'll be cool. Let us know when that comes out, Dan.
01:27:38 - Dan Moore
Definitely will. And thank you again. Really interesting conversation. Thanks to everyone who asked questions. The GPT sidebar was really interesting too. Thanks for having me. Really appreciate it.
01:27:50 - Scott Steinlage
Yeah, no, thank you so much for joining us today. Hey, if you're out there in the audience still and you are still listening to us, then obviously you enjoyed this. Therefore, if you got value from us and Dan as well, please click on Dan there. Follow him. Give JavaScript Jam a good follow. We would appreciate that as well. We love y'all. Thank you so much for joining us. Hey, if you're listening to a recording of this, yeah, do the same thing. Give us a follow, give Dan a follow. Why? Well, because if you got value from us here, you're probably going to get value from us in other places as well. All right, thanks y'all so much. We love y'all. We'll see you in the next one. Oh yeah, thanks guys. See you in the next one. Peace. Wednesday, 12 p.m. Pacific Standard Time. See you there.