Rich Ziade Can I pitch a podcast before we get started?
Paul Ford Go!
RZ There is a podcast—I saw this, I think it was on Vice—where this guy is intentionally really boring and then—
PF Oh! Sleep With Me!
RZ And he—and it’s hugely popular—[yeah, no, no, no!] you just sort of—
PF I’ve loved Sleepy Time Media. He’s really good. He’ll talk about just utter nonsense until you fall asleep.
RZ That’s amazing.
PF No. I have better sources than that, frankly.
PF So he’s pretty good but then I’ll tell you what works: old news from like the seventies. Like a newscast. Like a Walter Cronkite on the radio kinda thing.
RZ Like re-aired.
PF The best I found—remember the 2008 financial crisis?
RZ Mm hmm.
PF Ok. There is a set of about 500 mp3s of interviews between like the FCC and federal investigators and bankers about various transactions—
RZ You’re gonna sleep.
PF They’re on mp3. I have never made it—I swear to God, I’ve never made it past the introductory remarks where it’s like, “I. Am. Uh. Sitting. In uh—”
RZ Are these available online?
PF They’re all available online.
RZ Ok. We’ve got a link to send.
PF [Chuckles] Yeah. We’ll put that up there.
RZ Yikes [music plays for 18 seconds, ramps down].
PF You wanna know what he talks about?
RZ . . . what?
PF And it’s a big deal. One of the biggest deals in our business.
RZ Define it, succinctly.
PF Well, I can do it in one word: login.
RZ Logging into a site.
PF Yes [music fades out].
RZ So, wait, now [stammers]—
PF Well not just a site, into anything!
PF This is one of the big—like—how much—
RZ [Crosstalks] I put some stuff—
PF How much energy goes towards, do you think, goes towards auth based issues in our entire industry?
RZ I’m guessing a lot less nowadays.
PF Hopefully less but it’s still a significant percentage.
RZ Ok. Well, let’s walk through the case. I put four things into a shopping cart [mm hmm] and I now want to purchase them.
PF That’s right.
RZ And now I’ve got—and this is interesting, ecommerce makes it real sloppy too. It’s like you can either buy it as a guest—
PF That’s right and then you put your stuff in but they—now they’re supposed to forget it.
RZ And then they ask you—the polite ones say, “Do you wanna create an account? [That’s right] You gave me all the info anyway [yeah]. You will be buying more sweaters.”
PF “We’d love to see you back here.”
RZ “We’d love to see you back and we’d love to email you everyday.”
PF Which is a little bit about deals [Rich snickers]. “Can we remember your credit card?” Yeah, “And can we continually harass you?”
RZ Correct. And so they wanna hook you in and make you quote/unquote member so you get deals and stuff.
PF So that’s about taking an anonymous account which isn’t really anonymous. It’s a guest account but they know who you are [mm hmm]. They still track that information and send you your stuff [yes] but you can’t come back—you don’t establish a password and you’re not really a part of their overall system.
RZ That’s right and the motivation there is, “Geez, you know, I never wanna do that again.”
PF That’s ecommerce. Then there’s like logging into your email and you’re like, “That’s a big deal”. [Sure] Then there is all the stuff that Microsoft offers like they have various identity services.
PF Here’s a little anecdote: I once was working on a project with a giant entertainment company and I talked to someone and they said—I was like, “How long have you been working on this login project?” Cuz they were trying to consolidate all the different logins.
RZ So you can use one account to get across all sorts of properties.
PF That’s right, that’s right. And they said, “60 months!”
RZ That’s incredible.
PF Well, that’s the thing: it’s really hard to get one kind of login to another. And it seems really normal. Like, “Well my username is Bob.”
PF “And I should be able to jump over here and have the same username and authentic—” [Yeah!] But the systems are hard.
RZ The systems are hard and they’re really not designed to be lumped together. They’re usually kind of—there’s a single purpose around them. But now what people are used to, they’re not stomaching that. You can’t do that to people anymore. When’s the last time you signed on from scratch if you could do it with Google?
PF So what we’re talking about there—what you’re talking about there is this technology, there’s a lot of different variations but like OAuth or OAuth 2 and what that means is that’s that thing where it says, “Login with Google”, “Login with Facebook”. And you go over there and they give you a little handshake but you don’t actually have to give them all of your information or—or set up a password with them. Right? [Yeah] So when’s the last time—I don’t know.
RZ Do you bother?
PF I’ll tell you what I like to use: I like to use Google. Because it’s very granular. When you use Facebook, I’m like, “I don’t know if I’ll ever be able to get away from what I just logged into.”
RZ I have stopped doing it because I gotta be frank, you know, I can’t tell—I can’t really read the consequences of doing it. So I just don’t do it. [So—] And you know, I don’t—I don’t know if that’s even fair cuz who the hell knows what Google is—
PF Oh you still login with like—you create an account when you’re doing something new, you make like a username and a—
RZ No, I just do Google.
PF Oh you just hit the button. You have very good privacy settings. They’re quite granular. It’s one of Google’s better products. It’s like, “You’re—these machine—these devices are connected to your Google account [mm hmm]. This is your Android phone [mm hmm] and your iOS and these accounts.”
RZ So, wait, what you’re talking about is if I go to a site that allows me to store files, like a DropBox site, I can either sign up, so fill out a form of five or six fields: first name; last name; email; et cetera [mm hmm] or I could skip all of that and sign in with Google.
PF Yes. So that’s great if you’re an individual. That’s like, “Ok, I clicked a button,” and then Google pops up a window and says, “Hey, DropBox would like access to these aspects of your account?”
PF “Are you cool with that?” And if you say, “Yes,” now you are able to get logged into DropBox.
PF You are right in there and the next time you come to DropBox and you wanna login and if you’re not logged in, you’ll do the same, except you’ll already have been authenticated and it’s—
RZ Just, life’s easier. Right?
PF It’s pretty easy and it’s really good on mobile because [yeah] it’s hard to type passwords [yeah] and all those things. So I think that’s one of the reasons—
RZ Better on Android than iOS but yes.
PF Yeah! That’s one—but I think that’s one of the reasons why authentication has kinda gotten slicker is cuz it just sort of got impossible to put a secure password into that little text box.
RZ [Stammers] It’s a pain in the ass but what people should know is every time you do that, you can go see the list of sites [that’s right] you’ve allowed Google to wave you in and actually control—you could actually remove their rights, in fact, altogether. You can delete the site. So next time you go there you’re gonna be like, “Ok. Who are you again?”
PF Well then there’s a magical thing here and this happens with Slack and this happens with DropBox and similar which is that the whole company—So we’re postlight.com.
PF And if you have a postlight.com email address, which is served by Google, you can get access to our DropBox.
RZ All of our services.
PF And our shared folders—
PF—and Slack. Yeah. And you—
PF That’s right.
RZ Pingboard which handles time off [trails off]—
PF So it becomes the master key and [yeah] I could be—there aren’t a lot of down sides.
RZ Not a lot of down sides. Actually a ton of up side. Controlling all of that; managing it with people; it’s hugely useful.
PF This is what’s tricky with Google is it’s like, you know, it’s a giant, monolithic organization. They don’t care about our email.
RZ You gotta bank on that! [Laughs]
PF Yeah. And, you know, you can get paranoid but like I just—it’s—
RZ Well, the model’s different, right? We’re paying.
PF Do you ever administer a mail server?
RZ I did.
PF Ah. Me too. It’s a nightmare [yeah]. I hate it.
RZ I felt good about though, I’m not gonna lie.
PF Me too but I, you know, it is—it is a joyless task.
RZ It’s joyless. It’s—it’s joyless. Fair enough.
PF And when something goes wrong [chuckles]—it’s not like, when something goes wrong on the web, I’m usually pretty confident I can fix it [yeah] but when something goes wrong with a mail server, [yeah] I’m like, “Well, that’s it. I’m never gettin’ [music fades in] anymore mail.”
RZ Lifting the lid on IMAP—
RZ—is something [music plays alone for six seconds, ramps down].
PF Ah! Rich, you know, I wanna [music fades out] interrupt this podcast for just a minute.
RZ Why, Paul?
PF Well, you know, not everybody realizes that this podcast is a pure marketing vehicle for an agency.
RZ You know, you don’t have to apologize for this—
PF [Crosstalks] I’m not apologizing. I love it!
RZ We put a good podcast out.
PF I love it. I love the hustle.
RZ Postlight is a New York based product and services studio. We’re a collection of designers, engineers, and product leads that build really amazing experiences. Sometimes we go in and we do the facelift, the nip and tuck. Sometimes it’s green field and we just build something out of thin air and it’s lovely. And it’s a great group. Very talented.
PF It’s true. If you need someone to sit down with you [music fades in] and get that plan right, so that you can build this thing, let’s do it: [email protected] [music plays alone for six seconds, ramps down]. So the thing that’s changed in our world is that [music faded out] I would say that [chuckles] 20 percent of every project up until about ten years ago, five yea—maybe seven years ago, was how are people gonna login and what can they do once they’re logged in? [The problem has been solved. That’s right] How do you log them out? Security was really, really hard and like all of that stuff [mm hmm] and probably driven by mobile and driven by simplicity. It is now a much, much smaller part of your project.
RZ Yes. And, look, it’s worth noting: if you’re paying money—we pay money for Google Suite. If you’re paying money, Google is—their alignment is now around our monthly bill [that’s right]. It is not around amassing where all of our employees are going to different places and drawing these profiles, these data profiles so they can push lawn mowers and—
PF [Crosstalks] That’s right yeah you don’t get the ads, right?
RZ—and other services.
PF It really is a different world where if Google is a service provider offering like direct services to you that you pay for—
RZ It’s different. It’s—it’s a whole different—
PF It’s just very convenient.
RZ The—the—the incentive is completely different. And that’s worth noting because if you’re using sort of a plainville Gmail account, I don’t know exactly what to do and I don’t wanna take the leap and say like, you know, they’re following you, they’re standing over your shoulder wherever you go but, without a doubt, the incentive then, at that point, is not the five dollars you pay every month, the incentive at that point is to really triangulate on your life and do things with that data and—
PF Honestly, with Gmail, I don’t think people that care that much. They’re like, “I get these two ads at the top, that’s life. Whatever. Onward.”
RZ Yeah but then there’s like you don’t know where else that’s going.
PF It’s weird.
PF It’s a little much. The larger issue here—
RZ If you can pay, pay! Is what I would recommend.
PF I would—I think that’s right.
RZ You know?
PF So the thing that’s fascinating to me though is like this used—to build a web thing, you used to have to roll this yourself all the time, and now it’s beautifully abstracted [mm hmm] away.
RZ There were, I mean, IT managers in large companies who had to manage mail servers. I mean that’s real [oh yeah]. Some still do, by the way, let’s be very clear.
PF [Crosstalks] It wasn’t just—if you’re at a certain scale, like if you’re a university, you might have—even if you’re using Gmail, you’re still, someone is administering all that.
RZ Yeah. Ah—also, uh I mean, look: let’s be real. I’m not logging in with Google to my bank account. That’s not happening.
PF I’m ok with that.
PF But I’m not—let’s not even worry about ourselves for a minute.
PF What blows my mind is how something like that—something really fundamental like who am I on a system is now just a product that you can plug into anything new that you build.
RZ That’s right. If you’re—Right, if you’re a product manager or a product lead who’s thinking about a new tech, you really should not be building that from scratch.
PF That’s the thing like anyone who builds authentication independently without carefully having a really, really good case [yeah] is not doing a good job for you.
PF Like someone should be saying, “Are they logging in through Google, Twitter, or Facebook or something else?”
PF It’s strange how that fundamental aspect of everything online has been kind of taken out of our hands.
RZ Is that bad?
PF It’s not bad or good it’s just a really big change and it makes me wonder well like to see that get abstracted away—cuz you used to have an independent identity on different systems.
PF And now you have one identity that is centralized and it’s like if you take Twitter, Facebook, and Google and you put them together—and GitHub! That’s the fourth one that kind of a lot of people use, if they’re—if they’re in our community [yup]. If you put those four together that’s everything I access is accessed through those four servers.
RZ Through four companies.
PF That’s right.
PF And actually Microsoft owns—is the last one, right? And that owns GitHub now.
RZ Do you have a problem with that?
PF I think that it is something that is a—it’s a giant, secret sea change that rarely gets observed.
RZ I—I think that’s true.
PF I think that’s the point I’m making is just sort of like as product people I would be—and working for clients, and working for ourselves [mm hmm], it would be incredibly difficult for me to advocate for anything else because users want it; it is secure; and there’s a wonderful principle which is like if Google—if Google can’t make it secure, then we’re screwed. Like I mean they are—[yeah] I love our company but Google has given much more focus and attention to login based security than Postlight has.
RZ That’s right.
PF And I wanna take advantage of that.
RZ We do have a client, Paul, that for various reasons really, by design, did not want to fall into this, they didn’t wanna cede control over what their community was gonna look like to one of these companies. And, frankly, the case wasn’t hard to press. We got it, right away, as to why they didn’t and we appreciated it—in fact, we built it, by the way. We built the actual authentication [trails off].
PF Let’s think of some of those cases, right? Cuz there’s a lot of them. One would be privacy. Just, “Our organization needs true privacy for all of its members and we’re at a scale where [mm hmm] we’re going to invest to preserve that privacy.
PF And, actually, government is another one, right?
RZ There’s no way you’re gonna hand over, I mean, logging into the DMV to renew your driver’s licence is not gonna happen through Facebook.
PF No, that’s right. They’re gonna have their own authentication system.
RZ They’re gonna have their own authentication system.
PF That’s right. So things like that—like large—
RZ I think like—
PF Large religious organizations might be another—like there’s sort of like—
RZ Ahh! That one’s fine.
PF No, because people care about their privacy—
RZ I think—I think like financial transactions.
PF That’s another one.
RZ Trading stock. I’m not gonna go to Goog—I’m not auth through Google.
PF Well this is the thing, Facebook, right? You auth into Facebook, you’re letting Facebook know that even if there’s nothing else, you’re letting Facebook know that a certain number of people are logging into a given service.
PF That is a lot of information for Facebook to have [yes] about who is using what, where, when, why.
RZ And, look, let’s be frank—
PF Not why.
RZ—I think there is a lot of positive that comes out of Facebook like my family, my mom really doesn’t get all of the like drama and just is really happy to see my kids.
PF Well, it’s vast, right?
RZ It’s vast.
PF It’s just vast.
RZ And then there’s a lot of, I mean, the focus is on the bad stuff but there are families that are dispersed and communities that are dispersed that actually connect on the platform—
PF What’s tricky with tech is that when the criticism comes, everybody’s like, “What do you mean?!?” And it’s [yeah] just sort of like, “No, you now are—you’re like a nation state and so you’re gonna get criticized like a nation state.”
RZ I mean it’s—and—and as I’ve read up about a lot of their challenges, it’s just scale.
PF It is.
RZ It’s just, “I can’t keep track of two billion people.”
PF Well, well, with two or three key moments that could’ve gone a lot better.
RZ Alright, let’s keep this optimistic, Paul.
PF We’re gonna keep going.
RZ I don’t disagree with that but I mean—So—
PF [Laughs] But I think there are valid reasons to say, “We are going to go our own way and have our own system.”
RZ Oh it happened and it’s gonna continue to happen.
PF Now in that case, there are a lot of really great open source libraries and tools and technologies that you can use and you can actually—
RZ Pick ‘em up off the shelf and—
PF And I don’t think people know this: so that service that Google provides, that authentication services where you click and you hit the button and now you’re suddenly logged into some other app through Google [uh huh]. Anyone can provide that service.
PF Like you could set up The Grey Box Foundation [mm hm] and the, you know, or Basil Financial or something. I’m literally looking around the room at things to come up with names.
RZ You found some fresh Basil?
PF No, there’s a Basil Hayden bottle of—
RZ An excellent bourbon.
PF It’s a lovely bourbon. The Orange Post It Note Society, right? You can not just create your own login point, you can create your own authentication endpoint and people can then build apps on top of you.
RZ Yes. Anybody can do that. Do you have any platforms off hand that you wanna share with people? In case they wanna look at this possibility.
RZ Alright. Some tips, real quick, I mean we talked in terms, which I think is good advice for product leadership and people thinking about their platforms and how they’re gonna handle authentication.
PF Well the reason I wanted to bring this up for this podcast is I think it’s a weird afterthought that’s actually core to everything.
RZ It is! And—
PF It’s that first experience and—
RZ It’s the first experience and, look, it’s extremely—the argument for you’re gonna get more users if you’re trying [yeah] to amass users, if they can tap one button instead of fill out a form, is incredibly strong. It’s hard to fight. I mean the burden of proof is on not doing that because you’re gonna get more signups.
PF There’s another part here, too, which is it’s kind of a pain. It’s a thankless task—
RZ It’s more software.
PF And it’s tons of security risk. This is like the most vulnerable part of your application. That’s why it’s hard. You have to be really paranoid and you have to make sure things can be trusted and—and you have to kind of be on the defensive all the time and most product teams and most software companies are not, they’re actually very much like, “Let’s go! Let’s get it done! We’re under the gun!” Auth is one of those things where everybody has to sit in a room for awhile and go, “Now, wait a minute, what if this happens?”
PF It’s one of the more thankless tasks of software engineering.
RZ Yeah and if it’s low risk, in terms of, ok, if something happens how bad is it? Like if you’re trading images or—
RZ You know, whatever. That’s much less painful than, you know, if there’s real sensitive information in there.
PF Well and there’s baselines—
PF There’s baselines there, right? Like number one that’s really bad is unencrypted connection and then you save the passwords in plain text [yeah]. So somebody gets your database and that’s it, it’s over. They know everybody’s username and password [correct]. There is a great site called Have I Been Pwned? Which is this guy, I believe his name is Troy Hunt, I think he now works for Microsoft, I’m not sure. He’s Australian. But as giant database dumps of people’s usernames and passwords have come out into the world, he’s created this big relatively secure database where you can go see [if—if you’ve been compromised] which leaks you’ve been part of. Yeah. So like I remember I got hit by the Adobe leak and a few others. And he has something like a billion password leaks in there now. Like it’s hit everybody.
PF His user base is roughly the [chuckles] size of Facebook, they just don’t know it yet.
RZ I’m doing it now, I’ve never done this before.
PF Oh, you’ve never—oh, ok, everybody, Rich is gonna put his username into haveibeenpwned.com, let’s see what happens. Let’s see how many times you have been leaked [hums an elevator music like tune].
RZ Ok but I—I don’t think he actually just went and found my name.
RZ I think he’s just saying—
PF He knows your username and then it’s aligned with a certain password.
RZ Oh that’s nonsense. Every company in the world is on here—
PF No but—that’s right, it lets you know how badly your passwords have been leaked.
RZ I’m cool with all of this.
PF Do you have different passwords for different accounts?
RZ This is a huge piece of advice. I don’t. I’m pretty good. I have probably seven that I keep distributing out.
RZ And that’s better than one.
PF That’s ok.
RZ That’s ok. But this is a huge point: if you are exposed through one leak, people will take that password and check everything else.
PF I had one password that I used all the time years ago and I definitely got—I got hit, I got a server hacked into. It was a mess [yeah]. Nobody ever got my email but like you’re always vulnerable.
RZ Yeah, you are.
PF So I now use 1Password. Do you use a password manager?
RZ I do use 1Password.
PF It is really good.
RZ Yes. The “number one” password [1Password]. It’s a pitch. They are not paying us any money. It’s really—
PF [Crosstalks] No, but God it’s—
RZ It’s really good.
PF The only unsettling thing about 1Password—it’s also gotten better, by the way, at auditing your passwords. It’ll tell you if you’re using something twice.
RZ Yes and their cloud services are excellent now.
PF The cloud service is very good and integration into mobile is getting better. The only thing is you look at it and you realize how many goddamn nonsense things . . . it takes for you to live your life in 2019.
RZ It’s something, isn’t it?
PF I must be logged into 2,000 different websites.
RZ I just need them all like to look at my face.
PF Oh yeah.
RZ And my—not just my face but if I’m clenching my teeth—
RZ Then open up my bank account.
PF Yeah. That’s a great idea. That’s really—that sounds flawless.
RZ If I’m a little—if I’m a little sad, like the brow is a little down, then show me animated GIFs.
PF Banking is terrifying, man. It’s like here’s this plastic card with a number that’s kind of ok and then a four-digit number—
RZ On the back—
PF Which you can like, you know—
RZ Yeah. It’s a sloppy mess.
PF And then once every, like, three months AMEX is like, “Hey, hey! You bought a soda.”
RZ Yeah [chuckles], yeah.
PF Or a Balenciaga bag [yeah] and I’m like, “That—that wasn’t me. No, the soda was me.”
RZ Gas station in Texas.
PF Oh! That’s a good one too [yeah]. So we’re in a world where there is not a lot of security. 1Password is pretty good, it’ll make these giant long garbage passwords that you’ll never remember.
RZ Competitor’s LastPass is also pretty good.
PF Yeah, it’s fine too. I mean, this is—on a personal level, I think everybody’s gotten this message by now but my God, use one! Because [yeah] you’re not aware of how much garbage you’re plugged into and it’s also pretty good, especially with the cloud service between like mobile, home, web and [yes] it’s hard to keep that locked up between browsers.
RZ That’s right. 1Password, if you have a newer iPhone will open with your—with your face.
PF Does it do that?! It does—
RZ Yeah, you have to smear your face on the phone, just very awkward.
PF Lick the phone. That’s right.
RZ Uh tongue detection has not kicked in yet.
PF No, that’s next. That is good. It’ll be for dogs when dogs iPhones.
RZ Pewwww [high pitched, in disbelief].
PF That’s probably Apple’s next big step cuz—
RZ That’s the big announcement?
PF Self-driving car isn’t working.
RZ No, no.
PF Tim Cook is gonna come out with an old blood hound and everyone’s gonna go, “This is great!!!”
RZ You know what they should launch is self-driven individuals.
PF Oh that’s right! [Laughs boisterously] That’s right—
RZ [Laughs] Just really motivated people.
PF They just get four Apple watches [Rich laughs]. One for—one for each extremity and they put you on that paddle board [Rich laughs again]. So um—
RZ Alright. Good advice for both consumer and really decision-maker within companies as you make these kinds of calls.
PF And let’s bring it back home, right? Like what do you need to do—I come to you Rich and I say, “Rich, I need to build a giant thing. It’s gonna [yeah] have—we’re gonna have a hundred thousand users. I’m nervous about giving all my data to Facebook [mm hmm] because—and I’m nervous about giving it all to Google because, you know, it’s our data, it matters to us. What do I need to do about authentication?”
RZ I would scrutinize that a bit and I would say well let’s run through those like catastrophic scenarios and let’s see how bad they really are because, frankly, if you can auth through one of these platforms and it’s not a big deal, then you should do it because ultimately the user experience is gonna be dominant. If you’re not looking to get new users then do whatever you want. You could just send out sign ups and they’re gonna do it, they’re a captive audience. But if you’re looking to grow an audience, there better be a compelling reason not to do it because less people will sign up if they have to fill out a form. That’s real.
PF [Jinx with Rich] That’s real. And the other thing I would say is just if you are working with someone; or hiring someone; or talking to a firm like ours or—or just whatever you’re doing, and they’re like, “Don’t worry about auth,” that is a red flag.
RZ Yes, yes, nobody should be saying that.
PF It is a horrible, real part of building anything [that’s right] and if you’re trying to get into this field [music fades], being really aware of it and understanding like how a user gets authenticated, tracked through the system, how they can become like [yeah]—how they get more permissions or less permissions. That’s the horrible, real work of product development along with all the cool flashy stuff [yeah] and it’s something to fall backwards into that moist pool of stuff.
RZ Yeah, you gotta be careful.
PF Alright, well, that is our podcast for today. Let’s—let’s do another podcast really soon.
RZ Ok. Everyone, have a lovely week and watch your back!
PF Yeah [chuckles], have fun logging into 5,000 things before we see again!
RZ Bye [music ramps up, plays alone for six seconds, fades out to end].