
Threads Should've Launched with Passkeys

Published On
Jul 13, 2023

On this episode of the Cybersecurity Hot Takes podcast the group discusses how Threads made a mistake launching with its current authentication flow. 

Transcription

Reece

You heard the jingle, and you know what time it is. It's a new week. It's a new "Cybersecurity Hot Takes." It's me, your host, Reece Guida, enterprise saleswoman extraordinaire. To my left in the office today, which is very hot by the way, we have Joshua. 

Joshua, tell the people who you are. 

Joshua

Hello, everyone. I am back on the podcast. Another rare appearance. Normally, I am the producer of this podcast. But today, I'll be talking with these fine folks. 

Reece

Yes, we're letting him talk. And we're also letting HB talk. HB, remind the listeners who you are and why they should care about what you have to say. 

HB

I'm HB. I am responsible for product strategy here at Beyond Identity. And today, I'm super eager to learn from the young folk what's cool and hip in the world of social media. 

Reece

Well, you're out of luck because there are absolutely no Gen Zs on this podcast. But we are joined by a Gen Z at heart, Joshua. 

Joshua

Yes. 

Reece

So the hot take is that when Instagram launched Threads yesterday, which is Twitter's competitor, rival, their authentication flow sucks. Joshua, give us your insight here. 

Joshua

So, you know, my first-hand experience, you know, you download the app from the App Store, that was great, easy, fun. It was already preloaded on my phone, ready to go for when Threads launched. And the way that you log in to Threads is, because it's tied to your Instagram account, you basically have to log in to your Instagram account. And so that is by the old username, password. 

You can have two-factor authentication if you want, which is great. We love to see that level of security. But I just was so disappointed and so frustrated that a whole new huge, huge app by one of the biggest tech companies in the world in the year 2023 did not have a passkey implemented system. 

Reece

Shameful and disappointing. And, Joshua, why were you on Threads in the first place? Is there something you want to promote and/or brag about really quick? 

Joshua

Sure, why not? So I was on Threads at launch because I'm also a social media manager here at Beyond Identity, and so Beyond Identity is on Threads. So I was logging in and setting up two accounts, a personal one for me and for the company. So I'm switching accounts and switching devices, juggling all these passwords. I had to reset two passwords, two separate times. 

It was so annoying and frustrating. And I just... I can't anymore. I can't anymore. 

Reece

I imagine that, HB, you are similarly dismayed because you, like Joshua, are one of the 20 million users to sign up yesterday. Tell me how you felt about this hot take. 

HB

You know, I'm having a hard time focusing on just thinking about whether or not Joshua's password is "July2023password!" 

Joshua

It will not be once this podcast airs. 

HB

I love the fact that Microsoft disclosed, during some of their passwordless launches last year, that something like 1% of the accounts that they see that require password rotation use some sort of pattern like that. 

Then all of the guys who put together PassGPT to demonstrate what GPT could do with a password library, they were able to show that, you know, people are so predictable that these LLMs are able to figure out what your password is in an additional, like, 20% to 30% of cases even beyond what the dictionaries and rainbows have. 

So it's kind of entertaining. 

Reece

Twenty million new users, 20 million awful passwords. We'd love to get our hands on that treasure trove of terrible, terrible passwords. You know, when you guys were telling me about your experience, I was honestly shocked that Meta didn't use passkeys. Also not that shocked because, even though Meta's in the social media space, they now think that they're the epicenter of reality, a new reality. 

So competitively, I'm sure they don't want Google and Apple and Microsoft to be able to plant a flag in their shiny new app. They just want to make it pretty much like a parallel to Instagram. I don't think they are really necessarily trying to do anything cool with authentication here. They're just trying to shuffle those Instagram people over to their new application. 

So there is a mutual login process, from what I understand. Like, it just uses your Instagram login. But why did you have to create a new password? Because, to me, it sounded and felt like Instagram is a version of a social single sign-on. Can you paint in more detail what that was like? 

Joshua

It's less of a social single sign-on, and it's more of you just log in to Threads with your Instagram credentials. Unfortunately, I have a few different devices. And again, I do manage so many accounts, both personal and/or work. And so for this moment in time, I just forgot my password, one of the passwords for the accounts. 

And I didn't have it saved anywhere that I could find in the moment, and I was trying to kind of hurry it along because, like, you know, I wanted to be on the app, one of the first people. And so I just went through the password reset phase. And, of course, like it was in a book or one of those infomercials where everything is going awful, I get to the final "Confirm your new password," and, of course, I get the message of "New password cannot be your old password." 

And I screamed, and my roommate was like, "What's going on? What's going on?" And I was like, "New password cannot be old password." And he was like, "Oh, no." 

Reece

And then your brain just exploded in your skull. HB, as our, you know, market... 

HB

And that's how my "July2023password!" is. 

Reece

Yes. An immense level of thought behind it. So, Joshua, thank you for explaining that to me a little more clearly. And with that context in mind, HB, you know, you like markets. You like strategy. It's what we pay you big bucks for. Are you surprised that Meta didn't use passkeys here? 

Do you think it's kind of like a competitive thing, like I was mentioning? What's your theory behind this disappointing decision of theirs? 

HB

I think it's a reflection of how authentication and that part of the user experience remains an afterthought. So for so many years, when people build cool applications, it's sort of like my daughter likes to... my seven-year-old likes to say that she eats the worst first and saves the best for last, or whatever that, like, saying is. 

Joshua

Yeah. 

HB

And I feel like developers basically continue to do this with security. And initial access is one of these threats that should be super obvious at this point. Credential risk and credential compromise are enormous. And we're already seeing that with other popular viral tools, right? Like, this launch has been impressive, but so was the launch of ChatGPT. 

And with ChatGPT, we're seeing so many compromised accounts with their fantastic history capability acting as a great insight into the minds of the users that they're able to compromise, which is, itself, such a challenging problem to deal with, right? 

Like, you're able to appeal to people's, like, most basic sort of communication styles and understand what they're asking the world about. It's one of the most intrusive things that a person could get access to, along with someone's browser history. So the fact that this is still ongoing, I think it just reflects the product owners' and decision-makers' need to prioritize security. 

And security, and stability, reliability, and API performance, and choices like rate limits, these are things that they treated as asides or nonfunctional requirements that are just being handled. So I think it's really important that people start thinking about taking security and availability out of their sort of de facto "somebody must be dealing with it in architecture" mindset and start actually dealing with it. 

And I think this would have been a great time to do a large-scale launch of passwordless solutions. 

Joshua

I have a question for you, HB, still along these lines. Since you probably have the most knowledge out of the three of us here, I mean, I don't want to speak for Reece, but do you... 

Reece

How dare you? 

Joshua

How big of a lift, engineering or technological-wise, do you think that would have been to have a passkey authentication system at launch? 

HB

These aren't difficult things to integrate for companies that have the appropriate focus. There's really no scaling limit or challenge to these technologies at this point. You look at the largest vendors who deployed solutions. 

Using a username and password is a lazy solution for offering people what they're familiar with. I don't think that there's a real friction challenge with embedding a passkey credential in a person's mobile browser or their desktop browser and allowing that to be their primary login method. 

There are countless ways to secure the experience and make it super easy to use. People get to make their own decisions in terms of what works for them, and we just need to remind people that this is something that needs to be at the top of their list. 

Right now, Threads is probably not going to experience as much compromise because it doesn't have as many rich search features and account-switching features today. But as it develops all of those capabilities and becomes a central part of people's daily and weekly workflow, I think it's really important that we start thinking about how to eliminate credential compromise, especially for these hybrid technologies like ChatGPT and Threads that are just obviously serving users who have corporate intellectual property and corporate risk to consider as well. 

Joshua

One thing struck me there, when you said that you don't anticipate, you know, Threads being attacked that much right now. But I think one of the reasons why we're shocked that there wasn't more secure or different authentication for Threads was because it's both your Instagram account and your Threads account. So, like, if they steal credentials for one, they also have the other. 

HB

Yeah. I think that when you look at sophisticated kind of retail eCommerce and social media platforms, especially these massive organizations like Facebook, they've done a good job, over time, of implementing web application firewalls and bot detection tools. 

Bot detection and bot mitigation are hardly as difficult as Elon Musk sometimes makes it out to see him on Twitter. But this isn't a panacea. I think you need to have solutions that go beyond the current controls. And there's just so much great technology out there that people can adopt. 

And I think it would be great for folks like Facebook to show that they're trying to be this new town square kind of solution, and it would be great for that to be something that comes with a strong digital identity that's decentralized and based on a cryptographic credential. 

Reece

Let's talk about the elephant in the room here, Elon Musk. I have a funny question that I'd love to wrap up the episode with, but before I get to that, what about Twitter? Are they talking about any plans to use or unveil passkeys? It's been a while since I've logged into the platform. I see it as a matter of time before Facebook makes the pivot and starts to leverage that feature. 

But are you guys aware of Twitter going down that path as well? 

Joshua

Twitter has actually... I mean, we all know it's been a very bumpy road, so we don't know what is actually going on half the time in the past six months in Twitter, because they'll say one thing, they'll do another thing. They'll do a thing, they'll say another thing. They say that they're walking back on it. For a while there, they actually... 

There's been no mention of passkeys. So that's first. 

Reece

Okay. 

Joshua

Two, for a minute there, they actually turned off two-factor authentication for, like, a month or so. I think that's back on. I know that's back on. But I think that is the least of all of their troubles and worries at this point. Again, you know, authentication is often an afterthought, and Twitter right now is focused on a lot of other things. 

Reece

They've got a lot of other thoughts going through their head. 

Joshua

I guess. HB, would you agree? 

HB

Yeah. I mean, there's no point in adding to sort of the list of disappointments that people might have after Twitter was acquired by Elon. But, like, I thought that the initial idea of mitigating bots and coming up with more sophisticated solutions to ensure that individuals, even with anonymous or pseudonymous identities, could be verified to be humans. 

I think that was a great idea, and it just hasn't taken off. It just hasn't materialized in the form of some concrete strategy. I think it would be great, and I think the best platforms will definitely have to adopt approaches that eliminate the problem of bots. Like, we see all of the stuff about the fake radical liberal with 150,000 followers or whatever it was on Twitter, and it turned out to be a fake account designed to just sort of encourage more radicalized debate and make a mockery out of the conversation. 

I don't think you're ever going to be able to eliminate all of that, but there's so many great tools and just having someone or a group of entities sort of focused on that aspect of it, it would be really great, and it's a problem that's going to ultimately exponentially increase with all of these LLMs out there. 

Bots look and sound more like confident, discerning professionals or really any voice or writing style that a person chooses to enter into their LLM of choice. And so I think it's incumbent upon people to push the envelope on how protection can occur today, and that's the only way that you can begin to battle to stay in front of the adversaries as they keep evolving. 

Reece

That is a big problem to grapple with. And speaking of grappling, it's an excellent segue into my question that lies at the heart of Threads versus Twitter. Elon and Zuck cage match. Who is going to win? 

Joshua, you go first. 

Joshua

I will say if that does happen, I think a lot of people will lose, is what I will say. 

Reece

Oh, quit dodging the question. I'll give the audience a straight-up answer. I think Zuck will win because he's been down and out for a long time, and all of that rage will accumulate in the cage. 

Joshua

No. For-real answer, I do think Zuck would win because he's been training. He's been training for a long time in various martial arts styles. Like, he actually... I think he'll win. 

Reece

HB, what say you? 

HB

For sake of argument, I'll go with size over scrappiness. 

Joshua

Okay. 

HB

But I think it'll be great to see that match up along with Jack and Bluesky doing some vipassana or some ancient meditation to counter the negativity created by, you know, offering meta to all. 

Reece

What a way to end the conversation. 

HB

Yeah, a different kind of meta. 

Reece

Very different kind of meta, especially when ayahuasca is involved, which it probably is. So, Joshua, man, it's great to have our media producer on the podcast. Thank you for your insights that only you would know about the networks and their inner workings. 

Joshua

Thank you. Thank you for having me. 

Reece

Yes. And, HB, I'll see you in the regular crew soon. Thanks for listening, audience. Like and subscribe. 

Get started with Device360 today
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Threads Should've Launched with Passkeys

Download

On this episode of the Cybersecurity Hot Takes podcast the group discusses how Threads made a mistake launching with its current authentication flow. 

Transcription

Reece

You heard the jingle, and you know what time it is. It's a new week. It's a new "Cybersecurity Hot takes." It's me, your host, Reece Guida, enterprise saleswoman extraordinaire. To my left in the office today, which is very hot by the way, we have Joshua. 

Joshua, tell the people who you are. 

Joshua

Hello, everyone. I am back on the podcast. Another rare appearance. Normally, I am the producer of this podcast. But today, I'll be talking with these fine folks. 

Reece

Yes, we're letting him talk. And we're also letting HB talk. HB, remind the listeners who you are and why they should care about what you have to say. 

HB

I'm HB. I am responsible for product strategy here at Beyond Identity. And today, I'm super eager to learn from the young folk what's cool and hip in the world of social media. 

Reece

Well, you're out of luck because there are absolutely no Gen Zs on this podcast. But we are joined by a Gen Z at heart, Joshua. 

Joshua

Yes. 

Reece

So the hot take is that when Instagram launched Threads yesterday, which is Twitter's competitor, rival, their authentication flow sucks. Joshua, give us your insight here. 

Joshua

So, you know, my first-hand experience, you know, you download the app from the App Store, that was great, easy, fun. It was already preloaded on my phone, ready to go for when Threads launched. And the way that you log in to Threads is, because it's tied to your Instagram account, you basically have to log in to your Instagram account. And so that is by the old username, password. 

You can have two-factor authentication if you want, which is great. We love to see that level of security. But I just was so disappointed and so frustrated that a whole new huge, huge app by one of the biggest tech companies in the world in the year 2023 did not have a passkey implemented system. 

Reece

Shameful and disappointing. And, Joshua, why were you on Threads in the first place? Is there something you want to promote and/or brag about really quick? 

Joshua

Sure, why not? So I was on Threads at launch because I'm also a social media manager here at Beyond Identity, and so Beyond Identity is on Threads. So I was logging in and setting up two accounts, a personal one for me and for the company. So I'm switching accounts and switching devices, juggling all these passwords. I had to reset two passwords, two separate times. 

It was so annoying and frustrating. And I just... I can't anymore. I can't anymore. 

Reece

I imagine that, HB, you are similarly dismayed because you, like Joshua, are one of the 20 million users to sign up yesterday. Tell me how you felt about this hot take. 

HB

You know, I'm having a hard time focusing on just thinking about whether or not Joshua's password is "July2023password!" 

Joshua

It will not be once this podcast airs. 

HB

I love the fact that Microsoft discloses, during some of their passwordless launches last year, that something like 1% of the accounts that they see that require password rotation use some sort of pattern like that. 

Then all of the guys who put together PassGPT to demonstrate what GPT could do with a password library, they were able to show that, you know, people are so predictable that these LLMs are able to figure out what your password is in an additional, like, 20% to 30% of cases even beyond what the dictionaries and rainbows have. 

So it's kind of entertaining. 

Reece

Twenty million new users, 20 million awful passwords. We'd love to get our hands on that treasure trove of terrible, terrible passwords. You know, when you guys were telling me about your experience, I was honestly shocked that Meta didn't use passkeys. Also not that shocked because, even though Meta's in the social media space, they now think that they're the epicenter of reality, a new reality. 

So competitively, I'm sure they don't want Google and Apple and Microsoft to be able to plant a flag in their shiny new app. They just want to make it pretty much like a parallel to Instagram. I don't think they are really necessarily trying to do anything cool with authentication here. They're just trying to shuffle those Instagram people over to their new application. 

So there is a mutual login process, from what I understand. Like, it just uses your Instagram login. But why did you have to create a new password? Because, to me, it sounded and felt like Instagram is a version of a social single sign-on. Can you paint in more detail what that was like? 

Joshua

It's less of a social single sign-on, and it's more of you just log in to Threads with your Instagram credentials. Unfortunately, I have a few different devices. And again, I do manage so many accounts, both personal and/or work. And so for this moment in time, I just forgot my password, one of the passwords for the accounts. 

And I didn't have it saved anywhere that I could find in the moment, and I was trying to kind of hurry it along because, like, you know, I wanted to be on the app, one of the first people. And so I just went through the password reset phase. And, of course, like it was in a book or one of those infomercials where everything is going awful, I get to the final "Confirm your new password," and, of course, I get the message of "New password cannot be your old password." 

And I screamed, and my roommate was like, "What's going on? What's going on?" And I was like, "New password cannot be old password." And he was like, "Oh, no." 

Reece

And then your brain just exploded in your skull. HB, as our, you know, market... 

HB

And that's how my "July2023password!" is. 

Reece

Yes. An immense level of thought behind it. So, Joshua, thank you for explaining that to me a little more clearly. And with that context in mind, HB, you know, you like markets. You like strategy. It's what we pay you big bucks for. Are you surprised that Meta didn't use passkeys here? 

Do you think it's kind of like a competitive thing, like I was mentioning? What's your theory behind this disappointing decision of theirs? 

HB

I think it's a reflection of how authentication and that part of the user experience remains an afterthought. So for so many years, when people build cool applications, it's sort of like my daughter likes to... my seven-year-old likes to say that she eats the worst first and saves the best for last, or whatever that, like, saying is. 

Joshua

Yeah. 

HB

And I feel like developers basically continue to do this with security. And initial access is one of these threats that should be super obvious at this point. Credential risk and credential compromise is enormous. And we're already seeing that with other popular viral tools, right? Like, this launch has been impressive, but so was the launch of ChatGPT. 

And with ChatGPT, we're seeing so many compromised accounts with their fantastic history capability acting as a great insight into the minds of the users that they're able to compromise, which is, itself, such a challenging problem to deal with, right? 

Like, you're able to appeal to people's, like, most basic sort of communication styles and understand what they're asking the world about. It's one of the most intrusive things that a person could get access to, along with someone's browser history. So the fact that this is still ongoing, I think it just reflects the product owners' and decision-makers' need to prioritize security. 

And security, and stability, reliability, and API performance, and choices like rate limits, these are things that they treated as asides or nonfunctional requirements that are just being handled. So I think it's really important that people start thinking about taking security and availability out of their sort of de facto somebody must be dealing with it in architecture mindset and start actually dealing with it. 

And I think this would have been a great time to do a large-scale launch of passwordless solutions. 

Joshua

I have a question for you, HB, still along these lines. Since you probably have the most knowledge out of the three of us here, I mean, I don't want to speak for Reece, but do you... 

Reece

How dare you? 

Joshua

How big of a lift, engineering or technological-wise, do you think that would have been to have a passkey authentication system at launch? 

HB

These aren't difficult things to integrate for companies that have the appropriate focus. There's really no scaling limit or challenge to these technologies at this point. You look at the largest vendors who deployed solutions. 

Using a username and password is a lazy solution for offering people what they're familiar with. I don't think that there's a real friction challenge with embedding a passkey credential in a person's mobile browser or their desktop browser and allowing that to be their primary login method. 

There are countless ways to secure the experience and make it super easy to use. People get to make their own decisions in terms of what works for them, and we just need to remind people that this is something that needs to be at the top of their list. 

Right now, Threads is probably not going to experience as much compromise because it doesn't have as many rich search features and account-switching features today. But as it develops all of those capabilities and becomes a central part of people's daily and weekly workflow, I think it's really important that we start thinking about how to eliminate credential compromise, especially for these hybrid technologies like ChatGPT and Threads that are just obviously serving users who have corporate intellectual property and corporate risk to consider as well. 

Joshua

One thing struck me there, when you said that you don't anticipate, you know, Threads being attacked that much right now. But I think one of the reasons why we're shocked that there wasn't more secure or different authentication for Threads was because it's both your Instagram account and your Threads account. So, like, if they steal credentials for one, they also have the other. 

HB

Yeah. I think that when you look at sophisticated kind of retail eCommerce and social media platforms, especially these massive organizations like Facebook, they've done a good job, over time, of implementing web application firewalls and bot detection tools. 

Bot detection and bot mitigation is hardly as difficult as Elon Musk sometimes makes it out to see him on Twitter. But this isn't panacea. I think you need to have solutions that go beyond the current controls. And there's just so much great technology out there that people can adopt. 

And I think it would be great for folks like Facebook to show that they're trying to be this new town square kind of solution, and it would be great for that to be something that comes with a strong digital identity that's decentralized and based on a cryptographic credential. 

Reece

Let's talk about the elephant in the room here, Elon Musk. I have a funny question that I'd love to wrap up the episode with, but before I get to that, what about Twitter? Are they talking about any plans to use or unveil passkeys? It's been a while since I've logged into the platform. I see it as a matter of time before Facebook makes the pivot and starts to leverage that feature. 

But are you guys aware of Twitter going down that path as well? 

Joshua

Twitter has actually... I mean, we all know it's been a very bumpy road, so we don't know what is actually going on half the time in the past six months in Twitter, because they'll say one thing, they'll do another thing. They'll do a thing, they'll say another thing. They say that they're walking back on it. For a while there, they actually... 

There's been no mention of passkeys. So that's first. 

Reece

Okay. 

Joshua

Two, for a minute there, they actually turned off two-factor authentication for, like, a month or so. I think that's back on. I know that's back on. But I think that is the least of all of their troubles and worries at this point. Again, you know, authentication is often an afterthought, and Twitter right now is focused on a lot of other things. 

Reece

They've got a lot of other thoughts going through their head. 

Joshua

I guess. HB, would you agree? 

HB

Yeah. I mean, there's no point in adding to sort of the list of disappointments that people might have after Twitter was acquired by Elon. But, like, I thought that the initial idea of mitigating bots and coming up with more sophisticated solutions to ensure that individuals, even with anonymous or pseudonymous identities, could be verified to be humans. 

I think that was a great idea, and it just hasn't taken off. It just hasn't materialized in the form of some concrete strategy. I think it would be great, and I think the best platforms will definitely have to adopt approaches that eliminate the problem of bots. Like, we see all of the stuff about the fake radical liberal with 150,000 followers or whatever it was on Twitter, and it turned out to be a fake account designed to just sort of encourage more radicalized debate and make a mockery out of the conversation. 

I don't think you're ever going to be able to eliminate all of that, but there's so many great tools and just having someone or a group of entities sort of focused on that aspect of it, it would be really great, and it's a problem that's going to ultimately exponentially increase with all of these LLMs out there. 

Bots look and sound more like confident, discerning professionals or really any voice or writing style that a person chooses to enter into their LLM of choice. And so I think it's incumbent upon people to push the envelope on how protection can occur today, and that's the only way that you can begin to battle to stay in front of the adversaries as they keep evolving. 

Reece

That is a big problem to grapple with. And speaking of grappling, it's an excellent segue into my question that lies at the heart of Threads versus Twitter. Elon and Zuck cage match. Who is going to win? 

Joshua, you go first. 

Joshua

I will say if that does happen, I think a lot of people will lose, is what I will say. 

Reece

Oh, quit dodging the question. I'll give the audience a straight-up answer. I think Zuck will win because he's been down and out for a long time, and all of that rage will accumulate in the cage. 

Joshua

No. For-real answer, I do think Zuck would win because he's been training. He's been training for a long time in various martial arts styles. Like, he actually... I think he'll win. 

Reece

HB, what say you? 

HB

For sake of argument, I'll go with size over scrappiness. 

Joshua

Okay. 

HB

But I think it'll be great to see that match up along with Jack and Bluesky doing some vipassana or some ancient meditation to counter the negativity created by, you know, offering meta to all. 

Reece

What a way to end the conversation. 

HB

Yeah, a different kind of meta. 

Reece

Very different kind of meta, especially when ayahuasca is involved, which it probably is. So, Joshua, man, it's great to have our media producer on the podcast. Thank you for your insights that only you would know about the networks and their inner workings. 

Joshua

Thank you. Thank you for having me. 

Reece

Yes. And, HB, I'll see you in the regular crew soon. Thanks for listening, audience. Like and subscribe. 
