A

Business is evolving fast, and hearing how others are adapting can make all the difference. Hear perspectives from global executives as they share what's working, what's changing, and what they think lies ahead on the Executive Insights podcast, available on all major podcast platforms.

B

Welcome to Tech News briefing. It's Tuesday, September 2nd. I'm Julie Chang for the Wall Street Journal. Today we bring you a show focused on user verification. First up, we'll get you up to speed on how tech are navigating the new age verification mandates. Then, what are passkeys and how do you use them? We're diving into the technology that promises to make logging in simpler and more secure, starting with age verification. Lawmakers want tech companies to limit young people's access to social media by verifying their age. That's anything but simple. Age verification is typically outsourced to third party providers like Yodi, Encode and Persona to prevent excessive data collection. But the tech isn't perfect. WSJ reporter Annemarie Alcantara has looked at the different methods companies use to verify age, and she's with me now. Annemarie, can you start by briefly telling us what new rules around age verification exist at the moment?

C

Yes. So, depending on if whether you're domestically or if you're international, there's a variety of bills and laws in effect. In the US in particular, some states have passed it where you need parental permission before a child can download apps or make in app purchases. And in other states, like Mississippi want social media companies to verify the user age. So it differs between whether they want the control at the app store level versus like the actual app, like Facebook or Instagram.

B

And in your piece, you highlight several ways tech companies are verifying user age, including photo IDs and parent permission. You also mentioned video selfies and artificial intelligence. Those are the two I want to focus on. Can you tell us the pros and cons of video selfies?

C

Yeah. So as you can imagine, everyone who owns a computer or phone, they own different varieties of it, right? Some are older models, some are the latest models. And so that's, for example, the first issue that video selfies can present. These tools that verify someone's age usually need someone to be in a brightly lit room. They need the camera to be really good so that it captures your face accurately. So that's one of the first problems. And so of course, as well, we all live in the age of AI. It's all we're talking about lately. And deep fakes are also presenting another problem for these companies who are Verifying ages of minors. These deepfakes, as we've probably all seen at this point, are just getting really good at faking a real human. And so that's another issue that can come up there.

B

Yeah. On the flip side of AI, some companies are using AI to verify user ages. What are the pros and cons to that approach?

C

A lot of these companies are kind of trying to use these indirect signals to figure out your age, what you search, what types of videos you're watching, like if you're on YouTube or something like that. But as I'm sure some of our listeners do this, not every family has separate accounts for their children. Some share an account as a family. And so it's hard for the signals to say, like, oh, well, this is a kid, perhaps, versus an adult. So it's just kind of hard to estimate the age of someone. It's hard. Hard enough to do that for adults, let alone trying to figure out for.

B

A child, broadly speaking, why is getting age verification right so challenging?

C

A lot of these rules and regulations define a child between there's like different brackets. It's like 13 to 16, 16 to 17. And so first and foremost, understanding you know, what a child is and what sort of content between those ages they should be allowed to is very difficult. And then secondly, the technology, even though it's really good, it's not 100% accurate. A lot of users online have talked about how they've been gated, even though they are of age, then they have to go through an appeals process. And so it's also, the technology itself isn't quite there yet. Another reason it's so challenging is because you have to be accurate without collecting too much data. Basically, a lot of these companies are trying to figure out your age. Maybe sometimes they collect at your government id, et cetera, but they also want to make sure they don't retain that data. Or, you know, some companies have set it up where they'll send it to the social media or app store platform, whatever it is, but they won't share the government id, they'll just verify your age. So a lot of it's just trying to make sure they can actually figure out who you are, your age, but then also minimize the amount of data that's being shared about potentially a minor.

B

That was WSJ reporter Annmarie Alcantara. Coming up, passkeys promise safer and easier logins to websites and apps. But if you're wondering what they are or how they work, you are not alone. We've got answers after the break.

D

Get out of the headlines and into real conversations happening inside global organizations with the Executive Insights Podcast brought to you by aws. Listen in on the Executive Insights Podcast.

A

Available on all major podcast platforms.

B

You may have seen companies suggesting you use a passkey to log onto their site, site or app in lieu of the traditional username and password. To those who hate having to remember passwords, this new tech is a godsend. But with all new tech, it raises a lot of questions about how it works, how secure it is, and so on. WSJ contributor Sean Captain has been looking into passkeys and spoke to our colleague Liz Young about them.

E

Sean, what are passkeys and why are online companies pushing us to use them?

D

In simple terms, it's a kind of encryption technology, the same kind of thing that gives you a secure connection to a website when you see the little lock icon, they're leveraging that same kind of security to give you a more secure way to get into a site. Like someone can't steal your password, for instance, because there is no password. In this case, it's a more complicated kind of connection. At least on the back end, it's complicated. The question is, does it get complicated on the front end for the user?

E

How are these different from typical passwords?

D

Typical password Essentially, everyone knows the secret because you know your username and password and so does the site or the app that you're logging into. So there's a lot of opportunity there for things to get stolen or passwords get guessed. People often reuse the same password. The passkey is basically handing the whole process over to some very sophisticated technology using mathematics. The gist is it's able to verify that you are who you are without there having to be something that everyone knows, which is this password. And also the process of logging in, you generally have to authorize it, ideally with like a face scan or fingerprint reader or at the very least a pass code, so no one can just grab your device and take advantage of that.

E

If I wanted to start using passkeys, how would I go about doing that?

D

So the easiest way is just to wait until they pop up in front of your nose. Because certain sites, bigger sites, like Google, for instance, are really pushing that. When you log in, they'll say, hey, why don't you set up a passkey? It'll be easier, more secure, et cetera, and they'll give you screens to click through. Make it happen. A lot of other sites offer it, but don't advertise it well, and in that case, you're digging through settings for quite some time. That could be rather tricky if there's a site that you're interested in using it on and you don't see it advertised clearly. There are a few registries online where people keep lists of passkey supporting sites. There is no master list, unfortunately. We looked at actually four different registries to try to come up with about the 320, some globally that do it. But some good places to start is one called the Fido Alliance. It's the industry consortium for the technology. Also the Password Manager app. 1Password and Dashlane both maintain really good online lists.

E

So it sounds like these can be a little complicated to use. What do you find are some of the drawbacks to passkeys?

D

One of the tricky things is knowing if you even have one. It's so easy to click through on a website and accidentally set one up. And then the next time you log in they said, hey, use your passkey. But beyond that, it is really deciding where you want to keep these things. They're stored in apps that we call password managers, which is a bit of an outdated term now because they're also managing pass keys. So if all you own and all you will ever own is made by Apple, it's really easy. Apple has a built in passwords app and they all synchronize the passkeys across all your devices and you're set once you stray out of that environment so you pick up like an Android phone or a Windows computer, then you're looking at a lot of complexity about apps that will go across different devices. Apple's system will not go across all devices. Google's Password Manager and then some what we call third party apps, companies like 1Password, Bitwarden, Dashlane, they can be installed across all different devices.

E

Are you expecting we're going to start seeing different websites require us to use passkeys instead of passwords?

D

We're a long way from requiring. I mean think about how long it took just to get people to do two factor authentication. And that's pretty simple. We send you a text and you enter or a number. This is the headache of trying to figure out what are these things? And then you know, where do I keep them, how do I store them?

E

What else do you expect is next on this front? What should we be watching for in the next couple of years?

D

Certainly more support. Like I said, we found under 400 sites globally that do it and only around 30 of the top US sites doing it. Conspicuous absence is most financial institutions, they just tend to be more conservative, and even though this is a more secure technology, they're just slow to roll things out. So seeing it on a lot more important sites and apps is one thing. We're going to see another good thing coming up. In terms of compatibility, there's going to be a standard that allows password manager apps to import and export passkeys. So say you do have all Apple devices and then you buy that Android phone, if you want, you would be able to just export your passkeys from Apple to Google Password Manager or any other manager. And actually Apple's going to bring that capability out in September with its new operating systems like macOS and iOS, and then other companies will be following suit. Once that's enabled, then other apps can take advantage of that.

B

That was the WSJ's Liz Young speaking with contributing writer Sean Kapton. And that's it for Tech News Briefing. Today's show was produced by me, Julie Chang, with supervising producer Melanie Roy. We'll be back this afternoon with TNB Tech Minute. Thanks for listening.

A

Business is evolving fast, and hearing how others are adapting can make all the difference. Hear perspectives from global executives as they share what's working, what's changing, and what they think lies ahead on the Executive Insights podcast, available on all major podcast platforms.