2024-09-23, Grand Ballroom III
Passwords have been the nightmare of website admins for decades. Nobody wants to risk a breach compromising passwords that are likely to be reused on sites that might be even more important than yours. We've tried a bunch of techniques, all with annoying usability or security trade-offs. But now there's a new tool, one that delivers what it takes to make passwords a relic of a bygone era.
We'll start at the beginning, with a simple username and password login form, and explore various approaches that the web has taken to try to solve it.
We'll briefly explore OpenID (remember that?), Federation, Single Sign-on, Magic Links, and Login Codes, and why each of them has usability drawbacks that often mean the username and password, especially combined with a password manager, just can't be beat for user experience.
Passkeys, however, are the better option we've been waiting for. There are still some important trade-offs, but they are a much better fit for consumer applications, with a user experience quite comparable to using a password manager.
They can be a simple login button, or they can augment a username and password dialog very much like a password manager's autocomplete. Finally, we have an approach that gives a good user experience and doesn't have us storing a potentially shared secret!
Now that we've motivated passkeys, we'll explore how to integrate them into Django. We'll see how to use them to log into the Django admin. Then we'll see whether we can disable passwords entirely for Django, and how to bootstrap our superuser account creation, so that our new Django project never has a username and password form at all!
Along the way, we'll also cover some important challenges that can come up with passkeys in development and how to address them, including dealing with localhost and remote development environments like Codespaces.
Ryan has been using Django professionally for over a decade, but he got started with it even earlier, with the Django book for Django 0.96. He has worked all over the stack, and loves to empower other developers to simplify their stack so that they can feel confident making changes quickly that empower their users.