
Webauthn (FIDO2) and Project Fugu

Log in with your fingerprint or Face ID in a browser? Use machine learning directly in the browser? There's a LOT we can do today, & Joyce Park will teach us how.

Full Transcript

Captions provided by White Coat Captioning (https://whitecoatcaptioning.com/). Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

JASON: Hello, everyone, and welcome to another episode of Learn With Jason. Today on the show we have Joyce Park. How are you?

JOYCE: Great. How are you?

JASON: Great. We were sabotaged by technology last time but we didn't give up and are here and live. For folks who aren't familiar with you and your work, want to give a little background?

JOYCE: I was the front end lead at Friendster so in some sense this is all my fault. I came out of the PHP community in the JavaScript and was a Dojo who first came around. When Dojo first started everybody said that's the JavaScript. Now a lot of ideas around modules and compiling which is something JavaScript people hated when we did it and all of those things are from Dojo. Then I joined the React community and recently I have been doing Remix which I think is a wonderful combination of the best ideas from PHP and React.

JASON: Yeah, yeah, it is interesting because we have talked about this a lot on the show but the general transition we have seen as web tech has matured it feels a little bit like we kind of explore an avenue as far as we can until we hit a wall and once we hit the wall we kind of go around it. And then we hit the wall on that next technology but in the meantime that wall doesn't exist any more and has been solved. Now we can go back and work around this issue and it turns into what feels circular but is an upward spiral of progress. I have been heartened to see the discussions about it was great to have JavaScript first and then jQuery and Dojo and Backbone and Angular and React and Vue and so much good stuff happening out there where we are building on ideas and bringing back stuff that was great at the time but started hitting limitations and now we can go further and further to see how far we can push things. That actually feels like a good segue into what we are going to talk about today with authentication because I feel like this is one of those problems that is deeply challenging when we talk about authentication. Maybe I will let you kick us off with wherever you want to start as we lead toward WebAuthn.

JOYCE: One thing I want to make clear to people is this isn't just authentication technology. It is really about having a better user experience. That is something I feel like for the last 10 years or so our profession has had issues with because, you know, it has been sort of monopolistic and I think there was no thought anybody could take out Facebook or Twitter or LinkedIn. Any of those things. Those people have their own technical stacks and UX and are those the best we can do? I will give you an example. I don't know if you knew, Tom Trinka who recently passed away, but I hired him recently to think about what is the next gen message board. We haven't been able to ask those questions because most of us have been working, making money, whatever. But we need to ask those questions because that is in fact our job. If new message board technology doesn't come from us where is it going to come from? I was looking at a really great friend of mine, Aaron Bootman's Twitter and he had a little toss off thread where he said Ajax or XML or fetch request was ignored for many years. It is possible to start doing Ajax in 1999 but nobody did. It took five years for Google to pick it up and show what was possible with Gmail. We have many other capabilities today that most web devs don't know about. For instance, did you know it has been possible to store hundreds of megabytes locally in web apps? I didn't know that.

JASON: I also didn't. I thought we were capped at 5.

JOYCE: No, you can store 50% of the hard drive in your user's browser.

JASON: Whoa.

JOYCE: If you knew that, how would it change how you did things? So there is a lot of capabilities now in the browser that I feel like most people don't know about because most have been making money and good for you. I am not crapping on that. Most people don't know how many new things have been possible so that's really what my talk is about.

JASON: Yeah, yeah, and I think that really what I find interesting about this stuff is we are playing a fun game with the web right now where we are, as developers, building around limitations in an effort to prove these are the things we need to get our job done and at the same time the platform developers are doing the work to continually like make improvements on what they are seeing in the user needs and what's being implemented in user land. jQuery is probably the most famous example. We were all using jQuery and the browsers made a query selector and that was a huge power-up to the DOM APIs. It was something we desperately needed. That's why everybody was reaching for jQuery to do it. What I would like to see is this sort of symbiotic relationship between platform developers and JavaScript developers where both groups are pushing each other forward and what I really like is when you can see people are paying attention to both groups. It is really easy to get into one group and ignore the other groups. We have seen this on both sides when there is an absolutist approach where you should only use JavaScript because the platform sucks or only use platform because JavaScript sucks.

JOYCE: In the end, we are here to serve the user, in my opinion. We are not here to serve each other and we aren't here to do cool stuff that only five of our colleagues are going to see. We are here to make the user's experience better. That is what I want to see. I feel like maybe we have stepped away from that because a lot of the things I see now are cool but there is no evidence it is going to help the user. I will give you an example. There is a lot of research that shows making things faster helps the user and the business. You make it faster to buy something the user and the business will like you better. But we have fallen off that and now we argue about things like should transitions be faster or should, you know, if the user doesn't care I don't care. There has never been research that the user cares transitions and things are faster. I have never seen it. I have asked for it on my feed. I have asked people I meet at conferences and there has never been any research as far as I know that shows that it matters whether transitions are smooth or fast or are like you know whatever. What users care about is things look like real, you know, and they are going to be fast, and they are going to maybe -- maybe what you are going to see on the screen is going to align with your values. That's what you care about in my view.

JASON: I think we are technologists and therefore we focus on the details of what we are building but when I go to book a flight, I am not not going to use the flight booking app because it is frustrating to use because I want that service. If there was an equivalent service that had better performance sure I would choose that and we see that sometimes where there is a mass shift from one platform to another. We definitely are looking and users want something that feels better to use but I think the minutia is less critical than we make it out to be and instead we should be looking at, you know, what are people doing today that frustrates them. One of the things I find deeply frustrating is password management. So like I think and I watch this happen at several companies where you join a company and at first the way the password management is done is somebody will DM you the password if you need it which is terrifying and maybe not the way we want that to roll. As you grow you start looking into 1Password or KeePass or some solution where you're going to actually centrally manage the passwords in an encrypted way. Any shared login is a shared problem and if you have people joining the company you have to roll them all of the time and nobody does and you end up with challenges of constantly leaky while also being cumbersome password management. Then the team says in order to make it really secure we will add a second factor so you need to add your cellphone or an authenticator app or whatever the thing is. None of these is necessarily bad, right?

JOYCE: Maybe we should have done this from the beginning.

JASON: This is the part where I find exciting is that technology is catching up to the point where we can do it better and that is where I think FIDO2 is fascinating because what -- I am going to -- maybe can you give us a quick overview of what WebAuthn and FIDO2 are?

JOYCE: Yes. WebAuthn and FIDO2. You may have noticed that for a while now you could authenticate your apps on your phone with your finger or face or whatever. Some biometric thing. When I go to QFC, the grocery store, their app I authenticate with my finger to buy groceries. There has been a whole effort to try to make everything that you can do on apps also possible with the web and that is what Project Fugu is. It has been a long journey. It is not over yet. The whole point of Project Fugu is to give you the power in your web browser to do everything that you can do in your apps. WebAuthn is the part of FIDO2 that is about having your browser be able to call out to the OS and say look, is this person -- authenticated?

JASON: My experience with FIDO2 is back maybe even years ago, I can't remember when I first heard about them, but I would see folks who were like, you know, turbo nerds would have Yubikeys and my only experience with them is every once in a while on Slack someone on the team would drop a lot of nonsense stuff in the chat and say whoops, I activated my Yubikeys. Is a Yubikey FIDO2? Yubikey --

JOYCE: FIDO2 is the overarching API which works with Yubikeys, it works on the web, it works, you know, it is the overarching thing. Unfortunately, on the web in familiar, there are a lot of issues. You have to make sure that your browser supports authentication. You have to make sure that it is going to link up great with your iOS or with any OS. So the Yubikey thing, they are trying to make it to where if you have a physical device you can authenticate anywhere and that is FIDO2.

JASON: Right.

JOYCE: WebAuthn says you should be able to authenticate with whatever your device has already been setup to authenticate on. For instance, on my phone, my phone is a Pixel and so I can use the fingerprint thing but maybe my -- and actually this particular computer I am on is also a -- you can use your fingerprint but on iOS a lot of iOS phones make you use your face. Any biometric availability that you have on your device should be available on the browser is what WebAuthn is. The FIDO2 is whatever is on your device you can authenticate but the WebAuthn part is that it is from your browser.

JASON: If I can zoom out and repeat this so I can understand, the way this works is what we have done before and you get a six-digit authenticator code from an app like Google Authenticator or something like that. That was used as a way to two-step verify I have my username and password and I have access to the app that does the one time codes and that's proof I am me. Someone can't just steal the password and get into my account. They have to get the second factor making it more difficult for someone to get information. The challenge of this and shortcoming is through social engineering someone can spoof a text and say this is the support for your bank you have to send us the one time code for your bank and unlock it and unfortunately they are really good and sound convincing and trick people into doing it. The second factor is --

JOYCE: Companies are not good at this also. I once worked at a FinTech company. They had the most horrible login system. I couldn't imagine this is a professional thing. It was based on, you know, like a Ruby gem that had already been -- I can't remember the name but it had already been like declared not very safe. They wanted to move to a React-based login. I was like well, I mean based on what? You need to have like better crypto for this to work. They were pretty mad about it. So the main thing I got out of that was realizing even really good senior devs don't understand crypto so they will tell you to do things that are not good. One of the things these people wanted to do was just send an email to every one of their users saying you have to change your password. I was like, you know, I was pretty sure, look for those kind of emails and they send them themselves, you know, because that's how things work now. You have to think about the worst possible scenario where people are going to use your stuff. The worst scenario, if you have the device physically and you have your finger or your face, is that this is the best we can do now.

JASON: To kind of move on, we were at one-time codes and one-time codes can be socially engineered. We can get them stolen, we can get them lifted. So the idea of using a Yubikey or using biometrics is now we are saying it is not like you can't socially engineer me into giving you my face through a text message. It doesn't work that way. It makes the social engineering attacks less likely to work because you have to have a physical device and in the case of biometrics --

JOYCE: It is like something you know, something you are, or something you are are the things that you can build security around. So a password is something you know. But that is less secure than something you have. So there are rules about this. One of the things I learned the hard way from working at a security company is like you don't need to understand every single thing. There are people, it is like people who make databases. Do you understand everything about how a database works? I do not. [Laughter] But you have to trust the people who make the databases because they have expertise in that area. One of the things I learned from working at a security company is, you know, they know a lot more than you about security and the various kinds of attacks and so on and so forth. I am very happy to say my former company FusionAuth just shipped their WebAuthn server and if they believe in it I believe in it.

JASON: Like you said this is the best we can do now. So if the primary risk is if your second factor is something that can also be stolen like your phone number or email, then you are in big trouble because if someone can spoof your SIM card and get your text message they can get your second factor auth. The authenticator app is harder to spoof but you can socially engineer into getting that code and then somebody can work around your security and get in it.

JOYCE: And people don't like authenticator apps.

JASON: I think people don't like multi-factor authenticators in general. But it is difficult to spoof a fingerprint or face in the actual device because you can fake a fingerprint in isolation, you can trick a face in isolation, but the likelihood someone is going to spend the effort to steal your device, copy your fingerprint, and copy your face --

JOYCE: And usually they only have 10 minutes to do it.

JASON: Right. It is very low somebody would do that because most of us aren't dealing -- maybe billionaires need to worry about this because there is a high value to stealing accounts but for me the $15 in the bank account -- [Laughter]

JOYCE: All of us have something we want to keep secret and because of apps we are used to dealing with it with the fingerprint or face. So, you know, it is a -- I think moving away from username and password logins is a really good thing for our whole --

JASON: Is the intention then with WebAuthn that I not only -- because what I have tried is we use Okta at Netlify and you have a username and password and scan your fingerprint to get it.

JOYCE: You should not have to have a username and password.

JASON: Ah, OK.

JOYCE: Here is the -- I will send this to you. Click that staging 5.io.

JASON: Before we switch over let me move us into this other view here. Camera 2. All right. I will start us off with a new tab. I just switched to Arc browser and I am still learning it.

JOYCE: What is Arc browser?

JASON: It has side tabs but also has this ability to do very cool things like a split browser where you can do things like this if I can spell. Check it out. You can kind of have your browser going in two ways at once which is good for side by side work. Lots of good reasons to try it out. It is currently invite-only but I got hooked up with an invite by one of my coworkers so thank you. We are live with live captioning. That live captioning is being provided by White Coat Captioning. We have Maggie here with us today. Thank you so much, Maggie.

JOYCE: Hi, Maggie.

JASON: That's made possible through your sponsors Netlify, NX, New Relic who has disappeared off the list. I don't know what happened. My website... [Laughter] yeah. We will fix that. We are talking to Joyce today. Joyce is on Twitter. Are you on Mastodon? You are. Let me open that one up as well. We will drop some links. Let's get back to the Twitter. You wanted me to open up and I am going to open it up here. What are we looking at before we start moving? We built

JOYCE: You need to choose pass key.

JASON: And that's the WebAuth and the device?

JOYCE: Well, in your case, I think it will be your fingerprint. And then we will do create. Adding the key. So it wants to use my Bluetooth. So the USB security key would be a Yubikey. This device would be this whole thing. And phone with QR code I don't know what that is?

JOYCE: It would be a phone that you had to scan the QR code but I think you should choose this device.

JASON: Now it is asking for my fingerprint so I am just going to fingerprint here.

JOYCE: OK. It registered you. So login with pass key. Registered and logged in. It was that easy. This is great. What I like about this is that I use my fingerprint to unlock my device every day. I use my fingerprint to like open my laptop. I use my face to unlock my phone and so what and also in doing this, I am now able to like use this without having to open my password manager and, you know, a bunch of complicated stuff that gets in my way and just prevents me from doing the things I am trying to do on the web. The one question that comes up with this is, OK, I have logged in here. How do I login on my phone if I want to do two devices?

JOYCE: Ah. In fact, it should work just fine but you may have to register another device. Let's try it.

JASON: Here is my phone. Do I go to the same website?

JOYCE: Yeah.

JASON: Staging.panda.5.io/join. I am now on the site here and so I am going to put in my Jason link and do a store and do pass key. It says a user already exist with this email. How is this? Come on. Focus. I don't have this device registered and so it says here what it is showing me is choose how you would like to login and it says iPhone, iPad or Android and let me hit continue for iPhone iPad and it says scan the QR code with the device running iOS 16 or later or another compatible device to sign into panda 5.

JOYCE: This is the weird thing. You may have to -- this whole QR code thing which I have not quite figured out yet to be honest and one of the things about FIDO2 is that they want you to have a relationship with each website so they want you to use a Yubikey and have a specific code for each website and I have not exactly figured out how it works when you are using two different --

JASON: You would almost need to -- so I know that the way I have logged into say, I don't know, some service, you can login with your Gmail account and then you can also log in with our Twitter account and also --

JOYCE: That's Oauth.

JASON: Right and they let you add multiple things. Does it work like that with WebAuthn where I can say on the browser I logged in with this but I want to add another one?

JOYCE: It depends on how the auth server is set up but I think in general most people aren't going to do that. I think most people want just to be able to login on one device or on one website and that's the really hard part -- do you make it so you can do it on a device or so you can do it on a website?

JASON: It looks like what Cruz X 9 is saying in the chat is there is a way for Apple to create a pass key on iCloud and that credential means any device on the same iCloud will work which is pretty cool but I don't think that is how this particular site is implemented which is OK. Works with 16 and Ventura. I don't think I am on there.

JOYCE: I am not either. I am on Monterey. Did Ventura just come out?

JASON: Yeah, and I also feel like -- I am such a laggard with tech. I like new tech but I never, ever adopt it.

JOYCE: Me too and you know why? When I was younger, DevOps people would constantly tell me don't do anything too new because we will not let you do it any way so, you know, they were pretty honest about it. They were like, you know, don't do it. We are not going to let you do it.

JASON: Yeah, so that sounds like one way to solve it is you kind of associate the passkey with a cloud account which is interesting because then it is sort of acting as both. Then I guess opens the follow-up question about like OK, if you can get into an iCloud account but Apple has 9-million factor iCloud login. Please find every Apple device you own and touch it.

JOYCE: Every Apple device you have ever owned!

JASON: [Laughter]

JOYCE: They always have these ones that have -- I haven't seen. What is this? 2005? It is a lot. Definitely the intent of FIDO2 is to let you login to a particular website from anywhere but it depends on having a Yubikey.

JASON: Right now it is a Yubikey or it sounds like an iOS 16 Ventura account is how you would do that with FIDO2.

JOYCE: Yes. I don't know of a way to do it without a Yubikey on Android which is what I have.

JASON: I have one of these. Let me go grab it real quick. So for anybody who has never seen one of these before, this is a Yubikey. It is this little device and I can plug it into the USB-C but it also has NFC on it, the way you tap to pay. So it can plug it into my computer or tap it to the back of the phone and that lets me log into multiple accounts. That's the sort of the story of these. What makes them cool is this is my authentication. It is a thing I have like you said which is a great way to, you know, it is very difficult to get this from me. You would have to be very crafty to be able to like be logging in and also like steal the code off of this and get it to your device within a short enough time span it hasn't reset and that is all and very good for security and very easy to lose. When I first got this Yubikey I managed to lose it within three hours and had not even set it up.

JOYCE: [Laughter]

JASON: And weeks later, not joking, we got the house clean and it appeared on a shelf. It must have fallen and it reappeared and I had a Yubikey again. A question from charley. Magic links sent via email.

JOYCE: There will be people who lose their credentials. Things like the grocery store, and my bank, I have not lost one yet. It would be catastrophic. I just use my finger. I don't actually use the Yubikey for much of this stuff except just to test. I prefer the finger because unless you -- like what was that movie where they cut people's fingers off?

JASON: I have no idea.

JOYCE: Judge Dredd. Remember?

JASON: I actually didn't see Judge Dredd.

JOYCE: It was a long time ago. You may be too young. It was a Sylvester Stallone movie and what is his name?

JASON: That has been a recent introduction of gore into movies, this idea of biometrics and people do really gross things to steal somebody's like retinal scan or whatever. It is like maybe that is not something I needed.

JOYCE: Wesley Snipes played the villain and cut off the guy's finger and took his eyeball out but it was about we will have this biometric stuff that nobody had imagined then. Anyway, I have not figured out exactly how to deal with -- because Android and my computer make it so easy to just use the fingerprint. And I should mention some of those Yubikeys make you press something.

JASON: In order to make it work I have to touch the logo on it.

JOYCE: And some Yubikeys do not. When you buy a Yubikey just look for FIDO2.

JASON: Got it. If you want to be a turbo nerd you can get one of these Yubikeys and this lets you use any device that you have setup any account with the Yubikey it will work on any device as long as that device can take a Yubikey as a USB-C or can do the near field communication like tap to pay which I think most phones do. You are able to use it across all of your devices. The future we are looking at here is we won't even need that. We will be able to just use like me existing in my body is the authentication. I am me. We know that. So the biometrics let me prove that in a way that is difficult to spoof and allows me to access stuff without passwords and dongles on the key chain.

JOYCE: Every system built on computers agree if you have physical access they can't really stop you. If you have physical access, we are screwed so there you go. The main thing I want to point out is WebAuthn is part of an effort a lot of people have been working on for a long time to try to make the web as useful to users as native apps. I don't think most people know that much about Project Fugu because it has been I don't know exactly why. Their websites are terrible. It is bad. I like this one. Developer.Chrome.com/blog/ -- that is a much better site. It will show you like a lot of the -- this is the APIs that they have.

JASON: Wow. These are the APIs. This is a lot.

JOYCE: Yeah, it is a lot.

JASON: It feels like you kind of see the auth and you are like that's already a pretty big thing and then you can see here there is quite a bit going on. Let's see. We have local font access that's very cool. Gyroscope so phone orientation is really cool.

JOYCE: We have the share API which is a really big one which allows you to share on the phone or device in exactly the same way that native apps share.

JASON: Very cool.

JOYCE: It has been a big thing, as I am sure you know. The share thing lets you just have a view, share, delete API on the device which is exactly the same so you know, I am sure people know how to do that. Also, another one that's really important is web USB so I don't know if you have seen dev charley's thing but she figured out how to get information from planes going overhead. This is amazing because you are interacting with things in the real world and I think the web should be able to interact with things in the real world. And file system access is really important. That was a big part of how Photoshop did their thing when they put their thing on the web. This site, you know, will give you a lot of great ideas for how to use these new and also, you need to understand that there is one thing that is holding us all back which is Apple not supporting these things.

JASON: Safari isn't going to support these.

JOYCE: Safari has supported some. There is a website called canIuse.com which will help you figure out, you know, what the support situation is. It is interesting because when I was young and coming up as a coder we would code something and then test it. These days I tell people you need to test it before you code it to make sure it is going to work on your platform because I have looked at jobs where you know for a fact everybody is going to be able to use the same browser so all you have to do is build for that one browser. On the other side of the issue, you have things that you really, really want to do but it can only work on one browser now. Like if you need it to be public and all of those things like what are you going to do? I think the Photoshop thing was like that because it does not work on every browser. It certainly does not work on every and they are using a lot of [indiscernible] which is problematic. My sign up does use WASM because you need a WebAuth server and client and we have one in Rust so it is a WASM thing. I am excited about the new capabilities that are going to come online in the next little bit because there is a lot of pressure on Apple right now to let this happen.

JASON: And it looks like too, I just searched the file system, looks like Safari has got it but Firefox is missing. Yeah. I think depending on what you are trying to accomplish, so let's look at web USB. No Safari support at all. But also no Firefox support.

JOYCE: Chromium is definitely the best for all of this stuff.

JASON: For support? Yeah.

JOYCE: That's who is paying for these things. I feel like it is very important for us as web devs to learn, you know, to keep on top of what's possible so that we can make things awesome because that's our job.

JASON: Yeah, and I think the other piece of it too is that by knowing these things exist we can make our requests known. I think one of the best drivers of progress is, you know, like, back in the day and I am not saying we should do this again, but you would go to websites and they would say this doesn't work on the browser and you should use this browser. You have websites you want to use driving migration to other browsers because the browsers aren't supporting the features needed to build the experience people want. You know, the trick with Safari of course is you can't put alternative browsers into an iPhone so there is no choice but, you know, people only wait so long before they make different choices. They will start buying Android devices or somebody will figure out how to work around these issues in other ways or things like that because it is just kind of the way this stuff happens. The community finds a way forward. The more pressure we are applying to Apple to support an open web the more we are showing that the web needs to function on all devices the more likely it is to get that support prioritized.

JOYCE: Yes, and I should point out it has largely been European countries that are doing the most work here. We have not been super good. Do you have time to talk about ML?

JASON: We do. We have about another 25 minutes or so.

JOYCE: Perfect. Let's look at some ML because this is another area where I feel like people don't -- shoot. People don't necessarily understand. There is a lot that you can do today that maybe you never thought of in terms of UX and making better user experiences for your users. This is the Google thing that helps you. It is called Teachable Machine. What Teachable Machine does is it sets up everything so that you can -- all you have to do is provide the data which is largely photos or videos. The example is a tutorial called banana meter which if you upload photos of bananas or videos of bananas in different stages of ripeness and say how ripe you think they are you can train this model to say this banana is very ripe or not very ripe or you need to eat it today or whatever. You can use this with different photos and videos. I know people who have done bird watching and also weeds in their yard. Anything where you can train a model to know. There it is. This banana is overripe, not ripe, perfectly ripe?

JASON: I would like to challenge the author's decision of when a banana passed prime because that banana looks fine to me.

JOYCE: You would eat that banana?

JASON: Oh, yeah, that's not even squishy. That is when you know the banana will have banana flavor. When you eat them too early they taste like cardboard.

JOYCE: Or something... the main thing to understand about ML and how it is going to help web developers is that your job becomes collecting the data which in this case is visual. I have another example here where it is auditory. Here is a voice recognition. It has been pre-trained on these words already. There should be a demo here.

JASON: If I turn this on, and it wants me to access my microphone so I will allow it.

JOYCE: It recognizes what you are saying. It is picking up a little blow become from my headphones and that's causing a bit of chaos but this is extremely cool. This was done -- you didn't have to get into TensorFlow itself? You use the teachable machine?

JOYCE: Yeah.

JASON: That's very cool.

JOYCE: TensorFlow is not that hard to set up but obviously most people prefer not to do it. Here is the thing I showed at Cascadia which I thought was really cool. It is a little demo. Try the demo.

JASON: I am grabbing the link address. An app to help you count things.

JOYCE: Yes, it helps you count things. This is great UX. I don't think it is necessarily getting the perfect answer every time but it is showing you how it got that answer which I think is almost cooler because ML is hard to interpret sometimes. These are all things that we need to be thinking about as we are thinking about what our next moves are in terms of UX because look what happened with Twitter. Like Twitter started kind of going downhill and people were worried about it. They started building Twitter replacements or Twitter clones or whatever. But is that, you know, are these the clones we want? We have become open to alternatives.

JASON: The conversation about React, for example, is very different today than even a year ago. The conversation about Twitter, obviously, is very different over the last week or two but it feels like people are starting to entertain these ideas and maybe there is something different. What would it be like if we did it again? Do we need to build exactly this? Or should we build something new and different that evolves and leaves out the stuff we didn't like and keeps out the stuff we did like. I think what I get excited about in spaces like these is it feels like these are the moments where something cool can happen because there is a general interest with the community in trying new things so if somebody has an idea, now is the moment because this is the moment where people try it. They are not resistant to change because they are looking for something better, right? I am really excited to see what happens here. It feels like we are in a great moment for the web's next great leap forward.

JOYCE: Yeah. And I have been through -- this is my third major like web

JASON: Event. [Laughter]

JOYCE: Event. Web recession. The thing that I have seen every time is that it is not all bad. People who want to build new things, this is your moment. You know? This is the blue ocean. Also, you have to remember, like a lot of the businesses is that people worked for, the bigger companies, were monopolists and were keeping down other alternatives. If they are not doing that well, and they are laying off a lot of people, that's a lot of people who don't have time to come after you. Monopolies are terrible for the user. Everybody knows this. Even though it is sad to see colleagues losing their job, monopolies are not good for business in the long run. Look at Facebook. How has their UX gotten better? You know? They came up in what? 2004? It has been almost 20 years. How has their UX gotten better? I don't think it has gotten better.

JASON: You have a good point. We can't control what is happening in the macro no matter how hard we fight we can't change what everybody is doing but we do have some control over what happens next. We can choose how we respond to this moment. Is our response going to be see if we can push the envelope and imagine something better? Or are we looking to kind of re-create the things that we missed about the past. I think this is kind of the fundamental tension. Some of us want to keep things the way they were when we felt they were best and we will fight that fight forever. That becomes the get off my lawn and others see it as an opportunity to imagine something better and that's where you get innovative next steps and UIs and things you didn't think you would like or enjoy that have been impactful. Twitter was a lower barrier entry to full blogging and it was centralized and discovery building and all these things that didn't exist on a blog. That was exciting. You would learn something and see something new. Now, as we are seeing I think what might come after Twitter, there is a lot to keep about. I don't think this is the time to go back to RSS and say the last few years was a big mistake and we should go back to RSS. But like, what is RSS and Twitter and like some of these newer capabilities look like? What does the world look like when you build an app that is really built on owning your own data so something sort of like Mastodon but that is, you know, maybe a little easier to set up so like RSS but has the delight of Twitter with the sort of adjacent discovery. Not just a feed of everybody you follow but what are they interested in and talking about. Let me discover a little bit more beyond my immediate circle and can we make that better so it is not driven by the outrage but by delight. What could the future of the web really look like and that is an exciting opportunity and I really hope somebody builds it because I am too tired. [Laughter]

JOYCE: I feel ya, man. [Laughter] I want to say to people even though it is a very scary time because people are losing their jobs, it is very exciting time because we can imagine a new, you know, going forward a new realm. And that's really what I wanted to say to people. Look, let's make shit awesome. And maybe our definition of awesome today is different than the definition of awesome 18 years ago. How are we going to learn how to make it awesome? How are we going to, you know, have the opportunity to make it awesome? And how are we going to find the users to make it awesome? I run a Meetup for entrepreneurial engineers and that's what we're all talking about now. How do we make it awesome? I hear, you know, people saying, I am going to make a new Twitter. If it is a new Twitter it is already lame. Let's make something awesome.

JASON: What's the thing that pushes things forward, right? For people that want to go out and push it forward, where should somebody go if they want to write the code or build out an example or take apart a demo? We looked at the showcase and I will drop a link.

JOYCE: I think that's a really good place to start for Project Fugu stuff.

JASON: There is teachable machine and a get started button which always looks good. Anywhere else you recommend for people who want to actually start getting their hands dirty with code?

JOYCE: So I like this WebAuthn site. It is a little bit -- how can I put it nicely? It is a little bit, I will give you an A on the paper but this isn't what we need to learn. If you want to learn all about WebAuthn, but the main thing is don't just keep going to react.org. Things are changing really fast in web development. I told you before the call I recently moved to Phoenix partly because I feel like -- when I was young and a PHP developer, it was so fun. You can test and everything was fun. For a few years, I have been feeling like this is not fun any more. Remix I found is very fun. It is kind of -- it is taking away some of the complexity.

JASON: I found the joy comes from finding the tools that are properly suited to my prior experience. One of the things that I noticed about Remix is that for someone like me who has spent a lot of time working with like the web primitive. Plain CSS and HTML, Remix feels like coming home after doing a lot of component stuff and JavaScript abstractions.

JOYCE: And CSS abstractions.

JASON: Right. CSS and JS and Tailwind and the utility based CSS in general. I don't dislike those solutions but I don't like using them. They don't feel -- to your point, it is not a joyful experience to write. I do it because it is easier for the team to understand. Does it make you want to open up the text editor on a Saturday night and whip something out? Kind of thinking no.

JASON: To somebody who hasn't worked with the low level APIs Remix might be overwhelming because you have to learn a lot about the web to use Remix as a platform. It really depends on where you are coming from. If you were born and raised and that's where you started and lived something like Next.js feels great because it is built entirely on the React structure. If you are trying to branch outside of that and see what's coming and the slow start of being legacy tech maybe something like Solid will be familiar. Or if you want to get more fundamentals than something like Remix, quick. I am really happy to see the platform is playing a bigger role in the next generation frameworks. I am really happy to see it feels more collaborative than maybe it has in the past. It kind of always felt like, I think you talked about it in the beginning. Two camps. It feels less like two camps. It feels like we are building things together again for the first time in a long time. That, honestly, that's part of what puts the joy back in it for me. It is not fun to build something and put it on the internet and have everybody say I didn't use my favorite. I felt like using this one. [Laughter]

JOYCE: It is true. It is like look, I feel like there is a whole generation of youngs, I am 53.

JASON: Youngs. The yoots.

JOYCE: Yeah, who maybe came from a different example. I have a couple guys I am working with that came up with cloud was everything. They didn't have to put anything on a server or make sure they were linked up. They had AWS from day one. I didn't have AWS from day one. It is a completely different mindset. Who is going to solve your problems? Who is going to be responsible for your problems? Half AWS and half developer wearing a pager who doesn't know shit. It happens.

JASON: This is the balance to strike. We can always say learn the fundamentals and I think that is a valid thing to pursue, right? The more of your stack you understand from top to bottom, the more capable you will be, and in the same breath recognizing that you cannot learn all the fundamentals because it is turtles all of the way down.

JOYCE: Also, I had like 25 years to learn the fundamentals and I learned them as I went.

JASON: And the other thing that I have noticed, I am at like about 20 years, and some of the things that I considered fundamental in 2001 are no longer fundamentals. Are they are foe things if I do them it is sort of because I am doing it for nostalgia and that's been interesting. Some of my best practices are not best practices now and there are better ways. When I am talking to the Yutes, I am trying to go do I not like this because it is new? Or because it is actually a bad idea? That's a really challenging thing. I don't know half the time I think I am just being grumpy but at the same time sometimes I do see issues and I am like I don't think this is going to work the way everybody wants it to work.

JOYCE: This is why I often said I feel like the best job interview that could possibly do for a web dev is to ask them to make a little form where like maybe you save like an and ask them why. There are so many ways to do things. You still want to know why the person made the decisions they did. I also feel like that's a kind of the reason they made that decision.

JASON: One reason I love a tech interview is instead of a whiteboard instead have them show me something they are excited about and talk me through what they built and why. What I find is when somebody goes in and actually starts explaining the code you will see quickly this person really loves the front of the front end. They are talking about the cool CSS techniques and the accessibility and the other person looks at the same project and spends time talking about the serverless and how cool it is. You start seeing you need someone pumped about CSS and accessibility. You are talking about serverless and this is a bad match. It isn't like you didn't clear the arbitrary bar but you showed expertise in the thing you are excited about.

JOYCE: I think you are absolutely right and I love what you are saying but I have noticed that in, you know, front end web dev interviews, like, they are often very opaque about what they are looking for. I have been guilty of this. You may know a 1,000% what you want is someone that knows Tailwind well but you put that in there with 60,000 other things.

JASON: This is definitely something that I have noticed. I think there are many factors that contribute to this. Ultimately, I have started to give the advice and this is terrible but pretend that the job description doesn't exist because it was probably written by somebody who is not doing the job. You are going to figure out what the job is by talking to the first person. Get past the initial interviewer because it is going to be a recruiter. Try to get to the hiring manager because the hiring manager will tell you about the job and that sucks because it makes it challenging but if you want to work in front end everybody describes it as every technology invented since 1982. That's a bummer because it is not how the vast majority of companies are saying we need a front end and the hiring manager doesn't have time to write the job description.

JOYCE: And we cut and paste and use the one I just used for a Java server pages and I will use the same one for a Tailwind person.

JASON: If you can get to the hiring manager and just ask the question, so if I get this job, what does the day to day look like? We are working on a design system and need somebody to help smooth out this thing and you will realize what skill set they are looking for quickly. If it sounds exciting you keep going and otherwise you say that's not for me.

JOYCE: Juniors are desperate to get that first job often and whatever. I just want to say, don't waste your time. I couldn't get this job. Maybe I am not good enough at like Tailwind. Don't waste your time and move on.

JASON: I think the trick with getting that first job is I always say to folks keep showing up because so much of succeeding in this industry is continuing to be present and continuing to make connections and even if it feels like nothing is happening you are starting to get the boulder rolling. You stay in long enough and it feels frustrating and hopeless and now you have five job offers because you stayed at it. Once you hit the critical mass you just need the first person to see your value and then everybody can sense it. There is probably some psychological phenomenon that drives this but everybody that gets the first job it is never one offer. They are in the late stage offerings of multiple companies and sometimes they take the first but they are on track to get multiple.

JOYCE: Particularly as a woman of color you will have bad interviews. Sorry but that's how it is going to go. The main thing I tell myself when I am in a bad interview is I am not going to take myself out. I am staying in this to win it. It is hard. You are demoralized as soon as you get the question. One time I showed up for a Google interview and I had been at the park near the Google campus to walk around and my car died. It won't start any more.

JASON: When it rains it pours.

JOYCE: 10 minutes before the interview, I had to get on one of those stupid bikes wearing a pencil skirt and high heels and I get on one and as I am halfway there I realize the seat is not fixed so it is spinning around under my butt. It was harsh. That was not one of my greatest interviews but I told myself don't take yourself out. You don't know what these people want. You need to just hang in there. Maybe that should be our real goal. Hanging into the interview.

JASON: I think it is a lot like building any relationship where it has to be two-sided. You can feel when you have a great interview and find the person who needs what they want to do and you are excited and they are excited and you walk out feeling like this is the job. But it does take that patience. I also think that sometimes you just have to take the job to get into the industry. My first job was working as production engineer in a book publishing house. My job was to tweak the copy on the website. I didn't really write any code. I was just capable of opening an HTML file.

JOYCE: We have all done those string changes.

JASON: It turns into now I have something on my resume and each builds confidence and builds the strings of success.

JOYCE: I wish as hiring managers we could be more transparent about what we are actually looking for.

JASON: Very much agree.

JOYCE: I have had so many friends, colleagues and protégés that the reason they got hired was a specific skill they had. I had one who got hired because he did TensorFlow and got hired because of that. We had another with React Native and he got a job because his company needed somebody to build React Native apps. Those are really specific things that they were looking for. I feel like a lot of times I wish that I could, instead of saying, you have to have a degree, and you have to have done React for five years and done this that and other thing, I wish I could say what I need is someone to build this React Native app.

JASON: I get you. It is very difficult to articulate. Unfortunately, that brings us to the end of our time. I am going to send everybody to your Mastodon again. Let me drop that in the link. I will also drop the Twitter.

JASON: Charley brought up a career advice Q&A idea. Chat, shoot me a message if you want that. DM me on Twitter or Mastodon or publicly ask me. We can put one of those together. I think it would be a lot of fun and I think helpful for folks. While we are talking about things happening on the show let's actually jump over and do another shout-out. We have had Maggie here from White Coat Captioning all day. Thank you very much for being here. That is made possible through our sponsors. Netlify, NX, New Relic all kicking in to make some show more accessible to more people. We have a lot of good stuff coming up and more getting booked all of the time. So jump over there and see what's cooking. We have Shonde coming back. It will be React app performance tuning and Sebastian is coming about Docusaurus 2.0. We are going to net a next three and sounds like a career show. Follow on Twitch, subscribe on YouTube or add the Google Calendar. We are going to find somebody to raid. Joyce, thank you so much for taking time. This has been an absolute blast. Thank you all very much.
