Passkeys And Disaster Planning

  • Published on 23 Oct 2024

Comments • 78

  • @askleonotenboom  10 months ago

    How they work to ensure others have access if and when needed.

  • @UnpleasantChuck  10 months ago +19

    I'm an old hand at computers in the workplace and at home (since 1976!) I build and maintain all my machines, work on them for others, etc. But this video explanation has my head spinning, and I can't make any sense of how I'd use passkeys. I currently use a password manager with a large number of very secure, complex passwords and, of course, a single master password to get into it. I can't understand how creating a passkey is going to eliminate the need for those passwords to get into the websites with which they are associated.
    This is a case where -- for me, anyway -- a video showing the creation of a passkey on a device would be preferable to listening to a verbal description, especially one that makes a contention early on and then comes back with an 'I lied' several minutes later.
    I don't mean to sound critical - I watch, appreciate and (for the most part) understand nearly all the content you've posted since discovering your channel earlier this year. You're very good, very listenable and obviously know your stuff. I just can't wrap my head around this one, seemingly simple, concept.

    • @Oregonian1  10 months ago +1

      I agree that this new world of passkeys can be somewhat confusing. I have started using them and not had any issues. Here's another video I found which may be of help: th-cam.com/video/VuzddtQZeT8/w-d-xo.htmlsi=ZCPSbq8YGSRfB6sz

    • @UnpleasantChuck  10 months ago +1

      @@Oregonian1 Thank you for your suggestion -- I'll have a look!

    • @AlanTheBeast100  9 months ago

      You and I are alike in the sense of responsibility and passwords and using a PW manager. Passkeys are for all those people who have no discipline wrt to passwords. (ie: those with bad passwords, same password on multiple sites, etc).

    • @MrRScrivener  4 months ago +1

      @@AlanTheBeast100 But passkeys are great whether or not you use a PW manager. They obviate the need for passwords at all. They also eliminate tiresome 2FA (waiting for codes, etc). They really are the future of passwords. Like Leo, I opt in whenever passkeys are offered.

    • @pierres_blog  15 days ago

      @@AlanTheBeast100 Passkeys are *much* safer than passwords.
      Passwords are sent in full, passkeys never are.
      Passwords are saved on the other website as well as on your computer, so they can be revealed in a data breach. Passkeys are a pair, and need to work together for decryption.
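
The sign-in exchange discussed in this thread, as an added example that is not from the video or from any commenter: the website stores only a public key, the device signs a fresh challenge together with the origin the browser reports, and nothing is signed until the device is unlocked. It is a simplified model rather than the real WebAuthn message format; the site name, user name and all function names are assumptions made for the illustration.

```javascript
// Added illustration of a passkey-style sign-in. This is a simplified model,
// not the real WebAuthn message format; all names and origins are constructed.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Website side: one PUBLIC key per account. Nothing here can be used to sign in.
const serverAccounts = new Map();
// Device or password-manager vault: one PRIVATE key per website origin.
const deviceVault = new Map();

function registerPasskey(origin, username) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  deviceVault.set(origin, { username, privateKey }); // never leaves the device
  serverAccounts.set(username, { origin, publicKey });
}

// Website side: a fresh random challenge for every sign-in attempt.
function issueChallenge() {
  return randomBytes(32);
}

// Device side. The browser supplies the origin it is really connected to;
// the page cannot choose it. Nothing is signed until the user unlocks.
function deviceRespond(originSeenByBrowser, challenge, userUnlocked) {
  if (!userUnlocked) return null;            // wrong or missing PIN/biometric
  const entry = deviceVault.get(originSeenByBrowser);
  if (!entry) return null;                   // no passkey exists for this origin
  const clientData = Buffer.from(JSON.stringify({
    origin: originSeenByBrowser,
    challenge: challenge.toString('hex'),
  }));
  const signature = sign(null, clientData, entry.privateKey);
  return { username: entry.username, clientData, signature };
}

// Website side: verify the signature, then the origin and the challenge.
function serverVerify(response, expectedChallenge) {
  if (!response) return false;
  const account = serverAccounts.get(response.username);
  if (!account) return false;
  if (!verify(null, response.clientData, account.publicKey, response.signature)) {
    return false;
  }
  const signed = JSON.parse(response.clientData.toString('utf8'));
  return signed.origin === account.origin &&
         signed.challenge === expectedChallenge.toString('hex');
}

function runScenarios() {
  const site = 'https://bank.example';
  registerPasskey(site, 'alice');

  const c1 = issueChallenge();
  const genuine = deviceRespond(site, c1, true);
  const c2 = issueChallenge();
  return {
    normalSignIn: serverVerify(genuine, c1),
    // Look-alike page forwards the real challenge: no key for that origin.
    lookAlikeSite: serverVerify(deviceRespond('https://bank-example.test', c2, true), c2),
    // An earlier captured response presented against a new challenge.
    replayedResponse: serverVerify(genuine, c2),
    // Device in someone else's hands, still locked.
    lockedDevice: serverVerify(deviceRespond(site, c2, false), c2),
    // What a breach of the website's database would expose.
    serverStoredKeyType: serverAccounts.get('alice').publicKey.type,
  };
}

console.log(runScenarios());
```

Only the first scenario succeeds; the local unlock (PIN, fingerprint or vault master password) is the single gate in front of the private keys, which is why the thread keeps returning to device security.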

  • @StarConInc  months ago

    This was the BEST deep dive explanation of passkeys by far. I probably listened to 10 others and this was by far the easiest to understand. Actually makes me feel safe about using passkeys. Thank you!

  • @DavidM2002  10 months ago +5

    I print out all of my user names and passwords and keep a copy in a sealed envelope with my will. As an executor who has been on the receiving end of such a list, please don't just print or save as you wish, but test them to ensure that they are current. Many web sites require that passwords be changed occasionally for a variety of reasons. I got handed a pretty nasty mess that my now deceased friend swore was the perfect list.

    • @dannyzwolf4546  4 months ago

      Find 3 trustworthy friends and give each 2/3 of the password so that 2 can unlock your password manager.
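
An added example, not from the video or the commenter, that generalizes the 2-of-3 idea above to Shamir secret sharing: any two of three shares rebuild the master password, while one share alone reveals nothing about it (handing out literal thirds of the password would give each friend two thirds of it). The sample password, the 2^521 - 1 field and the function names are assumptions made for the illustration.

```javascript
// Added illustration: 2-of-3 Shamir secret sharing over a prime field.
// The sample password below is constructed; names are hypothetical.
const { randomBytes } = require('node:crypto');

const P = 2n ** 521n - 1n;                 // Mersenne prime, fits a 64-byte secret
const mod = (a) => ((a % P) + P) % P;

// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
function inverse(a) {
  let result = 1n, base = mod(a), exp = P - 2n;
  while (exp > 0n) {
    if (exp & 1n) result = mod(result * base);
    base = mod(base * base);
    exp >>= 1n;
  }
  return result;
}

// 80 random bytes reduced mod P; the bias from the reduction is negligible.
const randomFieldElement = () => mod(BigInt('0x' + randomBytes(80).toString('hex')));

function split(secretText, threshold, shareCount) {
  const bytes = Buffer.from(secretText, 'utf8');
  if (bytes.length > 64) throw new RangeError('secret too long for this field');
  if (threshold < 2 || threshold > shareCount) throw new RangeError('bad threshold');
  // Prefix 0x01 so the byte length survives the round trip through BigInt.
  const coeffs = [BigInt('0x01' + bytes.toString('hex'))];
  for (let i = 1; i < threshold; i++) coeffs.push(randomFieldElement());
  const shares = [];
  for (let x = 1n; x <= BigInt(shareCount); x++) {
    let y = 0n;                            // Horner evaluation of the polynomial at x
    for (let i = coeffs.length - 1; i >= 0; i--) y = mod(y * x + coeffs[i]);
    shares.push({ x, y });
  }
  return shares;
}

function combine(shares) {
  let secret = 0n;                         // Lagrange interpolation at x = 0
  for (const { x: xi, y: yi } of shares) {
    let num = 1n, den = 1n;
    for (const { x: xj } of shares) {
      if (xj === xi) continue;
      num = mod(num * -xj);
      den = mod(den * (xi - xj));
    }
    secret = mod(secret + yi * num * inverse(den));
  }
  const hex = secret.toString(16);
  // A valid result is the 0x01 marker followed by whole bytes.
  if (hex[0] !== '1' || hex.length % 2 !== 1) return null;
  return Buffer.from(hex.slice(1), 'hex').toString('utf8');
}

function demo() {
  const master = 'correct horse battery staple';   // constructed sample
  const [a, b, c] = split(master, 2, 3);           // one share per friend
  return {
    friendsAandC: combine([a, c]),
    friendsBandC: combine([b, c]),
    friendAalone: combine([a]),                    // null or unrelated bytes
  };
}

console.log(demo());
```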

    • @MrRScrivener  4 months ago

      I urge you to heed Leo's advice. Use 1Password, and give a trusted party access to it. This way you can always use strong (like 14-character) passwords that you will never have to write down or key in. You really need strong passwords like that. And whenever possible, opt for passkeys. 1Password will store those too.

  • @simonw.2206  months ago

    This is so helpful. At last I understand the end to end use of passkeys. Thank you so much for taking the time to explain!!!

  • @bassmaiasa1312  10 months ago +11

    So you aren't 'passwordless' if you keep a recovery password vault. As an American, I'm one of the luckiest people on Earth. Someone in Gaza has a very real chance of all their devices being destroyed in an instant, a 30-second evacuation order, total disruption of their life. Much more likely than having their 2FA sim-swapped. Still, it's not unimaginable that I might have to jump out the window in my underwear, or end up in the Emergency room after a car crash or mugging. Even for me, that is more likely than getting sim-swapped. I like the idea of passkeys. But I will always want a Gaza Scenario recovery option.

  • @shadowminister4090  10 months ago +2

    Hi Leo,
    I, too, have been concerned about enabling family to access information should I croak it, more so because my wife isn't very computer savvy.
    I think for a lot of us, learning & understanding is easier when we do it, see it, and can experience the benefits. It took me a while to embrace Password Managers, 2FA etc, and move away from a list of User Names and Passwords (that were not always updated). My wife still uses a written list of Passwords.
    Am I now across Passkeys? No. I'm still a bit clueless, but I am convinced that they are something I need to get my head around.
    I appreciate the information you provide and watch every video.

  • @C69hJc4  16 days ago

    Excellent video as always! In a previous video, you praised passkeys' ability to thwart malware and key loggers because you don't have to type anything. Given this, I'm curious why you prefer to use a pin over biometrics. U da man!!!

    • @askleonotenboom  15 days ago

      It's not a preference. I use what my device(s) offer. My phone and laptop use fingerprint, for example. My other computers can't do biometrics.

    • @C69hJc4  15 days ago

      @@askleonotenboom oh I see! Thanks so much for the reply!

  • @AlanTheBeast100  9 months ago +1

    On Apple devices, via AppleID and Keychain, setting up a passkey for a service using, eg: my iPhone, will be usable on all devices linked to that AppleID. (My Macs, iPads, etc).

  • @NinjaMonkeyPrime  7 months ago +1

    Nice video. I was struggling with the "device" side of passkeys when it comes to vaults and I think you cleared that up. If I understand correctly, the vault ends up being your device with a passkey instead of something like your phone. Obviously the advantage being you can access your vault from other devices. The drawback I assume is that your vault needs to be secured, but that's really no different than passwords. The only thing I'm a bit suspect on is how this is "better" than a 2FA with something like Yubikey. If I tell an online account to only accept a password AND a physical key that I define, how is that not MORE secure than passkey?

  • @mebobtheone  months ago

    If you need a really good reason to consider a passkey, here's one big one. Last month (July) there was a record breach of data, like some 2.7 billion folks. NPD, National Public Data, was breached; things like S/S, passwords, email accounts, phone numbers are now out there on the dark net. Unfortunately I'm on that list, some of which is old data (28 yrs) but new as well. So yeah, I'm really interested in how passkeys can help with one aspect of a breach involving passwords. I'm seeing it's not enough just to change them. Anyhow, I see Ask Leo has a video on this breach. See title: Social Security Numbers Compromised - What to Do? I never even knew of NPD before this breach, as it is a 3rd-party player that banks and financial companies use. Point is, when you hear of a breach and you go "oh I don't use that company", "I'm okay", perhaps you may not be.

  • @MooseKnuckleWarrior  10 months ago

    I like your hair 🙌 Also, sorry if I missed it, but what service would you recommend for storing passwords? Glad I found you too; your videos are very informative yet simplified enough for newcomers. Keep doing what you're doing!

    • @askleonotenboom  10 months ago +1

      askleo.com/best-password-manager/ - I use 1Password myself.

    • @midcon077  10 months ago

      I use LastPass.

  • @andythomas7931  2 months ago +1

    Great information thank you very much indeed. Can I suggest not to use fingerprints because they fade as you age or are taking meds and therefore will be locked out. Both my wife & I cannot use our fingerprints because they can not be read by any finger print scanner. For me it's caused by old age. For my wife it's her Chemo meds that have removed her finger prints.

  • @kf4wnf  months ago

    I have a couple of questions. I'm new to passkeys. So, do you need a passkey on every device for each account you have? I.e. if you had a Coinbase account and access from your phone, home desktop, your laptop, and your office computer. Does each device need to have its own passkey?
    Also, what happens if you only have a passkey on your phone, but not your desktop?
    And even if you have a passkey set up, it seems if someone were able to hack your login password or PIN for your phone or desktop, then they would have full access to whatever account uses the passkey... correct?

  • @dukeofclemance  10 months ago +13

    Completely baffled now. Way too complex for the average user. I think I will stick to passwords 😮

    • @AlanTheBeast100  9 months ago +2

      Basically replaces the password on subsequent visits to the site with the device you're using.
      Still need to provide your login "name" to the site (username or e-mail address).
      Your device sends the passkey response when prompted by the server - so you don't need to remember a password as long as you can get into your device.
      It's so simple it's hard to explain.

    • @pierres_blog  15 days ago

      It only seems complex because we've been using passwords. People who grow up without passwords will find life easier.

  • @VoCodebcv  7 months ago

    Kudos on your ability to explain matters!
    I understand that I can invalidate the key if someone has access to my device, but say my phone is stolen and I do not know it for some time. Couldn't the thief access my "keyed" websites? Of course, my phone has a pin number, but it must be relatively easy to hack a four-digit code.
    What if a burglar breaks into my home while I'm away and has access to my PC? Is my PIN secure enough to prevent mayhem?
    Am I missing something, Leo?

    • @MrRScrivener  4 months ago

      Use a longer PIN, or better, use fingerprint or Face ID. You'll still need the PIN, of course, so use a 6-digit PIN.

  • @Wol747  10 months ago +3

    I'm a bit slow but Leo seems to say that once you've set up this on a device it just lets whoever is using it get in without a password?

    • @askleonotenboom  10 months ago

      Not really. You WILL need to provide the PIN or other device-level authorization when you attempt to use a Passkey.

    • @Wol747  10 months ago +1

      I just don't get it then. What's the point? @@askleonotenboom

    • @bigjoegamer  10 months ago

      @@tomfriedrichshain Your passwords and 2FA codes can be phished; passkeys can't be phished because you can't type in your passkey anywhere, and the only place that your device unlock method (PIN/pattern/password/fingerprint/face scan) will work is on your device. You use your device for your passkeys, or you can use a password manager for your passkeys, or you can use both for your passkeys.
      If anyone wants your passkeys, they'll need to physically have your device, or get access to your password manager that stores your passkeys.

    • @NinjaMonkeyPrime  7 months ago

      @@tomfriedrichshain _"So now we're supposed to replace the security of long, different passwords for each account with a single PIN for all? That's more secure, really? "_ I'm no expert but the key that this video helped me with is learning that "device" is important. A physical key helps keep your home safe so obviously sharing that key with your friend gives them access to your home. If you secure your phone or laptop, and it holds all your keys to your online sites, then your phone or laptop is your house key.

    • @NinjaMonkeyPrime  7 months ago

      @@Wol747 _"I just don't get it then. What's the point?"_ The assumption is that your phone or laptop is a secured device that only you can access. That makes the device a secure key. If your phone has fingerprint security then I'm not able to use it as a key. If your phone has a secure pin, then it's still safe from me. So your phone is the device that holds all the keys to your account. And because you locked it, I cannot use your phone as a key. But if you setup your spouse with their fingerprint and something happened to you, they could use your phone and have access to all your keys.
      So the point is that instead of a password protecting all your "keys" to your accounts, you've set up a device with bio-metrics to protect your accounts.

  • @WorkerAndy  10 months ago

    Nice to know!

  • @dhlawrencexvii  10 months ago +1

    So...in a public space, a criminal watches over my shoulder and catches me entering my pin to get into an account via passkey (a pin is shorter, less complicated than a password that I'd use to get into Dashlane), then comes over and grabs my computer - why do I feel like they now have access to ALL of my passkey-enabled accounts?

    • @askleonotenboom  10 months ago +4

      Physical security always matters, no matter what you do. In your scenario PIN codes are definitely the easiest to grab (equivalent of cash machines - protect yourself from shoulder-surfing). Facial or fingerprint recognition, on the other hand, are other approaches that are more secure.

    • @dhlawrencexvii  10 months ago

      Perfect. And a new phrase (to me): shoulder surfing. @@askleonotenboom

    • @리오-j4i  9 months ago +3

      You can use biometrics to login, or avoid using computers in public

    • @pierres_blog  15 days ago

      That's why you should save the passkeys into your password manager (Dashlane) rather than to Windows or Mac. Then your passkeys are hidden behind your own master password and not the weak user login credential. From that point on, passkeys become much, much safer than passwords.

  • @quintinphillips  5 months ago

    So you need to generate a passkey for each device you log on with (your PC and your phone)? I have neither Windows nor Apple machines.

    • @askleonotenboom  5 months ago

      "Need"? No, it's a convenience. For each device? Yes.

  • @coooooolraoul  6 months ago

    (sorry, already posted the same comment but by mistake on another unrelated video)
    This is nice as long as passkeys stored on an Android device keep working.
    It suddenly stopped for me on my phone and my tablet just after having factory reset my phone (but not the tablet!). Login using passkeys worked before phone reset.
    Error message is "No passkeys available" and I've not found how to make it work again since then.
    I've tried everything, even logging out and back on from my Google account on the phone. Still not working.
    Using passkey stored on my Windows PC works though.
    I have googled a bit on that issue and found some other users facing the same problem, but no solution.
    Since passkeys are just an alternative login method, and I've others working (even a hardware key) I consider this not a big deal.
    I'm just a bit disappointed not to be able to understand what's going on there.

    • @askleonotenboom  6 months ago

      Passkeys are never the only way in. Additional methods to sign in must be available. Typically they're more cumbersome, but for that one time it doesn't matter. Once in you set up a new passkey.

  • @DavidM2002  10 months ago

    If you accessed 95% of my user names and passwords, they would be of zero value to you - metal working, motorcycles, computer forums, etc; all the usual stuff. My financial type sites are a different matter and they all have strong passwords and user names along with 2FA. So, to change everything to protect 5% of what really needs to be protected is a bit like the proverbial swatting a fly with a sledge hammer.

    • @bigjoegamer  10 months ago +1

      Your passwords and 2FA can both be phished. Passkeys cannot be phished.

  • @ChibiKeruchan  9 months ago

    I don't know but I believe passkey started after it was proven that quantum computers can crack most passwords in less than 5 mins.
    Which is why the idea of passkey is now being implemented slowly before we get to the ERA in which quantum computers are a consumer product, which is probably going to happen like 40 yrs from now? LOOL
    Anyway, I'm trying to understand passkey right now, if it's a good thing or not, and I'm not in a hurry either.

  • @SouthernMaster  10 months ago

    What happens if/when passkeys result in password managers becoming obsolete?

    • @askleonotenboom  10 months ago

      Seems unlikely, but what are you concerned about? You could live a password-free life.

    • @SouthernMaster  10 months ago

      At the 9:45 mark, you spoke of 1Password saving your passkeys. My first thought was if passkeys became so popular, & they put password managers out of business, how would you then save your passkeys?

    • @MrRScrivener  4 months ago

      @@askleonotenboom Plus I love the fact that 1Password stores my passkeys as well as my complex passwords.

    • @pierres_blog  15 days ago

      Passkeys saved into a password manager are **much** safer than those saved to Windows or Mac. The latter hide your passkeys behind your user account login. Password managers use a master password that's separate from your user login. Passkeys + password manager are the current state of the art.

  • @NickCassimon  10 months ago

    Great

  • @ruthcherry3177  2 months ago

    This is one of the most confusing and contradictory videos I've ever watched. So, someone steals my laptop while I'm out at work. It is locked BUT they can easily use a bootable USB drive to access it - I know this because I have had both the blue and black screen of death on different devices and used this method to recover access. The last time was difficult because ASUS was insisting on a password that didn't exist! However, I was able to get around everything by making a Windows 10 bootable flash drive. If I can manage that then so can a thief. They could then get into my Google or Microsoft account and take complete control. A passkey sounds more of a liability than a secure solution!

  • @walterxplinge3867  6 months ago

    It's not "disaster planning" it's "continuity of access" planning

  • @timfd.w.4163  4 months ago

    Leo, who said that Windows credential wallet is secure? If passkeys rely on Windows security then, sorry, I will pass

    • @pierres_blog  15 days ago +1

      That's why you should save the passkeys to a password manager instead of to Windows or Mac. If you have a password manager installed, then the browser should ask you where to save the passkeys.

    • @timfd.w.4163  15 days ago

      @@pierres_blog my passwords I deal offcloud and without any browser extension ... No cloud will have my database and no browser will touch it. Not even my clipboard.
      I fill the fields directly from the app

  • @glasslinger  10 months ago

    Ah yes! I have a key to the box that holds the key to my house where I have a key to the box that holds the keys to the car........
    Best way is a nice little book with the passwords written in it. Of course if the house burns down that is a problem. So I will have a book that describes where another book is kept that describes where...... HE, HE, HE!

    • @mebobtheone  months ago

      The big exception here is when there is a data breach like the NPD breach that happened in August; then i.e. your password, your email, username etc. are out there on the dark web. With using a passkey, if someone tries to use your exposed password, it would render your password useless. That's really a big thing. The NPD breach involved 2.7 billion people. Most of us here in the USA were exposed in one way or another. NPD is a 3rd-party company that banks and financial companies use to check your credentials etc. Some of my data is out there even going back 25 yrs ago. Best to change your passwords and rethink this passkey.

  • @StijnHommes  10 months ago +1

    4:41 So instead of 300 passwords, I would need 1200 passkeys. NO thanks. That is neither easy, nor practical and it is NOT SECURE.
    6:50 That is not true. Hackers that steal the passwords from a big website can still use them to sign into accounts and if they get the public key of a website, they can still use it to phish information from people. The data they steal is NEVER useless.
    9:14 This is troubling. Sure it's great that your heirs can access your accounts, but they can also do that when you're not yet dead and so can anyone else who should never have access in the first place and since you're not warned about new passkeys getting created, you won't know someone has access until it's too late.
    12:30 Great idea. Unfortunately, someone will have accessed your account long before you've cancelled all the relevant passkeys from a stolen device as you'll be website hopping for hours to cancel them all.

    • @Ck87JF  5 months ago

      6:50 - do some reading on PGP cryptography. Someone can advertise their public key on a billboard or the side of their house, but that isn't going to help an attacker accomplish anything because of how PGP works. It's called the public key because it's expected to be accessible by the public.
      9:14 - password managers can be set up with an emergency contact who can take over in situations where the user is incapacitated. This feature often relies on a notification & configurable delay process. "Your sister has requested access to your vault. If you don't reject this request, she will be granted access in 48 hours."
      If you're online every day, you will see this message and say no she can't have it. But if you really are in a coma in the hospital (or dead), then your sister can start the process of taking control of your accounts to manage your affairs.
      12:15 - it's also going to take the thief some time to do the work of locking you out of your accounts, especially if your laptop was locked when they grabbed it. So update the Passkeys & passwords for your email, then password vault, then banking, then on down the list. Ensuring your email is first will help to ensure that they can't request password resets.

  • @lewiskelly14  10 months ago +2

    Surely you should have explained what it is at the very start