Leo, I’ve been a regular viewer for a number of years now. I’m overdue in expressing my gratitude for the excellent work you do. For me, your explanation of passkeys is much easier to comprehend than any other I’ve found.
Thank you, Leo. Getting one's head around the subtleties of how actually secure they are is a big step, but we will get there, slowly. Well done and looking forward to the next.
You explain passkeys so clearly. Thank you.
BUT if you use a PIN to open your phone and your phone gets stolen by someone who also figured out your PIN, you’re kind of screwed. Which is why I prefer to use a separate device like a YubiKey.
At that point it’s not an issue with the technology, that’s a user problem.
Unless I'm missing something, just having access to your phone doesn't matter if the method on your phone to authenticate (activate) your passkey is biometric (e.g. Face ID) and not a PIN. But if they have your phone login PIN and that same PIN is used to activate your passkeys, then yeah, you're in trouble.
Same thing if someone got your password, so it's not so different. In most cases you would be using biometrics, so passkeys are still more secure.
@JJ_in_Raleigh This is why I am not happy with Google keeping and syncing my passkeys and the main PIN (and I don't trust PINs; I use a proper long password). I prefer third-party passkey services, services like Proton Pass. I think the YubiKey Manager also might have something. We should really have a list of alternatives and their pros and cons.
If I use passwords, everybody needs me to log in. If I use a passkey and a YubiKey, they can ditch me and have access. We really are putting security on external, easy-to-steal devices. Unless they can steal my brain.
Thanks, Leo, for answering my questions in this new video. I believe in passkeys, but currently it is not yet transparent enough where and how they are stored: Google, Microsoft, several password managers... They all claim they will store the passkeys for you. How nice 😊. I read the comments posted below this video and it is clear that a bigger effort is needed to explain the what and where. Your video really contributes.
This will take time. Older and younger folks that are technology-challenged have a problem managing simple passwords. Now we are asking these folks to select and use platforms to manage these passkeys on multiple devices and still hang on to the passwords, e.g., Chrome, Edge, 1Password, Apple iCloud Keychain. This is very difficult for the average person. Another issue is the adoption of this technology by the business world. How long will it take for the smaller organizations to implement passkeys?
Given that some services still have a six character minimum for their passwords(!), I expect it will take a very long time.
There is so much with technology now that is not understood when it comes to the death of a person. All it takes is stopping one thing, and it can mess up several others, especially when the person left to deal with it hasn't a clue what you did! My thanks to Leo for his help to understand better what my guru husband did. I have managed a backup ready for Windows 11. NOW passkeys? ARGH!
Helpful! Otherwise a mysterious process. Regards from Baltimore.
I use 1Password for my passwords and my passkeys. I think the passkey resides in the 1Password app. I never created another passkey with any of my other devices (desktop, cell phone or laptop). Yet I can sign in with any of my devices.
Auth apps like 1Password use syncable passkeys; Leo in this video is talking about 'on device' passkeys. I think we're transitioning to the syncable type because they are more convenient and cross-platform. Microsoft will support syncable passkeys in the future; they don't currently.
Hi Leo,
Thank you for your explanation of passkeys; I have a greater understanding of them now.
I just have one question: I was reading a BBC article a few days ago, about a guy who had his phone snatched off him on the underground, and although his banking app was secured with a facial ID passkey, the thief was able to access it, and empty out his account and also take a loan out with another bank in his name. How was this possible if passkeys are so secure?
You need to start with at least 2 devices. The other assumption is if you lose your devices, you will always have at least 1 device still in your possession. If you ever think that there’s a chance that you would lose all of your devices at the same time, then you’re back to the beginning where you need passwords. In that case, you need to write your passwords down on a piece of paper or store them in a password manager somewhere on the cloud.
You don't need to store them in a password manager in the cloud. Many password managers today store passwords locally, such as Enpass. So, if I lose my phone, I can log in to Enpass on my Linux machine and get my password there. I will never trust a password manager that stores my passwords in the cloud.
Passkeys are for convenience. You'll need something else to log in with to set up a passkey, unless you signed up for an account using a passkey; but then you'll need one of the devices with a passkey to that account to log in to that account on another device, and those devices will use a PIN or password or maybe biometrics, which also uses a PIN or password for backup, so we're really still using normal logins. This is just an alternative to a password manager.
4:06 I think what people are concerned about is: what if they set up their account and their only method of authentication is the passkey on the lost phone, and they have no alternative authentication methods (to make their account "more secure", as there can't be a password hack or SIM swap for text verification)? Is that scenario possible?
@marco31 This is a good solution, but if you also use a passkey for your email and only on the lost phone, I'd think you would lose access forever. I of course would make certain to have a backup solution, but it's possible some people are going to set up their accounts just like I described, if that is even possible.
I don't think you watched the (entire) video. There's ALWAYS a way back in. Consider: how did you set up the passkey in the first place? You had to authenticate some other way first.
@askleonotenboom I did watch the whole video, so there's no need to bash me. I posted my concern for the benefit and engagement of YOUR channel and audience, and I don't think you understood me, and I'll prove it. I once remember a Microsoft message offering to remove my password and set up a passkey. No password and passkey on lost phone (with no other backup) = no recovery (if this scenario is possible). Unless the system accepts the old "removed" password or forces you to have an alternative authentication method. Do you understand now?
@Teisju It took me two seconds to google: Microsoft account recovery.
@Teisju And as I said in the video, there's ALWAYS another way to get in. With no password and a lost phone, you'll simply authenticate on a new device some other way, like a message sent to your alternate email address, your recovery phone number, a backup code you set up beforehand, or something else. Like I (and the video) said, it's the exact same process you used to set up the passkey on the phone initially.
I watched the video twice, but I am still wondering what your response is to the 2nd query: "When creating a passkey for an existing account, the old password could still be stolen from the server." If that is the case, how do passkeys actually enhance security, given that passwords can still be used to sign in, as is the case with my Google account.
You're right. Passwords eventually have to go away for passkeys to be fully effective.
Great presentation of this new tool. One question, why is there a creeper clip of the lady on the bus? Totes inaprops.
Regarding question 2. Unfortunately, you have not answered it directly. Until the use of user/password is eradicated completely across all sites, the use of passkeys will only be for convenience, but not for better security. Your point was, we are gradually moving in that direction, I wish there was a better answer.
Hey Leo, nice explanation, thanks! I have a question though. Let's say I set up a Microsoft account on my phone without a password (i.e. passkey only) and that that phone is the only device on which I have that account setup.
What happens if I lose my phone?
I'm assuming there is a recovery process involving signing in via a magic link sent via an email or SMS etc., but assuming the phone was the only way to log in to those accounts as well, how do I bootstrap the process of logging into all my accounts while having access to NONE of them?
Exactly, the bootstrap process is as you describe. HOWEVER, the missing point: you need to configure a DIFFERENT recovery email or phone number for the account for just this kind of situation.
Does this stand now that passkeys are going to sync between devices, and also be transferable between providers?
Passkeys only sync between devices if you're using a password manager that does that. They're not transferable between providers.
@askleonotenboom "going to ... and also be"
OK, you have a passkey. So on the lost phone they cannot access your account due to the passkey, but they have your telephone no. So they could use your number as an alternative on another phone to access the account when sent a code. I have been trying to get rid of my telephone number from all my sensitive accounts, but this is impossible; most companies require a telephone no. to use as backup 2FA in the very case of not being able to access the account. I have been trying to set up email as backup, but most companies will not accept it. (I have security keys on Gmail and Microsoft) so I know email is secure.
Any comments?
Nice, Leo.
I sort of understand? What happens if I access my Citibank account from a friend's computer and I don't have my phone with me?
You'll have to sign in using one of the other, less convenient ways.
Why are you still trying to make passkeys relevant? They're not user-friendly or secure and people can't even agree on an implementation. Users are left to figure out if their passkey is device-bound or syncable.
4:00 When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't). How is that secure or convenient? Signing in using another method isn't an option when, like you, someone was dumb enough to remove their password leaving the passkey as the only option. Similarly, you can't invalidate a passkey if you can't get into the account either.
6:22 Your takeaway is concerning too. Setting up multiple passkeys for all your accounts takes an ungodly amount of time without offering any benefits. We already have passwords for those accounts. Nothing to set up, no time wasted.
And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager.
"people can't even agree on an implementation"?
There's multiple ways to implement passkeys, and that is by design. Some implementations are more convenient, and some are more secure.
A federal government agency website/app might require device-bound passkeys only, while a video game website/app might allow synced passkeys and device-bound passkeys.
"Users are left to figure out if their passkey is device-bound or syncable."
They'll learn, like they learned about how some of their passwords are synced (e.g. Google Password Manager), and some of their passwords are not synced (e.g. local offline accounts on desktop PCs and laptops).
"When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't)"
This is why you remotely deactivate your phone when your phone is lost. Android and iOS devices can be remotely deactivated from another device.
"Setting up multiple passkeys for all your accounts takes an ungodly amount of time without offering any benefits"
One benefit is that you can still log in if you lose a device or lose access to a password manager. Another benefit is that you don't have to remember your passkeys or write them down.
"And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager."
Your passkeys can be locked away in a password manager, too. Android 14 and iOS 17 and macOS 14 support third-party password managers (Strongbox, KeePassDX, Bitwarden, 1Password, Proton Pass, etc.). Windows is gonna have that same support, too, according to the "device support" page on the "passkeysdev" website.
What would happen if I were to take over using an email account for an organization from the previous person who held the position? How would a passkey be established on my computer instead of theirs?
You would set up the passkey like any other first time use of a device: signing in some other way first.
If you can set up passkeys using something other than passkeys, then someone else who gains access to the same information can do so too.
This is correct. But you should already be securing those "other things", like your mobile phone and email account and whatnot.
If you need a password to validate your account and get a passkey... well, you still have a password which can be stolen, so what's changed? Unless of course you need both the password and the passkey to gain access to your account. Which means life will become harder. I must be missing something here...
Passkeys are a precursor to going completely passwordless. So not only do you not use a password, there isn't even one associated with your account. This is the state of my Microsoft account right now, for example.
@askleonotenboom Thanks for your reply. From videos I have seen, it always seems that you have to have another way to access your account, or at the very least you need a password to create the account. As you say, it is early days, so we will see what happens.
@Steve-PT It could be done without a password from the start, if providers wanted to. Initial authorization could be via email or text confirmation, for example.
@askleonotenboom Yes, that would make sense. Passkeys certainly sound quite 'comforting' with their approach to security. Let's hope more organisations take it up! Thanks Leo.
It still doesn't make sense. Passkeys create a huge mess. Suddenly you have separate "password(key)s" per account and per device. You cannot save them on a flash card, you cannot even print them on a backup paper, and on top of that you still need to keep the old passwords, for the case you lose/break/have stolen/or just buy a new device. And in a passwordless world, losing your device means losing your digital life, because you cannot use your mail if you don't have a password that you can remember.
Interesting video. I'd never heard of a passkey before. Probably because I don't have a phone.
I’d not heard of them until all of a sudden on the PC, after needing to log back in to certain sites, such as Coinbase and Microsoft I started seeing an option for using a passkey. So I started looking into them.
Still unclear what it is.
They’re one of those things where it takes a while to get a feel for them. That is, you’ll need to read a few things and watch a few videos. John Savill has a deep dive for example. An hour long video.
I have not yet understood "passkey". I have a couple of mobile devices. One of them I simply turn on if I plan to use it. The other one I turn on if I plan to use it, and I have set up a code to unlock it for actually actively using it for anything. I do not remember at any time giving or making any passkey. Is that code I put in for unlocking the front screen of the second device actually called a "passkey"?
No, that's a PIN to simply use the phone. The password is the public key/private key and works behind the scenes. Public key on the server and private key on the device. Lose the device and it's not a problem since the server will generate a new private key for your new device.
Leo. Great Video. But there is a lot in it which is more a half truth:
1.) Passwords are also cryptography
2.) Passkeys can’t be stolen. You still have the password. Can be stolen. The message is again that passwords are like keys to locks. Be unique
3.) One passkey per account. We haven’t talked about limits - how many passkeys can be stored. Think of the amount of accounts we are talking about.
Based on all the confusion in the comments section, it suggests the video didn't explain the topic well enough?
First of all, my phone is PIN protected. I then use an app, which I set a password to open; then I choose any app on my device I need protected. It even takes a photo of anyone who tries to unlock any app with a wrong password. lol
Microsoft says passwordless accounts are safer. They do offer passwordless accounts or passkeys.
I don't want a passkey to completely replace passwords, in case the key is physically stolen or a device containing the key is hacked! I'm happy having both a passkey and a password.
The key is not hacked. It's still secured by the security of the device it was on. AND you can immediately deactivate that key remotely if you like.