Passwords vs. Passkeys - FIDO Bites Back!

  • Published on 21 Nov 2024

Comments • 140

  • @maxquasar 11 months ago +26

    Big FIDO2 fan and may I offer my favorite best practice with regards to "What if I lose my key?" You can register multiple keys with your servers. The key pair on the key is only used to protect the key pairs you make for each server. Once you're authenticated, your server will allow you create another key pair for the additional FIDO key. Keep one in a safe and use the other for daily use. Love your videos! Keep up the great work.

    • @jeffcrume 11 months ago

      Exactly right! I meant to include that in the video

    • @berndeckenfels 9 months ago +1

      Not all sites allow multiple keys though. Would be good if the keys have some kind of backup tool to a paired key (although it increases risk for extraction)

    • @JorgenAndreStenersen 6 months ago

      Yubikeys with a good backup plan in case you should be so unlucky as to lose one is the way to go. I love all my Yubi's with a dear heart after an incident 6 years ago where I was targeted by some skillful individuals. Not saying it's unhackable, but all the precautions I have implemented in my digital life will sure make it very hard for someone to hack/attack me at the scale that I was attacked. Keep up the great and important videos @jeffcrume and @IBMTecknology 👍

    • @PeterRowe-k1o 3 months ago

      Totally agree! With a Yubikey the private key never leaves the device, unlike multi-device passkeys from the likes of 1Password and Apple which store your private key in the cloud waiting for hackers to exploit it. A Yubikey is much less hackable than a phone or laptop/desktop, and you can air-gap it when not needed, and it is cheaper to have a backup. I have my own Yubikey, and my wife has another so we replicate each account with both. Hardware keys are not that well supported yet though

  • @BarryOGrady a month ago +2

    Great video, thanks, Jeff. I have been wondering about passkeys, have watched vids on TH-cam, and this is the best concise video that explains it in human language. Well done, IBM! I am lucky enough to have worked there, so it is gratifying to see they're still doing a great job.

  • @NK-iw6rq 2 months ago +4

    Thank you Professor Jeff! Your videos on cyber security have helped me ace some interview questions I've been asked recently.

    • @jeffcrume 2 months ago +1

      Awesome! I love hearing that!

  • @gasovensforqcult 11 months ago +8

    As a PKI engineer, this warms my heart

    • @jeffcrume 11 months ago +2

      I love it!

  • @toenytv7946 11 months ago +4

    We’ve come a long way with passwords. Hindsight is 20/20. Just thinking back at how great a tech this is and its importance. Great job keeping it open and secure. Threats shouldn’t be able to keep up. Just a thought: security sure is my number 1. Trust one of the keys to security. There sure is a lot of great tech in the process. Thanks for the points.

    • @toenytv7946 11 months ago +2

      infrastructure on the shoulder of giants. Nice work folks.

    • @jeffcrume 11 months ago +1

      Thanks for the kind words! I can take no credit for the standard but, as you said, a lot of “giants” contributed to this and thought through all the hard stuff for us

  • @jaidenrichard99 11 months ago +6

    Good teaching. He explains very important concepts with easy examples. Thanks.

  • @samwang8054 10 months ago +1

    IMHO, the first two questions are as important as what FIDO is currently trying to standardise. Without addressing or standardising those two, it just cannot be counted as a complete solution. And, "eliminating the need for passwords entirely" sounds quite ambitious.

    • @jeffcrume 10 months ago

      They don’t really have to be covered in the standard since existing solutions already exist. For instance, 1Password and iCloud Keychain are just two examples of tools that already have this covered. I’m sure there are many more

  • @con-f-use 7 months ago +3

    It's funny how he says he's addressed SSH and PGP, but has done all but.

  • @herewearewayoutwest a month ago

    Excellent best describes this presentation. I could listen all day.

  • @kenp4124 3 months ago +4

    Account recovery is always going to be the Achilles heel. Even among the few sites that support passkeys, most force the user to enable a weak recovery method before they'll enable passkeys.

    • @jeffcrume 2 months ago

      Very true. I think there are better methods based upon the way that credit bureaus authenticate users based on historical info they have

    • @luffirton 2 months ago

      @@jeffcrume Exactly, nothing is safer than the weakest link in the chain. I thought that when FIDO started on this project they would also address a secure standard for recovery of passkeys, but now it's basically everyone can implement their own way to recover passkeys and there is no technological enforcement that prevents a service from using passkeys without implementing the secure passkey recovery method. One example could have been done in a way like: you have to scan a QR recovery code and the new device would prompt you to authenticate. You then follow a set of steps and it takes a picture of you. Using the NFC antenna in your phone, you are asked to place your phone on your electronically readable passport; the device gets the information and compares your information from the passport, including the picture, to the information you entered in the previous steps, does a face analysis of the pictures, compares them and, if they are matching, then lets you create a new passkey and store it in the same place or another place that supports storing passkeys. You could also have an option two after scanning the QR recovery code to instead send an SMS or email to your number or account with a security number/PIN that expires in 30 minutes, which you enter to authenticate; you then get the option to save a new passkey.

  • @AlessandroBottoni 11 months ago +3

    This depends on the level of security you are looking for. I do use FIDO 2 USB tokens since the beginning BUT... I still pair them with passwords and passphrases. Just in case someone steals my devices...

    • @dinesharunachalam 11 months ago

      Do the FIDO 2 USB tokens not authenticate based on any biometric? I have not used one, so I'm asking. Here the FIDO private key is locked by biometric authentication of the device

    • @jeffcrume 11 months ago +1

      @@dinesharunachalam You really don’t need to use passwords as a backup because you can have multiple private keys for each device on each account and those can be synced through a password manager, iCloud Keychain, etc. This provides a recovery mechanism. As for USB tokens, they can vary, but typically they could leverage a fingerprint to unlock them. Or, in most cases, you can just use your phone, tablet or laptop as the FIDO device since they probably have biometric support and secure storage of the keys

    • @jp62200 8 months ago +1

      A FIDO2 hardware key which doesn't have biometrics usually asks you for a PIN code to unlock the device (with auto-erase after 3 attempts)

    • @minnced 3 months ago

      Using a passkey without a username (known as a resident key or discoverable credential) usually requires user verification using either a biometric or PIN entry (PIN length depends on the key).

  • @velo1337 11 months ago +5

    Congrats on the promotion to CTO

    • @jeffcrume 11 months ago +1

      Thanks!

  • @alejandrodelavega9857 7 months ago +3

    What do I use to sync the passkeys? A password manager like 1Password?

    • @kevinmcfarlane2752 5 months ago +1

      If you don't trust something like iCloud then yes. If you don't trust a password manager then don't sync, and use your Yubikey everywhere.

    • @Norm7264 a month ago

      FIDO addresses the sync problem by making some suggestions, but leaving the actual implementation up to the actual device or OS manufacturer: fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf

    • @lucas.n a month ago

      @@kevinmcfarlane2752 I think YubiKeys can store a maximum of 25 passkeys, though

  • @karlking4980 2 months ago +1

    The major concern I have regarding the password-to-passkey transition period, is that the site (e.g., Amazon) I am accessing will actually have both the new public key for specific device(s) AND my original password. I mention this because I have created a few passkeys but have not seen an option to have the site permanently delete my password once the passkey was created; therefore, even if I create or share passkeys for all my devices to a particular site, a data breach of that site will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key.
    What am I missing?
    Thanks for the excellent video!
    Karl

    • @jeffcrume 2 months ago

      Unfortunately, that will be true until they retire the password option for your account and that’s up to each web site to do that as they see fit. Hopefully, they will clean this up over time

  • @pipjersey8303 10 months ago +6

    4:35 This guy knew exactly what he had done when he did it

    • @BM-jy6cb 6 months ago +1

      LOL😅

  • @zetectic7968 a month ago +2

    Problem 1, only 4 accounts I have use passkeys
    Problem 2, websites still asking for an email address or even a password when using a passkey.
    Problem 3, it takes longer to logon using a passkey
    Problem 4, website still want to use another method of 2FA rather than a yubikey etc where the passkey is stored i.e. email code, text code or authenticator app code
    Problem 5, many will not use passkeys as they have been poorly implemented & are less convenient than a password.

  • @ukranonymous 8 months ago +3

    The best security is when you use all THREE: 1. something you KNOW, 2. something you HAVE and 3. something YOU ARE. For example a password + device + fingerprint. Passkey violates this. To get access to your online banking, a bad guy can catch you unconscious (or help you with that), grab your phone, unlock the passkey with your finger and that's it. I know a real case. Although password managers also violate the first means. Therefore for critical services I don't use password managers.

    • @jeffcrume 7 months ago

      You’re describing multi-factor authentication and passkeys leverage it as well. Check out the previous video to see how it works

    • @ukranonymous 7 months ago

      @@jeffcrume Thanks for your answer! You are right, I tried a few pages and 2FA is still in place in addition to Passkeys. Still, the idea behind passwords is to keep the secret in your brain and passkeys eliminate this. Of course, this factor is present (if configured) when a user has to unlock the vault holding passkeys (phone or password manager) with the pin or password. My best experience is one service where I have to enter a password in the app for second factor auth. Then I have all three factors in place: Passkeys is something I HAVE, for 2FA I unlock my phone with biometric auth (something YOU ARE) and then I type my password which I do not store in a password manager (something I KNOW). A bit annoying but security should not be simple. And thanks for the video - it's just great! Subscribed :)

    • @리오-j4i 7 months ago +1

      I think you can use a cloud-based password manager for non-important accounts + a FIDO2 security key for important accounts + the most important accounts such as bank websites which do not rely on a password manager. Also you can lock your device through an applicable app, then biometrics won't work.

  • @dansanger5340 10 months ago +2

    I'm excited about Passkeys, but a little leery about synchronizing them across devices using a password manager with Passkey support, especially after the LastPass breach. My concern is putting all my eggs in one basket. With passwords, I could at least keep the 2FA information for the accounts in a separate authenticator, so that even if the password vault was decrypted the bad guys still couldn't log in to my accounts. But, if I use the password manager to synchronize Passkeys, and the vault or the synchronization process is somehow compromised, then the bad guys have everything they need to log in to my accounts. Or, maybe I don't understand how Passkeys are synchronized and this isn't a potential vulnerability. But, until I know better I'll probably just use device-bound Passkeys for logging in and regular passwords in a password manager (plus separate 2FA) for the case of a lost or new device.

    • @jeffcrume 10 months ago +1

      It’s a risk, for sure, but IMHO it’s far less of a risk than the one posed by passwords, which are a badly broken and outdated approach

  • @DeepDiveGames 4 days ago

    I really like your content and I appreciate the advantages of PKI and FIDO2, but I believe this video doesn't present a complete picture of modern password managers (PMs) that actually generate and store unique, high-entropy passwords for each site automatically. With that in mind I'd like to clarify two points:
    1. In the phishing scenario (7:56): With properly configured PMs generating unique passwords per site, a compromised password from a phishing site doesn't put other sites at risk.
    2. Regarding the offline attack (8:34): Cracking a properly generated password with 180+ bits of entropy is practically infeasible, and even if successful, would only compromise one site's credentials.
    While Passkeys may offer better protection for the average person, the video would benefit from a more balanced discussion of their limitations. Also worth noting that the current Passkey implementations are still in their infancy - most sites simply replace passwords with Passkeys while still requiring email verification and 2FA, rather than fully utilising the technology's potential. A thorough comparison should consider the pros and cons of both approaches, as each has its place depending on user needs and circumstances.

  • @dinesharunachalam 11 months ago +1

    @Jeff, what is the cost involved? Both from new installation perspective and also migrating existing password based authentication

    • @jeffcrume 11 months ago +2

      Great question - sorry if this sounds like a commercial but I’ll use this to illustrate the point - IBM Security Verify Access is a tool that web sites can use to add FIDO/passkey support to their systems without having to recode everything. Without a tool like this, the web site will need to add support for FIDO on its own, and that can involve more cost. That said, the savings resulting from fewer security incidents and fewer help desk calls (no lost passwords) could easily offset the cost. The organization just has to be willing to make the initial investment and many are. IBM, Google, Amazon, Twitter/X, Meta, Microsoft, Apple, etc. all support it today

  • @nvsv_wintersport 10 months ago +1

    With secret questions (your Mother's name, your favorite pet, whatever) just give a bogus answer that can't be found in your social media feeds (better even: don't put all these details online, unless you like identity theft). And I'm not switching to Passkeys, but will keep using my Yubikeys.

    • @jeffcrume 9 months ago +2

      Yubikeys support passkeys, BTW

  • @Strammeiche 9 months ago +2

    I usually don't lose my passwords but phones break from time to time.
    I switched back from bitwarden to an encrypted keepass container in the cloud because of security concerns. This feels like going back to a single point of failure.

    • @jeffcrume 9 months ago +1

      I know what you mean. I used to use a PW manager which could sync across a LAN to only my devices (no cloud needed), which I preferred, but everything has moved to the cloud now, it seems. That said, a good cloud provider lowers the risk and you encrypt the pws (or better yet, passkeys) in the pw manager client BEFORE it goes to the cloud. That way you can retrieve the info from anywhere and it isn’t exposed

  • @eduardobuitrago a month ago +1

    If you do not control the security, assume everything you send to that system is available to third parties allowed by that system. Keep your private keys private! Period!

  • @marcopetaccia88 11 months ago +1

    I'm sorry this could sound like a silly question. But... if I'm able to create a new passkey for each device I own and trust, why would I need to sync them to the cloud? Am I missing something?

    • @jeffcrume 11 months ago +1

      You could do it that way but the implementations I’ve seen seem not to. It could also be an approach of both/and rather than either/or, it seems to me

    • @kevinmcfarlane2752 5 months ago

      I recommend watching this video - th-cam.com/video/SWocv4BhCNg/w-d-xo.html (FIDO Alliance - Passkeys in Action). It shows cases for both re-using passkeys and creating new ones afresh.

  • @manta567 10 months ago +3

    Malware? Vulnerabilities? Session Hijacking?

    • @jeffcrume 10 months ago +3

      All far more likely to impact passwords than passkeys

  • @aaronrobinson4446 3 months ago +1

    Will employing the use of a Passkey AND a Password offer even more security?

    • @jeffcrume 2 months ago

      I suppose it could but I think it would add more complexity than it’s worth

  • @Romahotmetytky 5 months ago +1

    OK so the private key on the device is used to decrypt the message sent by the server and send that message back for identification, right? What if this decrypted message is intercepted by a bad guy? Now they have the public key and the decrypted message; is this enough to cause trouble? Or to even figure out the private key?

    • @jeffcrume 4 months ago +2

      You just said the key phrase, “they have the PUBLIC key” - which is PUBLIC in the first place. In other words, the public key reveals nothing about the private key other than the fact that the message was encrypted with it

    • @luffirton 2 months ago

      @@jeffcrume I want to add that the message/challenge sent by the server/website to the device is encrypted, then the device decrypts the challenge, verifies it comes from the public key it is expecting and then signs the challenge/message, encrypts the message/challenge again and sends it back to the website/server to be verified.

  • @cyberJali1234 11 months ago +1

    Great content always following to learn more about security. Can I offer my services to put this content into an article for you?

  • @fastrobreetus a month ago

    TY!

  • @michaelcharl 10 months ago +1

    Phishing question: why can't a phishing website act as a live man in the middle? A user sign in request goes to the phish site, who passes it on unchanged to the real site. When the challenge request comes back, the phish site sends it to the user unchanged. The user challenge response gets sent back to the phish site, which again passes it on to the website, which successfully decrypts the response. Both ends assume authentication is successful, except now the phish site prevents further communication to the user and continues in the user's place. No passkey encryption/decryption by the phish site was needed. I must be missing something. (I'm assuming the passkeys are only for authentication purposes, but, if not, this would still be a problem.)

    • @jeffcrume 9 months ago +2

      Yes, passkeys are just for authentication, not confidentiality. TLS/SSL can help ensure that the site you are interacting with is authentic and not a MITM

    • @michaelcharl 8 months ago

      Thanks. Now I have another scenario. One unknowingly goes to an invalid website to login using passkeys. The website provides a junk challenge to the user. The user decrypts and re-encrypts the challenge using its own private passkey and passes back the response to the challenge. The website accepts the challenge without decrypting and provides the user with a screen the user uses to provide valuable info back to the website. Thus a theft occurred. How does FIDO stop this? @@jeffcrume

    • @minnced 3 months ago +1

      Passkeys are usually bound to the origin as a relying party (RP ID), which prevents any phishing domain from being capable of doing this challenge-response process.
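To make the relay and "junk challenge" questions in this thread concrete, here is an added example (not code from the video, the FIDO Alliance or any commenter): a simplified relying-party check in Go modelled on WebAuthn's ES256 assertion layout. The browser, not the page, records the origin and the RP ID hash in what the authenticator signs, and the site verifies both together with its own fresh challenge, so an assertion produced on a look-alike site, a replayed one, or one from a key that was never registered is rejected. The names bank.example and bank-example.test are constructed, and the authData layout is simplified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is all the website stores: the RP ID and the public key. The private key never leaves the authenticator.
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}

// Authenticator models the user's device or security key holding the private key.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// clientData records what was signed: the challenge and, crucially, the origin the
// browser actually loaded. The browser fills this in; a page cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response; AuthData begins with SHA-256(rpId).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// signedMessage is what ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
func NewAuthenticator() (*Authenticator, error) { // P-256 key pair (ES256, as FIDO2 uses)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}
// NewChallenge is the website's fresh random nonce for one login attempt.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
// Sign produces an assertion; in a real browser rpID and origin come from the browser, not the page.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, sign counter 1 (simplified)
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: origin}) // cannot fail
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// Verify is the relying-party side: own fresh challenge, expected origin, own RP ID hash, registered key.
func Verify(cred Credential, expectedOrigin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was signed for %q", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion not bound to this RP")
	}
	if !ecdsa.VerifyASN1(cred.Public, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

// Scenarios runs a genuine login, a phishing relay (the user is on a look-alike site
// that forwards the real site's challenge) and a replay; nil means "accepted".
func Scenarios() (genuine, relayed, replayed error) {
	const rpID, origin = "bank.example", "https://bank.example"
	auth, err := NewAuthenticator()
	if err != nil {
		return err, err, err
	}
	cred := Credential{RPID: rpID, Public: &auth.priv.PublicKey} // registration step
	ch1 := NewChallenge()
	as1, _ := auth.Sign(rpID, origin, ch1)
	genuine = Verify(cred, origin, ch1, as1)
	ch2 := NewChallenge() // issued by bank.example, relayed through the phishing page
	as2, _ := auth.Sign("bank-example.test", "https://bank-example.test", ch2)
	relayed = Verify(cred, origin, ch2, as2)
	replayed = Verify(cred, origin, NewChallenge(), as1) // old response, new challenge
	return genuine, relayed, replayed
}

func main() {
	g, r, p := Scenarios()
	fmt.Printf("genuine: %v\nrelayed: %v\nreplayed: %v\n", g, r, p)
}
```

A real authenticator refuses the relay even earlier, since it holds no credential for the look-alike RP ID; and the "junk challenge" site learns only a signature bound to its own origin, never the private key.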

  • @MartynStarkey 10 months ago +1

    I would like to know if once a Passkey is setup, can I remove the 2FA for that site?

    • @jeffcrume 10 months ago +1

      It depends on how the web site is setup and your tolerance for risk, but, in general, I would say that if your devices are FIDO compliant and you don’t use trivial passcodes on them, then, yes, passkeys should be sufficient because they would already include MFA (i.e., the device with the private key - something you have - and a biometric to unlock it - something you are)

    • @rytadz8786 2 months ago

      @@jeffcrume Was wondering if you can pair the passkey with a FIDO2 security key for sensitive websites like for your finances/banking?

  • @nikhilav 9 months ago +2

    Is Fido2 quantum safe?

    • @jeffcrume 9 months ago +2

      Not yet, but that’s in the works

  • @tommygrandefors9691 11 months ago +34

    I am shocked to hear that a ”Security Expert” says it’s ok to put your private key in the cloud. There are no guarantees on how your keys are stored there. A private key must be private for real. It shall be stored in protected hardware (enclave on your mobile phone, USB token etcetera) and all crypto related functions must be executed by that specific hardware. This is true 2FA since you now are in possession of that hardware. Account recovery can be solved by using other solutions, e.g. using a unique key pair for each device. There are unique key pairs for every site you login to anyway. Why decrease the level of security? To make it more user friendly? Well, here we go again. 😕

    • @toenytv7946 11 months ago +3

      I think blockchain can do all those things. I believe IBM would have a solution for that. These folks know their stuff.

    • @sonjaisaacs52 11 months ago +7

      After listening to him for a while I would give him the benefit of the doubt. He probably has some reasoning behind his answer; there always is.

    • @maulren 11 months ago +4

      I'm shocked to hear that someone has another opinion than me

    • @sarahpixley 11 months ago +11

      Both FIDO2 USB tokens and passkeys offer robust security, leveraging public key cryptography. The choice between them often depends on the user's specific needs, preferences, and the types of threats they are most concerned about. USB tokens offer strong security with the inconvenience of a physical device, while passkeys provide a more integrated and user-friendly experience with security that is largely dependent on the security of the user's device.
      Passkeys are not the same as putting your private key in the cloud. They are a more secure and user-friendly form of authentication that replaces traditional passwords.
      Passkeys use public key cryptography. They generate a pair of keys: a private key that stays on your device and a public key that is shared with the service you're accessing.
      The private key in a passkey system never leaves your device, which makes it more secure. It is not stored in the cloud. This contrasts with storing a private key in the cloud, which would be less secure because it could potentially be accessed by others.
      When you authenticate with a passkey, the service you're logging into challenges your device. Your device responds by using the private key to sign the challenge, proving that you possess the corresponding private key without actually transmitting it.
      - **FIDO2 Tokens**: Require the user to carry the token and plug it into a device. This can be less convenient, especially for mobile users or those using multiple devices.
      - **Passkeys**: Generally offer a more seamless user experience, especially with features like cloud synchronization across devices.
      - **FIDO2 Tokens**: Might not be supported by all services and can require users to purchase the token.
      - **Passkeys**: Increasingly supported and often built into operating systems and browsers, making them more accessible.
      - **FIDO2 Tokens**: If you lose the token without a backup, you could be locked out of your accounts.
      - **Passkeys**: Typically have recovery methods associated with the user's account, like cloud synchronization or recovery codes.
      Passkeys are designed to be more user-friendly than traditional password systems. They often work with biometric authentication (like a fingerprint or facial recognition) on your device, adding an extra layer of security without the need for complex passwords.

    • @jeffcrume 11 months ago +2

      What you described is, indeed, better and is the way a lot of implementations of FIDO work. That said, iCloud Keychain, 1Password and plenty of other password managers have leveraged encrypted cloud storage/sync for many years

  • @datastop400 9 months ago +1

    Gadgets no. They get lost, broken. Good luck with recovery. PW can work if you’re not just “people”. Massively complex PW. Done.

    • @jeffcrume 9 months ago +1

      As I said in the video, these can be synced securely in the cloud so that you aren’t dependent upon a single device

  • @jaibunnisamohammad9988 10 months ago

    The phone/tab option is not available in Mac Safari! Phone/tab is not available in Android Chrome

    • @jeffcrume 10 months ago

      Not sure what you mean. iCloud Keychain syncs these across MacBook, iPad and iPhone today

  • @jessejames586 8 months ago +1

    How can he write backwards so easily?

    • @jeffcrume 8 months ago +1

      I can’t. Search this channel for “how we make them” and you’ll learn the secret

    • @EricS-uf9mv 5 months ago

      I was wondering the same thing. I don't believe he is writing backwards. I think the recording system he's using is specifically built for see-through "whiteboard" teleconferencing presentations... it's inverting the video in realtime or doing it in post. The other option is he's using some type of high-tech, 2-layer/2-way, whiteboard that's doing the inversion.

    • @chawlagrv 5 months ago

      It's called a lightboard. Creator's website: lightboard[.]info

  • @npc73x 9 months ago +1

    One data breach of my private key, I am screwed

    • @jeffcrume 9 months ago +2

      Same for your password but your password would be far easier to guess in most cases and since it also resides on the server, it could be hacked from that side as well

    • @jeffcrume 9 months ago +2

      Besides, you have a different key for each site so the impact would be limited

    • @npc73x 9 months ago

      Is there any service available to say, my password wallet root password got exposed, so does anyone have my email@address stop accepting login from anywhere and provide me a password challenge to my email account

    • @kevinmcfarlane2752 5 months ago

      The key (pun) to all this is to note that passkeys do not provide absolute security. Nothing does. But they provide much better security than the existing paradigm. Also, it's going to be a gradual process. In the transition you'll use both "legacy" passwords with or without 2FA and passkeys. In fact, I inadvertently tested that the other day when I set up my first passkey in the browser and password manager. But it couldn't find it on my phone, so I had to use password + 2FA. Though the passkey did work on my iPad. I discovered later that this was because Google was the default passkey provider for Android. I've since changed that to my password manager, but haven't retested.
      I've spent a fair bit of time reading and watching stuff in the past couple of weeks or so and I've only now just tried a passkey on a relatively minor site, in that it's public for reading anyway. The best thing to do is to keep watching and reading and then proceed gingerly. I only started exploring this stuff when a few of my websites started popping up "would you like to use a passkey?" I answered No but then later started Googling about them. There are also a few interactive test sites you can try them out on. I did that too.

    • @hskimny 2 months ago

      @jeffcrume is this correct though? The passkey in this case is derived from my biometric data, no? Which is unique to me and can't be recreated in a new way. So once I lose that, I would be vulnerable to all passkey enabled sites, like my bank accounts?

  • @Adventures_of_Marshmallow 10 months ago +1

    The problem with passwords is NOT people. It's websites and software shifting the responsibility and accountability of security to their users.
    Again from the last video. Passwords are not inherently insecure. The ENTIRE process of logging in is just totally mismanaged by both software and website hosts.

    • @jeffcrume 10 months ago +1

      I take your point but I would say that passwords are inherently less secure than passkeys because they have no time limit and can be discovered by hacking the web site. Passkeys are time bound and there’s no secret stored in the web server so those are at least two aspects of risk reduction

    • @Adventures_of_Marshmallow 10 months ago +1

      You're still thinking about passwords statically. Think more dynamically along the lines of rolling encryption standards, but better. Every time the user logs in, the fully encrypted password that is stored there should be different. The server should never even know what the password is if everything is done right.
      In no way shape or form should a server remain static in regards to username and password entries. This was always the mistake and frankly it's shocking that it persists. Static stored logins will never be secure.

  • @StijnHommes
    @StijnHommes 7 months ago

    What you say about multiple devices is wrong. It's not something you can choose to use if you enable it. The system you're choosing to store your passkeys needs to support it too and right now, support for this is thin. Besides, putting your login details in the cloud makes the whole thing less secure. Just like putting your passwords in the cloud.

    • @jeffcrume
      @jeffcrume 7 months ago

      I’m doing it every day and the site you log into has no idea whether the keys were synced across devices or not. Granted, it would be best if you don’t put any of this in the cloud, and you don’t have to if you want separate keys for each device, but most people will opt for the sync, and even if they do, it’s far lower risk than what most do today in choosing their own passwords and setting them all to the same thing

    • @StijnHommes
      @StijnHommes 3 months ago

      @jeffcrume If people decide to use the same password for every single site instead of using proper password hygiene, they deserve to get hacked.

    • @minnced
      @minnced 3 months ago

      @StijnHommes security isn't only about protecting one user. One user being hacked can have drastic consequences for the entire system and every user on it.

  • @dav1dw
    @dav1dw 10 months ago

    i think you need to find a different way to draw a pipe + server

    • @jeffcrume
      @jeffcrume 10 months ago

      Sometimes a cigar is just a cigar, Dr. Freud...

  • @vitormiguelsilva3025
    @vitormiguelsilva3025 8 months ago +1

    The website should generate a random password / passphrase instead of asking us to create one.

    • @jeffcrume
      @jeffcrume 8 months ago +2

      That’s essentially what is happening in the generation of the public/private key pair. You don’t have to remember these

  • @oprrrah3498
    @oprrrah3498 8 months ago

    Yeah, Google is so trustworthy....

    • @jeffcrume
      @jeffcrume 7 months ago +2

      That’s the value in the standard. You don’t have to trust the service provider. You trust the protocol

  • @RedStarSQD
    @RedStarSQD 9 months ago

    I just modernized my desktop and created a PIN. Microsoft allows the PIN to be used as a passkey.
    My question is where is this information so that it can be manually backed up?
    I know OneDrive would back up settings. But, I don't trust OneDrive.

    • @jeffcrume
      @jeffcrume 9 months ago

      A PIN is not a passkey. It may let you use a PIN to unlock a passkey or a PIN instead of a password but in either case, the strength of the security would be only as strong as its weakest link and that would be the PIN

    • @RedStarSQD
      @RedStarSQD 9 months ago

      @jeffcrume thanks. I should not have said used as a passkey... but rather created or generated using the MS PIN as one ingredient. The MS PIN is not the traditional random PIN you are thinking of. It is based on credentials and machine ID.
      This is why I want to know how to back this stuff up... Where is this security info stored? Ultimately, I know you can store passkeys in Bitwarden.

  • @IvanMoscow-vx3jo
    @IvanMoscow-vx3jo 10 months ago

    You are saying that I have to presume that the security is public knowledge if I am not in control of it. Like how, BY LAW, Google, Microsoft, Amazon, Facebook, and so on must implement backdoors and I have no control over their security? That is literally worse than a safe password in my head or offline password manager...

    • @jeffcrume
      @jeffcrume 9 months ago +2

      That’s not at all what I said. I said that the public key is public. Your private key is private. Only you know it. Therefore, only you can answer the challenge which is encrypted with your public key.

  • @ProfessorJayTee
    @ProfessorJayTee 10 months ago

    TERRIBLE idea. Once they figure out how to "spoof" the passkeys? We're ALL fucked. Now, I have dozens of passwords, so if hackers manage to find one, they don't have ALL OF THEM. If they spoof my passkey, they have access to EVERYTHING I have access to... banks, investments, social media... everything.

    • @jeffcrume
      @jeffcrume 9 months ago +4

      Passkeys are unique for each site (just like passwords) and time limited (unlike passwords), making them even more secure

    • @EricS-uf9mv
      @EricS-uf9mv 5 months ago

      You can't "spoof" a passkey. Passkeys are UNIQUELY generated (ie. unique per website) "key PAIRS" created FROM a DEVICE BOUND "Master Key". The Master Key and the Private key half of the Public/Private key PAIRs it generates are LOCALLY stored. In fact the Master Key is hardware bound inside a hardware security module (HSM), a physical security chip inside your device, which cannot be divulged. Only the Public key half of the Public/Private Key PAIR is ever shared. Jeff isn't explaining the intricacies b/c frankly nobody on YT would understand the full crypto/authentication flow. The spec has been around for well over a decade and has been slowly evolving/expanding ever since. You can go read it for yourself, but you won't bc there's VOLUMES and VOLUMES of documents composing the FIDO, FIDO2/WebAuthn (Passkeys) spec.... and simply reading the spec won't get you "there" b/c you 1st need a DEEP technical foundation in cryptography basics... Authenticated Encryption (secure message signing), knowing the difference between symmetric vs asymmetric ciphers and their strength/weakness use cases, integer factorization and the discrete log problem and how this relates to PKI implementations leveraging RSA, DSA, DH, and ECC vs a symmetric cipher like AES-256 in CCM mode which passkeys also utilize. The bottom line is you can't simply "spoof" a passkey. It's literally a UNIQUE 256-bit random number bound to a hardware device, bound to an AppID (a website domain or app), and linked to an EPHEMERAL challenge generated randomly & in REAL-TIME by the Relying Party(RP)/website.