How Can Passkeys Possibly Be Safe?

  • Published on 25 Aug 2024

Comments • 168

  • @askleonotenboom 5 months ago +4

    Watch next ▶ What is a Passkey? ▶ th-cam.com/video/6lBixL_qpro/w-d-xo.html

  • @TallinuTV 15 days ago +4

    Another thing of note regarding passkeys is that the process of using them to sign in *_never_* involves transmitting the passkey itself. This means that unlike a password, your “secret” cannot be intercepted because it never leaves your computer (or hardware security key, etc)! It is simply used to cryptographically sign a “challenge” message sent by the service which is then sent back to the service, where it is decrypted by the other half of the key pair and compared to the original, thus proving that you are in possession of the correct key. Just like public key cryptography, it’s ingenious in its simplicity and strength.
    Not all services support multiple passkeys, or provide a comprehensible means of managing multiple passkeys if they do.
    You can avoid that problem by using something like Bitwarden (you mention password vaults, but didn’t really get into all the other benefits they have, and unless this has changed recently, Bitwarden is the only one with full passkey support on all devices).

  • @jeannehallock951 26 days ago +5

    As one of your normal stupid users, I just went through this with my son. He factory reset his phone, which wiped his passkeys, making it impossible to get into his Google account (which he used for all of his college communication). Until learning about this technology about 2 days ago, I had no clue this is what happened. Safe maybe, but not "fool" proof if you have no idea that a passkey is automatically being set on your phone, or that you are even setting up a passkey, or what a passkey is. Nor would I call it less frustrating.

  • @mitchellsmith4601 6 days ago +1

    I think public key cryptography using your face or fingerprint for the private key is pretty close to perfection, Leo.

  • @newlynsteve 5 months ago +5

    I always learn something from your videos Leo. Your full explanations and gentle pacing really help in communicating your knowledge. Thank you.
    Steve (in UK)

  • @pbrigham 5 months ago +31

    You forgot that with passkeys there is also no more phishing, as the key will not work on a fake website.

    • @StijnHommes 4 months ago +1

      Who cares. Hackers will find a way to use them on the real website that is the target anyway. You can spoof an IP, you can spoof your GPS location. It might take slightly more effort, but you can also spoof my identity.

    • @pbrigham 4 months ago

      @StijnHommes No, with a hardware key like Yubico the login is only possible with the key itself. No key, no login, it's that simple. But even more important than that is that there is nothing to hack, because the only thing stored is a public key that is completely useless; the private key is always in the hardware key itself, in your possession.

    • @aerialdude 4 months ago +7

      @StijnHommes You are mistaken. With a passkey, a phishing site will only get your public key (not your private key). With only the public key, there is virtually no possibility that an attacker could reverse engineer your private key (which is what they would need to do in order to sign in to the real website).

    • @freescape08 4 months ago

      I would have to better understand how the handshake works before changing to passkeys. Is the private key only ever on your device? Does your device do the comparison with the public key? (If so, couldn't the confirmation be spoofed to the server? And if not, couldn't someone pretend to be the server and request your private key?) Could someone spoof the public key after a data breach? I'm still not hearing the details.

    • @pbrigham 4 months ago

      @freescape08 You can have the key only on the device, but I don't use that. I use hardware Yubikeys (there are other brands, but the principle is the same). My keys can NOT be copied or replicated in any shape or form; no Yubikey, no login, as simple as that. Obviously I have several so I don't get locked out in case I lose one. I have configured them with a PIN also: wrong PIN 3 times and that Yubikey is blocked. Security-wise, at the moment it is the best method on the market, period.

  • @sparklephoenix9743 a month ago +5

    Hello Leo,
    I liked your video explaining passkeys. You explained it very clearly.
    I have some questions concerning passkeys left, e.g.:
    1. Google may know that it's definitely me, but how do I know that it's Google asking? This is even worse with you saying passkeys might work in the background without me even knowing. Let's assume someone breaks into Google and steals my public key. Computers are able to ask my number thousands of times in seconds. With enough returned numbers they might be able to "assemble" my private key.
    2. If a passkey is stored in my device: What happens if I change hardware or have a major operating system update or change my operating system on this device? After a major OS-update my husband was in trouble. To what part of my device is this passkey linked? Hardware or software or both?
    3. I use a password management tool and they do a lot of advertising for passkeys. I think it is a good idea concerning websites, but I won't change my master password to a passkey. If someone breaks into one of my devices, he will have access to my password management. My master password is only in my head.
    4. I have a friend who is a mathematician. He told me encryption is all based on large prime numbers. Of course there are infinitely many prime numbers, but the larger they are, the more difficult they are to identify. So there might be "doubles" in the known and frequently used range of prime numbers. This is another gateway, a back entrance, that non-mathematicians never know or think about.
    What do you think about these questions, especially No 1?
    Kind Regards
    Sparkle_phoenix

    • @CRan-ei6co 13 days ago

      1. For phishing and fake websites, passkeys are such an improvement over passwords. For one, they would need access to the public keys, assuming these aren't even protected by another layer of encryption on the server's end, but even with that it wouldn't work, as passkeys are tied to the origin (website), so a fake website wouldn't be able to authorise this request. (I'm not sure to what extent this can be worked around, possibly a passkey API vulnerability for a browser allowing you to fake the origin, but this may also be tied to specific secrets on that end such as the public site certificate, etc.) Keys stored on separate platforms like Apple, Android, etc. also use Bluetooth when signing in from, let's say, Windows, which is another form of protection against phishing, as the device needs to be physically in range for the authentication to be successful, while also being behind the extra layers of security your device offers, like biometrics.
      2. Passkeys can either be device-bound or synced. For example, device-bound passkeys can't be exported, such as with Windows storing them in the TPM, but can be lost by design. What you're probably looking for is synced passkeys; for example with Apple, passkeys are stored in iCloud Keychain, which is synced between your devices, and many password managers also support synced passkeys. For most services, you can also set up multiple passkeys for other devices.
      3. Some people like to store their passkeys and passwords together in the same password manager, which can be good and bad, but ideally if you have a master password and two-factor for your password manager then you should be good, especially if stored locally (which I believe all password managers that you use should be), just making sure you follow the 3-2-1 backup strategy so you don't lose access, keeping encrypted backups of your databases, keys and 2FA backup codes. Furthermore, most password managers offer extensions so you can automatically sign in with the passkey (if they support it). Adding to the security, since the authentication with your private key is done locally and it never leaves your device, it can't be intercepted because it's never transmitted and no third party will have access to it.
      4. Some services so far have adopted the passkey standard greatly while others are still a bit of a hassle such as google. Since passkeys are cryptographically signed and verified, these can be used to identify you so you don't even need to provide something for identification like a username or an email, you can just straight up use the passkey.
      Mathematically, yes a hash collision can happen where two inputs can produce the same output but statistically it's functionally "impossible" that the chances of it happening are pretty much zero.

  • @justinlloyd-jones1658 a day ago

    Great video Leo. Explaining the situation really well. I like that you also welcome challenges and it made it perfectly clear that there is no perfect system. Like risk in general, you can't get rid of it completely but you can try to reduce it.

  • @verdedoodleduck 5 months ago +4

    Thank you. The role of passkeys in the security ecosystem had never been really clear to me.

  • @user-ol6rd7pl5t 5 months ago +6

    I would like to see sensitive data such as banking apps & websites protected by 2 factor biometrics, face ID plus fingerprint, making sure that it can only be me accessing these accounts.

    • @askleonotenboom 5 months ago +1

      That's in a sense what Passkeys provide. If you have biometrics support on your device, that's how you unlock it so a passkey can be used.

    • @Ck87JF 3 months ago

      I think maybe they're suggesting that banks and other such places that store highly sensitive info often use SMS or email based 2FA which are far less secure than TOTP or Passkeys.

  • @DavidPereiraLima123 5 months ago

    If you use password/passphrase vault (be it an extension for browser or desktop), it makes password less of a headache and can combo easily with passkeys. Setting it to clear clipboard after pasting where needed and combining with passkeys makes for solid security. Passkeys alone with traditional password usage (typing it) is very strong already.

  • @protectyourbusiness a month ago

    Great video. I like how you talk about different attack vectors to have different levels of relevance and mitigations. It's crucial for people to understand the efficacy of security features like passkey.

  • @KarlBeeThree 4 months ago

    Wow Leo, you've just opened a new door for me to check out and see what's in there for me. This sounds very intriguing. Thanks Leo!

  • @BrotherMichaeloftheCross 5 months ago +4

    You make really good points, but Microsoft's system glitches now and again and they prompt you to sign in. It happens too often for me and I don't know why. It is possible for Microsoft themselves to fail and you might have to work a little to get signed in. If the time arrived when their system didn't work, I would be unable to sign in. The breakdown of systems you described is not very likely, but Microsoft itself is subject to frequent glitches that leave you stuck until they are satisfied you are who you say you are.

  • @luckymapache 4 months ago

    Thank you for your explanation. Now I'm confident enough to use a passkey.

  • @libbyd1001 5 months ago +2

    One of your best, thank you.

  • @thecatlady-n3n 3 months ago

    Thank you for this Leo. You have a new sub here ❤ I so far have 2 passkey-protected accounts. I was prompted to activate the passkey, so I think the platform you're using has to implement it. Maybe Meta should think about introducing a passkey log-on for users.

  • @Ultrajamz 2 months ago +2

    If I understand, the real advantage I see is just that passkeys are device specific. Is that always the case by definition? Also, can they really replace passwords? Doesn’t the account need it anyway for the scenario of not having the original device anymore? Can’t malware get device info to allow it to be spoofed?

    • @askleonotenboom 2 months ago +1

      Passwords are not needed, as long as there's a different way to authenticate -- like an email sent to the account of record, or a message sent to a phone.

    • @Ultrajamz 2 months ago +1

      @askleonotenboom I guess I am thinking of very critical items and odd situations. In another country, phone stolen, need to get into my email… can’t if it's passkey only. With a memorized password I have a chance. (Ignoring the hail mary of “question based password reset”.)

    • @Ultrajamz 2 months ago +1

      To add to that, it seems from what I see… we can’t export passkeys… meaning if I built up all this history of passkeys with windows hello (or whoever)… I’m pretty dang locked in… if they change policies or I don’t want windows apps installed on my linux box, or move to macos… issues!

    • @askleonotenboom 2 months ago

      I don't see how you're locked in at all. Basically you set up a passkey on a new device, or you can invalidate the passkey on the current device and set it up anew.

    • @Ultrajamz 2 months ago +1

      @askleonotenboom So say I have 30 passkeys for 30 websites with Windows Hello. I decide I don’t want Windows Hello anymore, I want to use Bitwarden instead. I now need to set this up anew, one by one, for each of the 30 sites, because there is no “export/import” standard for the passkey… that friction is so high it may as well be lock-in, no?

  • @RC-1290 5 days ago

    What I don't understand is why discussions about Passkeys never seem to compare them with Password + second factor authentication. It seems to me that passkeys mainly remove one factor: the password. How is that safer?

  • @David.M. 5 months ago +1

    Great information, thanks Leo.

  • @dav1dw 5 months ago +5

    Can't the malware steal the cookies and get into the account even with passkeys?

    • @johnhpalmer6098 5 months ago

      Cookies I don't think do anything with passwords. Cookies are what is used to track your movement inside the site and that data is aggregated and sold off to other marketers who then can try to get you to buy something that is similar to what you just browsed for. That's it as far as I know.

    • @Samy-ck8oo 5 months ago +3

      Unfortunately, if your session cookies are stolen, they can get access to your account, specifically if you don't log out of the account after using it!!

    • @STONE69_ 4 months ago +1

      @Samy-ck8oo Exactly, keeping the account open at all times is how they are doing it nowadays.

  • @VanNguyen-bs5kw 19 days ago

    Thanks for your explanation, Sir. 💟💟🎀🎀

  • @markd.9538 3 months ago +1

    What happens when you drop your phone (with passkey) into a toilet and lose its contents completely?

  • @toby9999 13 days ago

    Very interesting but it sadly went right over my head. This is an area of IT that I struggle to understand. This and pretty much everything related to how the web works... IPs, ports, end points, URLs, TCP, etc.

  • @chrisluke2264 3 months ago +1

    Question. First, nice job explaining things. You provide a lot of helpful information. Don’t you need/have a username and password to create an account on a website? So, even if you have a passkey, couldn’t someone use your username and password to sign in? Even if you set the default sign-in to be a passkey? Or, if you don’t have your phone handy and want to sign in on a friend's computer to check your email, what happens in that case? I think passkeys are a great idea, but before I start using them I want to know the “what if” scenarios. And what do you do when you get a new phone? Thanks.

    • @askleonotenboom 3 months ago +1

      Not necessarily. Services are moving to being passwordless. When you attempt to sign in the first time they authenticate you some other way, like an email to an alternate email address, or a text message, or a notification on an app.

    • @chrisluke2264 3 months ago

      @askleonotenboom Thanks for the info.

  • @RohitKumar-qt1hr 3 months ago

    Great explanation, Leo!

  • @frankduxfan 4 months ago

    I love passkeys, it's just that not a lot of apps and sites use them yet.

  • @jvoldby 4 days ago

    What is the difference between a password vault and a password manager? And if conceptually the same thing, would it not be easier to understand only mentioning a password manager?

    • @askleonotenboom 3 days ago +1

      Same thing. Unfortunately both terms are used interchangeably throughout the industry.

  • @MarshallLevin 5 months ago +3

    Isn't your Windows Hello PIN now a single point of failure?

    • @askleonotenboom 5 months ago +1

      Assuming you use the same PIN everywhere, it can be, yes. Hence biometrics is preferred. But the PIN can be different for every device/computer. (And Windows PINs can also be as complex as you like, much like a password, if you're concerned.)

  • @albatross7 3 months ago +1

    Passkeys should also be portable between different password managers. I don’t want to be held hostage by a service.

    • @Flexin010 3 months ago

      They are. Bitwarden started using passkeys 😊

    • @albatross7 3 months ago

      @Flexin010 Can it be exported to other password managers like we do for passwords and notes?

    • @Flexin010 3 months ago

      @albatross7 Yes. I've tested LastPass and KeePassXC. They both can import/export vaults.

  • @marcusaureliusf a month ago

    What I'm worried about is this: now the same PIN that unlocks my device can unlock my accounts. So if you give your PIN to a family member to play some games or in case you're driving and you want somebody else to look something up on Google Maps (or, worst case scenario, if you need to give your PIN to a robber) they'll have access to everything. I think I'd miss the option to have at least two access levels to my stuff.

    • @CRan-ei6co 13 days ago

      Yeah, that seems to be one of the main concerns (especially revolving around biometric laws pertaining to breach of a person's device). However, you can use third-party solutions like password managers and store passkeys there behind a master password and forms of MFA; these aren't device-bound and can be synced as well, allowing you to share certain passkeys if needed or easily back up. These apps can also be installed on your mobile device; however, I prefer not to sync things in the cloud and keep everything local and backed up.

  • @TomCarrollJr 4 months ago +1

    According to Chat GPT / Gemini answers, Passkeys are designed with security in mind, and by default, there currently isn't a way for a surviving spouse/partner to access your data directly if you pass away. This is because passkeys rely on biometric authentication (like fingerprint or facial recognition) or a physical security key for verification. Any thoughts on that?

    • @askleonotenboom 4 months ago

      Or a PIN, on Windows machines. Not sure what thought you'd want me to have? Disaster planning is important, and I have videos/articles on the topic. Passkeys don't alter that.

    • @Ck87JF 3 months ago

      As Leo suggested, you want to plan these things with your partner. You can set up a password manager with shared access in which you store very long & complicated passwords for certain systems like email and banking. And then if you store passkeys in them, that should get you in without needing biometrics.
      Windows Hello and other systems that do the back-end authentication can usually take multiple fingerprints, so you could store prints from both of you. The backup Windows PIN could be a long phrase like "apple zebra sander ketchup beach horse 385326$" that you store in the shared password manager, so even if biometrics don't work, you can still access the computer.

  • @roobscoob47 2 months ago

    Thanks, Leo!

  • @cmsathe666 4 months ago +2

    Leo Sir, Scenario 3: the mobile owner created passkeys on the mobile; then if somebody creates a clone of his fingerprints or duplicate fingerprints, in that case websites can be logged into with fake fingerprints using the passkeys on it. Is it possible? Thanks 🙏

    • @askleonotenboom 4 months ago +1

      Pretty extreme scenario that I don't worry about, but sure. Once you realize your phone is missing you can disable all the passkeys stored on it, though.

    • @Ck87JF 3 months ago

      @askleonotenboom To be fair, that may present a challenge. For example, if you're traveling with only your phone and your computer is hundreds of miles away, how do you access your passkeys, passwords, or email? Sure, it's an edge case, but one I think about sometimes. I've run into cases where my phone dies while I'm away from other tech, then I inevitably need some kind of access for some reason, and I feel paralyzed.

    • @ma3xiu1 3 months ago

      @Ck87JF You can carry a physical security key (e.g. a Yubikey) as a backup. They are small and light, and don't have any battery inside.

    • @Ck87JF 3 months ago

      @ma3xiu1 That's a good point. I have one! My cloud password manager's password is something I don't know, as it's stored in a local password manager on my laptop, but I just had an idea of using the Yubikey to store its password.

  • @jx5189 21 days ago

    I think pure passwordless will not happen for the foreseeable future; admins will always use passwords as a backup. What happens when the user loses the passkey or access to the passkey?

  • @StijnHommes 4 months ago

    16:00 Sending an email to an account and expecting someone to hit a link to log in ignores that you should never click on links in an email. (And those emails often take not just a little while but more than 24 hours, or they simply never show up.)
    20:00 If I can't even use my password vault on a computer that doesn't have it installed, using it to store passkeys is not going to help me sign in, since you can't even practically type them.
    I still need to type in my password after opening my vault and keep my password storage offline.

  • @mrscig2639 2 months ago +1

    Hi Leo,
    My concern is when someone hits you over the head. You're now lying on the floor, and the thief holds your phone up to your face and unlocks it. Now they have access to everything that you set up to allow Face ID to unlock.

    • @askleonotenboom 2 months ago

      Do you hear of that happening often? I mean, other than in (fictional) television shows? It's not something I worry about.

    • @tablettablete186 2 months ago

      @askleonotenboom That actually happens in my country 😢

    • @somebodyoncetoldme2664 a month ago

      @@tablettablete186 You should probably be more concerned about your physical safety than securing your PH account LMAO

    • @JJ_in_Raleigh 11 days ago

      I'm not sure the facial expression you would have while knocked out (e.g. eyes closed) would satisfy face ID.

  • @IsabelleIsabelle01 5 months ago +1

    Is the automatic password on Chrome considered a pass vault? Can I use a key pass for it?

    • @CraigLong 4 months ago +1

      Chrome can create a passkey for you that is only on your device.

  • @itsmisterchris 2 months ago

    What I don't understand is why systems don't have the ability to only allow sign-in from a device you authorized and added. Even if the password got stolen, then nobody else can log in.

    • @askleonotenboom 2 months ago

      That's exactly what passkeys do.

  • @markallen8226 3 months ago

    Excellent, thank you.

  • @davidblack1923 4 months ago

    Nice, and how do I administrate passkeys for a company with 2000 people, so I don't have to configure each one of those manually?

  • @picopita 3 months ago

    Upon creating the passkey, when the public key is generated/sent/stored on the service's servers, and there happens to be a data breach that renders that public key useless, what then happens with the public key? Is it regenerated upon the next login attempt, or how does that work?

    • @CRan-ei6co 13 days ago

      For the most part, the public key is still useless as you will need the private key in order to complete the authentication on the legitimate website preventing phishing. The authentication request can't be made on a separate website (for example a phishing website) as the passkey is tied to the origin and I believe checked against the websites public certification for validation.

  • @Meowski_2 4 months ago

    I swear, if a combination lock had a voice it would sound like Leo 😂

    • @askleonotenboom 4 months ago +1

      "Access Denied"

    • @Meowski_2 4 months ago

      🤨 .... Better Ask Leo to figure out why

  • @janem3575 7 days ago

    Could you make a video on malware / anti-virus protection?

    • @askleonotenboom 6 days ago

      Like this? th-cam.com/video/ecRPfN7k0zw/w-d-xo.html

  • @Romahotmetytky 2 months ago

    How about the scenario when someone goes to an internet cafe and uses their PC to log in to a server? The private passkey is stored on that PC, right? Then if another person logs in, they potentially can be authenticated to the same server?

    • @askleonotenboom 2 months ago

      I don't see how, no.

    • @Romahotmetytky 2 months ago

      @askleonotenboom If your device, e.g. a PC, has been bootstrapped already and you are logged in to Gmail, then when you log out of Gmail and try to log back in, how does it work? If you don't need a password etc., do you just browse to Gmail and it logs you in automatically?

  • @user-ol6rd7pl5t 5 months ago

    Would there be a way of using them to authenticate emails, meaning they couldn't be faked/spoofed? I really hate spam emails & would really like to see a time when not only could they not be faked but also be traceable back to whoever sent them, so I only receive them from genuine, identifiable sources. IMPO everyone using the internet should be 100% accountable for everything they say or do on it.

    • @askleonotenboom 5 months ago

      There's already technology in place for email verification. No one's using it because it's too cumbersome. (Passkeys are related only in that they use cryptography as well, but they don't apply to email.)

  • @nigelogilvie9450 5 months ago +1

    OK, Leo, I'm convinced. But how can I initiate this?

    • @johnhpalmer6098 5 months ago

      One way: do a little research on how.

    • @askleonotenboom 5 months ago +2

      Just check to see which of your services have it as an option. Google does, for example.

    • @mikepanchaud1 5 months ago +1

      E.g. with Google, log out and in, and it will offer a passkey as an option. Or it should be in account settings.

    • @nigelogilvie9450 5 months ago +1

      @johnhpalmer6098 Such as asking an expert who has just posted a YouTube video, you mean?

    • @nigelogilvie9450 5 months ago

      @mikepanchaud1 Thanks

  • @rustyrob 4 months ago

    Do we still need 2FA with passkeys or can we turn it off?

  • @Flexin010 3 months ago

    I like Bitwarden. If my device is stolen, I can log in from another computer and revoke and log out all devices.

  • @johnbaker2810 4 months ago

    Am I right: once set up, passkeys switch the default task of identifying you to a local device, instead of piping your payload of info requesting authentication over the cloud. So if I set up a passkey PIN of 12345 on a Windows machine, by default that PIN works for me only on that device.

    • @askleonotenboom 4 months ago

      That's my understanding, yes.

    • @johnbaker2810 4 months ago

      @askleonotenboom Thanks! Also, it seems my user account / password will still exist, so the benefit of passkeys is mostly the reduced incidence of keying and transmitting account names/passwords, because when keyed, they can be intercepted either on-device or in transit and used anywhere. But an intercepted passkey is useless beyond the device it was created on. Right?

    • @askleonotenboom 4 months ago

      @johnbaker2810 Yes, and even better, it's EXTREMELY difficult to intercept a passkey. (For one thing, that would require malware on your machine.)

    • @johnbaker2810 4 months ago

      @askleonotenboom Very good! Last question (for now): if my account name/password still exist, with all their foibles, what's to stop someone from logging in and removing my created passkeys, or even creating their own on my account? I guess I'm starting to think the userID/password remains the threat it always was... minus a reduced exposure surface.

    • @askleonotenboom 4 months ago

      @johnbaker2810 I expect this to be step one to a password-less future. No password, no password-based threat. One thing you can do that gets you close is to make your password ridiculously long (since you'd never use it). Save it in your password vault, of course, but simply never use it. The huge thing passkeys prevent is falling for many types of phishing attacks. No password to type means phishing has nothing to capture.

  • @bme7491 a month ago

    I couldn't care less about Google or Microsoft. The real disaster is that almost every banking/financial institution website in the US doesn't offer passkey 2FA.

    • @askleonotenboom a month ago

      Agreed. They should offer 2FA options beyond SMS ... and yet, here we are.

  • @chriscodrington5464 4 months ago

    So should someone manage to crack Windows Hello, would a myriad of passkeys become accessible?

    • @Ck87JF 3 months ago

      Windows Hello face recognition has been cracked insofar as someone with a very specific intent to access your computer can take a picture of you, convert it into a special type of image, and use some specialized hardware to trick your computer that a new webcam has been plugged in and that you're sitting in front of the computer. But this is a very targeted attack vs one that can be launched across the world automatically, so it's less likely to occur.
      But yes, with this attack, whatever Passkeys that Hello is securing would be made available. You could instead secure Windows Hello with a security key like a Yubikey (and secure that with a strong PIN you've not used anywhere else).

  • @johnwagoner2279
    @johnwagoner2279 4 months ago

    How can pass keys be made on Android devices?

    • @askleonotenboom
      @askleonotenboom  4 months ago

      Depends on the service you want to use Passkeys with. Check with them.

  • @williamwilliams7706
    @williamwilliams7706 5 months ago

    If your phone is your passkey, is it vulnerable to SIM swapping?

    • @steves1749
      @steves1749 5 months ago

      Had my SIM swapped last week. And I'm diligent. Came out of nowhere.

    • @MaxPower-11
      @MaxPower-11 5 months ago +2

      No. Passkeys are safe from SIM swapping as they are tied to the device, not the SIM.

  • @ninakim7282
    @ninakim7282 2 months ago

    GREAT.

  • @benpennington7532
    @benpennington7532 months ago +1

    I don't think one's own passkey is sent to the service as you say. That's the major feature that gives the improved security. I think you are misinformed and spreading that misinformation.

    • @askleonotenboom
      @askleonotenboom  months ago +1

      Then I wasn't clear, because you are correct, passkeys are not sent. They are USED, cryptographically.

  • @DaveYostCom
    @DaveYostCom months ago

    “Extremely unlikely” does not apply for a person who is a high value target.

    • @askleonotenboom
      @askleonotenboom  months ago

      Which is generally not my viewers or readers.

    • @DaveYostCom
      @DaveYostCom months ago

      @@askleonotenboom How can you know? Most high value targets are not techies. And I think HVT is a very important concept that people need to know about. Some people who are not a HVT know one or more.

  • @franciscohorna5542
    @franciscohorna5542 5 months ago

    Question: can a passkey be hacked?

    • @Samy-ck8oo
      @Samy-ck8oo 5 months ago +2

      Bypassed by session cookies theft

    • @franciscohorna5542
      @franciscohorna5542 5 months ago

      @@Samy-ck8oo Really?

    • @MaxPower-11
      @MaxPower-11 5 months ago

      @@Samy-ck8oo True. However, it's important to note session cookie theft is a vulnerability that applies to just about every other form of secure authentication, including password coupled with MFA using SMS-based or authentication app login.

    • @MaxPower-11
      @MaxPower-11 5 months ago

      @@Samy-ck8oo Yes, but so can practically any other form of secure authentication.

    • @askleonotenboom
      @askleonotenboom  5 months ago +1

      Passkey itself cannot, no. (Well, yes, but it would take thousands of years of cryptographic analysis / brute force.)

  • @stevenbliss989
    @stevenbliss989 3 months ago

    I will NEVER sign to any service on my phone, NO BIG BROTHER FOR ME!!!!!!!!!!!!!!!!!!!!!!

  • @monza8844
    @monza8844 5 months ago +5

    It's not a good system when it takes 22 min to explain.

    • @mikepanchaud1
      @mikepanchaud1 5 months ago +1

      Not true. I set up my Google account with my fingerprint in a minute before I saw this video. I now feel secure and educated, having watched it!

    • @Kenionatus
      @Kenionatus 3 days ago

      Ideally, end users don't need to know how it works behind the scenes. It's already that way with session cookies and similar tokens.

  • @StijnHommes
    @StijnHommes 4 months ago +1

    Passkeys can't be safe, but more importantly, they increase the risk of the account owner not being able to get in and that is a serious problem.

    • @askleonotenboom
      @askleonotenboom  4 months ago +2

      This is incorrect. You will not lose access to your account if you lose your passkeys. See "Passkeys are never the only way in" in askleo.com/passkeys-and-disaster-planning/

    • @StijnHommes
      @StijnHommes 4 months ago

      @@askleonotenboom So the other ways in can get leaked as well. As long as there are recovery options, they will be abused, so effectively, it's no safer than using a PIN number on the account itself.
      And if the device carrying your passkey is ever lost, broken or stolen, you have to reauthenticate to all your accounts with the new device to get new passkeys. And that is skipping another important point, logging into Windows with a PIN is much, MUCH less secure than a well-chosen long and unique password, because a PIN has a much more limited character set that can easily be brute-forced. [and no, not every device has a camera or fingerprint scanner, and even if they do, those things can also break -- and we should have to leak biometrics to get into our accounts.]

    • @StijnHommes
      @StijnHommes 4 months ago +1

      @@askleonotenboom Let me be clear: if someone knows your Windows Hello PIN number and is thus able to unlock your PC, a passkey offers no additional protection because it opens with the EXACT same credentials. The passkey itself might be entirely unique, but it is sent based on the exact same code you enter. Using a password means they need to know your Windows Hello PIN AND the password to the account they want to sign into.
      Two [different] steps is automatically more secure than one.

    • @CraigLong
      @CraigLong 4 months ago

      @@askleonotenboom Can we keep the hacker from using those other methods of getting in? To use a less secure method it would be nice to use some authentication.

    • @Ck87JF
      @Ck87JF 3 months ago

      @@CraigLong Some sites allow you to disable some methods of authentication, but other sites are much less configurable.

  • @ventilate4267
    @ventilate4267 3 months ago

    xkcd comic 538 is relevant here.