Passkeys are HERE and they're SECURE! Learn this today...

  • Published on 21 Aug 2024

Comments • 636

  • @robertburley6506 3 months ago +3

    Best content on passkeys I've seen so far. Thank you! Regarding the Best Buy example, you say that you don't have to worry about Best Buy getting hacked but how is that the case if they don't give you an option to completely remove your password?

  • @travails3829 1 year ago +18

    Correction: the private key answer to the challenge is checked on the server, not the client. It would be no security at all if the device was just sending "whether or not the challenge was successful" to the server. :D

    • @karicallegra8194 1 year ago

      Was coming to say the same thing... would def be pretty sus lmao

    • @isovideo7497 1 year ago

      Presumably the servers would also have to use the public key to encrypt a unique timecode in the data sent, and then verify the same timecode in the response, in order to prevent client playback attacks.

  • @chrismargolis 1 year ago +220

    I love the idea of passkeys and their simplicity, but the biometric nature concerns me. In the US, the government/police can’t force you to reveal a password. That is because it’s considered a 1st and 5th amendment protection. Biometric based logins are NOT protected in the same way. That is why password managers w/ security keys still seem like the best way to prevent government intrusion.

    • @WanderTrekker 1 year ago +48

      The "freest" country in the world 🤣🤣

    • @graysonpeddie 1 year ago +5

      @@pinky6863 So what if I'm required to give them a 256-character password from my password manager? :) Passwords won't come cheap! :)

    • @WanderTrekker 1 year ago +15

      @@pinky6863 In Germany both are protected under our "Grundgesetz"/constitutional law, and also under the "Strafprozessordnung"/Code of Criminal Procedure.
      You don't have to give anything (information and things) to the government which *could* incriminate yourself.

    • @damiendye6623 1 year ago +2

      @@pinky6863 Not sure you're right, as you are required to give prints and DNA samples if you're arrested in the UK. And we have new laws effectively going to make it illegal to use these because of the lack of a government back door.

    • @Alex-zv4oc 1 year ago +7

      Exactly, but also people near you can use your finger or Face ID to get access. Somehow, brains are protected 😅 I would not use Face or Touch ID to confirm.

  • @williamhughmurraycissp8405 1 year ago +50

    The biggest limitation of Passkeys is the small number of applications that offer the option and the users that adopt them. Hopefully those will grow with time and videos like this one.

    • @CD-vb9fi 1 year ago

      To me the biggest limitation is losing control over my own Identity. PassKeys can be hacked just like LastPass, Comodo, Zero Ring, Golden Ticket, I mean... all this does is create a more valuable target... sure we might save the morons from being "hacked" but now even the geniuses will be forced into this ecosystem and they will now become less secure.
      Remember the old joke... if you are being chased by a bear... all you need to survive is to be faster than the slowest person? It's the same concept. With "gimmicks" like this... it makes even the fast as slow as the slowest! Now... you have to rely on someone else's ability to dictate your survival and you will not have any ability to understand this technology to fix it when it goes wrong... but the hackers will... they will know more about your own security than you ever will. You have a job to do and can't dedicate the attention necessary.
      But they have time... they have plenty of it since they get paid by their various governments to datamine your "identity" or just flat out NSL the data directly without any way for you to know or even challenge it.
      A day will come where an employee is fired because a government somewhere does something with their account and how is the poor sap going to be able to prove any of that? The entire ecosystem is completely outside of their ability to even "know" which means courts will throw out all of your challenges because you can't even prove harm...
      And just like that... the entire world is compromised. Especially as AI takes off.
      Nothing beats a personal password where your brain is the storage medium.
      These are only to fix the problems with the stupid and lazy.

    • @ianl1052 1 year ago

      Agreed. So far, even Amazon doesn't accept it (yet). However, because Google does, you can use it for any account you can access via Google including PayPal...which is pointless because PayPal accepts passkey.

    • @freemagicfun 1 year ago +3

      I like the idea of passkeys, but yes it seems like the acceptance by apps & sites is woefully slow. 😎

    • @bkbroiler5946 10 months ago +2

      @@freemagicfun It's just so complex. Not many people even understand this, so even if the sites offer it, I imagine almost no one uses it.

    • @CyberMedics 8 months ago +2

      All of the major email platforms and operating systems are supporting them (Apple, Google, MS, outlook, gmail). But true that most others services do not support them or hardware security keys. The banking industry is woefully behind on the security front.

  • @GerryVeerman 1 year ago +3

    Agree.
    This video explains the matter thoroughly and clearly. Helped me a bit further in grasping the passkey tech.
    Important to highlight though:
    - The ‘passkey technique’ is what it’s all about.
    Which hardware you use to make it happen is secondary. (You don’t need ‘security keys’ per se to be able to use the passkey authentication.)
    - For now it depends on the OS / browser version used whether it can handle passkey QR codes. Hopefully third-party apps for devices will soon pick up the art of handling, syncing and storing passkeys.
    - An example of how the latter can bite you in the tail is the nasty surprise for the Apple ecosystem: when using security keys, for example, it needs all your devices to be running the latest OS.
    It’s all or nothing. If you implement security keys, any device not able to run the required OS is at a loss (booted out of the ecosystem).

  • @tekenator 1 year ago +14

    Once a passkey is set up, is the option to sign in with a username and password no longer available? How does recovery work if I lose my device?

  • @jaxxarmstrong 1 year ago +13

    Yubikeys are great, but due to the inherent limitations of 2FA secret storage on their keys I'm waiting for them to upgrade that storage and release their 6th series before I buy a handful.

    • @RogierYou 1 year ago +7

      And their recent price increase 😡

    • @MegaLokopo 1 year ago +1

      I would highly recommend you don't buy security keys. If you enable Google's highest level of security, and they detect a potential attempt to break into your account, Google will immediately disable every way of logging into your account, and disable all of your security measures, including your password, then require you to reset your password via a link in your Gmail, then only after resetting your password will you be able to re-set up your security keys.
      If Google can't even trust a YubiKey, a Titan security key, 2FA via Google's app, passkeys, and passwords to verify who I am, you probably shouldn't trust them either.

  • @JohnnyBean78 5 months ago +3

    7 months later and still going forward, passwords are still here and rule the day and not dead!

  • @macbitz 1 year ago +15

    I think passkeys are a great idea, and as (another) IT professional I understand the benefits. However, they are not without their issues. You have to consider adoption and compatibility, their adoption may not be universal across all platforms, applications, and devices, and some older systems or browsers might not support FIDO2/WebAuthN, limiting their widespread use. You also have the hardware dependency with the issues that brings (forgetting or losing your device, backup and recovery). Initial setup complexity - as has been pointed out in other comments, how do you get your non-IT literate friends onboard with this? Finally cost - not everyone can afford one (really).

    • @Felix-ve9hs 1 year ago

      Also, have you seen how many dependencies FIDO2/WebAuthN has? It is so much work that most websites will probably never provide it, unless forced by their government...

    • @williamhughmurraycissp8405 1 year ago +1

      Jones' Law: "Anything hit with a large enough hammer will break." All security mechanisms have limitations which should be considered when deciding whether or not to apply them in a particular environment. That said, Passkeys offer a balance of security and convenience that works for a broad range of applications and environments.
      As to "too much work," there are, or will be plug-n-play implementations for most environments. Compared to doing nothing, they are "work." Many, not to say most, managers of websites are reluctant to do any work until they get slammed. I never cease to be amazed at the number of managers who opt for cure over prevention. However, the environment is becoming increasingly hostile and password reuse is a favored method of attack. Perhaps, keeping one's resume up to date is the least work. However, being associated with the victim of an extortion attack may blot an otherwise spotless record.

    • @HarmonicaMustang 1 year ago +4

      I'm a (yet another) IT professional. I work in education. Shared computers are a common device deployment method for cost savings, so hardware-tied private keys would not work in this environment. There's also the problem of personal devices. 2FA implementation is always a controversial topic as for one, smartphone use tends to be discouraged, and two, staff are always against using their personal devices for work purposes, and schools do not have the budgets for hardware tokens.

    • @williamhughmurraycissp8405 1 year ago

      @@HarmonicaMustang Admittedly, Passkeys are neither as convenient nor as secure on multi-user systems. On the other hand, the majority of modern computer users have never used a shared computer, not even a PC. Most have only used a mobile computer, a single-user system. Many of our security risks today are relics of shared systems. As the cost and scale of computers continue to shrink, solutions like Passkeys will become increasingly convenient and secure.

    • @jamespulver3890 10 months ago

      @@williamhughmurraycissp8405 This misses the knowledge that there are lots of situations both in work and at home where shared devices make lots and lots of sense. I'm thinking of a shared public PC in a living area where random visitors might well need to check their e-mail, but don't carry a laptop (and find a full desktop a lot easier than their phone), a Roku TV where a visitor would like to load their Netflix profile for one movie, etc.
      In the work environment I'm thinking of all sorts of kiosks where you have manufacturing, scientific experiments, library-style public access systems, projection control computers - anything needing walk-up access that might require authentication as different users for cloud services, work processes, etc.
      And in work locations this is going to be even harder because you'll want to give access via a many-to-many matrix for users - both if their laptop dies you want to hand them a new one they can start using immediately, but also access to the corporate cloud e-mail, cloud storage, local services, plenty of shared systems you remote into for various reasons like terminal servers and more.
      And from a work location there's the reverse issue of many of these hardware things just not being available to all OSs - if you use Linux you can't (as far as I can tell) use a TPM to unlock FDE, and worse, the management is completely different between macOS, Windows and Linux. Passwords have converged to working the same across all platforms. Not to say passkeys won't potentially get there, but we have these special proprietary "secure enclaves" that often aren't as secure as we are told. So Apple doesn't use TPM from what I can tell, neither does Android. So we already have more Windows-only, or Mac-only, or Android-only implementations.

  • @cloudcultdev 1 year ago +33

    This is a great video, but couple of suggestions: I understand this tech really well (I’ve been an app security architect for roughly 15+ years, and went into platform architecture), but I tried to consider how my parents (in their 60/70’s) would take it. There’s still some assumptions made, like salted passwords, how key exchanges work, etc. So it’s kind of a decent primer for someone who already knows tech, and how FIDO/TOTP already work. I can’t say I could do any better though, because these can be difficult subjects to explain…but I think it’s something to consider, because it’s these groups (like my parents) who are the most vulnerable.
    Overall, this is a great video. It calls attn to a huge problem (and timely because I am forcing my parents to use a password manager this week). Thank you for creating the video!

    • @wlarsen70 1 year ago +1

      Agreed. It was a bit confusing and I came out of the video still not certain about what it is and what it does. Simplicity is the passkey for many of us.

    • @jamestemple8970 10 months ago

      I watched this video and all it did was convince me to not use passkeys until I have to. What happens if you lose your smartphone or don't even have one?

    • @seetentees 10 months ago

      @@jamestemple8970 It's not a great answer, but the idea is that any passkeys on your smartphone are synced with the mobile ecosystem owner's cloud password sync provider.
      So if you happen to have multiple e.g. Google or Apple devices already enrolled with Google or Apple's cloud password syncing service, they'll all magically have all of the passkeys either device has ever created. If one device breaks, you can use another device to enroll a new device into your ecosystem account, and it'll magically get all the passkeys synced up. This has obvious implications which are kinda concerning (mobile ecosystem vendor lock-in), but it is what it is.
      If a passkey is only on one of the devices from an ecosystem (e.g. if you made an account somewhere, provisioned a passkey on your solitary Android phone, and never enrolled a passkey elsewhere for that site) and you lose that device, you have two options:
      Option 1: Start the recovery process for the mobile ecosystem account tied to the device. So continuing the example, if you lost your solitary Android phone, buy a new Android phone, and use the recovery options for your Google account to sign back into it. Then it'll magically have all the passkeys previously provisioned.
      Option 2: Buy a new other device (iPhone or Windows device with Microsoft Hello, or any device plus compatible hardware security keys), then go down your list of actual passkey-protected accounts and invoke each one's recovery process to enroll new passkeys.
      At least for now, it's a great idea to enroll your convenient-to-use (but breakable/stealable) mobile device *and also* additional hardware security keys that you can lock up somewhere. Passkey auth requires some different factor (mobile device PIN or biometric lock, or hardware key PIN), so the idea is that even if someone stole your backup, they won't be able to log into anything. BUT if they destroyed all your backups and your main device, you're in trouble. The same trouble you'd be in if you lost your password pre-Passkeys. The crap thing is that you cannot simply remember your passkey, and you can't practically write it down. Practically, each passkey's private key will be hidden (even in some cases totally inaccessible) on a physical device, so you just need to make backups in the form of ... enrolled devices upfront.

    • @CyberMedics 8 months ago

      @@jamestemple8970 One thing he highlighted is that password managers now allow management of passkeys. I think a password manager secured with a hardware key is more secure for managing your passkeys, vice a device or Apple keyring.

    • @HorseTVGlobal 7 months ago

      @@jamestemple8970 I could not agree more, clear as mud. You expect the millennials to have even considered that scenario?

  • @TheSecurityAgency 1 year ago +7

    Cons
    1. Hardware passkey can be stolen,
    2. lost,
    3. maliciously borrowed (the worst type of attack besides
    4. can be cloned (not all of them).
    5. Price always x2, you need a backup key.
    To remove all four cons, a hardware key has to have a biometric sensor.
    As of now, there is no hardware passkey with a fingerprint sensor usable on Linux systems out of the box because you need proper drivers.
    Also it can't be used cross-platform on your customer's PC/Mac without driver installation.

    • @MegaLokopo 1 year ago +2

      Biometric fingerprint scanners can easily be beaten.

    • @TheSecurityAgency 1 year ago

      @@MegaLokopo
      Yes it is, especially while gobbling down popcorn watching Mission Impossible.

  • @lykp 1 year ago +11

    Clear explanations and nice overall.
    But some things are a bit oversimplified and even wrong.
    One such example is the note that password managers are susceptible to server hacks. To begin with, one could have local-only password manager databases. Moreover, these services have setups where even with low-quality master passwords, a server hack will offer no info to the attacker (feel free to check the 1Password setup).
    Furthermore, having a secure master password would basically be enough to prevent any brute forcing, even if the whole hosting server is completely compromised.

    • @bubi352 1 year ago +2

      Agreed. Also the "they need your PIN" - yeah cool...
      What I took from it is that the vector of compromising the secret holding service gets eliminated. So it's still no match for pw+(non sms)totp for corporate or self host scenarios.
      Big plus is that it is a convenient enough method to use for non tech people.
      About the amount of time to reset a password. Not a strong argument, this can be very streamlined.

    • @DFPercush 1 year ago

      I think he's talking about grabbing your account from some random website and cracking it with a rainbow table, not necessarily hacking the password manager's servers.
      A note about PIN codes, most modern devices have a secure element chip that is hard wired to prevent repeated attempts at brute forcing, so even if you have a 4 digit pin, while that's not great, a thief/spy/hacker would only get to try a couple dozen times before the timeout became days long. That would, in theory, give you time to mitigate the damage by updating your account information in the relevant places, unlink/remote erase the device, etc. Not all devices are equal though, so take it with a grain of salt. Might be worth looking up your device and how it handles that.

    • @CyberMedics 8 months ago

      @@DFPercush True. The iPhone has the self destruct mode (erase the phone) after 10 failed attempts.
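
The throttling @DFPercush describes (a secure element that counts failed PIN attempts and stretches the delay between them) and the erase-after-10-failures behaviour @CyberMedics cites for the iPhone, as an added Go simulation. This is not code from the video or from any device vendor: the delay schedule `lockoutAfter`, the `wipeAt` constant and the `PINGuard` type are constructed assumptions, not any real device's policy, and the simulation only shows why an attempt counter makes a 4-digit PIN survive a thief with the phone in hand.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Constructed schedule (assumption, not any vendor's numbers): how long the
// device refuses further attempts after the Nth consecutive failure.
var lockoutAfter = []time.Duration{
	0, 0, 0, 0, 0, // index 0 unused; failures 1-4: no delay
	1 * time.Minute, 5 * time.Minute, 15 * time.Minute, time.Hour, time.Hour, // failures 5-9
}

// wipeAt is the consecutive-failure count at which the device erases itself.
const wipeAt = 10

var (
	ErrWrong  = errors.New("wrong PIN")
	ErrLocked = errors.New("too many failures, retry later")
	ErrWiped  = errors.New("device wiped")
)

// PINGuard models the secure element's attempt counter. Real hardware keeps
// the counter in tamper-resistant storage so it survives reboots and reflashes.
type PINGuard struct {
	secret   string
	failures int
	unlockAt time.Time
	wiped    bool
}

func NewPINGuard(secret string) *PINGuard { return &PINGuard{secret: secret} }

// Try checks one PIN entry made at time now and updates the counter.
func (g *PINGuard) Try(pin string, now time.Time) error {
	if g.wiped {
		return ErrWiped
	}
	if now.Before(g.unlockAt) {
		return ErrLocked // refused outright; does not count as an attempt
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(g.secret)) == 1 {
		g.failures = 0 // a correct PIN resets the counter
		return nil
	}
	g.failures++
	if g.failures >= wipeAt {
		g.wiped = true
		return ErrWiped
	}
	g.unlockAt = now.Add(lockoutAfter[g.failures])
	return ErrWrong
}

// GuessesPossible simulates a thief who enters PINs 0000, 0001, ... as fast as
// the lockouts allow. It returns how many attempts fit inside window and
// whether the device wiped itself before the window ran out.
func GuessesPossible(secret string, window time.Duration) (attempts int, wiped bool) {
	g := NewPINGuard(secret)
	start := time.Unix(0, 0)
	now := start
	for i := 0; i < 10000; i++ {
		attempts++
		err := g.Try(fmt.Sprintf("%04d", i), now)
		if err == nil || errors.Is(err, ErrWiped) {
			return attempts, g.wiped
		}
		if g.unlockAt.Sub(start) > window {
			return attempts, false // the next permitted attempt lies outside the window
		}
		now = g.unlockAt // wait out the lockout, then try again immediately
	}
	return attempts, g.wiped
}

func main() {
	for _, w := range []time.Duration{10 * time.Minute, 24 * time.Hour} {
		n, wiped := GuessesPossible("7412", w)
		fmt.Printf("window %v: %d guesses, wiped=%v\n", w, n, wiped)
	}
}
```

With this schedule a thief gets 7 of the 10,000 possible PINs in the first ten minutes and only 10 in a whole day before the device erases itself, which is the "couple dozen tries before the timeout became days long" point above; what matters for a real device is that the counter lives somewhere the attacker cannot reset.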

  • @bugsy123 4 months ago +1

    Great description helping to show the overlap and underlap between Passkeys and hardware keys.

  • @n2hobbes 1 year ago +11

    **fast clapping** Thank you! Thank you! This is the best, most complete and concise explanation of Passkeys I have heard yet! This video is going to help me so much in explaining the technology more to my team at work and family/friends.

  • @kuhluhOG 1 year ago +4

    12:38 Yeah, about that.
    You can't force them to use their personal devices.
    So instead you give them a different device.
    And they WILL forget it at home (or lose it).
    I am speaking from experience here...

    • @williamhughmurraycissp8405 1 year ago

      Sorry, there is no remedy for stupid. "The dummies have it, hands down, now and forever."

    • @kuhluhOG 1 year ago +1

      @@williamhughmurraycissp8405 sure, but a password is easy to reset with these people, unlike a hardware key
      besides I wouldn't even call them stupid, it's just that given enough people, you will always have at least one person per day and it's always going to be somebody else

  • @jamesrosemary2932 1 year ago +2

    If biometrics is required it is not government proof.
    This is because your consent is not required to have your photo taken or your fingerprints extracted.
    Lifelong passwords reside in your memory/mind and no one can get into it unless you voluntarily want them to.

  • @dansanger5340 1 year ago +1

    Nice summary. I wonder if cloud based passkey synchronization is being overemphasized. The alternative is to just log on to a new device using an old device that already has a passkey, as you showed in the video. No cloud based passkey synchronization required. But, you still need some kind of passkey backup, whether cloud based or local, in case you lose access to your device.

  • @mo3k 1 year ago +3

    Not sure about Passkey being more secure than Password + 2FA:
    IF [Passkey] : Access to Device + PIN == access to any website
    IF [Password + 2FA] : Access to Device + PIN != access to any website, as password is still needed.
    Although I do understand that passkeys protect against certain attacks better, like Phishing; it's hard to say one is flat out better or worse than the other.

  • @travishatch6246 1 year ago +4

    What is the difference between passkey and ssh keys at the cryptographic level? It sounds like passkeys are very similar if not the exact same technology rebadged and made consumer friendly.
    A synced passkey feels like moving an ssh private key to a password manager's vault.

  • @techserviceondemand9409 1 year ago +1

    Not quite, I've had a Yubikey for years, finally gave it up as I can never remember where I put it. As one other YouTuber pointed out (correctly, IMO), the different types of connectors on different devices also make them a real pain (I have USB micro, USB-C, Apple ...).

  • @GeeWit 1 year ago +4

    I was pretty up to speed on this but what a great review and in my case, confirmation that I'm arranging our digital security in the best way for us. Thank YOU!

  • @MrSoulMonk 1 year ago +4

    A comprehensive and simple explanation of the various methodologies. Thank you! I love your channel. You present relevant topics with detailed information.

  • @randalljames1 1 year ago +2

    Pass keys were the standard some 20 years ago (dual authentication) ... worked security for a military contractor and passkey fobs were SOP.... they are cheap and easy to implement... Can use almost any cell phone today for the same job.. I now work IT security for the medical industry and ANY Dr that writes sched 2 drug scripts is required to use passkey authentication.. (is law) since the Jan 2023

  • @machdaddy6451 1 year ago +4

    Does a hardware bound passkey have to be plugged into your phone to use it with your phone?

  • @mdamaged 1 year ago +2

    Better off going with the Thetis, since it's recommended to buy at least 2 (one for backup) the yubi will set you back at least 100 bucks, I've found the Thetis is just as good and half the price.

  • @jx5189 8 months ago +1

    Passwords are always going to be required for passkeys. If not, could you imagine the headache administrators will have when something happens to the user's device that was storing those passkeys for said account?

  • @samb4486 1 year ago +3

    Great video Chris. I note that Microsoft have announced that Windows 11 is getting a built-in passkey manager. Any comments or thoughts on that?

  • @ldwhitley 1 year ago +4

    I'd suggest an Apple user approach, and a Google user approach. I think you have the Apple approach covered in this video. The Google approach might be a future video. Sharing among the password managers in the various approaches too - OnePassword to Apple to Google might serve as an example.
    Also, I'd suggest a discussion of where the resistance to this approach may come from.
    Thanks for the valuable video. It raises the question of Passkeys and where they may fit in our security vision.

  • @TJWood 1 year ago +5

    15:27 What happens for example you no longer want someone you have shared your passkey with (say a divorce) and you no longer want them to be able to use your credentials?

    • @jgleigh 3 months ago

      You should be able to create a new passkey and the old passkey will no longer work.

  • @laurak96 1 year ago +5

    How do you keep your hardware passkeys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your house and car keys?

    • @chublez 1 year ago +1

      How do you keep your car and house keys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your hardware passkeys?
      Seems like a personal decision based on threat assessment is my point.

    • @jackt6112 6 months ago

      Yubikeys are going nowhere. They exist to control concurrent usage of software programs and are mostly replaced by storing the keys on an in-house server. They fail often from use and going through the washer and dryer. The software vendor overnights you a new one and deletes the old, so even if it is found or starts working it won't work.
      The only reason this 2009 passkey technology has become usable is because the cell phone has become almost ubiquitous and is the only device that has the intelligence for now and the future. Even your car and house keys are going away. It's already your wallet, passport, visa, credit card, immigration form holder when you travel, map, calendar, secure and insecure communicator, airline tickets, where the gate is for your next flight, flight schedules, your seat, adjusts your house environment when you are home and when you are not, guides you around the traffic tie-ups to and from work, lets you scan into the gym, your note taker, language translator, it will soon carry your ID/driver's license, gets backed up encrypted to the cloud, and is becoming the only thing you need to take with you.

  • @fs9553 1 year ago +10

    The elephant in the room you didn't mention: what if you lose your phone? Sure, the private keys aren't stored in there, but how can I get my credentials back, since Google/Apple use passkeys which are linked with the old device which you lost?

    • @EcoAku 1 year ago +1

      Exactly!
      Nowadays a phone is an awfully weak link in a security chain, because it is both indispensable, as you mentioned, and extremely vulnerable to assault: if nicked while unlocked, and/or if your aggressors force your face or your finger on the phone, in a matter of seconds they own your Google or Apple account holding your private passkeys, and as far as I know, there is nothing you can do about it.

  • @cob00927 1 year ago +4

    So let me get this straight...Even sites that offer passkey integration require a password, so if you have to have a password to do first time set up, even if YOU use the passkey, hackers will still have a password to try to get access to by hacking the business? Are you saying that until businesses allow us to delete the passwords, they are no better than having JUST a password?

    • @MegaLokopo 1 year ago +1

      Google doesn't even trust the passkeys. They detected a potential attempt to break into my account, and completely disabled every security measure I have to verify my identity, logged me out of my email on all of my devices except my phone, refused to let me log in even though I had every single method of verifying my identity, and required I change my password through a link in my email; then after I reset my password, which didn't require any form of authentication beyond being logged in, I was able to re-set up my many authentication methods.
      What is even the point of any of it if Google won't even trust a single method of authentication, and won't even trust you to verify your identity if you have all of them at once. And then doesn't even bother to verify my identity, while it bypasses all of that authentication I have, and lets me reset my password, without verifying who I am.

    • @norgeek 1 year ago +1

      They're technically more vulnerable than a website with just a password, as it's an additional attack vector..

    • @seetentees 10 months ago

      I think this is an example of not yet perfect, but way better.
      Part of the benefit of passkeys (even as an alternative to still-active password auth) is that it makes certain attacks way harder to pull off. For example, if someone pointed you to a simple misspelling of a website, your browser will not reveal any details about your account to the imposter. It'll just tell you that no passkeys are available for the service without revealing anything.
      This should clue you in that you're being attacked.
      This benefit alone can help improve your security posture. Granted, you're right that it would be cool if more sites allowed those who are comfy to just go 100% passkey, eliminating the possibility of a compromise of those passwords on the server side altogether.
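
Two mechanics raised in these comments fit in one worked flow: the signature is checked on the server against the stored public key, and the challenge it signs is fresh and single-use so a captured response cannot be replayed (the @travails3829 and @isovideo7497 replies near the top of the thread), and an authenticator simply has no passkey to offer for a look-alike origin (the reply just above). The Go program below is an added example, not code from the video or from any real passkey implementation. It assumes a constructed message format (`signedMessage`, an rpID string plus the challenge) standing in for WebAuthn's authenticatorData and clientDataJSON, and the `Authenticator`, `Server` and `Assertion` names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assertion is the constructed stand-in for a WebAuthn assertion: the
// authenticator signs the challenge together with the origin it was asked for.
type Assertion struct {
	User      string
	RPID      string // origin the browser was actually on
	Challenge []byte
	Sig       []byte // ASN.1 ECDSA signature over signedMessage(RPID, Challenge)
}

// signedMessage binds the challenge to the origin (simplification of
// authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so the two fields cannot shift into each other
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticator holds the private key, which never leaves it. It signs only
// for the origin the passkey was created for; any other origin gets "no passkey".
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

func (a *Authenticator) Sign(user, rpID string, challenge []byte) (Assertion, error) {
	if rpID != a.rpID {
		return Assertion{}, errors.New("no passkey available for " + rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{User: user, RPID: rpID, Challenge: challenge, Sig: sig}, nil
}

// Server (the relying party) stores only public keys plus the challenges it
// has issued and not yet consumed.
type Server struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// IssueChallenge returns 32 fresh random bytes and remembers them until used.
func (s *Server) IssueChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(ch)] = true
	return ch, nil
}

// Verify is the server-side check: known user, expected origin, a challenge
// this server issued and has not seen before, and a valid signature.
func (s *Server) Verify(a Assertion) error {
	pub, ok := s.pubKeys[a.User]
	if !ok {
		return errors.New("unknown user")
	}
	if a.RPID != s.rpID {
		return errors.New("assertion was made for a different origin")
	}
	key := hex.EncodeToString(a.Challenge)
	if !s.pending[key] {
		return errors.New("challenge unknown or already consumed (replay?)")
	}
	delete(s.pending, key) // single use, consumed before the signature check
	if !ecdsa.VerifyASN1(pub, signedMessage(a.RPID, a.Challenge), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	srv := NewServer("example.com")
	srv.Register("alice", auth.PublicKey())
	ch, _ := srv.IssueChallenge()
	a, _ := auth.Sign("alice", "example.com", ch)
	fmt.Println("first login:", srv.Verify(a))
	fmt.Println("replayed:   ", srv.Verify(a))
	_, err := auth.Sign("alice", "examp1e.com", ch)
	fmt.Println("look-alike: ", err)
}
```

Note that the server never learns the private key and never trusts a "success" flag from the client: it recomputes the signed message itself and consumes the challenge before checking the signature, so a second submission of the same response fails even if the signature is genuine.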

  • @driver288 1 year ago +2

    A note on interoperability. I have used Apple passkeys on my iPhone to log in to a website on my pc. It works just fine but the process is just a bit less seamless. On a Mac I would just use iCloud Keychain stored key and authenticate directly on the Mac. With PC I’m presented with QR code to scan with my iPhone. The iPhone then presents the passkey and I log in using FaceID. The phone and pc need Bluetooth enabled for this to work but no setup or pairing is needed!

    • @georgebarlowr 1 year ago +2

      Or you could just use a password manager like 1password to hold your passkeys and use them between devices.

    • @driver288 1 year ago

      @@georgebarlowr sure. You can use 3rd party products for this. I would recommend 1Password too for this

  • @GeorgeCudd 1 year ago +2

    If you use your cell phone pin in a public area and it gets compromised you can have real problems. The WSJ had a great article about this earlier this year where someone used their pin at a bar to make a confirmation, it was compromised (observed) and their phone was immediately stolen as they were getting an Uber outside the bar. The thief used the pin immediately to reset and change all of the passwords, being synced in the password manager. The thief did this so quickly the phone couldn't be shut down. The thief had access to all the accounts on the phone and proceeded to rob the owner of several thousand dollars. Bottom line is that tying everything to your phone has some level of risk. Better use a more complex pin and be careful when you use it as it provides the keys to your kingdom!

    • @CrosstalkSolutions
      @CrosstalkSolutions 1 year ago +2

      You're right - there is always a risk of someone shoulder surfing your PIN and then stealing your phone.
      But that's not the point here - the point is that your example is extremely rare compared to the amount of phishing and hacking attempts that hit people from far far away.
      If we eliminated ALL but your specific concern, it would be a HUGE win for security world-wide. And a singular edge case of "well...it can still be compromised in this very specific way..." is not an excuse for rejecting this technology.

    • @GeorgeCudd
      @GeorgeCudd 1 year ago +1

      @CrosstalkSolutions I agree with you, but I just thought it's important to understand all the risks before entertaining any new endeavor.

  • @Pythonaddiction
    @Pythonaddiction 1 year ago +2

    I have been using YubiKeys for the better half of 5 years now and will never move away from them. I do wish though you would have explained or touched base on the fact that when setting up hardware based auth keys you should always plan on redundancy. These keys can fail and/or get lost/stolen, so it is always best practice to have more than one.... The largest problem with this though is the fact that many sites only allow ONE hardware key, so if you ever lose your YubiKey or it gets damaged you are locked out with little to no recourse of being able to get back into that account. So users should make sure they have backups or sync multiple keys when allowed and even store it in an alternate location like a safety deposit box (just a suggestion), to be able to have a way to access accounts should your main key ever be damaged/lost etc. I also do understand why the keys cannot be duplicated as that would negate their effectiveness, which is why all sites/services that move to this level of auth should support at minimum a "Master" key and allow you to sync at least 1 additional key as a "backup".
    Overall though, great video to help bring awareness.

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago

      Thanks for that detail. I had no idea sites can restrict the number of copies of hardware keys you can have. If that's true, I have no idea why anyone would want to use a Yubikey. Wow. I mean, it suggests that you should have a different Yubikey for every site that requires a limit of one Yubikey per site. But that kinda invalidates one of the main reasons for having a hardware key in the first place. (You would lose all your private keys if you lost your single Yubikey.) I've never used Yubikeys before, but I think you've just turned me into an opponent of that technology. Thanks for raising my awareness. Yikes.

    • @Pythonaddiction
      @Pythonaddiction 1 year ago

      @TheNameOfJesus I didn't mean for my comment to turn you away from the technology, but understand that some sites have yet to fully adopt it and thus only support adding one key. This is changing as the technology is adopted but it's not a super fast process.
      When a site registers a hardware key, by default they should actually require 2 keys so you are making a backup as part of the process, but instead most sites implement a second, lower level of security.
      The only way to get this technology to be more adopted is by using it and promoting it. But it's also understanding the limitations, like most banking institutions do not yet support these devices because their customers are using their phones instead, so they are opting for a less secure alternative.
      The YubiKey is by far the strongest form of authentication as it's offline and a physical device that cannot be duplicated.
      Phone auth isn't nearly as secure, as you're required to use your passcode / PIN to unlock your device at boot up even with biometric locking enabled.
      So I would use it to its fullest potential that you're able to in your circumstance and just make sure to set up whatever backup method is available for any service that you use that doesn't support adding multiple keys, and just store those backup codes with your backup key for the services that do support that.... (Alternate location like a safety deposit box etc., or at least a fireproof lockbox or safe to protect from fire loss).
      Adoption is always the biggest problem and they won't gain traction if too many oppose the use.

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago

      @Pythonaddiction Thanks. I know you didn't intend to turn me away from it. I was perhaps overstating my worry by 50% for dramatic purposes. The YubiKey is FIPS 140-2 evaluated so it's good when used in FIPS 140-2 mode. (Do consumers use it in the FIPS-evaluated mode?? I don't know.) I personally used a different product that was also FIPS 140-2 evaluated. YubiKey is likely not "more secure" than other products with the exact same evaluation. I have no way of knowing if consumers are using it with those features enabled, but I doubt it because people are loading their own private keys rather than getting them from an approved key generation device. In my company, people aren't allowed to load their own keys because we operate in a very, very high security mode.

    • @ChibiKeruchan
      @ChibiKeruchan 7 months ago

      @Pythonaddiction What I don't understand is why no one even thinks of using GPS as one of the backup ways to recover your account? Something like... they will ask you to open your GPS location to recover your account. Which means if you want to recover an account as your last resort, you need to be standing in the place where you created your account. 😂😂😂😂
      I really hate being made to buy 2 YubiKeys; not only is it expensive, you might not know if the other one you keep safe was taken by someone at home.
      But having your GPS as a last resort... you and only you know where you created your account.
      This way you can actually walk into a random train station and use it as your recovery location.

    • @Pythonaddiction
      @Pythonaddiction 7 months ago

      @ChibiKeruchan That's because GPS and geotag location data is super easy to spoof, for starters. And secondly, would that work if someone is making an account while on the road outside of their normal area, or, say, a truck driver? There are many reasons why this wouldn't be used.

  • @Alex-zv4oc
    @Alex-zv4oc 1 year ago +3

    It's basically the same asymmetric PKI stuff that is used for TLS encryption. The private key is stored on the webserver or client, and YubiKey hardware stores the private key like an HSM used by servers like webservers or reverse proxy servers such as F5, right?

    • @miss_sapphire
      @miss_sapphire 1 year ago

      Also think of it like SSH keys.

  • @christopherguy1217
    @christopherguy1217 1 year ago +4

    Great introduction, now could we see examples of doing this with the Yubico, please?

    • @paulclement1025
      @paulclement1025 1 year ago

      Did you check his site? I seem to remember he's demonstrated how to use Yubikeys before.

    • @gotoastal
      @gotoastal 1 year ago +2

      We should support open source alternatives, not Yubico

  • @robertcoleman7071
    @robertcoleman7071 1 month ago

    Thank you for answering the question about deleting the existing login/password after setting up passkey

  • @user-rz4qq8dy8b
    @user-rz4qq8dy8b 1 year ago +2

    My exact question is what you also mentioned in the video with the Best Buy example. If you have to create a user first using a password, and only after that can enable passkey login, then the password login still exists somewhere in Best Buy's systems, and can be found in a server hack/leak?
    What would be the correct way to do this (besides being able to actually use a passkey when creating the account)? When enabling a passkey, it somehow should delete any knowledge of a password ever existing?

    • @giacospace
      @giacospace 1 year ago +1

      Exactly my question as well. My take is that passkeys (plus other authentication factor) should become the primary login method and username + password the fallback option. Probably in the future we won't even set up a new account like we do today (username + password).

  • @kotgc7987
    @kotgc7987 1 year ago +7

    Passphrases (staple horse battery correct) on a secure FOSS password manager FTW. Passkeys are 1: expensive, 2: accounts charge to use PassKey logins, 3: a hassle to carry around for clumsy/daily life users who lose and break stuff.

    • @norgeek
      @norgeek 1 year ago

      The problem with passphrases is that they're much more vulnerable to dictionary attacks. 4 correctly spelled common English words are not going to keep someone out for long.

    • @_starfiend
      @_starfiend 1 year ago +2

      @norgeek Then don't correctly spell them. Use a mix of capitalisation and obfuscation, use multiple languages, and use different 'spacer' characters between the words. I use an eight word phrase but instead of all being English language words, it includes words from two other languages, and all the words are deliberately misspelled. Could I accidentally give it away? Yes of course, but if I only gave the plain translation, it would still take a long time to turn into my actual password.

    • @norgeek
      @norgeek 1 year ago

      @_starfiend Misspelling and other obfuscating techniques don't necessarily add much protection; a good attack dictionary would be set up to include, say, the thousand most likely variations of each word. Random characters in and between words, and multiple non-obvious languages, should make a significant difference though. But at that point you're looking at a significant effort in keeping the passwords unique between each new website without reusing a similar syntax.

    • @_starfiend
      @_starfiend 1 year ago

      @norgeek While I'm not arguing that a password/passphrase is necessarily the best idea all the time, adding obfuscation and misspellings adds more difficulty than you might think. Just as a simple example, my step-daughters are bilingual, English and one other. Although they speak only English at home, at school they are required to use the other language full time. This means that when they have to write in English they regularly spell phonetically using the other language. I've got used to it now so I can read it, but by doing that they misspell English words in ways that not just change the spelling, but also change the length of the word, and even in some cases would change the English pronunciation. They do it unintentionally; now imagine doing that intentionally, and doing it with multiple languages. Those word lists would get scarily long. Plus, and it looks like people are not seeing this, you might guess it's a phrase, but how do you know how many words are in that phrase? A 50 character phrase could be anything from six to twelve words. How does an attack dictionary help then? A decent passphrase deliberately does not use only the most common words, but adds longer or less common words as well.
      It's also not as difficult as you might think to have half a dozen passphrases. Because they are phrases they are easy to remember, and I just remember how I obfuscated them. They are also (mostly!) not related, so even if you guessed one, it would not lead you to the others.
      Personally I find passphrases easier to remember than the "staple horse battery correct" idea, which while I accept is a good idea, just doesn't feel long enough to me. I would want to add at least two additional words. Minimum. At which point proper phrases do become easier to remember, yet no easier to crack.

    • @seetentees
      @seetentees 10 months ago

      A serious problem with passphrases (or any preshared password) that passkeys entirely leapfrog is the possibility of replay attacks and some forms of phishing.
      Passkeys significantly reduce an attacker's ability to man-in-the-middle an authentication attempt from outside of your device (e.g. by convincing you to log into a replica of a real site). They do this by removing the human from some parts of the picture: you can't be convinced to give your passkey to the wrong website, because you don't know it, and aren't required to send it anywhere during a login attempt. And even if someone observed your login attempt (which requires a compromise of your device), no part of it can be used to log in a second time. As well, you're not a part of verifying that you're looking at the right website: your browser does this for you, and will not let you even attempt to log into the wrong site with your passkey.
      It's less about preventing someone from being able to guess your password, and more about making the act of logging in more secure. One longer term benefit is that it can reduce the friction of requiring you to log into services more often, without affecting the security of those login attempts.

  • @abghere
    @abghere 1 year ago +2

    What happens if you lost your YubiKey?

  • @Jim-j2c
    @Jim-j2c 1 month ago

    I admire your enthusiasm and knowledge. Because I'm a beginner with all this computer technology, I found the layers of information you were presenting to be overwhelming. For me, getting to the simpler points (just describing the two keys, what they are and how you use them) and then going into all the other detail would have been better for my way of learning. And as I say, I'm a beginner, so perhaps many of your other viewers don't have that same difficulty.

  • @TechnoTim
    @TechnoTim 1 year ago

    Chris! Such a great video! I learned so much! Thank you!

  • @palliard
    @palliard 5 months ago +1

    And LastPass, which already supports YubiKeys. So your password manager requires the hardware key.

  • @chrismuller2780
    @chrismuller2780 1 year ago +1

    If someone steals a company's DB of public keys and creates a fake site, could they trick you into signing in with your passkey?

  • @mikedoth
    @mikedoth 1 year ago +2

    I love passkeys, but would love a way to integrate browsers with Keepass and utilize passkeys for those of us who do not like hardware keys and want to keep them centralized with our existing cred storage.

  • @monkeysausageclub
    @monkeysausageclub 1 year ago

    IT departments will now have to deal with people losing or forgetting their passkeys 😂

  • @curtisbme
    @curtisbme 8 months ago

    @16:55 - That is the biggest issue with all these 'more secure methods', they are just adding more ways to log-in without removing the problematic ones, increasing, not decreasing, the threat footprint.

  • @chemicle
    @chemicle 11 months ago +1

    Yes, it took me a while to get onto the passkeys, but now I have two (one as a backup offsite) and I have never felt more secure. Everyone should have these. But they should be more affordable, as YubiKeys are a bit expensive (in Canada anyway).
    I know, I know, you can't really put a price (tongue in cheek) on security, but ya - WELL WORTH IT.

  • @johnmartin1024
    @johnmartin1024 1 year ago +1

    Hi Chris. Great video on Passkeys, et al. HOWEVER . . . There was hardly any emphasis on purchasing and setting up MORE THAN ONE YubiKey for redundancy in case your YubiKey hardware device is lost (more likely) or physically damaged, i.e. FUBAR (unlikely). Having just one device with no redundancy exposes the user to being locked out of his/her own stuff. My Mr. Worst Case Scenario wants to ask people to please be prudent and thoughtful at the fundamental level.

    • @MegaLokopo
      @MegaLokopo 1 year ago +1

      Google doesn't even trust Titan Security or YubiKeys to verify your identity if they detect someone may have attempted to break into your account. They simply disable all of your security and hope that the one device they allow to stay logged in is in your possession, and then let you reset your password without even verifying your identity.
      If Google can't even trust their own system, why should anyone else?

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago +1

      Indeed, this was a weak point in his video. Not only do users need multiple Yubikeys, and store them in different locations, but they need to update each of their Yubikeys EVERY SINGLE TIME that they create new credentials on a new website. I don't want to go to the bank weekly to fetch my Yubikey, take it home, update it, then go back to the bank in the same day to lock it up again. I think my bank counts how many times I access my safety deposit box each year and charges me if I access it too often.

    • @relaxsleeplearn
      @relaxsleeplearn 1 year ago

      Very good point!

  • @TheNameOfJesus
    @TheNameOfJesus 1 year ago +1

    I have some concerns with some of your conclusions, but I'll mention just one. At 10:31 you said "Server leaks don't matter when it comes to Pass Keys." I would call that statement 99% wrong. It's 1% true because your "authentication credentials" remain secure. But any DATA that you upload to the server (name, email, address, phone, contacts, calendar, web links accessed, etc.) may potentially be completely stored "in the clear" on the remote website. Pass Keys are very good when it comes to "credential privacy," but have NOTHING, ABSOLUTELY NOTHING to do with data privacy. You actually said "server leaks don't matter" but that only applies to your credentials in the case of Pass Keys (which is 1% of security overall.) Your data can still be stolen, leaked or sold to communist China, FaceBook or Google. (I'll leave it ambiguous whether the word "communist" applies to only the first of those three.) The only company that I'm aware of that uses YOUR private key to store (some) user data on their servers is Apple. So not even Apple can recover (some) of your data if you lose your private key. But any of your data stored by Google on their own servers is very likely stored using an independent encryption system that has nothing to do with Pass Keys. I'm guessing that you will acknowledge that all you were talking about was credential security, but you really need to look at the big picture. Data security is far more than just password security. Saying "server leaks don't matter!" is misleading at best, wrong at worst.

  • @Michael-Wat
    @Michael-Wat 1 year ago

    You name it: "Everything protected by my Apple-ID [...]" LOL

  • @extremepcs2807
    @extremepcs2807 1 year ago

    Great video! Hopefully the fact that sites still hold on to your legacy password once you switch to passkeys changes soon.

  • @mardymarvin8441
    @mardymarvin8441 1 year ago +2

    These sound good, but you did not explain what happens if you lose the device. So you have a YubiKey and you lose it; how do you then get into your accounts? At least with a password manager I only need to log in to the password manager on any device. With the hardware ones, if it breaks or you lose it, how do you get back into your accounts?

  • @ocavant
    @ocavant 4 months ago

    SMS based are extremely vulnerable to SIM swapping! Avoid if possible. Sadly many banks refuse to upgrade.

  • @markbroussard7394
    @markbroussard7394 1 year ago +1

    What do you do if you lose or damage your hardware key? How do you authenticate to set up a new one?

  • @narkeddiver7325
    @narkeddiver7325 1 year ago +3

    How secure are iCloud passkeys?
    Can they be overridden if someone has your iPhone and its passcode?
    If so, then your passkeys are only as secure as your 6 digit passcode.

  • @slip6699
    @slip6699 1 year ago

    Great explanation! I haven't yet moved over to passkeys. This helped me get to grips with it.

  • @discerningacumen
    @discerningacumen 4 months ago +1

    What if you lose the passkey, or it's stolen or broken? It looks meaningless, nothing but marketing hype.

  • @bcam8995
    @bcam8995 9 months ago +1

    Great video, but you should mention the cons of passkeys. Each method has its own strengths and weaknesses.

    • @CrosstalkSolutions
      @CrosstalkSolutions 9 months ago

      So like the part where I talked about the cons of passkeys you mean?

  • @dezejongeman
    @dezejongeman 1 year ago +1

    A great explanation, but I still have 2 issues with the use. If you have a hardware based private key and the device dies, how are you able to log in to your most secure environments?
    And what if your private key got leaked or stolen? Then a hacker is able to log in to everything and everything of yours is compromised. If it is not, how do companies check if they have a revoked key of yours in their database if you are on your second or third key set (private and public)?
    If this becomes common, does every company or website need to check if the public key is still valid? Of course they only need the correct public key, but there can be a time that some have your old key and some have your new public key.
    If you have a different password for everything with a TOTP and a key, and the TOTP key got leaked or stolen, it is only impacting that specific login.

    • @jackt6112
      @jackt6112 6 months ago

      You are exactly correct. It's built on a false premise. What it is is better than what we have for most people because they are easily tricked or use the same, short, easy to remember passwords everywhere that are never changed, and no password manager. A good password manager with bio limits exposure to one account.

  • @user-dz7qm7zu2k
    @user-dz7qm7zu2k 11 days ago

    Excellent presentation that covers the various protection levels and their vulnerabilities. Many other presenters glide by the multi-device sharing of passkeys as no issue, but hackers will find a way. I agree that the hardware key is best; your private key never leaves the device and it is difficult to hack, while not too expensive to have backups, unlike a phone or laptop/desktop. Nice job!

  • @MotorsportsX
    @MotorsportsX 1 year ago +1

    The problem is that no one points out the single massive and major flaw with hardware keys: when someone takes it from you, you're screwed.

    • @seetentees
      @seetentees 10 months ago

      Enroll multiple passkeys. When you no longer think you have one of them, unenroll it. Until you do, it must have had a layer of security on it before it could generate the passkey (a strong pin or a pin and a biometric lock) that whoever stole it needs to crack.
      TLDR: You can lose it but you can also prevent that particular key from ever being used to log you into stuff without affecting anything else that isn't lost/stolen from logging you in.

    • @dukeofclemance
      @dukeofclemance 7 months ago

      @seetentees Double Dutch.

  • @id104335409
    @id104335409 7 months ago +1

    Ahaaa,
    What happens when your device gets stolen, destroyed, corrupted? What happens when you need to recover your passkey? Can you do that just like you can remember your password?

  • @andljoy
    @andljoy 1 year ago +1

    You forgot another reason passwords get locked out: infrastructure engineers locking each other's domain admin accounts out for a laugh :).
    I got 3 YubiKeys after seeing your last video. One for the keyring, one for the safe, one mini one to stay in my home PC.
    Not enough stuff supports FIDO2; my YubiKey is mostly used for classic 2FA.

  • @Alan.livingston
    @Alan.livingston 1 year ago

    I remember hating infomercials on the telly as a kid. These days I watch them by choice on TH-cam because the content actually justifies the pitch.

  • @MikeJones__Who
    @MikeJones__Who 28 days ago

    Isn't the bound hardware key technically shareable if you just physically give someone the key to use? The only key that isn't shareable in that instance is if it was one of those biometric YubiKeys.

  • @joebashour
    @joebashour 1 year ago +1

    I saw it...I saw it!
    ...
    (referring to the Twitter logo :D)

  • @dennisvanmierlo
    @dennisvanmierlo 1 year ago +1

    Companies need to give better and fully detailed instructions on how to set up passkeys on their website. Take Microsoft for example. They point me to advanced security options and then I have to figure it out all by myself.
    The same goes for PayPal. If they don't make this easier for their users, then passkeys will take forever to be adopted. And that's a big missed opportunity.

  • @einyv
    @einyv 1 year ago

    Love the yubikey and the authenticator app as well. If phone is stolen nothing is in the authenticator app, because you need the key!!

  • @KentBunn
    @KentBunn 1 year ago +1

    Under no circumstances should you be endorsing email/sms 2FA solutions. That is a VERY bad take, at this point.

  • @my3.1415
    @my3.1415 1 year ago +1

    What good are passkeys if I, or someone else (I'm looking at you, Mr. Hacker), can still log on to my Adobe account using a password because I can't see an option to remove the password?

  • @johns4870
    @johns4870 7 months ago

    Have one on order from your link. Thanks for the heads up. I will be using one of these for everything I can!

  • @mauriciolee7349
    @mauriciolee7349 25 days ago

    Thanks, Crosstalk Solutions, for this DETAILED & INFORMATIVE video. As of today, July 27th, 2024, out of 10 passkey videos I've watched, yours is the BEST. It's because of your clear & easy-to-understand explanation of how passkeys work, and how they help me in case of phishing and website IT breaches.

  • @idaho_7407
    @idaho_7407 6 months ago +1

    Always trust the CIA to be working in your best interest.

  • @bennylloyd-willner9667
    @bennylloyd-willner9667 1 year ago

    Is it impossible to hack a device to get access to the private key and use a "fake device" to communicate with passkey servers. And are passkey servers truly unhackable?
    I find it hard to believe all boxes in the comparison table are so truly checked?
    Being sponsored isn't making me believe it more either.
    Just a grumpy sceptical old Swede here😊

  • @reefhound9902
    @reefhound9902 1 year ago

    Passkeys sound nice until for some reason you can't get access. Imagine the hell of regaining access to hundreds of sites after you lose your phone. That's why all the sites using face id and fingerprints have implemented it as a convenience option with a password/pin backup method.

  • @martian-sunset
    @martian-sunset 10 months ago +1

    No option to remove account passwords after a passkey login has been set up renders passkeys useless.

    • @seetentees
      @seetentees 10 months ago

      Although some types of attack remain possible as long as your account allows password login, the point of passkeys is to give you the option of choosing when to use a password. Whether it's *never* is up to you. If you choose to still log in with a password, this is what makes your enrollment of passkeys useless :)
      When you do log in with your passkey, instead of typing your password into a website and submitting it, your browser (after verifying that the website is...the website) will simply ask you which passkey to use, then prove that you have the passkey in a way that cannot easily be man-in-the-middle'ed unless your device is compromised. The idea is your browser will never attempt to log into an imposter website, and if one of your devices is compromised, depending on how, you may be able to un-enroll it from the service from an uncompromised device.
      This makes it significantly harder for someone to convince you to log into a website that proxies any part of your login attempt, and also allows you to reduce the blast radius of a device compromise to maybe that device (depending on the compromise).
      Stepping back, the whole idea is to give you a more secure way to log in. Eventually, it'll also allow websites to just stop storing (even salted/hashed) passwords altogether. But baby steps.

  • @maxmustermann9858
    @maxmustermann9858 1 year ago +1

    What I miss is how 2FA will be handled with passkeys, or will 2FA become obsolete?
    For example, when using Nextcloud you have the option to use FIDO2 WebAuthn for login and also use FIDO2 2FA, so you get asked two times for your key.
    Will this be the same on other services?
    And coming back to the maybe obsolescence of 2FA: is that maybe because 2FA now only really protects someone against attacks where someone else has your passwords, but when someone already has the encrypted password vault, 2FA is no concern anymore because you only need the password?
    At the end I think it all comes down to how these services will implement it, like will my account data be encrypted with that passkey or only the login for the web interface.

    • @matta9991
      @matta9991 3 months ago

      PayPal supports PassKeys right now, and I have 2FA enabled. I was using OTP to begin with, but it does prompt me for this after the switch to a PassKey. I imagine companies that know what they're doing will require some other form of 2FA (such as OTP) or maybe even just require a secondary FIDO2 key for 2FA. The bad companies? Who knows.
      Interesting point on how customer data will be encrypted. The company would need the private key in order to encrypt whatever private data they store, right? Can't just use the generated nonce for that. Although I really know very little about how this architecture works, admittedly.

  • @hewdogg01
    @hewdogg01 1 year ago

    Thanks for the video and the coupon. I saved $10 (2 keys).

  • @yavivid
    @yavivid 1 year ago

    Thanks for the articulate explanation. I just wonder how different it is from PKI.

  • @RaymondDay
    @RaymondDay 1 year ago +1

    SQRL (Secure, Quick, Reliable Login) doesn't store them on the server, but the server has to have SQRL too. It's been out for years and I guess is the best, but it's hard to get servers to use it.

  • @TJWood
    @TJWood 1 year ago

    Thanks Chris, loved your content for years now (Note: has a house full of Ubiquiti gear and, thanks to this video, 2 new YubiKey 5C NFCs on the way :D )

  • @petergplus6667
    @petergplus6667 1 year ago +1

    Too bad that 90% of the shitty windows laptops don't feature IR cams or fingerprint scanners....

  • @gotoastal
    @gotoastal 1 year ago +1

    Could you call them hardware tokens/keys instead of generically using YubiKey? We should be supporting open source hardware options.

    • @julianmontague4342
      @julianmontague4342 9 months ago

      I agree that we should support free (libre) hardware, but Yubico sponsored this video. That’s why he mentions Yubikeys.

  • @JMB
    @JMB 6 months ago

    If you use passkeys, what's the best practice regarding 2FA? Keep or remove?

  • @garys585
    @garys585 5 months ago

    I have not seen many of the financial, insurance, and health care institutions listed in the passkey directory other than a handful of credit unions. Do they view this as not fully baked yet?

  • @78tag
    @78tag 1 year ago

    I bet the government and all of its alphabet agencies just love this more centralized code system. Much easier to track everyone.

  • @FalconEagleEye
    @FalconEagleEye 1 month ago +1

    Thanks - GREAT info - great explanation FIGHT FIGHT FIGHT FOR AMERICAN FREEDOM !!!!!!!! 🇺🇸🇺🇸

  • @moondoggspicoli1583
    @moondoggspicoli1583 1 year ago

    I tried to keep up with you but glazed over quickly.
    I do get that I should consider using a Passkey, but what if I lose it?
    You probably covered that while I was sleeping ;-)

  • @TheBigBlueMarble
    @TheBigBlueMarble 1 year ago

    A hardware device for passkeys will never be part of my security process. The headaches associated with the possible loss or theft of the device are just not worth the additional security.

  • @jonathanhirschbaum6754
    @jonathanhirschbaum6754 1 year ago

    If you use Disney+, you deserve to be forced to put your min. length of 128 chars password using remote control every 30 minutes

  • @SteelWolf13
    @SteelWolf13 1 year ago +1

    Face ID is a joke. I've bypassed it with a printed picture.

  • @stewall101
    @stewall101 1 year ago

    So what do you do with the Yubikey? Stash it away? Carry it with you? At what point/time does the Yubikey get plugged into something - and what and when?

    • @seetentees
      @seetentees 10 months ago

      Whatever stores your passkey needs to answer questions about the private key every time you want to log in. If a passkey is on a Yubikey, whatever device you're logging in with needs to be connected to the Yubikey.
      The idea is you can generate a unique passkey on every device that you want to use to log into whatever site. These devices can be phones and also Yubikeys, so you can have a backup that you physically store somewhere, for the event that you lose your primary one.
      If this happens, you can log into the site with one of the keys you still have and then generate a passkey on a replacement device/unenroll the passkey for the missing device. If you find it again, now you have an extra device that can store passkeys, and since there was a PIN on it, you can be pretty certain it's the same key you lost and no one accessed it. Not 150% certain, but it's pretty hard to break that PIN on most devices and software that store passkeys.

  • @allwheeldrive
    @allwheeldrive 1 year ago

    Passkeys do NOT fix the very real problem of the legitimate user not being the one holding the device. They can be easily lost, borrowed, broken, and stolen. And any device of consumer caliber using fingerprint is NOT secure enough for high-risk/high-value privilege access (financial accounts, restricted rooms/buildings, etc.). This is a fundamental problem (FIDO-related) that cannot be solved by anything but advanced biometrics that check for human liveness and exceptional image matching levels. And they are already out there and work. Together, security is very high.

  • @RicardoBeltran
    @RicardoBeltran 1 year ago

    A password manager with end-to-end encryption with a memorized password, of course a fido key when available

  • @OXXOColette
    @OXXOColette 1 year ago

    Most likely the biometrics will be saved, just like our data is being saved and sold. To put "trust" in Google, Apple, Amazon, Microsoft, etc. would be an oxymoron

  • @revealingfacts4all
    @revealingfacts4all 1 year ago

    A few years ago Steve Gibson was championing SQRL; wondering why that hasn't been widely adopted?

  • @SteelWolf13
    @SteelWolf13 1 year ago +1

    To me this just sounds like PGP. Secret and public keys. You then access your secret key with some form of ID. QR code, Face ID, Master password?
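
The exchange @seetentees describes above (the device answering questions about its private key on every login, with a backup key enrolled separately) and the PGP comparison @SteelWolf13 draws here are the same mechanism: a per-site key pair where only the public half is ever sent to the site. The following Go program is an added example, not code from the video, from Yubico, or from any commenter. It models that flow with the standard library: the authenticator mints a P-256 key pair per relying party, the server stores only the public key and verifies the signed challenge itself, each challenge is random and single-use so a captured answer cannot be replayed, and a credential is scoped to the relying-party ID so a lookalike domain gets no signature. The names bank.example, bank-login.example and alice are constructed, and the signed data is a simplification of the real WebAuthn format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the device holding the passkey (phone or hardware key):
// one private key per relying party, and the private key never leaves the device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a P-256 key pair scoped to one relying party; only the public half goes out.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID. A lookalike domain has no credential scoped to it,
// so there is nothing to sign: that scoping is the phishing resistance.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData binds the signature to the relying party and the one-time challenge
// (a simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server. It holds public keys only, so a breach of this table
// gives an attacker nothing that logs in.
type RelyingParty struct {
	id      string
	pubkeys map[string]*ecdsa.PublicKey // user -> enrolled public key
	pending map[string][]byte           // user -> outstanding one-time challenge
}

// BeginLogin issues 32 fresh random bytes per attempt, so a captured answer is useless later.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// FinishLogin is where the check happens: on the server, against the stored public key.
// The challenge is consumed whether or not the signature verifies.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	delete(rp.pending, user)
	return ok && ecdsa.VerifyASN1(rp.pubkeys[user], signedData(rp.id, c), sig)
}

// ScenarioResult records a genuine login, a replayed answer, and a lookalike origin
// trying to obtain a signature for a real challenge.
type ScenarioResult struct{ LoginOK, ReplayOK, PhishSigned bool }

func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	phone := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{id: "bank.example", // constructed relying-party ID
		pubkeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	pub, err := phone.Register(bank.id)
	if err != nil {
		return r, err
	}
	bank.pubkeys["alice"] = pub // enrolment: the server keeps the public key only
	c, _ := bank.BeginLogin("alice")
	sig, err := phone.Sign(bank.id, c)
	if err != nil {
		return r, err
	}
	r.LoginOK = bank.FinishLogin("alice", sig)
	bank.BeginLogin("alice") // new challenge; the earlier signature now matches nothing
	r.ReplayOK = bank.FinishLogin("alice", sig)
	c, _ = bank.BeginLogin("alice")
	_, err = phone.Sign("bank-login.example", c) // lookalike domain relaying the real challenge
	r.PhishSigned = err == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // {LoginOK:true ReplayOK:false PhishSigned:false}
}
```

The backup-key advice in the same thread falls out of this model: a second Authenticator enrolled for the same user just adds another public key to the server's table, and losing the first device means deleting its entry, never rotating a shared secret.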

  • @LightsAndButtons
    @LightsAndButtons 1 year ago +1

    Great video and topic! One thing good to do with USB security keys is to have a backup key in case your device gets damaged/lost/stolen.
    I also liked how you pointed out that Passkey implementations are not perfect yet. I also found that some services still require less secure MFA methods. For example, even if you have an MFA method that uses WebAuthn, Google will still allow device push notifications, which are susceptible to push notification fatigue attacks. But, one step at a time! :)

    • @CyberMedics
      @CyberMedics 8 months ago

      @jeffreybankers3988 As you are probably aware, almost all services allow a backup security code in the event you have lost your authentication method. These codes could be secured in a safe location, a secure USB, on the cloud, a piece of paper in a safe (one of the most reliable) or on a cloud service. That way if you catastrophically lost your keys, you could still recover the accounts.