Cheers. I'm at the point where I can follow along as I hear it; not quite at the point where I could explain it to someone else. But getting there.
This is probably your most confusing explanation, I've read. Usually, you are much clearer. More concrete examples might have helped, if possible.
I agree - I have no idea what he meant! Unusual for Leo.
Thank you for the video. But I would disagree with the fact that passkeys are more secure than strong passwords in all situations. Mobile phones, mobile tablets and, to a lesser degree, laptops, which you often take with you, are a big question in this case.
We know that "security is only as good as your weakest link". If one of the above-mentioned devices is lost or stolen, then all that is required is to guess your PIN to get access to ALL your personal and financial data. Yes, you can change your private keys for all the services, but it takes time. And sometimes a lot of time, depending on where you lost your device or when you realized it.
Yes, IF your phone or laptop is powered off, and IF it has the entire data partition encrypted, then that will save your data (provided that your password is strong). Yes, IF you use the Face ID or fingerprint unlock option, then it may protect your data to a certain degree (provided that you do not have your phone rooted). Such "protection" is not very strong, as we know; it may give you more time to change your passkeys, but usually not much. And you still have the headache of the urgent passkey cancellation or recall. Yes, IF you use a strong passphrase (I do not know if it is possible with online services, though), then your data is protected, but what is the point of passkeys in this case?
I would prefer to stick to using strong passwords, at least on this type of device. I would also use Keepass2Android/Keepass2 or my PGP keyring (but for encrypting the list with the passwords locally only) + a good open source 2FA app like Aegis (Android) or WinAuth (Windows), which can also be protected with a password. In addition, you can make your browsers delete the session cookies so that session stealing is not possible. You can do it with passkeys too, but will you have to do it all over again (the process of setting up your login with a passkey)?
You can use passkeys on your home PC. But would it be convenient for you to have different modes of authorization for one particular service? And would this service allow this? These are the questions.
I respectfully disagree. Two-factor authentication means using two factors out of the following three: something you have, something you know, something you are… and passkeys satisfy at least two of these. The device the passkey is installed in is the something you have. Unlocking the device with a biometric satisfies the something you are, or unlocking with a PIN is the something you know. This said, I am not a fan of passkeys that are shared between devices. For the utmost security, I feel safer installing a device-bound passkey on each device you want to use as a login device. Remember that you do not need to install a passkey on all devices you want to log in from. You can log in on a device without a passkey installed by scanning a QR code it presents with a device that does have the passkey on it.
Passkeys are indeed secure but if the owner loses the phone or laptop device and a hacker gains access, then all those passkeys (or rather login credentials) would effectively be compromised; correct?
Only if the person who has the phone can consistently unlock it (PIN or biometrics) each time a passkey would be used. AND you can remotely disable the passkeys from the account(s) where they're being used.
A difficult topic to explain. Now there is the added confusion of some password managers saving private keys in their vaults so they are available to users who are setting up passkeys on a new phone. I think they are employing the term synchronization.
Most websites and apps with 2FA capability need a 2FA code only the first time you're logging in. Then you can either stay logged in or it will ask for your password or PIN the next time you log in, just like with passkeys.
Something you know, something you have, and something you are (biometrics).
Which is not passkeys.
My corporate accounts require 2FA every time I log in. Every. Time.
May I disagree that a passkey is not two-factor? IMHO it is two-factor:
1. Something you know or you are: PIN code or biometrics to unlock the device.
2. Something that you have: the device, which is passkey capable.
It depends on the pin-code and the biometrics. I've heard of some phones being unlocked with photos. Also, it depends if the phone can be infiltrated in some way.
I use YubiKey. I have to plug it in or use NFC and touch the YubiKey before it will provide the code to get a password or OTP from the phone. It is a physical device that is not attached to my phone and my phone cannot provide anything without that device even if the phone is hacked. That is two factor.
@trail.blazer "I've heard of some phones being unlocked with photos" - Luckily that's only a fallacy. For example, iPhones use TrueDepth technology to build a quite detailed 3-D image of your face. No photo, no matter how detailed, would satisfy the requirements needed for unlocking your phone.
Likewise, fingerprint technology is very secure.
And of course, for your phone/iPad, choose a PIN code of at least 6 digits/characters, don't use your PIN code in public places, and set your phone to brick itself after 10 or so failed attempts at guessing the PIN code.
@Andre-zd8ke Admittedly it was Android rather than iOS, but there was a test done where I think it was 19 out of 48 Android phones unlocked with a photo. I think it varied according to what face recognition mechanism was used.
I have seen claims of sporadically unlocking iPhones with photos but I don't know if that is true. That includes wiggling the phone to give the appearance of some 'depth'.
@trail.blazer "I have seen claims of sporadically unlocking iPhones ..." - The TrueDepth system uses thousands of reference points to create an accurate 3-D picture of your face, so no, wiggling a photo wouldn't work at all. Anything you read or see on TH-cam that claims the wiggling photo trick will work will just be click-bait.
@trail.blazer I believe that in order to use Android's built-in (not sure about third party apps) Passkeys processor, Google has to certify the biometric sensor to meet a certain maximum "Spoof Acceptance Rate" such that the Passkey authorization should not be able to be spoofed by a simple 2D photo.
Clear as mud. I think our society has gone crazy with technology gobbledygook.
Your password can be obtained by phishing, etc. from halfway around the globe. If you are no longer using a password to log in, it can't be seized, while at the same time your passkey is never vulnerable to those attacks, which are far, far more common than losing your phone/laptop. Even if they have your passkey, they can't access your account unless they have your devices.
Very informative!
Silly but specific question, if that's ok! Not expecting an answer, but advice is appreciated. Work has started forcing passkeys on work accounts after previously enforcing two-factor. I have set this up on my phone optionally (as it's inevitable it will become mandatory), but I'm not getting the QR code prompt on some other devices I'm trying to sign into that require a passkey, e.g. accessing the Edge work profile on a communal work desktop. Some PCs work fine, others require a security USB which I have never had. Any advice for getting Edge to prompt the QR code? (Setting up a passkey on the shared work PC is not possible due to enforced no PIN or biometric.)
This is the first time I have failed to understand one of your explanations. I just don’t get it.
It seems to me that passkeys are just a replacement for that cookie mentioned at 1:34
Passkeys are unrelated to cookies.
@askleonotenboom I'm talking about the role they play in the workflow, i.e. they are something stored on your computer that allows you to stay logged in, but you don't need to know their contents. If you don't have one (cookie or passkey), you go back to other login methods, like your password or e-mail confirmation. That's why I said they're similar.
Now I am really confused after watching this lol
Can you explain why a software (BIOS) update creates what some sites see as a new device?
Some sites? I've never heard of a site identifying as a new device.
@askleonotenboom In my case Apple. I don't know of others, but I've got a small internet footprint. Every time I update the BIOS (not every system restart and not after a Windows update) I am forced to re-authenticate to iCloud. This was particularly annoying before they supported the YubiKey in iCloud for Windows. If I look at my iCloud account, a new device is added to the account device list after the BIOS upgrade, so there are multiple instances of the same machine. I've seen this with my Windows 10 ThinkPad and Windows 11 Dell XPS. Adding the YubiKey to the mix made this more apparent and annoying. For each BIOS update I would have to remove the YubiKeys from the iCloud account, authenticate the already authorized laptop to iCloud, and re-add the YubiKeys to my iCloud account.
I'll be frank. Every description of passkeys that I've heard makes them sound LESS secure than MFA. I'm working in the industry (vaguely) and I just don't trust them.
Unfortunately saying it slower doesn’t help
Many people walk around with their phones unlocked in their pocket. Then, if the phone is stolen, the passkeys will give automatic login to the websites. In this scenario it is worse than user/password. If you are in the habit of leaving your phone unlocked, then user/password is the way to go.
@CryingCroc The phone unlock code is then the only factor needed to get access.
That and physical access, yes. Having both is rare. And Passkeys add significant security in more commonly vulnerable situations.
Microsoft offers passwordless accounts, which they say are safer than with a password.
Actually, the Microsoft option is safer than this; passwordless is really, really solid... you have to have the actual phone with the authenticator to give permission.
Correct. No password to enter, no password to be stolen.
No excuse for having a password on your Microsoft account.
If I set up a passkey for an account with my phone and then want to log into that same account with another device, how does that work?
You set it up on the other device just like you set it up on the phone.
You don’t have to set a passkey on the other device. When logging in, the other device will display a QR code that you can scan with the device that has the passkey to let you through on the other device.
@MaxPower-11 Maybe. That's up to the specific service you're signing into.
@AskLeoShorts The specification (CTAP, aka X.1278) that enables a roaming authenticator with Passkeys was officially standardized back in 2018, so it's been around for a while.
@MaxPower-11 That may be, but passkey adoption has been slow, and I suspect not all providers have implemented this.
Currently only a few web services offer passkeys, as they are slowly rolling out.
One question: can passkeys be hacked, or is it impossible?
Passkeys aren't sent over the internet so they can only be guessed and even then, it is only of value on the owner's device(s).
@msun12000 Yeah, thanks for the info.
I'd never say "impossible" for anything - there are no absolutes in technology. But it's EXTREMELY, EXTREMELY unlikely.
@askleonotenboom Yeah, I thought so too.
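Three claims in this thread fit together: the reply that a password can be phished from halfway around the globe while a passkey cannot, the answer that passkeys aren't sent over the internet, and the earlier point that a lost device's passkeys can be remotely disabled from the account. The Go program below is an added example, not code from the video or from any commenter. It is a deliberately simplified model of the WebAuthn-style exchange: `example.com` is a made-up relying party, `examp1e.com` a made-up look-alike domain, the credential ID and the layout of the signed data are constructed for illustration (a real authenticator signs a structured authenticator-data blob plus a client-data hash), and the "device" is a struct with an `Unlocked` flag standing in for the PIN or biometric gate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// RelyingParty is a constructed model of a website that accepts passkeys.
// It stores public keys only; RPID is its domain ("example.com" is made up).
type RelyingParty struct {
	RPID  string
	creds map[string]ed25519.PublicKey // credential ID -> public key
}

// Authenticator is a constructed model of a device-bound passkey store behind a
// PIN/biometric gate. Private keys live here and are never sent anywhere.
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey // rpID -> private key
	Unlocked bool                          // "something you know / are" satisfied
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, creds: map[string]ed25519.PublicKey{}}
}
func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// signedData is what the device signs: hash(rpID) || hash(origin | challenge).
// Binding the origin and a fresh challenge is what defeats phishing and replay.
func signedData(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return append(rpHash[:], clientHash[:]...)
}

// Register creates a key pair on the device and gives the site only the public half.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	if !a.Unlocked {
		return "", errors.New("device locked: user verification required")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	a.keys[rp.RPID] = priv
	credID := hex.EncodeToString(pub[:8]) // constructed credential ID
	rp.creds[credID] = pub
	return credID, nil
}

// Assert signs a site's challenge for the origin the browser reports. A look-alike
// domain has no matching key, so a phishing page gets nothing to forward.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	priv, ok := a.keys[u.Hostname()]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", u.Hostname())
	}
	return ed25519.Sign(priv, signedData(u.Hostname(), origin, challenge)), nil
}

// Challenge returns a fresh random nonce; every login attempt gets a new one.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks the signature against the site's own rpID and origin, so a
// signature made for another origin or over an old challenge is refused.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	pub, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	if !ed25519.Verify(pub, signedData(rp.RPID, "https://"+rp.RPID, challenge), sig) {
		return errors.New("signature does not match this site and challenge")
	}
	return nil
}

// Revoke is the site-side effect of "remove this passkey from my account".
func (rp *RelyingParty) Revoke(credID string) {
	delete(rp.creds, credID)
}
```

What crosses the network in this model is only a signature over a one-time challenge, never the private key: a captured signature fails against the next challenge, a look-alike origin gets no signature at all because the device has no key for that domain, a leaked relying-party database yields only public keys, a locked device refuses to sign, and after `Revoke` even a perfectly valid signature from the lost device is rejected. Adding a new credential on another device, as the QR-code replies describe, is just another `Register` call against the same relying party.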