Here's the deal: passkeys are going to replace passwords in the near future. But are you comfortable starting that transition yet or are you going to wait until things get a little easier to manage?
@@greenbeginner3353 No, that's not the only safety gain. Of course, the added value is significantly lower if you already handle passwords responsibly, but that is not the case for most people. Disastrously bad passwords are chosen and used for several or all services. This is also prevented. And protection against phishing is no small matter...
Interesting stuff! Meanwhile it's laughable that banks barely have strong password requirements, with only sms 2fa if you're lucky.... it's a total joke
At the end of the day, this is just an "online version of a YubiKey", meaning that the approach is the same as the one with YubiKey, but the challenge answer is shared not over USB channel, but online. If the private key used for signing the challenge sits securely in your phone HSM, you should be safe as long as your phone doesn't get hacked (which with offline YubiKeys would be much harder): indeed, if your phone is rooted, such private keys are not secure anymore, even if they reside in the HSM.
@@FtMTranniesAreGrossWhat do you do if you lose your Yubikey? I assume they must work analogously to crypto hardware or software wallets where you save a recovery phrase somewhere. Anyway, from what I can gather so far… 1 Passkeys will work with Yubikeys, with the latter being the most secure form of passkey. 2 Passkeys as such are objectively much more secure than passwords and passwords plus 2FA. But, as ever, nothing is 100% secure.
Thanks for the video. Still unsure if this is a better option than the physical keys. Any follow up videos to clarify our confusions will be highly appreciated!
it's not a replacement for physical keys. It's a middle ground between passwords and security keys. However, passkeys can also be put onto a physical key like yubikey. But then backup and management is up to you.
I'm very sceptical about this (not least because it's Google). I'm happy using a strong unique password and 2FA and I'm yet to be convinced this is better. Also, Google accessing the passkey itself is not the real question here. Google is all about tracking you and making *you* the product, so I can see scenarios where Google doesn't know your passkey but it does know _where_ you are using passkeys.
You don't have to use Google for it, popular password managers like bitwarden and 1password will also support it: they save your passkeys, like they currently do with your passwords
Strong password & 2fa is still secure. However, no one is using it except when forced to. I see passkeys basically as a standard protocol between services and password/key managers, cutting out the middle man (which is you copying the password/key from one to the other). Where passkeys are more secure is that phishing for passwords or second factors gets basically eliminated. Humans have always been one of the weakest links. Of course, password managers have and will always be technically able to track what passwords/keys you are using. You should choose one that you trust. Most users are and will still be using the easiest/most forced one (built into Google Chrome)...
Thanks for the video. I get the potential benefits of passkeys, but nobody explains if I can get locked out of my accounts, or what if I set up a passkey on my computer but then I'm travelling and don't have access to the desktop, or if I set them up on the cell phone and lose it, etc etc. Can you possibly shed some light on this?
You can now enroll FIDO2 capable keys at Passkey section in security tab of Google account settings. Tested with Windows 11. I need to dismiss Windows Hello twice to begin enrollment of Security key by Yubico.
which was super handy since Google didn't seem able to take the key directly (except the Titan one I never use). Definitely have to dismiss the WH 2x as well, which is a minor nuisance also. Hopefully they solve both sooner than later. I am glad to see the new methods meanwhile.
I see no more asking for passwords. I continued to test it and then Google asked me one more time to activate the passkey. Now it’s just entering my email and then clicking on continue. An explanatory step later and one more click and it’s done, I’m logged in. I assume this explanatory step with time will disappear. Cheers from a happy surfer from Sweden. 👋🇸🇪
This ‘you still have to fill in your password thing’ they fixed that. On my iPhone I created a passkey for my Google account. It worked on my iPad right away and on my windows laptop with scanning of the QR code. On windows it asked to create a new passkey for my windows laptop which is stored in windows hello. About the security keys. It’s the same protocol and yes a security key is a little more secure than a passkey for a number of reasons. So I don’t think the keys will disappear anytime soon.
It is a much more secure method of logging in than just passwords, although it is not really a step up on security if you already use a long complex password which was generated by a passowrd manager + a 2FA method (exluding sms). It is just more convenient. Because of that, you are still vulnerable to session hijacking, an increasingly popular method of hacking, especially for youtubers.
It is more secure since the passkey is never actually sent to the service that you're authenticating against. Compared to a username/password which regardless of complexity is always sent over the network. The convenience also helps prevent phishing attacks since you never have to type anything in.
@@matthewcarr6708 Well, isn't prevention of unauthorised access our end goal though? Ok, let's assume that someone finds out our password. It doesn't really matter if you also have a 2 factor authentication activated though, does it? I guess you do have a point when it comes to phising attacks though, since you probably would also type in the temporary 2fa code, unless of course you have a Yubikey (as i do) as your 2FA, then it would be impossible.
Good to know I'm not the only one confused. XD You did at least explain the core idea behind aka the user is no longer the weak link, ideally. I do wonder about how security will pan out over time and just hope like you that physical key support stays a thing, and ideally continues to spread.
It's not early days. This has been used for years. This is just a streamline and rebranding of existing technology that you've already been using in some iteration.
Great channel ! Thanks to you I’m updating all my security keys. One question about security keys. If I want to use a physical key to access all my google apps how I’m going to login with that for example on my TH-cam on Apple TV box ? What’s the point of investing in the keys if then I can login on my smart tv with the normal password ? Thanks and great videos !
Thanks Josh. I couldn't sleep last night, just thinking through options for Authenticator Apps 😂. (I use 2FA where possible, but they are SMS based). Passkeys sound like a natural progression and I like simplicity and the extra security. I'm however a bit concerned about whether Passkeys, being partially based on biometrics, might lock out immediate family members, should I pass away?
I agree, but i feel the same about current passwords being more inaccesible. At least they could slip my hand onto my phone if i have an open casket funeral.
@mokiloke Hi, I'm using Fingerprints, but if my phone's reader doesn't recognise my fingerprint at least there is the fall-back of a Password. My wife has assess to our Passwords. I'm just uncertain what happens with Passkeys? I have cancer and while I'm doing ok, I'm interested in fully understanding how Passkeys will work. I love the concept, just need more information. Kindest Regards.
How do passkeys protect your embedded identity when your device is stolen? Mobile phone theft is on the rise. What do you do when you upgrade to the next smartphone and trade in, donate or recycle your old phone?
Hello just for your information every single time I've set up past keys so far on non-apple devices because I don't use Apple devices it asked me if I want to use a hardware key or if I want to use the device itself because this technology also works if you just use normal to a fake keys which addresses which concerns at the end of the video
Hey great video, yeah so like you said this is obviously new to all of us & lots to explore……now with Google there are a ton of apps like TH-cam that need to be signed in on Smart TVs/Apple TVs or the like & then there’s the security element once your account is signed in on another device which may be in your home or office…same goes with Google Maps; possibly signed in on an Android Music system in your car or the like…so considering we don’t use the same Google account everywhere then we don’t enjoy their premium services if one is a premium user…just some thoughts to consider 😊
I have only a laptop entertaining myself on TH-cam. For the time being there is no need for me to have a phone. Do I soon need a one to browse TH-cam on my laptop. Will I be I locked out if I don't have a phone?
When I tried to set up a Yubikey on my Win 10 PC for Google, it said, "Passkey cannot be set up on this device". I installed Windows Hello and then it worked.
I could imagine, for example if it turns out that the phone number is way too old to to pass the verification challange. A pattern lock can be offered for android or face id for apple. Interesting
I can not create a passkey on my Linux box and despite my S20 claims to have one being made already, it doesn't work either. So I stick with my Yubikey and KeepassXC.
I really like the idea of passkeys and changed my password into a very complicated one, expecting, that I would only need it as a backup, if ever. But it is a annoying, that login to a chromebook (not unlocking screen) still requires a password. And in my opinion this contradicts the whole idea. I mean, I have my smartphone next to me and I can use it to log in to my google account on a chrome browser on any windows system. Why not on a chromebook, googles own system?
Do you need a special device to set up google passkey for MacBook? If yes, can the same passkey device be used with multiple MacBooks (same Apple ID for all of them? )
I just set up the passkey on my iPhone 13 Pro Max; then I was about to set it up on my M1 MacBook Pro but didn't have to. When I went to log into my Google account (on my laptop), it asked me for my fingerprint and it worked! I did not have to put in a password, or use Google Authenticator or any of the methods before (and I did NOT set it up on my laptop...just my iPhone). So far, the Passkey is syncing through iCloud (as far as I can tell)
I've had the opportunity to test it a bit more and the results are, well, a bit disappointing. Windows' sandbox, unfortunately, wouldn't read my Yubikey for whatever reason, so I purged *ALL* cookies from one of my browsers and then ran it with all add-ons disabled. Result: Google still prompts for a password, so this is simply not a passwordless account setup. Specifically, the login flow is now: Username (email address), password, Yubikey, then passkey. Once you're signed in, Google then "fakes" a passwordless account by no longer presenting the password prompt when you sign in next time, but this is just left over from a previous cookie (strangely, incognito was not enough to avoid this, but purging ALL cookies did the trick). Note that I'm using "advanced account protection", but the password entry requirement still exists before either the yubikey or passkey is requested by the login flow. I may be misunderstanding something but as it is, the "passwordless" claim seems to be kind of smoke and mirrors. Terrible? Not really, but honestly it's just more weight on my opinion that they're stubbornly refusing to go truly passwordless like Microsoft in favor of making their phones the big focus, rather than security. In my opinion? People should keep using Advanced Account Protection and maybe skip this passkey thing, especially considering how damaging the passkey could potentially be if your phone is stolen. 🤔 But that's, like, just my opinion. (Big Lebowski)
I have a laptop in every room of the house and sometimes two or more laptops near the different chairs I sit in. I use different distro's of Ubuntu and linux on all the laptop and some I have dual and triple booted hard drives with three operating systems, I even have one laptop I rarely use with windows 10 on it, that's just what I do and enjoy. This sounds like a freaking nightmare to me, is this going to be ( forced ) on to us with no choice what so ever ???
Is it tested? Passkey work for Windows Hello Pin, but for automatically added android device, it prompts "sent notification to the device" but there is not reaction.
Before May 1st my android ph and Windows PC both worked fine with Google Account & email. Then my PC died. Now my new PC which is using Kaspersky Password Manager just like the one that died can't login to any Google account. Ph is just fine. How do I get my New PC to work with Google?
Hey there, how can I turn this off I don't want my lockscreen code to be the password to my google account I have authenticator already setup Dont want this on my phone Thanks
If my passkey is a pin code from an android phone, will the new device trying to login still have to use a QR code and will i get notified if there's a new sign in with passkey?????
Question about password security. Do you know of anything that we can store passwords on, something like yubikey, that would do the same functions as 1password or bitwarden?
This would not be Ideal to a secretary or personal assistant who is manages several devices for two bosses. I log into their many devices so I'm constantly entering in passwords.
As I understand it your bosses should be able to enter your device as well to unlock their devices. I have four phones and one fingerprint scanner set up to unlock on my PC ;)
If you more than one device you can access it from there, same goes for Youbikey, if you loose it and dont have a spare, you can not access any more....
What about mobileless users like me? Passwords are easy for me passkeys are really complicated this is insanity. What if I also login to an older Google account of mine where I had never set a passkey? Will it just disappear because of some stupid new "tech upgrade"? Ugh.
Passwords aren't going away anytime soon, don't worry. Your old Google account might disappear just because you haven't logged into it for a long time, but until that point you can use your password
Correct me if I'm wrong but these google passkeys are ALWAYS the same as your phone passkey! So whoever gets your phone key somehow now has access also to your google account! And whoever has gotten your google key now has access to your entire phone! I tried making a DIFFERENT PASSKEY from my phone key. You can't!! Privacy would be being able to make a number that ISN'T your phone key! Google passkey is fcked! Do not use it. You can't DISABLE google passkey once you've given them your number either!! This number is ALWAYS your whole phone passkey!! It's a way for them to get into whole phones!! I tried to post this to reddit 6 times and got deleted!!!
hey josh i'm waiting you to talk about it and my question is i set up a passkey for my samsung phone S9+ use IRIS scanner it is extremely biometric secure and the Question is why when sign in my laptop i notice that account log out Automatically every single day i need to log in and my laptop dosent support any kind of biometrics?!
As far as I know, passkeys store your usernames. In other words: you don't have to remember your user ID. I could be wrong, though. I'm not an expert on passkeys.
Nice content... I have a question that probably is another persons question also... So If I create a passkey on my mobile device and then i set a lock screen password to use that passkey (if I understood correctly) then someone that steals my mobile device and that saw me putting that screen lock password for the passkey will have direct access to my account? I hope I'm missing something here... Thanks
Even if it requires biometrics, the next question is: how does it respond after I add a new biometric (for example, a new fingerprint on an iPad)? This is a huge gaping whole for Apple’s standard passwords / keychain. I tested this recently. If I’m a bad actor who shoulder surfed someone’s iPhone/ iPad unlock passcode, and then go into settings and add another fingerprint, I can then use that to view all passwords stored in the built-in Apple password system. On the other hand, 1Password is smart enough to detect that the biometrics have changed since the last time I unlocked the app, and will then require me to use the full 1Password password to log in for that next time. This is the smart, safe use of the biometric login. I would be curious to know which of these protections passkeys will use going forward. I like the idea of the separate hardware security key (like my Yubikeys), but I can see that most people just aren’t going to give that level of commitment to their online security. For most users, the device-stored passkey is probably ideal. But I, too, hope that websites will support the use of Yubikeys.
I would say this situation is no different than using a password manager. If your phone credential is compromised, a person with physical access to your phone could use your password manager to log into all kinds of sites. Passkeys are stored on your device much like how a password manager handles ordinary passwords.
@@mecampbell30 it really depends on the particular password manager app. As in my post above, 1Password will not let you use the iPhone’s unlock code to get into it (unless one is silly enough to go out of their way, set up a PIN code for 1Password that matches the phone’s code). And if you add a new biometric, it’s aware of that, and requires the full password for access, any time the biometric has changed.
If you trust your browser; yes. If you don't; stop using your browser to log into your accounts. You can also store passkeys in a password manager instead of your browser. Many have plugins.
I'll need to watch the video here in a bit, but my immediate reaction to this from Google is "meh". They need to copy Microsoft's passwordless sign-in & stop this pantomiming with their phones. 🙄I enabled this on my account the other day and it solidly feels like a marketing gimmick by deliberately over engineering around their phones, rather than doing the sensible thing and going truly passwordless with FIDO keys. I still had to use my password to sign into google accounts on both my desktop and my phone. It was only after closing the browser and reloading the site that it finally acted as though the passkey was necessary. I'll need to use a browser in a Sandbox to verify that the service is working as one would assume, but for now, until I do, I actually wouldn't trust this to secure my account.
@@WilcoVerhoef I know. However it's the common name for it now, so I'm simply using the newer name for it. :) The implementation via mobile phones is also quite user friendly.
I would have expected better from a channel called "All Things Secured". Either properly mark your Google advert with the necessary text in the corner at the start of your video or stop spamming. We don't need your stinking passkey spam.
@@AllThingsSecuredYes, why else would you spread their misinformation? Do you really believe they value our security over making a couple of extra millions?
Nope. Never going to happen. I frequently am on my computer with my phone nowhere in site. Not to mention,. I am not going to lock my fucking phone just to sign into Google.
Here's the deal: passkeys are going to replace passwords in the near future. But are you comfortable starting that transition yet or are you going to wait until things get a little easier to manage?
Wait
Based on your video, I don’t see how it’s any more secure than a well designed password.
@@greenbeginner3353 passkeys cannot be phished
@@Venistro That’s all? That’s the entire value of a passkey? There’s got to be something more for such effort to be made to replace passwords.
@@greenbeginner3353 No, that's not the only safety gain. Of course, the added value is significantly lower if you already handle passwords responsibly, but that is not the case for most people. Disastrously bad passwords are chosen and used for several or all services. This is also prevented. And protection against phishing is no small matter...
Interesting stuff! Meanwhile it's laughable that banks barely have strong password requirements, with only sms 2fa if you're lucky.... it's a total joke
Preach
Agree, thinking about switching my bank cause my bank don’t care about security seems like
@@zzrelaaxx8945 I'm curious what you and others pick because I can't find anything good
It's worse than not having strong requirements. They actively prevent you from having strong passwords.
My bank only allows a 16 character password and SMS for 2FA
At the end of the day, this is just an "online version of a YubiKey", meaning that the approach is the same as the one with YubiKey, but the challenge answer is shared not over USB channel, but online. If the private key used for signing the challenge sits securely in your phone HSM, you should be safe as long as your phone doesn't get hacked (which with offline YubiKeys would be much harder): indeed, if your phone is rooted, such private keys are not secure anymore, even if they reside in the HSM.
I agree that Yubikeys are much preferred over phones. What would happen if your phone was compromised and you were not aware of it.
My understanding is that they still wouldn’t have access to your passkey without your biometrics or knowledge of your Apple iCloud password.
@@AllThingsSecured you can get by with just a passcode on iOS. No iCloud password necessary 😅
What do you do if you lose your phone? Yubikeys are better
@@FtMTranniesAreGrossWhat do you do if you lose your Yubikey? I assume they must work analogously to crypto hardware or software wallets where you save a recovery phrase somewhere.
Anyway, from what I can gather so far…
1 Passkeys will work with Yubikeys, with the latter being the most secure form of passkey.
2 Passkeys as such are objectively much more secure than passwords and passwords plus 2FA.
But, as ever, nothing is 100% secure.
Glad to hear you are trying to figure this out cause I/m still scratching my head. I agree with the yubikey method.
Thanks for the video. Still unsure if this is a better option than the physical keys. Any follow up videos to clarify our confusions will be highly appreciated!
it's not a replacement for physical keys. It's a middle ground between passwords and security keys. However, passkeys can also be put onto a physical key like yubikey. But then backup and management is up to you.
I'm very sceptical about this (not least because it's Google). I'm happy using a strong unique password and 2FA and I'm yet to be convinced this is better. Also, Google accessing the passkey itself is not the real question here. Google is all about tracking you and making *you* the product, so I can see scenarios where Google doesn't know your passkey but it does know _where_ you are using passkeys.
You don't have to use Google for it, popular password managers like bitwarden and 1password will also support it: they save your passkeys, like they currently do with your passwords
Strong password & 2fa is still secure. However, no one is using it except when forced to.
I see passkeys basically as a standard protocol between services and password/key managers, cutting out the middle man (which is you copying the password/key from one to the other).
Where passkeys are more secure is that phishing for passwords or second factors gets basically eliminated. Humans have always been one of the weakest links.
Of course, password managers have and will always be technically able to track what passwords/keys you are using. You should choose one that you trust. Most users are and will still be using the easiest/most forced one (built into Google Chrome)...
You are mixing things up here. This is for using google account itself. So by definition they are already tracking you with that.
Thanks for the video. I get the potential benefits of passkeys, but nobody explains if I can get locked out of my accounts, or what if I set up a passkey on my computer but then I'm travelling and don't have access to the desktop, or if I set them up on the cell phone and lose it, etc etc. Can you possibly shed some light on this?
u can click try another way and log in with a password or sms code ?
It can be synchronized with icloud etc
You can now enroll FIDO2 capable keys at Passkey section in security tab of Google account settings. Tested with Windows 11. I need to dismiss Windows Hello twice to begin enrollment of Security key by Yubico.
Thanks for sharing 🙏
which was super handy since Google didn't seem able to take the key directly (except the Titan one I never use). Definitely have to dismiss the WH 2x as well, which is a minor nuisance also. Hopefully they solve both sooner than later. I am glad to see the new methods meanwhile.
@@AllThingsSecured4:10
4:10
4:10
I see no more asking for passwords. I continued to test it and then Google asked me one more time to activate the passkey. Now it’s just entering my email and then clicking on continue. An explanatory step later and one more click and it’s done, I’m logged in.
I assume this explanatory step with time will disappear.
Cheers from a happy surfer from Sweden. 👋🇸🇪
This ‘you still have to fill in your password thing’ they fixed that. On my iPhone I created a passkey for my Google account. It worked on my iPad right away and on my windows laptop with scanning of the QR code. On windows it asked to create a new passkey for my windows laptop which is stored in windows hello. About the security keys. It’s the same protocol and yes a security key is a little more secure than a passkey for a number of reasons. So I don’t think the keys will disappear anytime soon.
It is a much more secure method of logging in than just passwords, although it is not really a step up on security if you already use a long complex password which was generated by a passowrd manager + a 2FA method (exluding sms). It is just more convenient. Because of that, you are still vulnerable to session hijacking, an increasingly popular method of hacking, especially for youtubers.
Thankfully many web services are getting wise and requiring you to reauthenticate for certain sensitive actions even with a session token.
@@mecampbell30 Yes, i sure do hope so.
I’m hoping this session hijacking problem is addressed quickly!
It is more secure since the passkey is never actually sent to the service that you're authenticating against. Compared to a username/password which regardless of complexity is always sent over the network. The convenience also helps prevent phishing attacks since you never have to type anything in.
@@matthewcarr6708 Well, isn't prevention of unauthorised access our end goal though? Ok, let's assume that someone finds out our password. It doesn't really matter if you also have a 2 factor authentication activated though, does it? I guess you do have a point when it comes to phising attacks though, since you probably would also type in the temporary 2fa code, unless of course you have a Yubikey (as i do) as your 2FA, then it would be impossible.
Passkeys can techincally be stored on a Fido key. I have done so with mine. However I only have room for 12 keys.
Good to know I'm not the only one confused. XD You did at least explain the core idea behind aka the user is no longer the weak link, ideally. I do wonder about how security will pan out over time and just hope like you that physical key support stays a thing, and ideally continues to spread.
Its still early days for passkeys. I think, I will wait till things get more clear. Nevertheless, Great video Josh
Thanks so much!
It's not early days. This has been used for years. This is just a streamline and rebranding of existing technology that you've already been using in some iteration.
@AllThing 4:10 sSecured
@@IkaikaArnado4:10
4:10
Technology corporations are constantly crossing the line with biometrics. Never give up your data to anyone.
Great channel ! Thanks to you I’m updating all my security keys. One question about security keys. If I want to use a physical key to access all my google apps how I’m going to login with that for example on my TH-cam on Apple TV box ? What’s the point of investing in the keys if then I can login on my smart tv with the normal password ?
Thanks and great videos !
In the case of an Apple TV, I'm pretty sure I remember having to verify my login with a phone or computer on which I could use my key.
@@AllThingsSecured Thanks for your answer!
Can you talk about Firefox add-ons?
Especially the Firefox Relay add-on
Thanks Josh. I couldn't sleep last night, just thinking through options for Authenticator Apps 😂. (I use 2FA where possible, but they are SMS based).
Passkeys sound like a natural progression and I like simplicity and the extra security. I'm however a bit concerned about whether Passkeys, being partially based on biometrics, might lock out immediate family members, should I pass away?
I agree, but i feel the same about current passwords being more inaccesible. At least they could slip my hand onto my phone if i have an open casket funeral.
@mokiloke Hi, I'm using Fingerprints, but if my phone's reader doesn't recognise my fingerprint at least there is the fall-back of a Password. My wife has assess to our Passwords.
I'm just uncertain what happens with Passkeys? I have cancer and while I'm doing ok, I'm interested in fully understanding how Passkeys will work. I love the concept, just need more information. Kindest Regards.
How do passkeys protect your embedded identity when your device is stolen? Mobile phone theft is on the rise. What do you do when you upgrade to the next smartphone and trade in, donate or recycle your old phone?
I created the passkey and I am still asked to go to TH-cam first. Afterwards I enter the passkey. This is annoying. One more layer to slay.
Hello just for your information every single time I've set up past keys so far on non-apple devices because I don't use Apple devices it asked me if I want to use a hardware key or if I want to use the device itself because this technology also works if you just use normal to a fake keys which addresses which concerns at the end of the video
Hey great video, yeah so like you said this is obviously new to all of us & lots to explore……now with Google there are a ton of apps like TH-cam that need to be signed in on Smart TVs/Apple TVs or the like & then there’s the security element once your account is signed in on another device which may be in your home or office…same goes with Google Maps; possibly signed in on an Android Music system in your car or the like…so considering we don’t use the same Google account everywhere then we don’t enjoy their premium services if one is a premium user…just some thoughts to consider 😊
Yea, that’s interesting. Thanks for sharing, Sachin!
Passkeys are resistant to online attacks like phishing
Is that a question or statement?
What if I change my phone and pc? Is there anything that I need to do first before I wipe out my devices?
When it asks for your password you have to click on the words that say try another way for it to use ur passkey
Yubikeys still the GOAT in my opinion
😂👍🏻
So when the "cloud rains" and drops tons of data "out of the virtual cloud in the sky" and then we are all screwed!
They aren't working for me, I create them, but it doesn't give me the option to use them when signing in...
Sounds like passkeys will be useful for 90% of sites, but downright dangerous for the other 10% of sites. Im hoping for a Passkey+Yubikey solution.
I have only a laptop entertaining myself on TH-cam. For the time being there is no need for me to have a phone. Do I soon need a one to browse TH-cam on my laptop. Will I be I locked out if I don't have a phone?
When I tried to set up a Yubikey on my Win 10 PC for Google, it said, "Passkey cannot be set up on this device". I installed Windows Hello and then it worked.
I could imagine, for example if it turns out that the phone number is way too old to to pass the verification challange. A pattern lock can be offered for android or face id for apple. Interesting
I can not create a passkey on my Linux box and despite my S20 claims to have one being made already, it doesn't work either.
So I stick with my Yubikey and KeepassXC.
I really like the idea of passkeys and changed my password into a very complicated one, expecting, that I would only need it as a backup, if ever. But it is a annoying, that login to a chromebook (not unlocking screen) still requires a password. And in my opinion this contradicts the whole idea. I mean, I have my smartphone next to me and I can use it to log in to my google account on a chrome browser on any windows system. Why not on a chromebook, googles own system?
Do you need a special device to set up google passkey for MacBook? If yes, can the same passkey device be used with multiple MacBooks (same Apple ID for all of them? )
I just set up the passkey on my iPhone 13 Pro Max; then I was about to set it up on my M1 MacBook Pro but didn't have to. When I went to log into my Google account (on my laptop), it asked me for my fingerprint and it worked! I did not have to put in a password, or use Google Authenticator or any of the methods before (and I did NOT set it up on my laptop...just my iPhone). So far, the Passkey is syncing through iCloud (as far as I can tell)
No special device or software.
All I used was my iPhone
I've had the opportunity to test it a bit more and the results are, well, a bit disappointing. Windows' sandbox, unfortunately, wouldn't read my Yubikey for whatever reason, so I purged *ALL* cookies from one of my browsers and then ran it with all add-ons disabled. Result: Google still prompts for a password, so this is simply not a passwordless account setup. Specifically, the login flow is now: Username (email address), password, Yubikey, then passkey. Once you're signed in, Google then "fakes" a passwordless account by no longer presenting the password prompt when you sign in next time, but this is just left over from a previous cookie (strangely, incognito was not enough to avoid this, but purging ALL cookies did the trick). Note that I'm using "advanced account protection", but the password entry requirement still exists before either the yubikey or passkey is requested by the login flow. I may be misunderstanding something but as it is, the "passwordless" claim seems to be kind of smoke and mirrors. Terrible? Not really, but honestly it's just more weight on my opinion that they're stubbornly refusing to go truly passwordless like Microsoft in favor of making their phones the big focus, rather than security. In my opinion? People should keep using Advanced Account Protection and maybe skip this passkey thing, especially considering how damaging the passkey could potentially be if your phone is stolen. 🤔 But that's, like, just my opinion. (Big Lebowski)
I have a laptop in every room of the house and sometimes two or more laptops near the different chairs I sit in. I use different distro's of Ubuntu and linux on all the laptop and some I have dual and triple booted hard drives with three operating systems, I even have one laptop I rarely use with windows 10 on it, that's just what I do and enjoy. This sounds like a freaking nightmare to me, is this going to be ( forced ) on to us with no choice what so ever ???
I think Google broke something. I was able to sign in from my phone, but now when I try to sign in on a computer I have to put in my password.
When i scan the qr code it always say "failed to parse qr code" how do i fix PLS HELP!
Can you no longer add another security key since they added this?
Can i use a passkey to retrieve my email account which i forgot My password
Is it tested? Passkey work for Windows Hello Pin, but for automatically added android device, it prompts "sent notification to the device" but there is not reaction.
It says that my device does not support passkeys.
This is bullshit.
Ill stick to my passwords.
Before May 1st my android ph and Windows PC both worked fine with Google Account & email. Then my PC died. Now my new PC which is using Kaspersky Password Manager just like the one that died can't login to any Google account. Ph is just fine. How do I get my New PC to work with Google?
Hey there, how can I turn this off
I don't want my lockscreen code to be the password to my google account
I have authenticator already setup
Dont want this on my phone
Thanks
Saving your passkey to the Apple cloud is NOT end to end encrypted.
A long time ago I put in my password and had it saved so I never have to type my password again. How is this easier ?
Not easier but safer
If my passkey is a pin code from an android phone, will the new device trying to login still have to use a QR code and will i get notified if there's a new sign in with passkey?????
Question about password security. Do you know of anything that we can store passwords on, something like yubikey, that would do the same functions as 1password or bitwarden?
This would not be Ideal to a secretary or personal assistant who is manages several devices for two bosses. I log into their many devices so I'm constantly entering in passwords.
As I understand it your bosses should be able to enter your device as well to unlock their devices. I have four phones and one fingerprint scanner set up to unlock on my PC ;)
What if my phone breaks, or I lose it, or someone steals it from me?
For now, you can still fall back on your password, but in the future I’m pretty sure they will force backup 2FA, such as from a 2FA key.
If you more than one device you can access it from there, same goes for Youbikey, if you loose it and dont have a spare, you can not access any more....
Store more than one passkey.
Now they can link accounts to your identity. No more burners. Klaus is happy with this.
What about mobileless users like me? Passwords are easy for me passkeys are really complicated this is insanity. What if I also login to an older Google account of mine where I had never set a passkey? Will it just disappear because of some stupid new "tech upgrade"? Ugh.
Passwords aren't going away anytime soon, don't worry.
Your old Google account might disappear just because you haven't logged into it for a long time, but until that point you can use your password
Will this system still be susceptible of account hacking (ie. on TH-cam channels) since they store cookies and those can be stolen by virus software?
Correct me if I'm wrong but these google passkeys are ALWAYS the same as your phone passkey! So whoever gets your phone key somehow now has access also to your google account! And whoever has gotten your google key now has access to your entire phone! I tried making a DIFFERENT PASSKEY from my phone key. You can't!! Privacy would be being able to make a number that ISN'T your phone key! Google passkey is fcked! Do not use it. You can't DISABLE google passkey once you've given them your number either!! This number is ALWAYS your whole phone passkey!! It's a way for them to get into whole phones!! I tried to post this to reddit 6 times and got deleted!!!
hey josh i'm waiting you to talk about it and my question is
i set up a passkey for my samsung phone S9+ use IRIS scanner it is extremely biometric secure and the Question is why when sign in my laptop i notice that account log out Automatically every single day i need to log in and my laptop dosent support any kind of biometrics?!
I’m not sure I understand the question. Biometrics is entirely dependent upon the hardware, so the kind of laptop you have matters.
Don't we still have to remember our userid's?
As far as I know, passkeys store your usernames. In other words: you don't have to remember your user ID. I could be wrong, though. I'm not an expert on passkeys.
Yubikey > Passkey
Nice content... I have a question that probably is another persons question also... So If I create a passkey on my mobile device and then i set a lock screen password to use that passkey (if I understood correctly) then someone that steals my mobile device and that saw me putting that screen lock password for the passkey will have direct access to my account? I hope I'm missing something here... Thanks
I’m not 100% sure. I don’t think your passcode will unlock the passkey. It would require your biometrics or your Apple password, I think?
Even if it requires biometrics, the next question is: how does it respond after I add a new biometric (for example, a new fingerprint on an iPad)? This is a huge gaping whole for Apple’s standard passwords / keychain. I tested this recently. If I’m a bad actor who shoulder surfed someone’s iPhone/ iPad unlock passcode, and then go into settings and add another fingerprint, I can then use that to view all passwords stored in the built-in Apple password system.
On the other hand, 1Password is smart enough to detect that the biometrics have changed since the last time I unlocked the app, and will then require me to use the full 1Password password to log in for that next time. This is the smart, safe use of the biometric login.
I would be curious to know which of these protections passkeys will use going forward. I like the idea of the separate hardware security key (like my Yubikeys), but I can see that most people just aren’t going to give that level of commitment to their online security. For most users, the device-stored passkey is probably ideal. But I, too, hope that websites will support the use of Yubikeys.
I would say this situation is no different than using a password manager. If your phone credential is compromised, a person with physical access to your phone could use your password manager to log into all kinds of sites. Passkeys are stored on your device much like how a password manager handles ordinary passwords.
@@mecampbell30 it really depends on the particular password manager app. As in my post above, 1Password will not let you use the iPhone’s unlock code to get into it (unless one is silly enough to go out of their way, set up a PIN code for 1Password that matches the phone’s code).
And if you add a new biometric, it’s aware of that, and requires the full password for access, any time the biometric has changed.
Is it safe to save the passkey in the browser? My gut tells me not, what am I missing?
If you trust your browser; yes. If you don't; stop using your browser to log into your accounts.
You can also store passkeys in a password manager instead of your browser. Many have plugins.
4 minutes of nothing.
Show us an example video of the creation of one passkey, so we can actually use this feature TODAY.
It would be so much easier if we all could use our thumb print.
How to disable them?
honestly reluctant to use this. not rolled out by Google well. I am a tech person and I don't really understand this.. :)
set up a passkey for my accounts
Awesome overview
I'll need to watch the video here in a bit, but my immediate reaction to this from Google is "meh". They need to copy Microsoft's passwordless sign-in & stop this pantomiming with their phones. 🙄I enabled this on my account the other day and it solidly feels like a marketing gimmick by deliberately over engineering around their phones, rather than doing the sensible thing and going truly passwordless with FIDO keys. I still had to use my password to sign into google accounts on both my desktop and my phone. It was only after closing the browser and reloading the site that it finally acted as though the passkey was necessary. I'll need to use a browser in a Sandbox to verify that the service is working as one would assume, but for now, until I do, I actually wouldn't trust this to secure my account.
"Passkeys" are what Google and Apple call FIDO keys
@@WilcoVerhoef I know. However it's the common name for it now, so I'm simply using the newer name for it. :) The implementation via mobile phones is also quite user friendly.
how do i remove it?
I would have expected better from a channel called "All Things Secured".
Either properly mark your Google advert with the necessary text in the corner at the start of your video or stop spamming.
We don't need your stinking passkey spam.
😂🤣 You think Google PAID me?! 🤣
@@AllThingsSecuredYes, why else would you spread their misinformation? Do you really believe they value our security over making a couple of extra millions?
ty
Great Video!!
it doesn't work on my Pixel 7 Pro
Hmm…I don’t know why that would be.
What if you have not set up a passkey but enable the passkey function on your google account? It seems really troublesome to get it work
The future is now!!!
Nope. Never going to happen. I frequently am on my computer with my phone nowhere in site. Not to mention,. I am not going to lock my fucking phone just to sign into Google.
That stain on your blue background is annoying as hell.
hard to follow video
Hello!
Hi
Sounds more confusing and uncertain than passwords at the moment.
I hate this feature
Sorry
👍🏻
🙏
is this only apple bs
I'm losing brain power a little more each year. And I just lost more watching this. I'm retired so that's my deal.
NEVER EVER WILL I TRUST GOOGLE PRODUCTS
But it’s not a Google product. So…??
I wouldn’t trust google with my dirty socks 😂
I don’t think you understand…a passkey is not “trusting Google” any more than creating a password is trusting Google.