I personally would appreciate a more detailed and easy understanding of the steps needed to use and make a yubikey successful for greater security so YES to your query!
A tutorial would be great, perhaps a series of tutorials. I used to use Yubikeys when they first came out but found the too inconvenient for home use. Having a physical key is great but when you have 3 or more devices spread out over work and home...
I like the chart at the beginning showing the time it takes hackers in 2023 to brute force passwords. Yes, I have been using YubiKeys for at least the past 2 years. Yes, I have two Yubikeys as recommended by Yubico. Yes, I've "Smart Card" paired both keys to all my devices which means I have to use my YubiKey to log into my devices.
The fact that I have better 2FA on my social media accounts than my financial accounts because a lot of financial sites still don't offer 2FA options drives me nuts.....
Amen! At this time Bank of America is the ONLY major bank that allows hardware keys like Yubikeys to be used for 2FA. Vanguard is the only other major financial institution that allows Yubikeys for 2FA
Ditto. My banks only offer (now force) SMS and some emailed 2FA codes. (one is ONLY SMS codes). None of them allow me to use an authenticator app; forget about hardware keys. I am guessing the plan is to skip over all that until forced Digital IDs are implemented.
When Apple "presented" Passkeys last year I was really hoping it would catch on. however now over a year later only a couple of companies have adopted it. It does not seem to work in all browsers - and it is not clear which are actually supported. My biggest problem is, that is not clear to me how the process works technically. In some videos people said in order to sign in on a foreign device - say you want to login to google on your office PC - you need BT on both devices but the devices do not need to be paired. I tried this and - we use edge - and the Google page did not give me the Passkeys login option. It just asked for a password. Why? This really needs to just work in any browser and when it does not there needs to be a clear error message why passkeys is not available so you can fix it.
Mahalo for this passkey info. I JUST watched another video at "The New Oil" about a passkey called "Nitrokey", and that was fascinating, too. My threat model is very...mahjongg-playing old guy...but information security is a totally absorbing topic for me. Keep up the EXCELLENT work on this subject! Aloha!
Oh! This future tech is going to be big! As someone who often works with end users I know they mostly disregard password best practices. This may finally resolve that lingering issue.
Shannon as always amazing content thank you so much for all the time you put into researching this and sharing it. I would also love to see tutorials, I'm on android and Linux computers (desktop and laptop), and it's not clear to me how to implement this. Thanks again, awesome content.
Thanks. I wish more financial companies supported even things like Yubikeys. It really stinks that to stay secure and maintain some ease of use I’m going to have to go all in and be locked into either Apple or Google. I love those hash browns as well, especially once air fryers came out!
Great content! Yes, passkeys are great, but available information about it is kind of sketchy. Please, do more detailed video explanation on it. Thank you Shannon!!!
I was frustrated that the first appearance of a passkey definition didn't appear until 3:30 into the video. I'm happy to hear the background and context, but please, answer the question first, then you can provide the info required to understand the definition.
Hey Shannon, I’m a recent channel subscriber, and I am an IAM IT Pro. WOW! I’m so impressed with, and I am going try borrowing some of, your methods of explaining complex technical material (e.g., passkeys (multi-device FIDO Credential, WebAuthn)). Lord knows it will come in handy trying to explain this stuff to C-Suite folk. Kudos to you! I’ve watched the show 2x and will recommend it to others. MM. Oh! By the way, I loved the clever "Salty hash browns" innuendo analogy! :)
Some websites don't recognize the newly created Passkeys (created using a hardware key instead of biometric) at all. So a test of the new Passkeys right after the creation is needed.
Yes a tutorial in depth would be great. You cover a lot of details and unless I can transfer the information into a more visual form, it evaporates from my memory! Very useful update, thank you.
Considering most websites prevent continued login requests, the threat of having your accounts brute-forced nowadays isn't really a concern. Maybe more so it's a concern for companies that apply poor cryptographic security for their data storage, if they lose the data and then some hacker can spend a long time trying to brute force it.
I've been working on this in my homelab. It started out with exposing services, then I wanted LDAP, so I set up FreeIPA, then I wanted to put IDM in front of that, so I am setting up Authentik (Yes, I know I could use Keycloak), and looking into Webauthn. My kids aren't impressed...yet.
The main question I still have is "does a passkey replace username/password?" I have username/password set for a lot of accounts. I have seen some websites prompt me to add a passkey. But if it doesn't remove the password it is only adding a new way to log in. To be more secure the password should be revoked when the passkey is set.
Outstanding explanation and definitely something I will now think about implementing. As for further explanation videos, can we get one on your constant changing hair and nail colours lol Thanks for your videos, which at about 10 mins is perfect for doing bite size catch ups.
Good topic. I ordered a v5 Yubikey to replace my v4 (thanks for the code!). I look forward to your video on using it as a passkey (though I'll try to figure it out first. :) )
At this moment in time one has to ask if one is looking at creating new public key standards, how does this deal with the post-quantum public key risks that many believe to be on the horizon?
Would really like to know the rollout for Passkeys. With most of us having numerous websites made up of stores, banks, forums, airlines and multiple streaming sites, when will they be onboard? How will we know?
The problem is that the password problem still exists. If you lose your passkey you must reauthenticate to the service which generally requires your user name and password. The account reset process, if you don’t have those, can become the weak link, especially if the designers of that process (which is NOT standardized) didn’t give enough or proper consideration of all the security details.
Thanks for your tutorial. V helpful. Passkeys will make things more secure and it is clear that I can use all my devices. Where I am unsure is how this would work on a public computer such as a library or coffee shop? How would I authenticate using my phone onto such a computer? Do I then revert to user name and password (even if 2FA), which sort of defeats the objective? Thanks again.
What if you loose your phone or your phone is damaged beyond repairs, what then. Qould love to see a tutorial on creating a passkey account and using one as well.
Question for you Shannon… existing asymmetric public/private key algorithms are known not to be Quantum resistant. Do the existing passkey algorithms also suffer from a lack of Quantum resistance?
This is basically a step closer to digital ID. With the intro of biometric authentication, phone manufacturers track you because they can determine the true identity of the device owner. With passkeys, all online sites that support passkeys will have that ability as well since your private keys will be tied to your device, which is tied to your biometrics.
There is a fairly recent problem with Apple / Google mobile devices where if someone swipes your phone and runs off while it is unlocked. They could change the passcode and even your Apple / Google account password and hijack your account. This is because both Apple and Google trust the device because it was unlocked with biometrics. I don't know if this oversight has been fixed or not. During pandemic people used passcodes to unlock mobile device because of masks being an issue initially with biometrics. Thieves would observe you entering the passcode so they could unlock the device then hijack your Apple / Google account.
I don't use a mobile device out in public. I only carry a HT. I use yubikey in my own home and my cell phones don't leave the area. Make sure all recovery are all backed up securely.
I got a couple of Yubico keys back when they first came out. As I remember they were real complicated to set up and a pain in the but to use. I didn't use it very long before I got tired of it.
95% of the time I am using my desktop and not my phone for going into websites. How do passkeys work for that? I assume the site has to have passkeys enabled for it to work? Not sure on how to set this up.
I have no idea how to use these and am always wondering as it comes up everywhere and since I have been watching your videos especially Yes please how get started 101 would be so appreciated 🙏
Thank you for the video, Shannon! As I commented on your new video, the risk of losing or damaging the device is a concern holding me back from getting something like Yubico. Could you make a video explaining: What should you do when you lost the Passkey device? Can a Passkey device be backed up to another Passkey device? If so, do you need to back up (duplicate) only once (maybe if it only contains the private key?) or do you have to back up after registering onto new websites on a regular basis?
Question I have is how everyone is saying passkeys will replace passwords, but how would I set up a passkey to begin with if not with a password? For example say I set it up on my phone, with a password, get rid of the password, and then lose my phone. Am I screwed?
I bought a Yubikey and tried to set it up with my Google account. Almost all TH-camrs (this channel included) show how to set up the Yubikey with Google by adding it as a security key. But when I try that I get an error. Instead, Google sets up a passkey (without even letting me know) and I was finally able to use my Yubikey with my Google account after discovering this. It sure would be nice if it werent so difficult and confusing and if things were just clear. Especially since Yubico is sponsoring this video, they should also be more clear about how setting up a Yubikey works with Google and that it is now via passkey instead of security key.
It is not just confusing, just add remembering a different password for everything and having to change them frequently. It is just a nightmare. Then also consider that some websites want the password in a different format (different number of characters, special characters and numbers). A person who has a hard time with memorizing things will feel hopeless!
On higher security systems, registering the account / passkey should probably require MFA with an App or hardware key. You would only need that App / hardware key initially to setup the passkey authentication or when making other changes to your account. Some MFA methods now have a 2 digit code presented that you must type into the MFA App to complete the approval and biometrics could also be required.
Triple Factor for the win! I wish Yubico's new Yubikey Bio provided the full support that their 5 series does. I'd have upgraded all my Yubikeys to it.
So if I hear you right I would need two yubikeys. One that I carry and one that I store in a secure place in the event of device failure. Do these keys ever fail? Or is it better to have multiple devices? One day passkeys too be will breached, especially if you don't have a device updated all the time. Even with updates Zero days can happen. It's all about the risks and how to lower them. Example a chrome device over a windows device. Especially if all we do is online. Thanks for the video, there was a lot of great info.
Absolutely. If a platform allows for multiple keys, you'd just need to add a second one. Adding secondary keys totally depends on each platform and what protocols they accept
I didn't understand this very well. When listening to an explanation, I think about, "How would this work for my situation?," and I don't know. Most of my "devices" are desktop computers with Ubuntu Linux. What would the process be to transfer passkeys to another Linux installation?
I can't use a passkey created on an iPhone to log into a site when I'm using my PC, whereas a password can be used on both devices. Is that correct or am I barking up the wrong tree? Anyway, keep up the good work :)
If I have to sign into a device why do I need a password, or passkey for every web address. once I'm signed in there should be NO NEED for this headache
Please, create a detailed, step-by-step for "Smart Card pairing" of a Yubikey to a Mac & a PC. The steps are different between Macs & PCs. Yes, I've successfully, "Smart Card Paired" both of my YubiKeys to each of my Macs. Warm Regards from Reno, Nevada
More security is great. however, the more you overtake the plumbing, the easier to stop up the drain. The Enigma machine was broken, so I am sure the pass key can be cracked by someone just like encryption is breakable. The only way to win is not to play, (War Games) UBI keys can work in the moment.
So what happens when you cross an international border and they force you to unlock your device so they can search it or even just copy it outright. Surely they can then access everything because they now have your passkeys. With a password manager those authorities would still require your master password which if strong would I expect stop them or significantly slow them down. I suppose I'll need to properly research passkeys and inform myself how it all works as a security ecosystem.
Interesting. We will all need to get with users and promote this..I see there is an amateur radio callsign in your background, but it is not fully displayed. What is your callsign? De KB1PA
So how long will it take, until you can buy a bunch of biometric data in the dw? Imagine the power you can gain over somebody if you can identity steal their biometrics and every provider like banking or courts will go with it?
what about man in the middle? google sends the request to "my computer" to confirm the public passkey. My computer says nope it isn't right. But the person listening and sending somewhere in the middle sends a yes everything is good and then continues to hijack the session from there. Perhaps the explanation was too simplified on what is sent in return between google and my computer. I assume it would have to be time sensitive and wouldn't be the exact same thing every time? There is probably a lot more complexity than what I'm understanding.
There are two kinds of passkeys. Your phone can be a passkey or you can get an "offline" passkey, like a yubikey. Both are tied to a hardware device but one can be backed up to the cloud.
Chia crypto currency uses Public and private keys to do mining. It's awesome. Your able to give your public to someone that if you want allow them to plot(what you mine) with their hardware. So instead of using my hardware someone else can, and then send me the HDDs to me to host where ever I want. Loving seeing more and more ways to stay safe on the internet everywhere.
If your idea of using computers/internet is your phone, then this makes sense. But having to have your phone up and ready just to get into your laptop or desktop is bogus.
Процедуру одобрения можно подделать, т.к. передается ответ, а не хэш. The approval procedure can be forged, because the response is transmitted, not the hash.
That's fair. Keep in mind biometrics aren't transmitted when you use them for authentication. They're stored locally and sandboxed, so they aren't even shared with other apps.
I'm also very enthusiastic since I tried WebAuthn back in 2018 and passkeys in the past year. It's even more urgent to switch to them since the most recent revelations that a quantuum computer can do in just a few seconds what would take 47 years to a normal computer. So our passwords will really be in danger within the next few years. And I'm trying to convince the most people I can to use them as soon as possible
@@Darkk6969 doing that since 2011 😉 at least 20 characters on sites that allows it. So many sites are still limiting to 12... It's for those ones that I'm afraid
I personally would appreciate a more detailed and easy understanding of the steps needed to use and make a yubikey successful for greater security so YES to your query!
Especially in a cloud-only enterprise!
yes tutorials please wizard lady
A tutorial would be great, perhaps a series of tutorials. I used to use Yubikeys when they first came out but found the too inconvenient for home use. Having a physical key is great but when you have 3 or more devices spread out over work and home...
As someone who works in infosec I love the work you do in raising public awareness. Great video.
I like the chart at the beginning showing the time it takes hackers in 2023 to brute force passwords.
Yes, I have been using YubiKeys for at least the past 2 years. Yes, I have two Yubikeys as recommended by Yubico.
Yes, I've "Smart Card" paired both keys to all my devices which means I have to use my YubiKey to log into my devices.
The fact that I have better 2FA on my social media accounts than my financial accounts because a lot of financial sites still don't offer 2FA options drives me nuts.....
Amen! At this time Bank of America is the ONLY major bank that allows hardware keys like Yubikeys to be used for 2FA. Vanguard is the only other major financial institution that allows Yubikeys for 2FA
Ditto. My banks only offer (now force) SMS and some emailed 2FA codes. (one is ONLY SMS codes). None of them allow me to use an authenticator app; forget about hardware keys. I am guessing the plan is to skip over all that until forced Digital IDs are implemented.
why you need security if you sell yourself for free?
For the last decade I have been advocating for Password managers to be the norm. Passkey's are the next evolution of this.
Yup they are!!
When Apple "presented" Passkeys last year I was really hoping it would catch on. however now over a year later only a couple of companies have adopted it. It does not seem to work in all browsers - and it is not clear which are actually supported. My biggest problem is, that is not clear to me how the process works technically.
In some videos people said in order to sign in on a foreign device - say you want to login to google on your office PC - you need BT on both devices but the devices do not need to be paired. I tried this and - we use edge - and the Google page did not give me the Passkeys login option. It just asked for a password. Why? This really needs to just work in any browser and when it does not there needs to be a clear error message why passkeys is not available so you can fix it.
Mahalo for this passkey info. I JUST watched another video at "The New Oil" about a passkey called "Nitrokey", and that was fascinating, too. My threat model is very...mahjongg-playing old guy...but information security is a totally absorbing topic for me. Keep up the EXCELLENT work on this subject! Aloha!
Oh! This future tech is going to be big! As someone who often works with end users I know they mostly disregard password best practices. This may finally resolve that lingering issue.
Shannon as always amazing content thank you so much for all the time you put into researching this and sharing it. I would also love to see tutorials, I'm on android and Linux computers (desktop and laptop), and it's not clear to me how to implement this. Thanks again, awesome content.
Thanks. I wish more financial companies supported even things like Yubikeys. It really stinks that to stay secure and maintain some ease of use I’m going to have to go all in and be locked into either Apple or Google.
I love those hash browns as well, especially once air fryers came out!
Great content! Yes, passkeys are great, but available information about it is kind of sketchy. Please, do more detailed video explanation on it. Thank you Shannon!!!
I was frustrated that the first appearance of a passkey definition didn't appear until 3:30 into the video. I'm happy to hear the background and context, but please, answer the question first, then you can provide the info required to understand the definition.
Hey Shannon, I’m a recent channel subscriber, and I am an IAM IT Pro. WOW! I’m so impressed with, and I am going try borrowing some of, your methods of explaining complex technical material (e.g., passkeys (multi-device FIDO Credential, WebAuthn)). Lord knows it will come in handy trying to explain this stuff to C-Suite folk. Kudos to you! I’ve watched the show 2x and will recommend it to others. MM. Oh! By the way, I loved the clever "Salty hash browns" innuendo analogy! :)
Some websites don't recognize the newly created Passkeys (created using a hardware key instead of biometric) at all. So a test of the new Passkeys right after the creation is needed.
Thanks for sharing: very informative. I look forward to future videos. Blessings on your day!
Yes a tutorial in depth would be great. You cover a lot of details and unless I can transfer the information into a more visual form, it evaporates from my memory! Very useful update, thank you.
Considering most websites prevent continued login requests, the threat of having your accounts brute-forced nowadays isn't really a concern. Maybe more so it's a concern for companies that apply poor cryptographic security for their data storage, if they lose the data and then some hacker can spend a long time trying to brute force it.
I've been working on this in my homelab. It started out with exposing services, then I wanted LDAP, so I set up FreeIPA, then I wanted to put IDM in front of that, so I am setting up Authentik (Yes, I know I could use Keycloak), and looking into Webauthn.
My kids aren't impressed...yet.
Great video, Shannon!
Yes, more videos on this topic, please
The main question I still have is "does a passkey replace username/password?"
I have username/password set for a lot of accounts. I have seen some websites prompt me to add a passkey. But if it doesn't remove the password it is only adding a new way to log in. To be more secure the password should be revoked when the passkey is set.
Outstanding explanation and definitely something I will now think about implementing. As for further explanation videos, can we get one on your constant changing hair and nail colours lol Thanks for your videos, which at about 10 mins is perfect for doing bite size catch ups.
Great intro! I'm curious myself about local login with passkeys; do you know the state/possibility of this across Win/Mac/*nix systems?
You are such a beautiful asset to the technology world. Great video! Thank you for sharing!
CONGRATULATIONS, Shannon, 102,000 subscribers.
Good topic. I ordered a v5 Yubikey to replace my v4 (thanks for the code!). I look forward to your video on using it as a passkey (though I'll try to figure it out first. :) )
At this moment in time one has to ask if one is looking at creating new public key standards, how does this deal with the post-quantum public key risks that many believe to be on the horizon?
Would really like to know the rollout for Passkeys. With most of us having numerous websites made up of stores, banks, forums, airlines and multiple streaming sites, when will they be onboard? How will we know?
I think a flowchart would be helpful.
The problem is that the password problem still exists. If you lose your passkey you must reauthenticate to the service which generally requires your user name and password. The account reset process, if you don’t have those, can become the weak link, especially if the designers of that process (which is NOT standardized) didn’t give enough or proper consideration of all the security details.
Thanks for your tutorial. V helpful. Passkeys will make things more secure and it is clear that I can use all my devices. Where I am unsure is how this would work on a public computer such as a library or coffee shop? How would I authenticate using my phone onto such a computer? Do I then revert to user name and password (even if 2FA), which sort of defeats the objective? Thanks again.
What if you loose your phone or your phone is damaged beyond repairs, what then. Qould love to see a tutorial on creating a passkey account and using one as well.
Have a great weekend Sailor Moon Shannon 😊
Question for you Shannon… existing asymmetric public/private key algorithms are known not to be Quantum resistant. Do the existing passkey algorithms also suffer from a lack of Quantum resistance?
What pass key is best for iPhone 14???
This is basically a step closer to digital ID. With the intro of biometric authentication, phone manufacturers track you because they can determine the true identity of the device owner. With passkeys, all online sites that support passkeys will have that ability as well since your private keys will be tied to your device, which is tied to your biometrics.
There is a fairly recent problem with Apple / Google mobile devices where if someone swipes your phone and runs off while it is unlocked. They could change the passcode and even your Apple / Google account password and hijack your account. This is because both Apple and Google trust the device because it was unlocked with biometrics. I don't know if this oversight has been fixed or not. During pandemic people used passcodes to unlock mobile device because of masks being an issue initially with biometrics. Thieves would observe you entering the passcode so they could unlock the device then hijack your Apple / Google account.
I don't use a mobile device out in public. I only carry a HT. I use yubikey in my own home and my cell phones don't leave the area. Make sure all recovery are all backed up securely.
I got a couple of Yubico keys back when they first came out. As I remember they were real complicated to set up and a pain in the but to use. I didn't use it very long before I got tired of it.
95% of the time I am using my desktop and not my phone for going into websites. How do passkeys work for that? I assume the site has to have passkeys enabled for it to work? Not sure on how to set this up.
I have no idea how to use these and am always wondering as it comes up everywhere and since I have been watching your videos especially
Yes please how get started 101 would be so appreciated 🙏
Thank you for the video, Shannon! As I commented on your new video, the risk of losing or damaging the device is a concern holding me back from getting something like Yubico. Could you make a video explaining: What should you do when you lost the Passkey device? Can a Passkey device be backed up to another Passkey device? If so, do you need to back up (duplicate) only once (maybe if it only contains the private key?) or do you have to back up after registering onto new websites on a regular basis?
Question I have is how everyone is saying passkeys will replace passwords, but how would I set up a passkey to begin with if not with a password? For example say I set it up on my phone, with a password, get rid of the password, and then lose my phone. Am I screwed?
I bought a Yubikey and tried to set it up with my Google account. Almost all TH-camrs (this channel included) show how to set up the Yubikey with Google by adding it as a security key. But when I try that I get an error. Instead, Google sets up a passkey (without even letting me know) and I was finally able to use my Yubikey with my Google account after discovering this. It sure would be nice if it werent so difficult and confusing and if things were just clear. Especially since Yubico is sponsoring this video, they should also be more clear about how setting up a Yubikey works with Google and that it is now via passkey instead of security key.
It is not just confusing, just add remembering a different password for everything and having to change them frequently. It is just a nightmare. Then also consider that some websites want the password in a different format (different number of characters, special characters and numbers). A person who has a hard time with memorizing things will feel hopeless!
So what happens to the key if you have to factory reset
Of course! The three places, where I can use passkeys, will do.
what happens if we change or remove windows login password for example ?
On higher security systems, registering the account / passkey should probably require MFA with an App or hardware key. You would only need that App / hardware key initially to setup the passkey authentication or when making other changes to your account. Some MFA methods now have a 2 digit code presented that you must type into the MFA App to complete the approval and biometrics could also be required.
So how would you use a passkey to login at an internet cafe ?
Great content & very well explained. Can I opt out of using passkeys and return to username, password, and my YubiKey?
Yes, at least right now you can. 👍
Is the new weak spot when using passkeys losing or having the device stolen when the passkey is on the device?
Threat modeling, good point! Please do a video on how a private individual can define their own threat model! 🙏
Triple Factor for the win!
I wish Yubico's new Yubikey Bio provided the full support that their 5 series does. I'd have upgraded all my Yubikeys to it.
When adding a passkey to google, do you first have to disable all existing 2fa within the account?
Thanks for this informative video. As for another video on how to use Yubikeys, yes please.
So if I hear you right I would need two yubikeys. One that I carry and one that I store in a secure place in the event of device failure. Do these keys ever fail? Or is it better to have multiple devices? One day passkeys too be will breached, especially if you don't have a device updated all the time. Even with updates Zero days can happen. It's all about the risks and how to lower them. Example a chrome device over a windows device. Especially if all we do is online. Thanks for the video, there was a lot of great info.
Very nicely done explanation. I could send this to my mom and she would get it.
@ShannonMorse If I use a hardware-based passkey like a Yubikey, is there a way for me to have my Spouse have a key synced or duplicated for her use?
Absolutely. If a platform allows for multiple keys, you'd just need to add a second one. Adding secondary keys totally depends on each platform and what protocols they accept
I didn't understand this very well. When listening to an explanation, I think about, "How would this work for my situation?," and I don't know. Most of my "devices" are desktop computers with Ubuntu Linux. What would the process be to transfer passkeys to another Linux installation?
Fantastic explanation! But it’s hackable using Flipper Zero 😂 . still vulnerable even with the not new fancy usb stick
Would love to see a video where you actually go through doing the account setup and then an account login and so on.
I can't use a passkey created on an iPhone to log into a site when I'm using my PC, whereas a password can be used on both devices. Is that correct or am I barking up the wrong tree? Anyway, keep up the good work :)
Had to use passkeys / keyfobs years ago at work. Was a pain in the arse...everytime you logged in.
Is there a point to all this if it doesn't really end the password?
If I have to sign into a device why do I need a password, or passkey for every web address. once I'm signed in there should be NO NEED for this headache
What is the difference between 2fa and passkeys?
Unless passkeys are implemented on *all* popular sites quickly, the passwords will remain the king for years.
Please, create a detailed, step-by-step for "Smart Card pairing" of a Yubikey to a Mac & a PC. The steps are different between Macs & PCs.
Yes, I've successfully, "Smart Card Paired" both of my YubiKeys to each of my Macs.
Warm Regards from Reno, Nevada
More security is great. however, the more you overtake the plumbing, the easier to stop up the drain. The Enigma machine was broken, so I am sure the pass key can be cracked by someone just like encryption is breakable. The only way to win is not to play, (War Games) UBI keys can work in the moment.
So what happens when you cross an international border and they force you to unlock your device so they can search it or even just copy it outright. Surely they can then access everything because they now have your passkeys. With a password manager those authorities would still require your master password which if strong would I expect stop them or significantly slow them down. I suppose I'll need to properly research passkeys and inform myself how it all works as a security ecosystem.
Luckily this isn't a threat vector that I have to deal with in my day to day lifem get yo'self a burner phone, my friend.
Interesting. We will all need to get with users and promote this..I see there is an amateur radio callsign in your background, but it is not fully displayed. What is your callsign? De KB1PA
OMG I’d love to know how to use a pass key
So how long will it take, until you can buy a bunch of biometric data in the dw?
Imagine the power you can gain over somebody if you can identity steal their biometrics and every provider like banking or courts will go with it?
what about man in the middle? google sends the request to "my computer" to confirm the public passkey. My computer says nope it isn't right. But the person listening and sending somewhere in the middle sends a yes everything is good and then continues to hijack the session from there. Perhaps the explanation was too simplified on what is sent in return between google and my computer. I assume it would have to be time sensitive and wouldn't be the exact same thing every time? There is probably a lot more complexity than what I'm understanding.
Very informative thank you snubs
Confused! I thought a passkey was the physical key you could buy. It sounds like there is a online key of sorts.
There are two kinds of passkeys. Your phone can be a passkey or you can get an "offline" passkey, like a yubikey. Both are tied to a hardware device but one can be backed up to the cloud.
That's great info! Thank you!
Chia crypto currency uses Public and private keys to do mining. It's awesome. Your able to give your public to someone that if you want allow them to plot(what you mine) with their hardware. So instead of using my hardware someone else can, and then send me the HDDs to me to host where ever I want. Loving seeing more and more ways to stay safe on the internet everywhere.
If your idea of using computers/internet is your phone, then this makes sense. But having to have your phone up and ready just to get into your laptop or desktop is bogus.
Процедуру одобрения можно подделать, т.к. передается ответ, а не хэш. The approval procedure can be forged, because the response is transmitted, not the hash.
Why not cover yubikey security key as it is a cheeper choice. There are few if almost none that talk about the key being diffrent.
salty hashbrowns don't get enough love 😍😍
Thank You. Good job as usual
Thank you!
Cool video
Thank you
Very clear explanation
I've been very leery about biometric authentication because I'm sure your biometrics can get hacked as well. If it does, you can't change that.
That's fair. Keep in mind biometrics aren't transmitted when you use them for authentication. They're stored locally and sandboxed, so they aren't even shared with other apps.
uncle Roger meme clip was a top tier move
hahaha you can thank my editor for that one
I'm also very enthusiastic since I tried WebAuthn back in 2018 and passkeys in the past year. It's even more urgent to switch to them since the most recent revelations that a quantuum computer can do in just a few seconds what would take 47 years to a normal computer. So our passwords will really be in danger within the next few years. And I'm trying to convince the most people I can to use them as soon as possible
For quick fix is use a password manager and much longer random passwords.
@@Darkk6969 doing that since 2011 😉 at least 20 characters on sites that allows it. So many sites are still limiting to 12... It's for those ones that I'm afraid
@@Darkk6969 and I had to change almost 600 after the lastpass hack. I was not using it anymore but things were still stored there "to be deleted"
That screen fills in so slow, I'd hate to have something mission critical going on
Great video. Tutorials please.
Very informative but I think some of my friends would have been a bit lost when you use a lot of acronyms.
Uncle Roger? Fuiyoh!
Mmmm Salty Hashbrowns! 🤤
but the websites ive seen that use passkeys still have my password, so how does this help?if there's a password leak someone can still get in.
I'm aging, and wondering if the whole bloody thing is worth it.
man her hair. 😮. ❤
so...... pgp?