Passkeys explained! My take on Google’s password killer…

  • Published: 14 Jul 2024
  • In which I discuss Passkeys, password-replacement tech that's really started taking off since Apple and Google announced native support for them in iOS and Android.
    They've been in the news again recently, because earlier this month Google announced support for passwordless authentication for Google accounts with Passkeys. So, with big tech companies seemingly going all-in on this technology, I want to take a look at how they work, whether they're better than passwords, and whether they're actually as private as Google claims.
    ❤️ Support the work I do today, or join my newsletter: www.jonaharagon.com/#/portal/...
    💛 Send a one-time donation on Ko-Fi: ko-fi.com/jonaharagon
    0:00 Intro
    0:24 Passkeys Explained
    1:42 The Good
    3:57 The Bad
    5:24 Phone Passkeys vs YubiKey
    7:03 Should You Use Them?
    🏠 www.jonaharagon.com
    🪙 Monero: 45i7M1FfXuBHLMdWm4ZTvFM5tGTSeibjEBpFSBCs2qbSRrHkUpKN5DRVK7T65hbg3WhGXepH7y6Xvb8XdxBmBS8V4AJXtyC (www.privacyguides.org/en/adva...)
    I create educational resources for average people to understand the importance of privacy and security on the internet, and take back control over their digital lives.
    You may know me from my work on the ‪@techlore‬ RUclips channel, including the Techlore Talks podcast I co-host, and the Privacy Guides non-profit website: www.privacyguides.org
    Thank you Henry ‪@techlore‬ for the initial A-roll edit of this video :)
    #password #privacy #jonaharagon #privacyguides #passkeys
  • Science

Comments • 85

  • @sammydepresso 1 year ago +24

    New Tech and Privacy RUclipsr Just Dropped.

    • @ugenegareth9339 5 months ago +1

      I answered and said, "If I have found favor in thy sight, O Lord, show this also to thy servant: whether after death, as soon as every one of us yields up his soul, we shall be kept in rest until those times come when thou wilt renew the creation, or whether we shall be tormented at once?" 76 He answered me and said, "I will show you that also, but do not be associated with those who have shown scorn, nor number yourself among those who are tormented. 77 For you have a treasure of works laid up with the Most High; but it will not be shown to you until the last times.
      78 Now, concerning death, the teaching is: When the decisive decree has gone forth from the Most High that a man shall die, as the spirit leaves the body to return again to him who gave it, first of all it adores the glory of the Most High. 79 And if it is one of those who have shown scorn and have not kept the way of the Most High, and who have despised his law, and who have hated those who fear the Most High -- 80 such spirits shall not enter into habitations, but shall immediately wander about in torments, ever grieving and sad, in seven ways.
      81 The first way, because they have scorned the law of the Most High. 82 The second way, because they cannot now make a good repentance that they may live. 83 The third way, they shall see the reward laid up for those who have trusted the covenants of the Most High. 84 The fourth way, they shall consider the torment laid up for themselves in the last days. 85 The fifth way, they shall see how the habitations of the others are guarded by angels in profound quiet. 86 The sixth way, they shall see how some of them will pass over into torments. 87 The seventh way, which is worse than all the ways that have been mentioned, because they shall utterly waste away in confusion and be consumed with shame, and shall wither with fear at seeing the glory of the Most High before whom they sinned while they were alive, and before whom they are to be judged in the last times.
      88 "Now this is the order of those who have kept the ways of the Most High, when they shall be separated from their mortal body. 89 During the time that they lived in it, they laboriously served the Most High, and withstood danger every hour, that they might keep the law of the Lawgiver perfectly. 90 Therefore this is the teaching concerning them: 91 First of all, they shall see with great joy the glory of him who receives them, for they shall have rest in seven orders.
      92 The first order, because they have striven with great effort to overcome the evil thought which was formed with them, that it might not lead them astray from life into death. 93 The second order, because they see the perplexity in which the souls of the unrighteous wander, and the punishment that awaits them. 94 The third order, they see the witness which he who formed them bears concerning them, that while they were alive they kept the law which was given them in trust. 95 The fourth order, they understand the rest which they now enjoy, being gathered into their chambers and guarded by angels in profound quiet, and the glory which awaits them in the last days. 96 The fifth order, they rejoice that they have now escaped what is corruptible, and shall inherit what is to come;
      and besides they see the straits and toil from which they have been delivered, and the spacious liberty which they are to receive and enjoy in immortality. 97 The sixth order, when it is shown to them how their face is to shine like the sun, and how they are to be made like the light of the stars, being incorruptible from then on. 98 The seventh order, which is greater than all that have been mentioned, because they shall rejoice with boldness, and shall be confident without confusion, and shall be glad without fear, for they hasten to behold the face of him whom they served in life and from whom they are to receive their reward when glorified.
      99 This is the order of the souls of the righteous, as henceforth is announced; and the aforesaid are the ways of torment which those who would not give heed shall suffer hereafter." 100 I answered and said, "Will time therefore be given to the souls, after they have been separated from the bodies, to see what you have described to me?" 101 He said to me, "They shall have freedom for seven days, so that during these seven days they may see the things of which you have been told, and afterwards they shall be gathered in their habitations."
      102 I answered and said, "If I have found favor in thy sight, show further to me, thy servant, whether on the day of judgment the righteous will be able to intercede for the unrighteous or to entreat the Most High for them, 103 fathers for sons or sons for parents, brothers for brothers, relatives for their kinsmen, or friends for those who are most dear." 104 He answered me and said, "Since you have found favor in my sight, I will show you this also. The day of judgment is decisive and displays to all the seal of truth. Just as now a father does not send his son, or a son his father, or a master his servant, or a friend his dearest friend, to be ill or sleep or eat or be healed in his stead, 105 so no one shall ever pray for another on that day, neither shall any one lay a burden on another; for then every one shall bear his own righteousness and unrighteousness." 2 Esdras 7:75
      ///////////////////

  • @zita-lein 1 year ago +8

    Well done! I especially liked how you explained PKI. The graphic helped. As a possible future topic, maybe discuss password generators and differences between them. If no discernible difference, I’ll use KeePass. Thanks, and congratulations on the launch!

    • @jonaharagon 1 year ago +1

      Generators? Shouldn’t really make a difference, just make sure it runs locally on your computer (don’t use a website like random.org). KeePass is an excellent choice 👍

  • @daz7748 11 months ago +2

    I have been searching for a comprehensive explanation regarding passkeys, and I must say, this is the finest one I've come across.

  • @WilliamPorterTech 1 year ago +1

    Excellent, thorough, clear introduction. Thank you very much.

  • @David-Incognia 10 months ago +1

    Really helpful video, thank you!

  • @IkaikaArnado 1 year ago +2

    Google has an on-device encryption option. So you can essentially make a passkey device as secure as a security key if you want. So even if your account is breached remotely, which would also need to bypass two factor, the hacker would still need that particular device to access your other passkey protected accounts.
    I'd obviously recommend a security key for that kind of protection though, because they have less chance of mechanical failure than a phone, but that is less of a security concern and more of a reliability issue.

    • @F16_viper_pilot 1 year ago

      Right, but a reliability issue becomes denial of service if you can’t authenticate. Are we supposed to keep a second phone for backup purposes?

    • @IkaikaArnado 1 year ago

      @@F16_viper_pilot You don't have to keep a second phone on hand. You can get another one if your current one breaks, which I assume anyway. Your passkeys are encrypted on Google's server. You don't have to worry about permanently losing the keys like you would if you lost a security key or it malfunctioned.

  • @FastCutFilms713 1 year ago +3

    Well explained use of passkeys. I've made the switch to passkeys but explaining passkeys to my colleagues and family is impossible. Your video is very helpful.

  • @john-cv9dy 1 year ago +1

    Terrific summary of Passkey status.

  • @psycho_astronaut3180 1 year ago

    If a password manager supports the use of YubiKey does that mean you can use YubiKey to log into any account?

  • @manta567 7 months ago

    How do they sync them? Is it secure?

  • @Starwarsgames66 9 months ago +1

    Let’s look at it this way: less security by having it be cloud synced is still worth it, because that is still more secure than having a password with 2FA. Yes, obviously nothing beats a physical hardware key or a passkey without cloud syncing, locally on device only. Unfortunately, it’s not worth the risk of losing your identity if you break or lose your phone and don’t have a cloud sync copy. For many, any enhancement to security is still an enhancement.

  • @aspuzling 1 year ago +2

    I don't understand how you recover your key if you lose your phone. Sure it's backed up to Google's cloud, but how do you get back access to your Google account?

  • @Rek0rdsS 9 months ago +2

    Thank you, mate. All the information that I was looking for in a short, informative video. Great work, appreciated.

  • @bluepawn 2 months ago

    How does it work the first time? My first smartphone ever? My smartphone destroyed and I have to set up a brand new one? What would be the password?

  • @luisggoncalvez 8 months ago

    OMG I love you, thanks for the explanation

  • @Wigglythegreat2 1 year ago

    Excellent video!

  • @tobiasfedder1390 1 year ago +4

    Great video!
    A downside of hardware tokens as of today will be the available space on them. My YubiKey 5 can only hold 25 FIDO2 credentials. That seems plentiful today, but if Passkeys take off having only 25 slots will be useless. Therefore I look forward to FOSS password managers implementing passkey support.

    • @F16_viper_pilot 1 year ago

      The thing about it is that there’s no reason that you should have to create a separate key pair for each site where you make an account. This is a foolish and wasteful implementation. When people use PGP, for example, they create a single key pair and simply share their public key to whomever they wish to communicate.

    • @tobiasfedder1390 1 year ago

      @@F16_viper_pilot I would not go so far as calling it wasteful, nor agree that there is no reason to have separate keys. While guessing a private key is fairly hard as of today, it is not impossible. Therefore, given the extent to which the UI of a modern implementation of public-key cryptography such as passkeys hides the complexity of key creation and management from the user, I see a key pair per account as a security enhancement. Additionally, that would allow for the public key to be abused as an identifier, for example if it were leaked in two separate data breaches.

    • @thomasb1337 11 months ago

      ​@user-mu7jo5hj5prz
      Using unique keys for each account/website is preferable because it's akin to having separate baskets for each egg. Imagine an attacker who can solve the elliptic curve discrete logarithm problem, but it takes them a significant amount of time. Requiring the attacker to crack each "egg" individually for access would be a stronger security measure.
      The one-to-one approach enhances security by containing the potential fallout from a security breach.
      OpenPGP doesn't use this approach, mostly as a trade-off between convenience and security.

  • @autohmae 11 months ago

    Actually, only WebAuthN is a W3C standard, the rest is the FIDO2 standard, which is by the FIDO consortium.

  • @user-tg2pj5so3q 1 year ago

    Do Keeper and Brave support this right now?

  • @Skyman12808 1 year ago +5

    Your video is amazing, Mr Jonah

  • @pernilsson2394 10 months ago

    I have activated passkey on my Chrome browser. But Chrome keeps asking me to activate passkey. And I have to enter my username, my password and my code for Windows Hello, since I don't have any ability for biometrics on PC. So far I am not impressed with this implementation of this new solution.

  • @TheTruthIsTheWay11 1 year ago +1

    I can't remember the last time that RUclips recommended a new content creator in my feed. Well done! I also have a topic suggestion for you: What are some misconceptions that people have about safety and privacy online? You already mentioned some things here, and I'm curious to hear more. 😁

  • @kumarvishalben 1 year ago

    Chrome on Linux is supported and I am using it

  • @karatsurba4791 1 year ago +2

    Thanks for sharing.
    Does anyone know whether there's something we need to remember (private key) or it is auto-generated?
    What if you lose your device or it's no longer working well enough? Is switching to a new device streamlined?

    • @Yoshidzo 4 months ago

      All of this is answered in the video

    • @karatsurba4791 4 months ago

      @@Yoshidzo appreciate your reply.

    • @karatsurba4791 4 months ago

      To answer my Q: Passkeys are stored in your browser. It uses our biometrics so we don't need to remember, though on the cynical side they will now have a digital identifier of your biometrics.
      If you lose your device, whoever has found it will not be able to log in to your account, unless they have your passkey, which is unlikely but not impossible if you watch spy movies.
      On your new device, you need to resubmit your passkey, after you have entered your login credentials, so don't just forget your credentials. Keep them around when you need them.

    • @Yoshidzo 4 months ago

      @@karatsurba4791 the biometrics part is also answered in the video and you are wrong again

    • @karatsurba4791 4 months ago

      @@Yoshidzo appreciate your comment. Care to say what's wrong?

  • @thomzwiefler6305 1 year ago +2

    I only use Solomonic magic sigils for security, but my only form of media is arcane manuscripts.

  • @MichaelToub 1 year ago

    Great Video!!

  • @psycho_astronaut3180 1 year ago

    Video looks great. I hope to see some more.

  • @notafbihoneypot8487 1 year ago +1

    BasedKey talk

  • @thecaribbean8615 1 year ago +3

    The tracking problem comes in if the public and private key pair are amended during creation. One way of amending them is through having them signed with information related to the web site accessed. Hopefully, Google has not messed with the key generation. If so, Google would be able to track while no one else would be able to track. The only way to tell for sure is if Google allowed for source code public review. A hash compare of the executable generated from the source code to the Google compiled code would verify Google is not providing source code and then compiling modified source code. Basically, double book keeping.

  • @gustavoleo 11 months ago +1

    Finally a real opinion about the frenzy about passkeys

  • @HalfwayHikes 1 year ago +1

    Waiting for 1Password support. I think I’ll be using the non-copyable passkeys (or maybe passkey +DPK) for the big accounts and regular passkeys for anything else.

    • @jonaharagon 1 year ago +4

      Pretty solid plan, I think my go-to recommendation for people (who do have a YubiKey) will probably be something along the lines of using that YubiKey to secure your password manager, and using the password manager for most or all the rest of your Passkeys. It is definitely a gigantic pain in the butt to replace a YubiKey on more than a handful of sites if you end up losing it (not to mention YubiKey 5 only supports 25 Passkeys total).

    • @HalfwayHikes 1 year ago +4

      @@jonaharagon - exactly. Very specific accounts and services are candidates for device bound passkey. Google, Microsoft, proton, etc. financial sites should be too, but they seem to be the very last to get on the security train. Many banks still refuse to drop the SMS and adopt Authenticator/security key, so I fear it’ll be a few years before they move to passkeys

    • @F16_viper_pilot 1 year ago

      @@jonaharagon I don’t understand why a different key pair needs to be generated for each site. The whole point of public key cryptography is that you share a single public key with whomever you wish to communicate. Seems to me this is an attempt to undermine hardware token manufacturers like Yubikey from competing in the market due to the storage limitations of the hardware tokens. I will definitely fight against my phone becoming an authentication device for a number of technical reasons, security/reliability concerns, and from an ethical perspective.

    • @luderx 11 months ago

      @@F16_viper_pilot Once again, it would be a 'single point of failure' using the same private key for multiple websites. It would also allow the key to be used as an identifier across sites. Not good.

    • @seetentees 8 months ago

      @@F16_viper_pilot Yubico is thinking of ways to either do what they did with FIDO2 2FA keys and allow unlimited keys, or increase the storage on Yubikeys. Part of the reason why it's not just one key for all sites is that it reduces the blast radius of any one of those keys turning up missing. And here I mean in case someone steals one of your devices. The need to have separate authentication information to each site you access is no less of a thing, esp when only that info can be used to log you in. And need for that key to be stored within a hardened system that *will always try to challenge you* is also important.
      Think of a passkey as less of a way to prove you're you, and more of a way to prove that you are able to ask whatever holds the passkey to prove that the key is inside. It's a subtle but important difference.

  • @retroman7581 1 year ago +1

    Great video :)

  • @jacobcardon6166 1 year ago +1

    I'm curious how it locks you into a platform when you could just create one key on Google password manager, and another key on Apple keychain?

    • @dansanger5340 10 months ago

      It's not a big deal if you are talking about only the handful of accounts you use most often. But, many people have hundreds of less frequently used accounts. If you switch from Android to Apple, or vice-versa, it could be tedious to go one-by-one through the manual process of setting up passkeys for those hundreds of accounts on the new phone.

    • @jacobcardon6166 10 months ago

      @@dansanger5340 oh definitely agreed, I'm just meaning the worst case scenario where you suddenly hate iPhone or Google and switch... however, as of now, websites I use that have passkeys can be counted on one hand of mine... until hundreds are running around it's a moot point anyway

    • @dansanger5340 10 months ago

      @@jacobcardon6166 True. Not much of an issue now. By the time it is, hopefully there will be a solution.

  • @murdockdisraeli3015 1 year ago

    I came here from Surveillance Report episode SR133...Excellent summary and overview, Jonah!

  • @seanwheat4078 1 year ago

    I just bought a Yubico YubiKey to use with my iOS account. Can I also use it with my Google account at the same time? Thank you.

  • @oprrrah3498 3 months ago

    Biometrics should be a no-go. I can change passwords, phone numbers, etc. Can't change biometrics... Once that's out the party is over.

  • @jacobcardon6166 1 year ago

    If you look into the third party audit of Google Cloud, you'll find out that Google's password manager, if you have device encryption enabled, is end-to-end encrypted, which means that a Google hack would not be able to provide your passkeys or passwords in your password manager, only if your device itself is hacked.

  • @joshfromsmosh3352d 11 months ago

    3:23 I think this could be explained a bit more clearly. From what I know, the fingerprint (or it could be a pattern or a password or PIN if you didn't set it up) verification is basically a modal (a prompt, if you will) made at the operating system level, which basically means that nothing is passed to the application that is requesting verification, other than an OK or a "verification failed". I'm pretty sure that if the OS were to pass your biometric IDs to the apps, it would simply be a really bad idea and probably a breeding ground for lawsuits.

  • @geoffreythomas2938 8 months ago

    I haven't a phone. For the time being I don't need one. I only have my laptop to entertain myself on RUclips. What happens to me without a phone?

  • @cherryxdepression 1 year ago +3

    Great first video! Keep it up ^

  • @leicaman 9 months ago

    It’s not “Google’s” in any way.

  • @aerobrain2001 7 months ago

    What I don’t get is, the website you’re trying to access must know that the private key it receives is the right one. So how does it know it’s the right one without being able to work out what it should be?! Totally accept this is probably my lack of knowledge rather than an actual issue, but as a simpleton I just can’t see how it’s any different to a password…

    • @jonaharagon 7 months ago

      With a password, you just send that (private) password to the website and they check whether it matches what they saved your password as on their end.
      With a Passkey, a website never receives your private key, just a related public key. Using the public key, the website can basically give you a math equation that can only be solved by someone with the private key. When your computer “solves” the website’s equation and gives the answer back, the website is able to know you have the private key because it would’ve been impossible to solve otherwise. It isn’t able to figure out how you solved it, just that you did solve it successfully. Not sure if that makes any more sense?

    • @aerobrain2001 7 months ago

      @@jonaharagon ahhhhh that’s the bit I was missing, I didn’t realise there was a kind of back and forth. Penny drops now, thank you!

  • @JAM35_ 1 year ago +1

    This is a great video. I just subbed I hope you can make more videos, you could definitely be successful.

  • @eddellow4285 11 months ago +1

    Why does everybody give the same long, technical explanation and never actually show how to use it? If I am using a web browser on my PC, how do I log in?
    PRACTICAL EXAMPLES PLEASE!!!!

  • @StevieW-Steve 23 days ago

    Very professional and clear presentation. Your videos are easy to understand and extremely helpful. Keep up the good work.

  • @StijnHommes 8 months ago +1

    You don't need a teleprompter.
    You need some good passwords and a password manager so you don't waste 7 minutes advertising a "technology" no one needs.

  • @l0gic23 2 months ago +1

    Thanks for this video. +1 sub

  • @RobSnow-ui4sz 6 months ago

    So passkeys will not be for all, like all those people that use library computers. Now we have a society with and a society without. Also, passkeys don't work on all sites, and so passwords will be around for a long while yet. Look at banks and how they deal with your info? Shouldn't they be right up there with passkeys? How would passkeys be so different than Google's Advanced Protection Program, which requires keys? Not sure if your phone hardware can be used with the Google Advanced Protection Program. I am thinking not. What about the syncing of data such as in Apple Keychain or Google sync? There is still a lot of work on this front that needs to be considered. And yes, anything new is good, at least until someone figures out a workaround, and yes, they will.

  • @F16_viper_pilot 1 year ago +4

    I don’t like the fact that your phone becomes a glorified cloud-based hardware token. The security is reduced with cloud storage, and the phone becomes a single point of failure. With hardware tokens, such as Yubikey, one can keep multiple backup keys (which are cheap compared to the cost of a phone), they aren’t cloud-based (making them more secure), they don’t track your movements like a phone does, and I’m not tied into a particular brand (such as Apple or Google). Also, from a legal perspective, you have no constitutional rights regarding biometric data, so your fingerprints and facial biometrics can be used by law enforcement without your consent. With passwords that you keep in your head, you cannot be compelled to divulge that data. Sites just need to start adopting the FIDO2 standard, without restrictions to particular hardware, and people need to become more educated about security. Apple and Google want to provide their own myopic solution, but I don’t trust their motivations. I’d rather stick with long randomized passwords that I control through a password manager than give my control to Apple or Google. I’m perfectly fine generating 50-character long passwords (when possible), and using hardware tokens for 2FA (when possible).

  • @jurgor8661 5 months ago

    If you want to be successful on this platform you are going to get a better microphone or more likely just put the microphone you have closer to your mouth.

  • @TheChadWork2001 1 year ago +3

    I’m not seeing how creating a passkey in Windows is providing a better user experience nor that passkeys are passwordless. I’m finding the contrary: they require passwords and provide an even worse user experience than Traditional authentication.
    Problems with Passkey authentication:
    I need to buy an $80.00 security key to create a passkey on Windows.
    A security key is a physical key like my YubiKey that cost $80.00. I can already use that as a 2FA authentication method by itself.
    A passkey is a virtual security key. It’s not physical.
    I just happened to already have an $80.00 YubiKey security key.
    I went to a web site to create a passkey and then Windows prompted me to insert a security key.
    Why do I need a Security Key to use a passkey, when I can already just use the Security Key for 2FA?
    To use the security key, I have to type in an unmemorizable password associated with the security key.
    After providing a password, I then have to touch my security key to use the passkey.
    What’s the difference between that and currently existing 2FA?
    Traditional authentication: Username+password+2FA prompt: I have to type in a username+password and deal with a 2FA prompt on a phone.
    Passkey authentication: Using a passkey, I have to open a password management program and copy a password and paste it into the Windows Clipboard so when I go to use the passkey and Windows prompts me for the Security Key PIN, I can paste it in. Then I have to touch the Security Key.
    What’s the difference?
    Where is the better user experience? It’s actually worse.
    Where is there less irritation?
    Where is the passwordlessness?

    • @MaxPower-11 11 months ago

      I don’t think you need a physical security key with Windows. I believe Windows can use the TPM chip in your computer to create passkeys. In fact, I think this is one of the reasons TPM is a requirement for installing Windows 11.

  • @ledgeri 1 year ago +1

    What I heard nowhere yet: I use my browser to keep a passkey... What is the security level of it? Can it be stolen like a cookie, in a session stealing situation? Why not?

    • @jonaharagon 1 year ago

      While cookies are stored in essentially plaintext, Passkeys stored in your browser are kept in an encrypted database protected by your OS keychain. Also, cookies are sent to the website you're visiting with every network request, while the Passkey secret is never sent outside your browser, which makes it more difficult to steal.
      It is definitely *possible* for malware installed on your computer to steal a Passkey, but it is harder than stealing cookies. If you want to be *certain* that a Passkey secret can't be extracted by software, you have to use a hardware security key like a YubiKey.
      TL;DR The security level is more similar to a password manager than cookie storage.

    • @ledgeri 1 year ago

      @@jonaharagon Thanks!
      Also: What is your opinion about the next comparison: passkey on a yubikey VS Yubikey as a 2nd factor. What is "safer" overall, if an account allows for both?

    • @jonaharagon 1 year ago

      @@ledgeri using a YubiKey for passwordless login should be as secure as, if not more secure than, using a YubiKey for 2FA. When you register a YubiKey as a passwordless credential, it makes you set up a PIN/password on the YubiKey, so your account is still secured with both “something you know” (YubiKey PIN) and “something you have” (physical possession of the YubiKey).
      In either case, the security of your account is still somewhat reduced to the security of your recovery options. If you have SMS recovery enabled on your account for example, it’s still not great. You have to make sure every possible way to access your account is secure, not just the “front door.”

    • @ledgeri 1 year ago +1

      @@jonaharagon Thank you! The inconsistency between the services is a problem: some allow me to go straight to keys only as 2FA, some force me to have TOTP, or even SMS next to two keys already, "in case..." Even Microsoft forcefully keeps one other 2FA, even if 1-2 passkeys are added. But at least we're moving!

    • @jboss1073 10 months ago

      @@jonaharagon " While cookies are stored in essentially plaintext, Passkeys stored in your browser are kept in an encrypted database protected by your OS keychain. Also, cookies are sent to the website you're visiting with every network request, while the Passkey secret is never sent outside your browser, which makes it more difficult to steal."
      This does not answer the question.
      How does the website know you're connected?
      Explain it as if to someone who needs to implement this.
      Because there's some detail you're missing here, as I don't see how extra security can be gained from this.
      At some point the browser needs to send something to the server which the server processes to check if the user is authenticated and authorized. What is that something that is sent, how does the website check that as opposed to checking a cookie, etc - that was the question.