Hi Leo, back in the day, when CLI was a the only thing out there, PGP for email had caught on. I used to use a product called Eudora and similar email implementations. It seems like it took a while for this to come back in a different form. Better late than never.
@@debtfordwharf It never really went away. There was always a plugin for Thunderbird, and assorted others. The problem is it's still too complex for normal people to use.
If someone adopts Passkeys, should they delete all other methods of authentication they used previously? For instance, Google Prompts? Could someone exploit/intercept Google Prompts if used at some point despite the fact that we set up Passkey?
Passkeys are more secure than passwords because they are less "powerful". With an username/password pair you can potentially log in from any account, on any device, anywhere. Anyone who gets your username/password can potentially masquerade as you from anywhere. That is what makes them less secure / more dangerous. As described in the video, a given passkey is tied to a specific account and a specific device. It is important to remember that passkeys only authenticate the device and account. They do not authenticate the person. This is why the total security solution requires you keep access to the device secure. Fingerprint scanners, FaceID, or PINs HAVE to be used so that people who have physical access to your device, can't actually access your account. The device/operating system you use must, of course, provide a mechanism for securely operating a keystore. This was an excellent video.
This is a naive point of view. Passkeys will be stored in raw form 100% it's impossible to guarantee biometrics on everything and syncable is a core requirement for an everyday user. Because of that you open the opportunity to steal the passkeys from a device guaranteeing that a successful attacker will have access to every. single. account. ever. forever. As you have correctly stated, you have moved away from authenticating people to authenticating just the device. This is an inherent risk introduction.
Thanks. You explained a key point. The passkey is tied to/on the device, so if the device is unlocked, anyone who holds the device can access the account the passkey is associated with. It seems like an off-device password manager would be more secure, even though less convenient, a long as the account password is strong.
Thanks. This video is more than a year old and RUclips just shows it to me now. I had watched several videos about passkey because I heard that it's better. But it's only after watching yours that I truly understand how it works! Thank you!
this is the clearest, most understandable explanation of what a passkey is on youtube, or anywhere else. and it also explains that apps are actually using passkeys when they allow us to login using our fingerprint, face, or pin. and also an added bonus on what are pgp keys. im so glad i watched this. thank you very much.
Wow yeah, I second that. You have a very easy to understand way of explaining this!! Thanks so much. Every time I think I understand the encryption/decryption process, I seem to lose the understanding. This helped immensely.
This is a much better and clearer explanation than the one provided by Google. However: - at my last work place (a major corporation) using ssh keys was not allowed by Info Security group. According to them it violated their security standards. - if using passkeys prevents me from accessing my Google account from a device which doesn't have my passkey, then I have to use password, which defeats the purpose - if my passkey is automatically created on a new device, what if I'm using a public device and don't want my passkeys on it? - with passkeys I'm relying on a strong login security of my device, but if someone breaks in into my device, then they have green light to all my accounts
1) your IT folks are misguided. :-) 2) We're moving to a passwordless future. In some cases you can choose that right now, in others you can simulate. So, no it does not defeat the purpose. 3) Passkeys will never be created without asking you first. 4) No. They'd still have to pass biometric or Windows Hello authentication when they attempt to use a passkey.
This is an amazing explanation. Thank you for making it so clear. I will be saving this video so that when anyone asks about passkeys, I will share this to them.
9:01 this is where Steve Gibson’s SQRL protocol is superior to passkeys. Both use public key encryption, but SQRL has 1 identity that creates a key pair on the fly for each login based on the site’s domain name. Elliptic curve crypto allows you to create a private key based on a determined input. The same input will always create the same key. Therefore a secret (the identity) mixed with the domain name will create a unique key pair for each login. Since this is easily calculated, there’s no need to save it for each site, just keep the original secret (identity)and recalculate based on the domain. This means the protocol and any devices can have an unlimited number of sites to log into, no extra storage and it’s easily shared between devices. Oh well, we get passkeys instead.
I guess there is no golden bullet in cryptography. Each solution has it's strengths and weaknesses, but what is considered a strength (or weakness) by one user might be the opposite for another user. Even though the passkey in it's current form is perhaps less elegant and definitely more cumbersome than the method you describe, I would still prefer the current solution. If I understand you correctly, I personally wouldn't like to have solution like SQRL that is based on a single private secret used to authenticate/unlock all (!) my accounts/logins. Sounds like the likelihood somebody would be able to crack my private secret in the future would increase with the number of accounts/logins and of course advances in technology with time.
It’s nifty but doesn’t scale the same. Passkeys are portable (once the standard is agreed upon) without exposing other logins/identities. Not only to other passkey safes, but to other individuals. The private key shared/transferred/stolen even if cracked, exposes nothing else.
In a passkey-only service, isn't there a higher than normal risk of getting blocked of your own account if you lose the devices the passkey is stored on?
I consider myself a pretty savvy techie. I’ve always understood, encryption and public key and private key stuff. But for passkeys, I have some sort of mental block. That being said, Leo‘s explanation of passkeys is by far the best I have ever heard!
I think because all other explanations contain the "and then magic happens" part, this is the first one that explains that passkeys are just ssh-like authentication with a better UI.
What i like about things like this is that they are complicated for most users and this causes things to go wrong, so you end up dropping down to passwords and email to get back in to most accounts.This negates the purpose of it. you basically bypass by clicking on the "I forgot my password" link, this mostly ends up going back to unsecured emails.
As ever Mr LN explains the inexplicable with ease. Been a follower for years - when internet connections required a series of morse-code-like noises and then went at speeds the common tortoise scoffed at
Have been following passkeys for a while but have never seen such a clear explanation. Congratz! Regarding passkeys i do have 2 concerns 1. Suppose i loose my device with the only private key i have, how will i be able to restore my account on a new device? 2. When creating a passkeys for an existing account, the less safe login method using a password which could be stolen from the server still exists. Hope some one can convince me that both issues can solved.
When you set up a passkey on a new device, yes, you login some other way. It could be password, but it need not be. It's more often something more secure like a confirmation email sent to the email address of record, or a text message to the phone number of record, or similar. Once you've confirmed your identity that way, the passkey is created. Losing your device has nothing to do with any of that. ANY new device on which you want to set up a passkey goes through that process. If you lose your device, however, once you've signed in to the account elsewhere you can remotely disable the passkey associated with that account.
Thank you! This is the best explanation of passkeys I've heard so far! One of my concerns regarding passkeys is... what happens when you have an account that's only using passkeys, have only setup passkeys for that account on a single device, and that device is lost, stolen, or is otherwise unavailable (it dies)? How do you regain access to that account? It seems like the best defense for such a situation is to have passkeys setup on multiple devices, allowing you to confirm you identity when setting up a new device after a device becomes unavailable, but that's not economically viable for some people. An alternative is to actually have a password for the service, using passkeys when possible, but that leaves the account vulnerable in the event of a data breach. Additionally, let's say I want to replace a functional device (my only device) with a new device. It seems I would need to maintain possession of that device for some "overlap period", during which I would need to login to every service I use on the new device, so that my new device can be authenticated by the old device. That seems rather cumbersome, but is probably a small price to pay for the added security of passkeys. What are your thoughts?
Each time you set up a passkey on a new machine a different form of authentication is used. For example a code to your phone, or a message to your email. Once set up it becomes your authentication mechanism. But you're always able to set it up from scratch somehow.
This is an excellent question and one that bothered me for a while. You can’t make the argument that you are in a better security position with passkeys if the use of passkeys is in addition to an authentication method that was already present. Therefore, you have only improved your security posture if you remove the old auth method and only use passkeys. However, if you do this, you run into the issue you are asking about. I think for this scenario is exactly why having a 3rd party password manager (PM) in general, and 1Password in particular, makes sense. The PM collects and manages all the passkey private keys so no matter what happens to the device that actually created them, it doesn’t matter. You get your new phone, authenticate to the PM, and you are back in business. But now isn’t the PM vulnerable? Not with 1Password’s security architecture. There are two necessary pieces of information to access the 1P vault that are never stored in the cloud or even transmitted: your password AND a locally generated random security key. You pair those things with a hardware security key, stored in multiple secure locations, and I think you have a setup that’s nearly impossible to breach, but is also convenient
Well, I think passkeys are just a convenience mechanism in that you have to authenticate only once either in the key manager of your OS or in your password manager and then use the per device generated and stored passkeys to log in to the websites. No need to manage different passwords, and it also increases security as you are not exposing your password in your daily login routine. No chance of some man in the middle or some other malicious browser extension stealing your password. Now your concern about a data breach happening on the website on which you use the password to login, most of the companies don't store raw passwords in their databases. They store salted one way encrypted password. As soon as you supply the password and try to log in, it is immediately encrypted in the client side and transported to the server in an SSL tunnel ("s" in HTTPS indicates that the site uses SSL, which means all traffic is encrypted)
Great explanation. I'm retired IT and keep getting prompted by google and amazon to set one up. It explains why I keep getting prompted to log into windows. I just say cancel and use the amazon password. Will need more info on pins and if they are like pwds and have to be updated. thanks.
Awesome vid. Now I get what passkeys are. Windows does not overtyl explain it. Get quiet lost when setting up a new machine, or being asked to get a code from youtube on my iPhone. Now I get it all. Too bad you can't use it if you are not signed in to your PC with your windows account.
I can remember in the dark ages of the intertubes when all one needed is a few characters for a password. Mine was usually the same illogical six letters. Then banks and financial institutions wanted numbers, too. OK. Now we have many sites that have no need for extreme security insisting on upper case, lower case, numbers, special characters and a Hebrew litter. :) On top of all that, 2FA. Bang head here. In thirty years of extensive activities on the intertubes, I've had at most, a few incidences of security breeches, easily remedied. This Passkey stuff sounds awesome. Almost back to the future. Thanks for the video.
I see the convenience of passkeys, but for me there's still a problem. Passkeys are effectively single factor authentication. Mere possession of the passkey is generally enough to gain access to a passkey protected system. If a criminal steals your laptop and gains access to it (e.g. by shoulder-surfing your laptop password), then they can automatically access any passkey protected data you have. Using complex passwords protected by a password manager (with a strong master password) together with 2FA (using a password protected OTP generating app), whilst much less convenient, seems far more secure. In the event of a data breach at say your email provider, even if hackers got access to your email password, 2FA would still prevent them from accessing your mail.
+1 also agree with my current understanding, but I guess passkeys is still an improvement for the "below average" user that we realistically have given up on trying to make them all put in the effort to adopt the password manager + 2FA setup
No. No. No. In the description you give here, your laptop password is your first factor and the physical passkey is your second factor. That's 2FA. If you let both get stolen, it was still 2FA. If you leave your passkey in your laptop fulltime, then it's no better than using an authenticator app installed on your laptop. A passkey only becomes stronger than a laptop authenticator app if you only plug in your passkey during login and then you physically remove it and store it where it cannot be stolen simultaneously with your laptop.
A passkey is not a hardware key that you can plug and unplug from your computer. You might be thinking of a yubikey? A passkey is a cryptographic hash that stays on your device
You need a devices with fingerprint or facial authentication to create a passkey. So if your computer doesn’t have biometric authentication, you will need your phone to create and store the passkey. You’ll then confirm the access from the computer using your phone. The system is well thought and has been developed by Apple, Microsoft and Google. Nowadays all modern OS’s are compatible. The biggest problem is passkey synchronization between devices so that you don’t loose all your accesses if you loose your device. Apple has the keychain for that, Microsoft and Google will surely also have an equivalent.
Leo, this was an absolutely superb presentation. I already had a decent understanding of private/public key pair but I knew nothing about passkey. I'm going to see how my very non-technical wife can follow your video now :-)
@@askleonotenboom But if it's possible to sign in some other way doesn't that lower the level of security? I apologize for seeming dense but considering the skills of those with less than honorable intentions and the amount of information stored in the cloud this system may be an improvement on the current model but it still isn't perfect. I suppose anyone with these concerns could just have two machines with access then if one died you wouldn't be stuck. It will be interesting to see how it will all work out in the end. Thanks for your prompt reply.
So, it should be strongly recommended to generate passkeys from more than one device for each account, inmediately after creation or activation of passkeys.
@@mfr2 Not necessarily. It depends on the service, but like I said, you probably signed up with an email address so an email to that address could also confirm you're you.
@@frederickclause2694 Of course it's not perfect. There's no such thing. But it is significantly more secure than password based authentication. AND it's easier to use. 🙂
Very helpful and comprehensive explanation of something that is used but not understood. Thanks, Leo, a simple concept, with complex technology, well explained. Seasons greetings to you and look forward to more pearls of wisdom in 2025.
Is a passkey related to two-factor authentication - 2FA - which is now becoming very common for online payments in Australia, where I live. For example, if I log-in to my bank account, I will get an SMS on my smartphone, with a code which I must key into the bank’s log-in screen. 2FA is also being used by suppliers, when you pay a bill online. (PS We only have 4 major banks - ANZ CBA NAB and Westpac).
Thank you. You described a software pair of keys. And Google does supply that. But, there are vendors selling hardware devices. I assume that using hardware PassKeys, the public key is identical on each of the web services that I use the hardware PassKey. When should I consider buying the hardware PassKey? Do most web services also require a password in addition to the PassKey?
Actually if the yubikey can provide user verification via a pin, fingerprint, or something like that, it’s considered a passkey! Most people use them for 2SV, but they’re very much usable for passkeys (given they can perform user verification)
@@askleonotenboom Yubikey 5 series can be used for passkey (FIDO2/Webauthn) authentication. Actually, that seems to be the only (simple) way currently to use passkey authentication on Linux (not Android) devices.
Impressive video. If anything, the private key is the weak link. So I am left with the doubt that the private key is safe. I know that if one has possession of the hardware with linux the logon procedure is not going to be much of protection. The only protection I would trust in that case is both disk encryption and a logon password. And make sure to switch your computer off, or someone might add a password to the list of passwords for disk encryption (LUKS). However, even that has a shelf life as quantum computing is around the corner. Of course the whole encryption scene will change by that time. Anyway, I thank you for your explanation sir, very clear!
Thanks for your nice overview Leo. I’m interested in how third party password manager apps will help manage this information, versus the device operating system itself.
3rd party password apps aren't necessary. The key pairs are known only to your computer (the private key) and the site you're accessing (the public key). No password for 3rd party password apps to manage.
@@HarshColby Some online 3rd party password managers can store your private key. That's how they sync your passkey between all devices where the password manager works. Some of those online apps include 1Password and Bitwarden. KeepassXC is an offline password manager that will soon support passkeys, too.
thnx. one question, what i missed explaind. say you have done so for your phone. all is working fine. you now get a new phone. do you have to start all over again on your new phone for every account (as where it a other device as you mentioned) , and then can without a problem get access to that account ? just wondering....thnx for the feedback
Depends on the system you're signing into. Worst case you start over, but in general it could be as simple as a one-time additional hoop to jump through (a text message to confirm, and email to respond to, or another device on which to approve the sign in).
Since passkey is authenticated based on a specific device (e.g. android phone) associated with a specific account, if this specific device is lost or damaged and this account only uses a passkey, will the user of this specific account have anyway to recover the acess to this specific account?
Recover access: of course. There's ALWAYS a way to login without a passkey -- that's how you set up a passkey in the first place. (That "way" is usually more convoluted, like responding to an email sent elsewhere, but secure.)
If I create the passkey on my device (smartphone) and a private key is generated based on data from my device and my biometric data, the only way to compromise a passkey-protected account would be to hack my password manager ? Or did I not understand well? The big difference is that I, the user, do not know my private key as I do for the password as it is a very long and complex alphanumeric string.
It seems to me that there are some disadvantages too. Ultimately, you log in using your fingerprint or facial recognition. But a fingerprint is probably not much more secure than a password. It is possible to "steal" your fingerprint from, for example, a glass you are holding. This would not work with a password. I also think that if, for example, your smartphone breaks or is stolen, it will be a hassle to log in again. In that case, you will need your password again. This means that now you have two ways to log in (password and passkeys), but before there was only one way. I don't see why two ways to log in can be more secure than one way to log in, and I also don't see any way to get rid of a password, because you will always need it in case your passkey is lost.
Gee, I finally know about passkeys. I was so curious about them. One problem, however: if someone breaks into your house, and if you are not there and your computer is turned on, they can just sit down at your computer and login anywhere, can they not? Maybe the operating system would ask them for a pin, or a fingerprint.....
@@viktorpaulsen627 Not really, no. It's closer to a plain old password replacement that's more secure. Kinda. Some think of it as 2FA because your device will prompt you for your PIN/fingerprint/face before providing a passkey, but that's still only one factor that you had to provide in the moment.
Thank you Leo! This was very clear. I've been wondering about passkeys for awhile. I do have a doubt however. Does this not make our private computers one stop shopping for hackers? That is to say if they break into someone's machine they can get all the passkeys for all that person's accounts at once?
The public key would be like walking down a street and writing down the house numbers you see on mailboxes, but that won't unlock the deadbolt on the front door...
One question: If I have 3 computers and 2 browsers on each, and want to use all 6 computer/browser combos with Google, would this require the tedium of making 6 passkey arrangements with Google? And then ditto, 6 more for every other site that wants (or encourages) passkeys? And a further multiplier of tedium if I use 2 different OS's on each computer?
"Require" no. Tedium, not really. It's basically one click when offered. But yes, it's a new passkey for each combo. (UNLESS you're using a password manager like 1Password, which allows you to save one for all.)
I don't understand the better security other than no one being able to login from a different device. Getting access to the passkey device and using force (fingerprint, face-id) to unlock the device (against your will) will unlock everything. I prefer a local password manager with an local encrypted database. They can take my device but never force me to give my password for the manager or the hundreds of passwords for the internet. Besides that if the device is stolen of crashes I still have backup and can reinstall very quickly. Like the video thow. Nicely explained
I saw this on my PlayStation account I have lost accounts before so I was looking for a different way to keep my account safe but I didn't understand it thank you for this video
If the site owner isnt forced to update to passkeys it will take ages for this to be implemented. And if its mor conveinient can be discussed. I have setup passkey on my google account. So everytime i log in i have input my win passcode. Compaired to chrome just remembering the password. Not easier. Or i have to buy a camera or a fingerprint reader for my desktop. And how do i know if my fingerprint/face dont get stolen by hackers exploiting flaws in the camera/fingerprint reader? Imo just a new set problems compaired to the old way.
Now that TSA and flight security systems around the globe and immigrations check points are using fingerprint and facial identity, what could possibly go wrong? I would think that a pin number would be a better choice for the final authentication, while using these passkeys.
Great explanation. From a privacy perspective, I’ve always wondered about adding a fingerprint or face as a ‘passkey’. Is this stored anywhere that compromises one’s privacy?
I have been using passkey with google sign in for sometime but with a bit of trepidation not really knowing how it works. This is the first time I get it. I never knew it’s based on private/public key cryptography. Thank you so much for this. I am now subscribed to your channel; that much you deserve. 😅
Passkeys are more secure, but the password problem is not eliminated. One has just shifted the password problem to the Windows (or some other OS on that hardware, as opposed to the software-service that you are trying to secure). If one's device is stolen AND the thief can hack the device-password then they can get into the service concerned. Is my understanding correct?
My question is, what happens if you create a passkey and use it on your mobile device for your crypto account. Is there any instance where you could lose any kind of access to your passkey, to where you couldn't access your crypto account or mobile device?
Great video Leo. I can't wait for passkeys to take over the password phase. Do you have a list of services that have already started using passkeys, besides google?
Does the rollout of pass keys present a vulnerability for accounts that have not been set up yet that may be compromised, allowing a threat actor to set up the pass key on another device? Does the key have a method of being reestablished manually or during a password reset or account recovery process?
Where does PGP email encryption, decryption, digitally signing emails fall in the mix? Sorry, I am not a techy, just someone trying to learn and understand. Thanks.
Hmmm, thanks for the great explanation . I wish google would hire you to explain. Dreadful articles. However I am already deep in the swamp of questions. Such as- your laptop has problems any you have to give it to a repair person (not a hard drive replacement). They need admin rights. Does that leave you open? Also, another question - in an emergency (you can’t give them data) how do they get into your device to pull data? Lots and lots of questions before the complicated users feel comfortable. Again, thanks
"Does it leave you open" yes. Choose trustworthy repair people. (Or take extra steps to secure sensitive data while still leaving the machine operable.) Not understanding the emergency scenario you're describing, though.
Leo, The major concern I have regarding the password-to-passkey transition period, is that the service/company/app I am accessing will actually have both the new public key for a specific device(s) AND my original password. In the example you used where the service was hacked and they stole my public key, e-mail, etc., didn't they also get my still usable password? I mention this because I have created a few passkeys but have not seen an option to have the service permanently delete my password once the passkey was created. Therefore, even if I create or share passkeys for all my devices to a particular service, a data breach of that service will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key. What am I missing? Thanks for the excellent video! Karl
Microsoft allows you to remove passwords. In leiu of that, set the password to something ridiculously long and complex, and then don't save it anywhere. Nothing for hackers to steal, you'd never use it yourself, so it's as close to password-free as you can get.
@@askleonotenboom Thanks Leo. (I am in the Apple ecosystem.) Unless I misunderstood, which is entirely likely, the service still has my valid user ID and/or email and my long/complex password. Many companies use very poor data security practices and leave files exposed on cloud servers like it is a hobby, so I still believe the danger is being unable to have passwords removed from a service when you have switched entirely to passkeys. BTW, although companies frequently use poor data security practices, they are expert at apologizing after they have been breached. I currently have three different "free" identity theft services due to breaches. Being breached does not seem to cause the same reputation damage it used to. Keep up the good work! Karl
As a senior citizen I am very concerned that when something happens to me, my children can access all my accounts and information. If I set up a passkey, do they have to have my device to do so?? Right now, I keep passwords in an encrypted file for which they have the password and I send them the current file on a semi-regular basis. This sounds wonderful if YOU are the only one using your device and the only one needing to log into accounts. But I am a bit confused about how it will work in a situation where multiple people need to access the same account (a bank is an example).
What if I have only one device storing my private key (say my phone) and I lost it. What is the recovery option here? and the person who was able to get my lost phone figured out the login pin? I am not questioning the security of passkey but trying to understand this scenario. In case of password, I know it and can use it from any device. By the way excellent explanation!
There is ALWAYS another way to sign in. That other way may involve more steps and be less convenient (say, emailing you a code), but think about how you establish a passkey to begin with: you have to login somehow. Once you're logged in you can then revoke the passkey assigned to your phone.
Some password managers like 1Password will store your passkey for use elsewhere. Otherwise, passkeys are per-device, so you'd set one up on each device the first time you sign in to the account on each device.
Hello.Thank you for this very interesting and informative video. A question of security: I imagine that the public key and the private key are created using an algorithm that ensures the link between the 2. What happens if a hacker gains access to this algorithm? Can he decrypt the private key? This is a very unlikely hypothesis and the risk of ordinary passwords is certainly much greater.
![Felix "Unfair" | [Stray Kids : SKZ-PLAYER]](http://i.ytimg.com/vi/Oswujxm2Ag0/mqdefault.jpg)
![Blox Fruits Dragon Rework Update [Full Stream]](http://i.ytimg.com/vi/EqDAp8udhm0/mqdefault.jpg)
A more secure, more convenient alternative to passwords.
Hi Leo, back in the day, when CLI was a the only thing out there, PGP for email had caught on. I used to use a product called Eudora and similar email implementations. It seems like it took a while for this to come back in a different form. Better late than never.
@@debtfordwharf It never really went away. There was always a plugin for Thunderbird, and assorted others. The problem is it's still too complex for normal people to use.
If someone adopts Passkeys, should they delete all other methods of authentication they used previously? For instance, Google Prompts? Could someone exploit/intercept Google Prompts if used at some point despite the fact that we set up Passkey?
Your explanation of pass keys is beyond excellent.
Exactly my thought to!
super clear
😮hjbfftttrr 0:33
Mk NM😅
Yes, wonderful job!
You're so good at explaining things, it's like listening to my favorite professor.
One of the few on RUclips that really brilliantly transmits information.
Simply incredible, makes me want to listen to you for hours
Sounds like an AI response! Have seen this same response on other videos.
Passkeys are more secure than passwords because they are less "powerful". With an username/password pair you can potentially log in from any account, on any device, anywhere. Anyone who gets your username/password can potentially masquerade as you from anywhere. That is what makes them less secure / more dangerous. As described in the video, a given passkey is tied to a specific account and a specific device. It is important to remember that passkeys only authenticate the device and account. They do not authenticate the person. This is why the total security solution requires you keep access to the device secure. Fingerprint scanners, FaceID, or PINs HAVE to be used so that people who have physical access to your device, can't actually access your account. The device/operating system you use must, of course, provide a mechanism for securely operating a keystore.
This was an excellent video.
This is a naive point of view.
Passkeys will be stored in raw form 100% it's impossible to guarantee biometrics on everything and syncable is a core requirement for an everyday user.
Because of that you open the opportunity to steal the passkeys from a device guaranteeing that a successful attacker will have access to every. single. account. ever. forever.
As you have correctly stated, you have moved away from authenticating people to authenticating just the device. This is an inherent risk introduction.
Thanks. You explained a key point. The passkey is tied to/on the device, so if the device is unlocked, anyone who holds the device can access the account the passkey is associated with.
It seems like an off-device password manager would be more secure, even though less convenient, a long as the account password is strong.
Wow this was the clearest explanation I've found and finally understand!!! Thank you for this! 🙏🏻🙏🏻
Thanks. This video is more than a year old and RUclips just shows it to me now. I had watched several videos about passkey because I heard that it's better. But it's only after watching yours that I truly understand how it works! Thank you!
this is the clearest, most understandable explanation of what a passkey is on youtube, or anywhere else. and it also explains that apps are actually using passkeys when they allow us to login using our fingerprint, face, or pin. and also an added bonus on what are pgp keys. im so glad i watched this. thank you very much.
Wow yeah, I second that. You have a very easy to understand way of explaining this!! Thanks so much. Every time I think I understand the encryption/decryption process, I seem to lose the understanding. This helped immensely.
Thank you!
This is a much better and clearer explanation than the one provided by Google. However:
- at my last work place (a major corporation) using ssh keys was not allowed by Info Security group. According to them it violated their security standards.
- if using passkeys prevents me from accessing my Google account from a device which doesn't have my passkey, then I have to use password, which defeats the purpose
- if my passkey is automatically created on a new device, what if I'm using a public device and don't want my passkeys on it?
- with passkeys I'm relying on a strong login security of my device, but if someone breaks in into my device, then they have green light to all my accounts
1) your IT folks are misguided. :-)
2) We're moving to a passwordless future. In some cases you can choose that right now, in others you can simulate. So, no it does not defeat the purpose.
3) Passkeys will never be created without asking you first.
4) No. They'd still have to pass biometric or Windows Hello authentication when they attempt to use a passkey.
This is an amazing explanation. Thank you for making it so clear.
I will be saving this video so that when anyone asks about passkeys, I will share this to them.
Best explanation of public/private key, asymmetric, cryptography I've heard.
Someone commented his explanation is beyond excellent - I agree and subscribed.
9:01 this is where Steve Gibson’s SQRL protocol is superior to passkeys. Both use public key encryption, but SQRL has 1 identity that creates a key pair on the fly for each login based on the site’s domain name. Elliptic curve crypto allows you to create a private key based on a determined input. The same input will always create the same key. Therefore a secret (the identity) mixed with the domain name will create a unique key pair for each login. Since this is easily calculated, there’s no need to save it for each site, just keep the original secret (identity)and recalculate based on the domain. This means the protocol and any devices can have an unlimited number of sites to log into, no extra storage and it’s easily shared between devices. Oh well, we get passkeys instead.
I guess there is no golden bullet in cryptography. Each solution has it's strengths and weaknesses, but what is considered a strength (or weakness) by one user might be the opposite for another user. Even though the passkey in it's current form is perhaps less elegant and definitely more cumbersome than the method you describe, I would still prefer the current solution. If I understand you correctly, I personally wouldn't like to have solution like SQRL that is based on a single private secret used to authenticate/unlock all (!) my accounts/logins. Sounds like the likelihood somebody would be able to crack my private secret in the future would increase with the number of accounts/logins and of course advances in technology with time.
It’s nifty but doesn’t scale the same. Passkeys are portable (once the standard is agreed upon) without exposing other logins/identities. Not only to other passkey safes, but to other individuals. The private key shared/transferred/stolen even if cracked, exposes nothing else.
here we are. I thought i i already knew how, but now i really got it. Thanks from a german Guy. Great work!!!
Thank you again for making a difficult concept EASY to understand.
In a passkey-only service, isn't there a higher than normal risk of getting blocked of your own account if you lose the devices the passkey is stored on?
If your operating system drive goes down, yeah. Or if for some other reason you can't access the computer with the private keys on it.
Good question on a passkey only set up, but if you use 2 hardware passkeys (1 set as backup) do you think that solves that problem?
@@Fregmazors Nice answer! Here is the end of "passkey magic". Who want to lose their google "only passkey" account along with a stolen smartphone?
I have watched you for years, back when you were on TV. I still love your teaching! Bless you
You are a great Teacher. Especially the core puzzle is untangled with those two KEY images word by word. Great Job Leo. Thank you.
Super job Leo! Look forward to making it work...not instant.
I've been using PGP keys for years and you have described it perfectly in this video!
This is the best explanation of public and private keys and pass keys that I’ve ever seen. Thank you.
I consider myself a pretty savvy techie. I’ve always understood, encryption and public key and private key stuff. But for passkeys, I have some sort of mental block. That being said, Leo‘s explanation of passkeys is by far the best I have ever heard!
Agreed, & same here
I think because all other explanations contain the "and then magic happens" part, this is the first one that explains that passkeys are just ssh-like authentication with a better UI.
What i like about things like this is that they are complicated for most users and this causes things to go wrong, so you end up dropping down to passwords and email to get back in to most accounts.This negates the purpose of it. you basically bypass by clicking on the "I forgot my password" link, this mostly ends up going back to unsecured emails.
Nice summary of public key cryptography!
As ever Mr LN explains the inexplicable with ease. Been a follower for years - when internet connections required a series of morse-code-like noises and then went at speeds the common tortoise scoffed at
Best explanation on this topic. Thank you, sir!
Thank you, for me it is the best passkey explanation yet.
Leo this is THE best video you have ever done! Not only very relavent, but very very well explained! Thank you!
Have been following passkeys for a while but have never seen such a clear explanation. Congratz! Regarding passkeys i do have 2 concerns 1. Suppose i loose my device with the only private key i have, how will i be able to restore my account on a new device? 2. When creating a passkeys for an existing account, the less safe login method using a password which could be stolen from the server still exists. Hope some one can convince me that both issues can solved.
When you set up a passkey on a new device, yes, you login some other way. It could be password, but it need not be. It's more often something more secure like a confirmation email sent to the email address of record, or a text message to the phone number of record, or similar. Once you've confirmed your identity that way, the passkey is created.
Losing your device has nothing to do with any of that. ANY new device on which you want to set up a passkey goes through that process.
If you lose your device, however, once you've signed in to the account elsewhere you can remotely disable the passkey associated with that account.
Thanks!
thank you!
your explanations are so clear, far surpassing the many many other voices on this topic. Many thanks.
Leo, Thanks for sharing and explaining so clearly. you are a champion!
Excellent explanation, thank you !
i needed a little extra help getting the basic premise after learning a bit about it :)
Thank you! This is the best explanation of passkeys I've heard so far! One of my concerns regarding passkeys is... what happens when you have an account that's only using passkeys, have only setup passkeys for that account on a single device, and that device is lost, stolen, or is otherwise unavailable (it dies)? How do you regain access to that account? It seems like the best defense for such a situation is to have passkeys setup on multiple devices, allowing you to confirm you identity when setting up a new device after a device becomes unavailable, but that's not economically viable for some people. An alternative is to actually have a password for the service, using passkeys when possible, but that leaves the account vulnerable in the event of a data breach. Additionally, let's say I want to replace a functional device (my only device) with a new device. It seems I would need to maintain possession of that device for some "overlap period", during which I would need to login to every service I use on the new device, so that my new device can be authenticated by the old device. That seems rather cumbersome, but is probably a small price to pay for the added security of passkeys. What are your thoughts?
Each time you set up a passkey on a new machine a different form of authentication is used. For example a code to your phone, or a message to your email. Once set up it becomes your authentication mechanism. But you're always able to set it up from scratch somehow.
This is an excellent question and one that bothered me for a while. You can’t make the argument that you are in a better security position with passkeys if the use of passkeys is in addition to an authentication method that was already present. Therefore, you have only improved your security posture if you remove the old auth method and only use passkeys. However, if you do this, you run into the issue you are asking about.
I think for this scenario is exactly why having a 3rd party password manager (PM) in general, and 1Password in particular, makes sense. The PM collects and manages all the passkey private keys so no matter what happens to the device that actually created them, it doesn’t matter. You get your new phone, authenticate to the PM, and you are back in business. But now isn’t the PM vulnerable? Not with 1Password’s security architecture. There are two necessary pieces of information to access the 1P vault that are never stored in the cloud or even transmitted: your password AND a locally generated random security key. You pair those things with a hardware security key, stored in multiple secure locations, and I think you have a setup that’s nearly impossible to breach, but is also convenient
Well, I think passkeys are just a convenience mechanism in that you have to authenticate only once either in the key manager of your OS or in your password manager and then use the per device generated and stored passkeys to log in to the websites. No need to manage different passwords, and it also increases security as you are not exposing your password in your daily login routine. No chance of some man in the middle or some other malicious browser extension stealing your password.
Now your concern about a data breach happening on the website on which you use the password to login, most of the companies don't store raw passwords in their databases. They store salted one way encrypted password. As soon as you supply the password and try to log in, it is immediately encrypted in the client side and transported to the server in an SSL tunnel ("s" in HTTPS indicates that the site uses SSL, which means all traffic is encrypted)
Thanks Leo great explanation on passkeys
Great explanation. I'm retired IT and keep getting prompted by google and amazon to set one up. It explains why I keep getting prompted to log into windows. I just say cancel and use the amazon password. Will need more info on pins and if they are like pwds and have to be updated. thanks.
Awesome vid. Now I get what passkeys are. Windows does not overtyl explain it. Get quiet lost when setting up a new machine, or being asked to get a code from youtube on my iPhone. Now I get it all. Too bad you can't use it if you are not signed in to your PC with your windows account.
You explained in a detailed way. Passkey is still in infacy stage, I'm still waiting another 1-2 yrs..
Videos so great, speaks very well and slowly, like the words at the side, easy to understand
"Or have a face"
Beautifully done 😂
Loved that XKCD reference!
Of course! And it's so easy to remember! 😀
I can remember in the dark ages of the intertubes when all one needed is a few characters for a password. Mine was usually the same illogical six letters. Then banks and financial institutions wanted numbers, too. OK. Now we have many sites that have no need for extreme security insisting on upper case, lower case, numbers, special characters and a Hebrew litter. :) On top of all that, 2FA. Bang head here. In thirty years of extensive activities on the intertubes, I've had at most, a few incidences of security breeches, easily remedied.
This Passkey stuff sounds awesome. Almost back to the future.
Thanks for the video.
I see the convenience of passkeys, but for me there's still a problem. Passkeys are effectively single factor authentication. Mere possession of the passkey is generally enough to gain access to a passkey protected system. If a criminal steals your laptop and gains access to it (e.g. by shoulder-surfing your laptop password), then they can automatically access any passkey protected data you have. Using complex passwords protected by a password manager (with a strong master password) together with 2FA (using a password protected OTP generating app), whilst much less convenient, seems far more secure. In the event of a data breach at say your email provider, even if hackers got access to your email password, 2FA would still prevent them from accessing your mail.
+1 also agree with my current understanding, but I guess passkeys is still an improvement for the "below average" user that we realistically have given up on trying to make them all put in the effort to adopt the password manager + 2FA setup
No. No. No. In the description you give here, your laptop password is your first factor and the physical passkey is your second factor. That's 2FA. If you let both get stolen, it was still 2FA. If you leave your passkey in your laptop fulltime, then it's no better than using an authenticator app installed on your laptop. A passkey only becomes stronger than a laptop authenticator app if you only plug in your passkey during login and then you physically remove it and store it where it cannot be stolen simultaneously with your laptop.
A passkey is not a hardware key that you can plug and unplug from your computer. You might be thinking of a yubikey?
A passkey is a cryptographic hash that stays on your device
Good points. That's why I rely on YubiKeys for my authentication
You need a devices with fingerprint or facial authentication to create a passkey. So if your computer doesn’t have biometric authentication, you will need your phone to create and store the passkey. You’ll then confirm the access from the computer using your phone. The system is well thought and has been developed by Apple, Microsoft and Google. Nowadays all modern OS’s are compatible. The biggest problem is passkey synchronization between devices so that you don’t loose all your accesses if you loose your device. Apple has the keychain for that, Microsoft and Google will surely also have an equivalent.
Leo, this was an absolutely superb presentation. I already had a decent understanding of private/public key pair but I knew nothing about passkey. I'm going to see how my very non-technical wife can follow your video now :-)
This was great. Thank you for explaining it without any frills.
Thank you for your thorough overview. Cheers!
Passkey is cool, thanks for explaining it. I wondered what was stored for that!
What happens if the machine with the passkey dies? How would you be able to access the account. I'm thinking here of things like cloud storage.
Each machine has it's own passkey. So you'd be starting over as outlined in the video/article by signing in some other way.
@@askleonotenboom But if it's possible to sign in some other way doesn't that lower the level of security? I apologize for seeming dense but considering the skills of those with less than honorable intentions and the amount of information stored in the cloud this system may be an improvement on the current model but it still isn't perfect. I suppose anyone with these concerns could just have two machines with access then if one died you wouldn't be stuck. It will be interesting to see how it will all work out in the end.
Thanks for your prompt reply.
So, it should be strongly recommended to generate passkeys from more than one device for each account, inmediately after creation or activation of passkeys.
@@mfr2 Not necessarily. It depends on the service, but like I said, you probably signed up with an email address so an email to that address could also confirm you're you.
@@frederickclause2694 Of course it's not perfect. There's no such thing. But it is significantly more secure than password based authentication. AND it's easier to use. 🙂
Outstanding - I subscribed immediately
The way u have explained is awesome thanks. I will see all ur videos
Very helpful and comprehensive explanation of something that is used but not understood. Thanks, Leo, a simple concept, with complex technology, well explained. Seasons greetings to you and look forward to more pearls of wisdom in 2025.
Excellent discussion of the theory. Clarified a lot of questions I had.
Is a passkey related to two-factor authentication - 2FA - which is now becoming very common for online payments in Australia, where I live. For example, if I log-in to my bank account, I will get an SMS on my smartphone, with a code which I must key into the bank’s log-in screen. 2FA is also being used by suppliers, when you pay a bill online. (PS We only have 4 major banks - ANZ CBA NAB and Westpac).
Passkey is more a replacement for a password, and not directly related to 2FA.
Thank you. You described a software pair of keys. And Google does supply that. But, there are vendors selling hardware devices. I assume that using hardware PassKeys, the public key is identical on each of the web services that I use the hardware PassKey. When should I consider buying the hardware PassKey? Do most web services also require a password in addition to the PassKey?
I haven't seen hardware passkeys. Please don't confuse Yubikey devices with this. They are two-factor keys.
Actually if the yubikey can provide user verification via a pin, fingerprint, or something like that, it’s considered a passkey! Most people use them for 2SV, but they’re very much usable for passkeys (given they can perform user verification)
@@askleonotenboom Yubikey 5 series can be used for passkey (FIDO2/Webauthn) authentication. Actually, that seems to be the only (simple) way currently to use passkey authentication on Linux (not Android) devices.
Just found you. Outstanding succinct explanation thank You. Subbed of course
Impressive video. If anything, the private key is the weak link. So I am left with the doubt that the private key is safe. I know that if one has possession of the hardware with linux the logon procedure is not going to be much of protection. The only protection I would trust in that case is both disk encryption and a logon password. And make sure to switch your computer off, or someone might add a password to the list of passwords for disk encryption (LUKS). However, even that has a shelf life as quantum computing is around the corner. Of course the whole encryption scene will change by that time. Anyway, I thank you for your explanation sir, very clear!
Thanks for your nice overview Leo. I’m interested in how third party password manager apps will help manage this information, versus the device operating system itself.
3rd party password apps aren't necessary. The key pairs are known only to your computer (the private key) and the site you're accessing (the public key). No password for 3rd party password apps to manage.
@@HarshColby Some online 3rd party password managers can store your private key. That's how they sync your passkey between all devices where the password manager works. Some of those online apps include 1Password and Bitwarden. KeepassXC is an offline password manager that will soon support passkeys, too.
thnx. one question, what i missed explaind. say you have done so for your phone. all is working fine. you now get a new phone. do you have to start all over again on your new phone for every account (as where it a other device as you mentioned) , and then can without a problem get access to that account ? just wondering....thnx for the feedback
Depends on the system you're signing into. Worst case you start over, but in general it could be as simple as a one-time additional hoop to jump through (a text message to confirm, and email to respond to, or another device on which to approve the sign in).
your channel has helped me so much, thanks for all you do
Since passkey is authenticated based on a specific device (e.g. android phone) associated with a specific account, if this specific device is lost or damaged and this account only uses a passkey, will the user of this specific account have anyway to recover the acess to this specific account?
Recover access: of course. There's ALWAYS a way to login without a passkey -- that's how you set up a passkey in the first place. (That "way" is usually more convoluted, like responding to an email sent elsewhere, but secure.)
If I create the passkey on my device (smartphone) and a private key is generated based on data from my device and my biometric data, the only way to compromise a passkey-protected account would be to hack my password manager ? Or did I not understand well? The big difference is that I, the user, do not know my private key as I do for the password as it is a very long and complex alphanumeric string.
Wow! Finally explained in a way I can undestand. thank yo
This is an absolutely fantastic video - thank you!
It seems to me that there are some disadvantages too. Ultimately, you log in using your fingerprint or facial recognition. But a fingerprint is probably not much more secure than a password. It is possible to "steal" your fingerprint from, for example, a glass you are holding. This would not work with a password. I also think that if, for example, your smartphone breaks or is stolen, it will be a hassle to log in again. In that case, you will need your password again. This means that now you have two ways to log in (password and passkeys), but before there was only one way. I don't see why two ways to log in can be more secure than one way to log in, and I also don't see any way to get rid of a password, because you will always need it in case your passkey is lost.
Gee, I finally know about passkeys. I was so curious about them. One problem, however: if someone breaks into your house, and if you are not there and your computer is turned on, they can just sit down at your computer and login anywhere, can they not? Maybe the operating system would ask them for a pin, or a fingerprint.....
Exactly. The OS will ask for that.
@@askleonotenboom Is this 2FA? Exactly how?
@@viktorpaulsen627 Not really, no. It's closer to a plain old password replacement that's more secure. Kinda. Some think of it as 2FA because your device will prompt you for your PIN/fingerprint/face before providing a passkey, but that's still only one factor that you had to provide in the moment.
Thank you so much AskLeo
Thank you Leo! This was very clear. I've been wondering about passkeys for awhile. I do have a doubt however. Does this not make our private computers one stop shopping for hackers? That is to say if they break into someone's machine they can get all the passkeys for all that person's accounts at once?
The public key would be like walking down a street and writing down the house numbers you see on mailboxes, but that won't unlock the deadbolt on the front door...
🙏🙏🙏 I’m paying an IT pro to advise me.., a you have explained what he didn’t… I need a better IT guy..
Excellent & clearly spelled out...thanks!
Great update Leo, Passkeys for Google Accounts are now available.
Pretty sure I mentioned that in the video, or at least the companion article. :-)
Excellent expositor! Thank you very very much.
One question: If I have 3 computers and 2 browsers on each, and want to use all 6 computer/browser combos with Google, would this require the tedium of making 6 passkey arrangements with Google? And then ditto, 6 more for every other site that wants (or encourages) passkeys? And a further multiplier of tedium if I use 2 different OS's on each computer?
"Require" no. Tedium, not really. It's basically one click when offered. But yes, it's a new passkey for each combo. (UNLESS you're using a password manager like 1Password, which allows you to save one for all.)
I don't understand the better security other than no one being able to login from a different device. Getting access to the passkey device and using force (fingerprint, face-id) to unlock the device (against your will) will unlock everything. I prefer a local password manager with an local encrypted database. They can take my device but never force me to give my password for the manager or the hundreds of passwords for the internet. Besides that if the device is stolen of crashes I still have backup and can reinstall very quickly.
Like the video thow. Nicely explained
So, if my OS crashes, my recovery drive may or may not have my private passkey on it? If not, just repeat the setup process?
I saw this on my PlayStation account I have lost accounts before so I was looking for a different way to keep my account safe but I didn't understand it thank you for this video
If the site owner isnt forced to update to passkeys it will take ages for this to be implemented.
And if its mor conveinient can be discussed. I have setup passkey on my google account. So everytime i log in i have input my win passcode. Compaired to chrome just remembering the password. Not easier. Or i have to buy a camera or a fingerprint reader for my desktop.
And how do i know if my fingerprint/face dont get stolen by hackers exploiting flaws in the camera/fingerprint reader?
Imo just a new set problems compaired to the old way.
Now that TSA and flight security systems around the globe and immigrations check points are using fingerprint and facial identity, what could possibly go wrong? I would think that a pin number would be a better choice for the final authentication, while using these passkeys.
Subscribed! Thanks!
Great explanation. From a privacy perspective, I’ve always wondered about adding a fingerprint or face as a ‘passkey’. Is this stored anywhere that compromises one’s privacy?
I don't believe so. It's stored and used only on the device.
I have been using passkey with google sign in for sometime but with a bit of trepidation not really knowing how it works. This is the first time I get it. I never knew it’s based on private/public key cryptography. Thank you so much for this. I am now subscribed to your channel; that much you deserve. 😅
Passkeys are more secure, but the password problem is not eliminated. One has just shifted the password problem to the Windows (or some other OS on that hardware, as opposed to the software-service that you are trying to secure). If one's device is stolen AND the thief can hack the device-password then they can get into the service concerned. Is my understanding correct?
Yes, but that's a MUCH MUCH MUCH lower risk than a password being compromised in a breach, or by phishing.
Thanks. That was top notch.
Thank you for that explanation.
My question is, what happens if you create a passkey and use it on your mobile device for your crypto account. Is there any instance where you could lose any kind of access to your passkey, to where you couldn't access your crypto account or mobile device?
Great video Leo. I can't wait for passkeys to take over the password phase. Do you have a list of services that have already started using passkeys, besides google?
www.passkeys.com/whos-using-it
Does the rollout of pass keys present a vulnerability for accounts that have not been set up yet that may be compromised, allowing a threat actor to set up the pass key on another device? Does the key have a method of being reestablished manually or during a password reset or account recovery process?
A passkey requires that you be able to authenticate some other way in order to be set up. A devices passkey can be individually revoked remotely.
Where does PGP email encryption, decryption, digitally signing emails fall in the mix? Sorry, I am not a techy, just someone trying to learn and understand. Thanks.
Related encryption technology, but used for a different purpose.
Fantastic explanation! Very clear. Been looking for a video that goes into more detail and this is exactly what I needed!
superb explanation of passkey done layman terms.
Hmmm, thanks for the great explanation . I wish google would hire you to explain. Dreadful articles. However I am already deep in the swamp of questions. Such as- your laptop has problems any you have to give it to a repair person (not a hard drive replacement). They need admin rights. Does that leave you open? Also, another question - in an emergency (you can’t give them data) how do they get into your device to pull data? Lots and lots of questions before the complicated users feel comfortable. Again, thanks
"Does it leave you open" yes. Choose trustworthy repair people. (Or take extra steps to secure sensitive data while still leaving the machine operable.) Not understanding the emergency scenario you're describing, though.
Make sure you always make backups of your devices and authenticate with multiple devices if you use something like passkey
Leo,
The major concern I have regarding the password-to-passkey transition period, is that the service/company/app I am accessing will actually have both the new public key for a specific device(s) AND my original password. In the example you used where the service was hacked and they stole my public key, e-mail, etc., didn't they also get my still usable password? I mention this because I have created a few passkeys but have not seen an option to have the service permanently delete my password once the passkey was created.
Therefore, even if I create or share passkeys for all my devices to a particular service, a data breach of that service will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key.
What am I missing?
Thanks for the excellent video!
Karl
Microsoft allows you to remove passwords. In leiu of that, set the password to something ridiculously long and complex, and then don't save it anywhere. Nothing for hackers to steal, you'd never use it yourself, so it's as close to password-free as you can get.
@@askleonotenboom Thanks Leo. (I am in the Apple ecosystem.) Unless I misunderstood, which is entirely likely, the service still has my valid user ID and/or email and my long/complex password. Many companies use very poor data security practices and leave files exposed on cloud servers like it is a hobby, so I still believe the danger is being unable to have passwords removed from a service when you have switched entirely to passkeys. BTW, although companies frequently use poor data security practices, they are expert at apologizing after they have been breached. I currently have three different "free" identity theft services due to breaches. Being breached does not seem to cause the same reputation damage it used to.
Keep up the good work!
Karl
As a senior citizen I am very concerned that when something happens to me, my children can access all my accounts and information. If I set up a passkey, do they have to have my device to do so?? Right now, I keep passwords in an encrypted file for which they have the password and I send them the current file on a semi-regular basis.
This sounds wonderful if YOU are the only one using your device and the only one needing to log into accounts. But I am a bit confused about how it will work in a situation where multiple people need to access the same account (a bank is an example).
Whatever technique the service uses for you to set up a passkey on a new machine should be made available to your heirs.
Very clear. Thank you
Can you use emojis in passwords? It would sure expand options
It depends entirely on the system asking you for a password.
What if I have only one device storing my private key (say my phone) and I lost it. What is the recovery option here? and the person who was able to get my lost phone figured out the login pin? I am not questioning the security of passkey but trying to understand this scenario. In case of password, I know it and can use it from any device. By the way excellent explanation!
There is ALWAYS another way to sign in. That other way may involve more steps and be less convenient (say, emailing you a code), but think about how you establish a passkey to begin with: you have to login somehow. Once you're logged in you can then revoke the passkey assigned to your phone.
Hay Leo can I use the same passkey on different devices? Or do I need more passkey Thanks
Some password managers like 1Password will store your passkey for use elsewhere. Otherwise, passkeys are per-device, so you'd set one up on each device the first time you sign in to the account on each device.
Excellent explanation - thanks
Hello.Thank you for this very interesting and informative video. A question of security: I imagine that the public key and the private key are created using an algorithm that ensures the link between the 2. What happens if a hacker gains access to this algorithm? Can he decrypt the private key? This is a very unlikely hypothesis and the risk of ordinary passwords is certainly much greater.
Thanks this answers my questions.