Это видео недоступно.
Сожалеем об этом.
What If There’s a Passkey on My Lost Phone?
HTML-код
- Опубликовано: 15 авг 2024
- ✴️ Losing a device with a passkey isn't a disaster at all. I'll describe why that is.
✴️ Losing your passkey?
Losing a device with a passkey isn’t a disaster. Each device has its own passkey. If you lose your phone, set up a new passkey on its replacement and disable the old one remotely. Two-factor authorization helps secure your phone if you’re still using a password, but transitioning to passwordless is safer because there’s nothing to steal.
Updates, related links, and more discussion: askleo.com/171643
🔔 Subscribe to the Ask Leo! RUclips channel for more tech videos & answers: go.askleo.com/...
✅ Watch next ▶ What Is a Passkey? ▶ • What is a Passkey?
Chapters
0:00 Passkey on my lost phone
0:40 Passkeys
1:30 Initial setup
3:30 Losing your phone
5:00 What about passwords
❤️ My best articles: go.askleo.com/...
❤️ My Most Important Article: go.askleo.com/...
More Ask Leo!
☑️ askleo.com to get your questions answered
☑️ newsletter.ask... to subscribe to the Confident Computing newsletter.
☑️ askleo.com/patron to help support Ask Leo!
☑️ askleo.com/all... for even more!
#askleo #passkeys #security
This will take time. Older and younger folks that are technology-challenged have a problem managing simple passwords. Now we are asking these folks to select and use platforms to manage these passkeys on multiple devices and still hang on to the passwords, e.g., Chrome, Edge, 1Password, Apple iCloud keychain. This is very difficult for the average person. Another issue is the adoption of this technology by the business world. How long will it take for the smaller organizations to implement passkeys?
Given that some services still have a six character minimum for their passwords(!), I expect it will take a very long time.
BUT if you use a PIN to open your phone and your phone gets stolen by someone who also figured out your PIN, you’re kind of screwed. Which is why I prefer to use a separate device like a YubiKey.
At that point it’s not an issue with the technology, that’s a user problem.
Unless I'm missing something, just having access to your phone doesn't matter if the method on your phone to authenticate (activate) your passkey is biometric (i.e. face ID) and not a PIN. But if they have your phone login PIN and that same PIN is used to activate your passkeys then yeah, you're in trouble.
Leo, I’ve been a regular viewer for a number of years now. I’m overdue in expressing my gratitude for the excellent work you do. For me, your explanation of passkeys is much easier to comprehend than any other I’ve found.
I use 1password for my passwords and my passkeys. I think the passkey resides on the 1password app. I never created an other passkey with any of my other devices, (desktop, cell phone or laptop). Yet I can sign in with any of my devices.
Thanks Leo for answering my questions in this new video. I believe in passkeys, but currently it is not yet transparent enough where and how they are stored: google, microsoft, several password managers,... They all claim they will store the passkeys for you. How nice😊. I read the comments posted below this video and it is clear that a bigger effort is needed to explain the what and where. Your video really contributes.
There is so much with technology now that is not understood when it comes to the death of a person. All it takes is stopping one thing, and it can mess up several others, especially when the person left to deal with it hasn't a clue what you did! My thanks to Leo for his help to understand better what my guru husband did. I have managed a back up ready for windows 11. NOW passkeys? ARGH!
4:06 I think what people are concerned about is: what if they set their account and their only method of authentication is the passkey on the lost phone and have no alternative authentication methods (To make their account "more secure" as there can't be a password hack or sim swap for text verification), is that scenario possible?
@@marco31 This is a good solution, but if you also use a passkey for your email and only on the lost phone I'd think you would lose access forever. I of course would make certain to have a backup solution, but it's possible some people are going to set their accounts just like I described, if that is even possible.
I don't think you watched the (entire) video. There's ALWAYS a way back in. Consider: how did you set up the passkey in the first place? You had to authenticate some other way first.
@@askleonotenboom I did watch the whole video so there's no need to bash me, I posted my concern for the benefit and engaging of YOUR channel and audience and I don't think you understood me and I'll prove it. I once remember a Microsoft message offering to remove my password and setup a passkey. No password and passkey on lost phone (with no other backup) = no recovery (If this scenario is possible). Unless the system accepts the old "removed" password or forces you to have an alternative authentication method. Do you understand now?
@@Teisjuit took me two seconds to google: Microsoft account recovery.
@@Teisju And as I said in the video, there's ALWAYS another way to get in. With no password and a lost phone, you'll simply authenticate on a new device some other way, like a message sent to your alternate email address, your recovery phone number, a backup code you set up before hand, or something else. Like I (and the video) said, it's the exact same process you used to set up the passkey on the phone initially
Interesting video. I'd never heard of a passkey before. Probably because I don't have a phone.
Still unclear what it is
What would happen if I were to take over using an email account for an organization from the previous person who held the position? How would a passkey be established on my computer instead of theirs?
You would set up the passkey like any other first time use of a device: signing in some other way first.
Based on all the confusion in the comments section, it suggests the video didn't explain the topic well enough?
Why are you still trying to make passkeys relevant? They're not user-friendly or secure and people can't even agree on an implementation. Users are left to figure out if they passkey is device-bound or syncable.
4:00 When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't). How is that secure or convenient? Signing in using another method isn't an option when, like you, someone was dumb enough to remove their password leaving the passkey as the only option. Similarly, you can't invalidate a passkey if you can't get into the account either.
6:22 Your takeaway is concerning too. Setting up multiple passkeys for all your accounts takes an ongodly amount of time without offering any benefits. We already have passwords for those accounts. Nothing to set up, no time wasted.
And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager.
"people can't even agree on an implementation"?
There's multiple ways to implement passkeys, and that is by design. Some implementations are more convenient, and some are more secure.
A federal government agency website/app might require device-bound passkeys only, while a video game website/app might allow synced passkeys and device-bound passkeys.
"Users are left to figure out if they passkey is device-bound or syncable."
They'll learn, like they learned about how some of their passwords are synced (e.g. Google Password Manager), and some of their passwords are not synced (e.g. local offline accounts on desktop PCs and laptops).
"When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't)"
This is why you remotely deactivate your phone when your phone is lost. Android and iOS devices can be remotely deactivated from another device.
"Setting up multiple passkeys for all your accounts takes an ongodly amount of time without offering any benefits"
One benefit is that you can still log in if you lose a device or lose access to a password manager. Another benefit is that you don't have to remember your passkeys or write them down.
"And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager."
Your passkeys can be locked away in a password manager, too. Android 14 and iOS 17 and macOS 14 support third-party password managers (Strongbox, KeePassDX, Bitwarden, 1Password, Proton Pass, etc.). Windows is gonna have that same support, too, according to the "device support" page on the "passkeysdev" website.
First of all, my phone is pin protected. I then use an app, which i set a password to open, then I choose any app on my device, i need protected. It even takes a photo of anyone who tries to unlock any app. with a wrong password. lol
I have not yet understood "passkey". I have a couple of mobile devices. One of them I simply turn it on if I plan to use it. The other one I turn on if I plan to use it and I have set-up a code to unlock it for actually actively using it for anything. I do not remember at any time giving or making any passkey. Is that code I put in for unlocking the front screen of the second device actually called a "passkey"?
No, that's a PIN to simply use the phone. The password is the public key/private key and works behind the scenes. Public key on the server and private key on the device. Lose the device and it's not a problem since the server will generate a new private key for your new device.
Microsoft says passwordless accounts are safer. They do offer passwordless account or passkey