Don't get what's so revolutionary about that.
Used digital signatures and SSL for years. I get what a private key is.
But instead of storing password + 2FA, you just store passkey + 2FA. Not that different from a password manager. Not that much faster either.
And it can be lost as well, so the process of "I don't have my passkey, please let me in" will still be there.
Not revolutionary in the technology but in the adoption. I loved using keys for passwordless SSH logins back in the day, made things super easy.
Okta has analyzed the speeds and found that it is faster than logging in with a password or other MFA forms. It will save seconds. And while that doesn't sound like that much, it creates a more frictionless experience for the user which is always a bonus when you don't sacrifice security.
Passkey is a totally useless thing.
1) When the phone is lost or broken, you still have to log in with a password to access the account, so how can you say a passkey will replace the password and you don't need to remember the password?
2) When a bad guy gets your phone, they can't unlock it with fingerprint or face recognition, but they can unlock it with a PIN. A PIN is usually 4 or 6 digits. This is easier to figure out than a password, so how can it be called more secure than a password?
3) In the case where the bad guy doesn't have your phone, they will pretend that the phone is lost or broken to be able to enter the password. So how is a passkey called more secure?
4) The password is in my head. In the event of being threatened, I may not provide the password even if I am killed. The passkey is on the outside. If threatened, the bad guy will use my finger or face to unlock the phone easily. So how can a passkey be called more secure?
Check out my video on whether 2FA is still secure. That will answer your question on why passkeys are more secure. In your scenarios, they involve physical theft. The majority of attacks that happen are from social engineering and can bypass weaker forms of 2FA.
I really think the same. It's just complicated and not secure at all. I don't have biometrics on my gaming PC, so I'd rather stay on the PIN and let Windows stop an attacker at the third attempt.
@@Ag89q43G0HyA You don't need biometrics. But regardless, I get prompted to 'unlock' my phone - which can usually be setup with biometrics if that's what you're fixated on.
@@teachmecyber 2FA is secure, especially if you use best practices of having it on different devices.
Passkeys have way too many risks; it centralizes access to devices, which creates inherent risk.
Steal your traditional device? No problem, access only to session-locked data.
Steal a passkey-first device? Goodbye, all accounts.
My biggest concern with this type of authentication (I have used it on linux / git / ssh ...) is how to secure the private key. It would be disastrous if some malware broke into your PC and sent the private key to someone without your knowledge. Yes I know you can password protect the private key but then it does not remove the password.
It's the primary risk right now. There's a similar risk today with password managers and protecting access to the master password.
I've investigated issues before where a hacker has stolen SSH keys for access, so it happens. The primary difference here (at least for now) is that the authenticators can have a bit more security (like requiring biometrics) to help keep that key safe.
You have 2 choices:
1/ Store your username/email/mobile/private security questions/password on the website's server and fully trust them to keep it secure. Still, malware can also attack the website's server.
2/ If passkeys are the future, then there's no need to provide email/SIM number, your pet's name or your mother's maiden name, and no need to store a 2FA key.
Just log in with your fingertips; all passkeys are saved within your hardware.
But malware can still attack.
But it's my responsibility to prevent attacks.
@@0x64bit I have a skin condition that makes my fingers crack and peel so I cannot use fingerprint authentication.
@@dgoubliette4554 So use it with a 'screen unlock' pattern on your phone. When I log into Google via a web browser on my laptop, I get prompted to unlock my phone and voila, the website lets me in.
Cool, meanwhile my bank just recently updated their site login to finally include 2FA; the only issue is that it doesn't allow a third-party authenticator app to be the 2FA. Instead it's SMS, call, or email. They've had 2FA on their phone app for a while now, via SMS. So not only does it do it in the most insecure way, but it sends that info to the same phone it's trying to log in from. And for a good chunk of time they implemented 2FA in the MOST insecure way possible.
2FA with banks is one of the most frustrating things ever. They are lagging behind on secure authentication.
Some financial institutions support hardware keys, which I'm a huge fan of. But there needs to be more pressure on them to implement more secure authentication like passkeys!
Just finished watching your portion of the recent InfoSecurity conference and saw your mentioning passkeys as being your low hanging fruit piece. I have been hearing about them for a while now but hadn't really delved into the mechanics of it, so thank you for explaining since they are starting to make some headway in the market.
Glad it was helpful for you!
Thanks for the hard work to popularize all these features!
Question: if I store my passwords + my passkeys in Bitwarden, is there any risk if my Bitwarden account is hacked?
Shouldn't I use another app to store my passkeys?
What if all of my devices get stolen from the hotel while traveling? How do I authenticate with the replacements when I am starting from scratch? Wouldn't a password manager be better in this situation?
If you're using Google passkeys, they will save the key so it loads to a new Android device.
If you're not, you can setup a backup key (e.g. using a Yubikey) that you keep in a safe spot and can use in a "break-glass" scenario where your devices are stolen.
There's always the option as well to have a backup authentication method like a password just in case.
@@teachmecyber very helpful thanks !
@@teachmecyber Yes, the motto of Google is: "Don't do evil". That's why it's okay to copy-paste our keys into the cloud.
do you just have one private key for all sites or is a private key for each one?
You have a single private key stored on the authenticator. Each website that is registered has its own private-public keypair (generated from the private key) with a credential ID (which ties the keypair to the website).
So do you have a separate private key for each site that supports it? What happens if your device gets trashed, do you just create a new passkey on your new device? All of this sounds like SSH.
Great explanation man !
Thank you Jason, quite insightful
Thanks for watching! Passkeys can get pretty complicated, so hopefully this was an easier way to get the run down on them.
Passkeys meaning public and private key pairs are created by the device? I.e., the OS (Microsoft/Android/iOS) or the browsers create key pairs?
The device will create the public / private key pair. So that would be your laptop, phone, etc. The private key stays on the device and the public key is given to applications.
I have a lot of questions. If I have a password with Google, can I also use the passkey as an option? Or does it delete my password?
Is it device specific? Or if I have a phone and a desktop, will it recognize it across devices?
You can have a password and passkey at the same time. You can do either device specific or a synced version, it just depends where you store it. So, you can do your phone or laptop and it will just be available there. Or you can use a password manager like 1Password and it will be synced across devices
What if you already have a username and password for the site and then you create a passkey? Can't the username and password still be hacked? Or are they deleted automatically once the passkey is created?
What if it's not your device? I sometimes want to log into online accounts on my work PC 🤔
You can use synced passkeys in that case. Password managers like bitwarden and 1Password offer the ability to store synced passkeys which you can access from different devices.
I still don't get the point of passkeys being the most secure when the websites allow other weaker methods to sign in at the same time.
Correct me if I'm wrong, but doesn't Microsoft keep its SMS and email codes alongside passkeys?! 🙈
My take, from what I’ve read, is that this will be a transitional technology for a long time. In most cases we will have both passwords and passkeys. But, say if you have a passkey for a site, then you will use that preferentially going forward. Your password can still theoretically be hacked but because you’re not constantly using it there will be few or no opportunities to phish it. So the passkey is still overall more secure.
The operative word is “more.” Nothing is 100% secure, just as nothing is 100% safe.
Brother, how can I save passkeys on my mobile using 1Password?
It only works on iOS right now. If you're using Android, you'll have to wait for a later update.
As long as you have your phone with you and it's charged all is good trying to get into your desktop or laptop. Phone missing or dead, you are out of luck.
So, what happens when google decides to ban my account for whatever reason? I lose access to everything? TBH, passkeys sound like a good idea in principle, but there is no way I would trust a private entity with this. Once there is a major FOSS organisation providing an open solution to them, maybe I'll try it.
The passkey is just for Google, so if your Google account was banned, the passkey is irrelevant.
The passkeys themselves are stored on your device, so in the event Google unbanned you, then you would still have your original passkey.
@@teachmecyber But isn't Google being used here as a "provider" or "manager" for passkeys? It's what enables the migration of passkeys to different devices, and what is used as the 2nd factor, right? So if my account is banned, I can't sign into Chrome as me; would I be able to use the local passkeys still? At 5:41, when you are prompted to enter the password, isn't that your Google account credentials?
It's only the passkey for Google. Each website you configure has its own passkey, so your other passkeys wouldn't be impacted. Google is only managing its own passkey.
Some password managers are building in passkey management which could have all of your passkeys.
@@teachmecyber … like Google
Well made and informative video, and very well explained.
Just a small video tip: sit a bit farther from the camera to allow a more natural headroom.
Thanks for the feedback!
Nicely done, thank you!
Thanks!
How does this protect your identity when your device is lost or stolen? Cellphone theft is on the rise.
If your computer needs to be replaced because of theft or broken how do you get your passkeys on your new computer?
You can use synced passkeys (check out my 1Password video on this). Separately, you can also just set up new passkeys for your accounts but that is more time intensive
Not now.
Still a ways out from mass adoption but this is a good first step
What about privacy? Google and Apple will know and log all and every time I use a site!? No tks
Passkeys can be used independent of Google and Apple. So if you're not a fan, it doesn't mean you can't still use them
@@teachmecyber humm...
I didn't get one thing. Many sites don't have it yet, but those which do, will they still have the regular registration form, but with a passkey option too?
That's correct. You will first need to create a username and password to register with the site. From there, you can then create a passkey. So you will have both ways of logging in. When you log in in the future, you will either automatically get prompted to use a passkey or there will be an option to log in passwordless (which is passkeys).
7:55 Chrome on Ubuntu doesn't have this option. 💩
womp womp, you're right!
developers.google.com/identity/passkeys/supported-environments
You're going to be stuck using your phone or a hardware token in the meantime.
Sure, they are in fact pretty simple.
Ok.. so, at work, we cannot install any apps on our work phones. And no Bluetooth is permitted.
How do we use passkeys again?
If your work device supports passkeys, you can use that as an authenticator. Just don't put that as your only option!
Trouble with experts is you are unable or unwilling to see, think as a non-tech user. You lost me after less than 1 min, no help to me.
Too complicated, too many steps. Much jargon.
Sorry it wasn't for you. This is a pretty complicated topic.
Only if you’re a dolt.