What are Passkeys? | Are Passwords Dead? | A Security Expert Explains

  • Published: 26 Jun 2024
  • Passkeys are set to make passwords obsolete. They rely on a basic and widely used technology that is also super secure. Passkeys allow you to log in faster and have security baked in.
    In this video, we'll explain how passkeys work and the underlying public-key cryptography technology that makes them work.
    📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
    Links
    Passkey Demo: passkeys-demo.appspot.com/
    Passkey Supported Websites: passkeys.directory/
    ❤️ Leave a comment and hit the like button because it helps spread cyber security knowledge to more people.
    Table of Contents
    00:00 - Intro
    00:36 - What is a passkey?
    01:15 - Public-key cryptography
    02:12 - How passkeys work
    03:45 - Passkeys demo
    05:52 - Benefits of passkeys
    06:50 - Disadvantages of passkeys
    07:30 - Which websites support passkeys?
    🔔If you found this helpful, subscribe to the channel!
    www.youtube.com/@teachmecyber...
    🚀 Connect with me on LinkedIn
    / jrebholz
    ✅ Recommended playlists:
    Cyber Security for Beginners | Basics of IT
    • Cyber Security Classes...
  • Science

Comments • 58

  • @64nghia 8 months ago +9

    A passkey is a totally useless thing.
    1) When the phone is lost or broken, you still have to log in with a password to access the account, so how can you say passkeys will replace passwords and you don't need to remember the password?
    2) When a bad guy gets your phone, they can't unlock it with fingerprint or face recognition, but they can unlock it with a PIN number. A PIN number is usually 4 or 6 digits. This is easier to figure out than a password, so how can it be called more secure than a password?
    3) In the case where the bad guy doesn't have your phone, they will pretend that the phone is lost or broken to be able to enter the password. So how is a passkey more secure?
    4) The password is in my head. In the event of being threatened, I may not provide the password even if I am killed. The passkey is on the outside. If threatened, the bad guy will use my finger or face to unlock the phone easily. So how can a passkey be called more secure?

    • @teachmecyber 8 months ago +3

      Check out my video on whether 2FA is still secure. That will answer your question on why passkeys are more secure. Your scenarios involve physical theft. The majority of attacks that happen are from social engineering and can bypass weaker forms of 2FA.

  • @deookello3825 10 months ago +1

    Thank you Jason, quite insightful

    • @teachmecyber 10 months ago

      Thanks for watching! Passkeys can get pretty complicated, so hopefully this was an easier way to get the rundown on them.

  • @ipohertroyanov464 11 months ago +6

    I don't get what's so revolutionary about that.
    I've used digital signatures and SSL for years. I get what a private key is.
    But instead of storing password + 2FA, you just store passkey + 2FA. Not that different from a password manager. Not that much faster either.
    And it can be lost as well, so the process of "I don't have a passkey, please let me in" will still be there.

    • @teachmecyber 11 months ago +4

      Not revolutionary in the technology but in the adoption. I loved using keys for passwordless SSH logins back in the day; it made things super easy.
      Okta has analyzed the speeds and found that it is faster than logging in with a password or other MFA forms. It will save seconds. And while that doesn't sound like much, it creates a more frictionless experience for the user, which is always a bonus when you don't sacrifice security.

  • @jfkastner 11 months ago +1

    Nicely done, thank you!

  • @valorien1 4 months ago +1

    Well made and informative video, and very well explained.
    Just a small video tip: sit a bit farther from the camera to allow a more natural headroom.

  • @AngriestPanda 6 months ago +1

    Just finished watching your portion of the recent InfoSecurity conference and saw you mentioning passkeys as being your low-hanging-fruit piece. I have been hearing about them for a while now but hadn't really delved into the mechanics of it, so thank you for explaining, since they are starting to make some headway in the market.

    • @teachmecyber 6 months ago

      Glad it was helpful for you!

  • @BulldogXXX 9 months ago +5

    Perhaps I misunderstand, but this sounds to me like another version of SSO, and with the same weakness: If my Google account is compromised, so is my passkey. Plus, this requires me to activate Chrome's password manager, and most technology bloggers say to avoid using your browser's password manager. And I don't want Google to bug me to use their password manager. I like the idea of public key cryptology, but I don't think this is the winning implementation.

    • @teachmecyber 9 months ago +1

      To my knowledge and testing, you don't need to activate Chrome's password manager. It's different from SSO because the key is living on your device (SSO would be centrally managed). Now Google does try to make it easier for multi-device use, which is convenient but also a risk. If that risk is not worth it for you, then I would opt for a FIDO2 key instead.

  • @ketsuekikumori9145 11 months ago +3

    Cool, meanwhile my bank just recently updated their site login to finally include 2FA; the only issue is that it doesn't allow a third-party authenticator app to be the 2FA. Instead it's SMS, call, or email. They had 2FA on their phone app for a while now, via SMS. So not only does it do it via the most insecure way, but it sends that info to the same phone it's trying to log in from. And for a good chunk of time they implemented 2FA in the MOST insecure way possible.

    • @teachmecyber 11 months ago +1

      2FA with banks is one of the most frustrating things ever. They are lagging behind on secure authentication.
      Some financial institutions support hardware keys, which I'm a huge fan of. But there needs to be more pressure on them to implement more secure authentication like passkeys!

  • @jonrend 2 months ago

    So do you have a separate private key for each site that supports it? What happens if your device gets trashed, do you just create a new passkey on your new device? All of this sounds like SSH.

  • @drescherjm 11 months ago +8

    My biggest concern with this type of authentication (I have used it on Linux / git / SSH ...) is how to secure the private key. It would be disastrous if some malware broke into your PC and sent the private key to someone without your knowledge. Yes, I know you can password-protect the private key, but then it does not remove the password.

    • @teachmecyber 11 months ago +5

      It's the primary risk right now. There's a similar risk today with password managers and protecting access to the master password.
      I've investigated issues before where a hacker has stolen SSH keys for access, so it happens. The primary difference here (at least for now) is that the authenticators can have a bit more security (like requiring biometrics) to help keep that key safe.

    • @0x64bit 8 months ago +1

      You have 2 choices:
      1/ Store your username/email/mobile/private security questions/password on the website's server and fully trust them that they keep it secure. Malware can still attack the website's server.
      2/ If passkeys are the future, then there is no need to provide an email/SIM number, your pet's name or your mother's maiden name, and no need to store a 2FA key.
      Just log in with your fingertips; all passkeys will be saved within your hardware.
      But malware can still attack.
      But it's my responsibility to prevent the attack.

    • @dgoubliette4554 6 months ago

      @@0x64bit I have a skin condition that makes my fingers crack and peel so I cannot use fingerprint authentication.

  • @carlowe2 11 months ago +2

    Do you just have one private key for all sites, or is there a private key for each one?

    • @teachmecyber 11 months ago

      You have a single private key stored on the authenticator. Each website that is registered has its own private-public keypair (generated from the private key) with a credential ID (which ties the keypair to the website).

  • @sanjanarao1075 7 months ago +1

    Passkeys meaning public and private key pairs are created by the device? i.e. does the OS (Microsoft/Android/iOS) or the browser create the key pairs?

    • @teachmecyber 7 months ago

      The device will create the public / private key pair. So that would be your laptop, phone, etc. The private key stays on the device and the public key is given to applications.

  • @DaveG-qd6ug 11 months ago +3

    What if all of my devices get stolen from the hotel while traveling? How do I authenticate with the replacements when I am starting from scratch? Wouldn't a password manager be better in this situation?

    • @teachmecyber 11 months ago

      If you're using Google passkeys, they will save the key so it loads to a new Android device.
      If you're not, you can set up a backup key (e.g. using a Yubikey) that you keep in a safe spot and can use in a "break-glass" scenario where your devices are stolen.
      There's always the option as well to have a backup authentication method like a password just in case.

    • @DaveG-qd6ug 11 months ago +1

      @@teachmecyber very helpful thanks !

  • @Jimfundercover2 7 months ago +1

    If your computer needs to be replaced because of theft or because it is broken, how do you get your passkeys on your new computer?

    • @teachmecyber 7 months ago

      You can use synced passkeys (check out my 1Password video on this). Separately, you can also just set up new passkeys for your accounts, but that is more time intensive.

  • @mchammer5592 4 months ago +1

    What if it's not your device? I sometimes want to log into online accounts on my work PC 🤔

    • @teachmecyber 4 months ago +1

      You can use synced passkeys in that case. Password managers like Bitwarden and 1Password offer the ability to store synced passkeys which you can access from different devices.

  • @Chicago48 3 months ago +1

    I have a lot of questions. If I have a password with Google, can I also use the Passkey as an option? Or does it delete my password?

    • @Chicago48 3 months ago +1

      Is it device specific? Or if I have a phone and a desktop, will it recognize it across devices?

    • @teachmecyber 3 months ago

      You can have a password and passkey at the same time. You can do either device specific or a synced version; it just depends where you store it. So, you can do your phone or laptop and it will just be available there. Or you can use a password manager like 1Password and it will be synced across devices.

  • @asinheaven 2 months ago

    How does this protect your identity when your device is lost or stolen? Cellphone theft is on the rise.

  • @usmanzubair3479 6 months ago +1

    Brother, how can I save passkeys on my mobile using 1Password?

    • @teachmecyber 6 months ago

      It only works on iOS right now. If you're using Android, you'll have to wait for a later update.

  • @Gorky25 6 months ago +1

    I didn't get one thing. Many sites don't have it yet, but those which have it, will they have the regular registration form but have passkeys too?

    • @teachmecyber 6 months ago +1

      That's correct. You will first need to create a username and password to register with the site. From there, you can then create a passkey. So you will have both ways of logging in. When you log in in the future, you will either automatically get prompted to use a passkey or there will be an option to log in passwordless (which is passkeys).

  • @gwine9087 11 months ago +2

    Not now.

    • @teachmecyber 11 months ago +2

      Still a ways out from mass adoption, but this is a good first step.

  • @user-sw2nh4ll7h 9 months ago +1

    So, what happens when google decides to ban my account for whatever reason? I lose access to everything? TBH, passkeys sound like a good idea in principle, but there is no way I would trust a private entity with this. Once there is a major FOSS organisation providing an open solution to them, maybe I'll try it.

    • @teachmecyber 9 months ago

      The passkey is just for Google, so if your Google account was banned, the passkey is irrelevant.
      The passkeys themselves are stored on your device, so in the event Google unbanned you, then you would still have your original passkey.

    • @user-sw2nh4ll7h 9 months ago +1

      @@teachmecyber But isn't Google being used here as a "provider" or "manager" for passkeys? It's what enables the migration of passkeys to different devices, and what is used as the 2nd factor, right? So if my account is banned, I can't sign into Chrome as me; would I be able to use the local passkeys still? At 5:41, when you are prompted to enter the password, isn't that your Google account credentials?

    • @teachmecyber 9 months ago +1

      It's only the passkey for Google. Each website you configure has its own passkey, so your other passkeys wouldn't be impacted. Google is only managing its own passkey.
      Some password managers are building in passkey management which could have all of your passkeys.

    • @somedude5353 7 months ago

      @@teachmecyber … like Google

  • @lucas-do-trt18 8 months ago

    7:55 Chrome on Ubuntu doesn't have this option. 💩

    • @teachmecyber 8 months ago

      womp womp, you're right!
      developers.google.com/identity/passkeys/supported-environments
      You're going to be stuck using your phone or a hardware token in the meantime.

  • @timfd.w.4163 3 months ago

    What about privacy? Google and Apple will know and log all and every time I use a site!? No tks

    • @teachmecyber 3 months ago +1

      Passkeys can be used independent of Google and Apple. So if you're not a fan, it doesn't mean you can't still use them.

    • @timfd.w.4163 3 months ago

      @@teachmecyber humm...

  • @PhrontDoor 8 months ago +1

    Ok.. so, at work, we cannot install any apps on our work phones. And no Bluetooth is permitted.
    How do we use passkeys again?

    • @teachmecyber 8 months ago

      If your work device supports passkeys, you can use that as an authenticator. Just don't put that as your only option!

  • @Chetok 24 days ago

    Trouble with experts is you are unable or unwilling to see and think as a non-tech user. You lost me after less than 1 min. No help to me.

  • @jimleon7894 4 months ago +2

    Too complicated, too many steps. Much jargon.

    • @teachmecyber 4 months ago

      Sorry it wasn't for you. This is a pretty complicated topic.

    • @uncletrick1 18 days ago

      Only if you’re a dolt.