Passkeys are HERE and they're SECURE! Learn this today...

  • Published: 5 Aug 2024
  • What is a passkey? Passkeys are hands-down the most secure type of login authentication widely available today, even though using them is deceptively simple. A passkey is a public/private key pair: the site or service stores the public key, the private key stays on your device, and you unlock it with the PIN code, FaceID, or TouchID you already use. Passkeys are designed to be easy to use, phishing-resistant (the credential is bound to the site's origin, so a look-alike site cannot use it), and brute-force resistant, and it does not matter if your public key gets leaked in a server hack: it is useless without the private key, which only ever lives on your devices. By mass-adopting passkey technology, we can help put an end to the scammers and hackers who prey on folks with poor security hygiene.
    Get your YubiKeys here: geni.us/GunRC (affiliate)
    Remember to use coupon code CROSSTALK at checkout to get $5.00 off YubiKey 5 series or Security Key series security keys!
    Timecodes:
    00:00 Intro
    01:27 What is a passkey?
    05:11 Features of passkeys
    06:21 Passkey security explained
    12:21 Passkeys in the Enterprise
    13:38 Passkey demo
    17:03 Who do you trust with your passkey management?
    18:24 Security Hierarchy
    Thanks to Yubico for sponsoring this video!
    ----------------------------------------
    Buy me a coffee! ko-fi.com/crosstalk
    Crosstalk Discord: / discord
    Follow me on:
    - Twitter: / crosstalksol
    - Facebook: crosstalksolutions
    - Instagram: / crosstalksolutions
    - TikTok: / crosstalksolutions
    - LinkedIn: goo.gl/j2Ucgg
    Crosstalk Solutions - RECOMMENDED PRODUCTS: crosstalksolutions.com/recomm...
    Amazon Wish List: a.co/7dRXc67
    Crosstalk Solutions offers best practice phone systems and network/wireless infrastructure design/deployment. Visit www.CrosstalkSolutions.com for more info!
  • Category: Science

Comments • 634

  • @GerryVeerman 11 months ago +3

    Agree.
    This video explains the matter thoroughly and clearly. Helped me a bit further on grasping the passkey tech.
    Important to highlight though;
    - The ‘passkey technique’ is what it’s all about.
    Which hardware you use to make it happen is secondary (you don't need 'security keys' per se to be able to use passkey authentication).
    - For now it depends on the OS / browser version used whether it can handle passkey QR codes. Hopefully third-party apps for devices will soon pick up the art of handling, syncing and storing passkeys.
    - As an example of how the latter can bite you in the tail, there is the nasty surprise for the Apple ecosystem: if you use security keys, all your devices need to be running the latest OS.
    It's all or nothing. If you implement security keys, any device not able to run the required OS is at a loss (booted out of the ecosystem).

  • @travails3829 1 year ago +17

    Correction: the private key answer to the challenge is checked on the server, not the client. It would be no security at all if the device was just sending "whether or not the challenge was successful" to the server. :D

    • @karicallegra8194 1 year ago

      Was coming to say the same thing... would def be pretty sus lmao

    • @isovideo7497 11 months ago

      Presumably the servers would also have to use the public key to encrypt a unique timecode in the data sent, and then verify the same timecode in the response, in order to prevent client playback attacks.

  • @tekenator 1 year ago +13

    Once a passkey is set up, is signing in with a username and password no longer an option? How does recovery work if I lose my device?

  • @williamhughmurraycissp8405 1 year ago +50

    The biggest limitation of Passkeys is the small number of applications that offer the option and the users that adopt them. Hopefully those will grow with time and videos like this one.

    • @CD-vb9fi 1 year ago

      To me the biggest limitation is losing control over my own Identity. PassKeys can be hacked just like LastPass, Comodo, Zero Ring, Golden Ticket, I mean... all this does is create a more valuable target... sure we might save the morons from being "hacked" but now even the geniuses will be forced into this ecosystem and they will now become less secure.
      Remember the old joke... if you are being chased by a bear... all you need to survive is to be faster than the slowest person? It's the same concept. With "gimmicks" like this... it makes even the fast as slow as the slowest! Now... you have to rely on someone else's ability to dictate your survival and you will not have any ability to understand this technology to fix it when it goes wrong... but the hackers will... they will know more about your own security than you ever will. You have a job to do and can't dedicate the attention necessary.
      But they have time... they have plenty of it since they get paid by their various governments to datamine your "identity" or just flat out NSL the data directly without any way for you to know or even challenge it.
      A day will come where an employee is fired because a government somewhere does something with their account and how is the poor sap going to be able to prove any of that? The entire ecosystem is completely outside of their ability to even "know" which means courts will throw out all of your challenges because you can't even prove harm...
      And just like that... the entire world is compromised. Especially as AI takes off.
      Nothing beats a personal password where your brain is the storage medium.
      These are only to fix the problems with the stupid and lazy.

    • @ianl1052 1 year ago

      Agreed. So far, even Amazon doesn't accept it (yet). However, because Google does, you can use it for any account you can access via Google including PayPal...which is pointless because PayPal accepts passkey.

    • @freemagicfun 1 year ago +3

      I like the idea of passkeys, but yes it seems like the acceptance by apps & sites is woefully slow. 😎

    • @bkbroiler5946 9 months ago +2

      @@freemagicfun It's just so complex. not many people even understand this, so even if the sites offer it, I imagine almost no one uses it.

    • @CyberMedics 8 months ago +2

      All of the major email platforms and operating systems are supporting them (Apple, Google, MS, outlook, gmail). But true that most others services do not support them or hardware security keys. The banking industry is woefully behind on the security front.

  • @chrismargolis 1 year ago +218

    I love the idea of passkeys and their simplicity, but the biometric nature concerns me. In the US, the government/police can’t force you to reveal a password. That is because it’s considered a 1st and 5th amendment protection. Biometric based logins are NOT protected in the same way. That is why password managers w/ security keys still seems like the best to prevent government intrusion.

    • @WanderTrekker 1 year ago +48

      The "freest" country in the world 🤣🤣

    • @graysonpeddie 1 year ago +5

      @@pinky6863 So what if I'm required to give them 256-character password from my password manager? :) Passwords won't come cheap! :)

    • @WanderTrekker 1 year ago +15

      @@pinky6863 In germany both are protected under our "Grundgesetz"/ constitutional law, and also under the "Strafprozessordnung"/Code of Criminal Procedure.
      You don't have to give anything (information or things) to the government which *could* incriminate you.

    • @damiendye6623 1 year ago +2

      @@pinky6863 Not sure you're right, as you are required to give prints and DNA samples if you're arrested in the UK. And we have new laws that will effectively make it illegal to use these because of the lack of a government back door.

    • @Alex-zv4oc 1 year ago +7

      Exactly, but also people near you that can use your finger or Face ID to get access. Somehow, brains are protected 😅 i would not use Face or Touch ID to confirm.

  • @robertburley6506 2 months ago +2

    Best content on passkeys I've seen so far. Thank you! Regarding the Best Buy example, you say that you don't have to worry about Best Buy getting hacked but how is that the case if they don't give you an option to completely remove your password?

  • @machdaddy6451 1 year ago +4

    Does a hardware bound passkey have to be plugged into your phone to use it with your phone?

  • @MrSoulMonk 1 year ago +4

    A comprehensive and simple explanation of the various methodologies. Thank you! I love your channel. You present relevant topics with detailed information.

  • @GeeWit 1 year ago +4

    I was pretty up to speed on this but what a great review and in my case, confirmation that I'm arranging our digital security in the best way for us. Thank YOU!

  • @travishatch6246 1 year ago +4

    What is the difference between passkey and ssh keys at the cryptographic level? It sounds like passkeys are very similar if not the exact same technology rebadged and made consumer friendly.
    A synced passkey feels like moving an ssh private key to a password managers vault.

  • @jaxxarmstrong 1 year ago +13

    Yubikeys are great, but due to the inherent limitations of 2FA secret storage on their keys I'm waiting for them to upgrade that storage and release their 6th series before I buy a handful.

    • @RogierYou 1 year ago +7

      And their recent price increase 😡

    • @MegaLokopo 1 year ago +1

      I would highly recommend you don't buy security keys. If you enable Google's highest level of security, and they detect a potential attempt to break into your account, Google will immediately disable every way of logging into your account, and disable all of your security measures, including your password, then require you to reset your password via a link in your Gmail, and only after resetting your password will you be able to set up your security keys again.
      If google can't even trust a yubikey, a titan security key, 2fa via googles app, passkeys, and passwords, to verify who I am, you probably shouldn't trust them either.

  • @n2hobbes 1 year ago +11

    **fast clapping** Thank you! Thank you! This is the best, most complete and concise explanation of Passkeys I have heard yet! This video is going to help me so much in explaining the technology more to my team at work and family/friends.

  • @dansanger5340 11 months ago +1

    Nice summary. I wonder if cloud based passkey synchronization is being overemphasized. The alternative is to just log on to a new device using an old device that already has a passkey, as you showed in the video. No cloud based passkey synchronization required. But, you still need some kind of passkey backup, whether cloud based or local, in case you lose access to your device.

  • @arnoschaefer28 1 year ago

    How would passkeys work on sites that require a secret for encryption? Clearly, you cannot use the public key as an encryption key, as that is by its very nature public. It appears that for that scenario, the passkey protocol would have to include the possibility of securely transmitting a secret to the server on login or on request that is a.) unique to the site and b.) the same every time, so it can be used to encrypt and decrypt user data on the server. Does that exist or is this in the works?
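The question above has a standard answer, shown here as an added example in Go (not the video's or Yubico's code): the WebAuthn PRF extension, which is built on the CTAP2 hmac-secret extension. The authenticator keeps a random value called CredRandom for each credential and, during an assertion, returns HMAC-SHA256(CredRandom, salt) for a salt the site supplies. That output is the same on every login for that credential and salt, different for any other credential or salt, and cannot be computed without the device, which is exactly the "unique to the site and the same every time" secret asked for. A site (or a password manager that unlocks a vault with a passkey) wraps its data key under that output, once per enrolled passkey, so that any enrolled device can unlock and a stolen server table is useless. The device model, the credential IDs, the salt label "vault-v1" and the AES-GCM wrapping are assumptions for the demo; the real extension also encrypts the salt and the output in transit between platform and authenticator, which is omitted here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device side of CTAP2 hmac-secret: one random
// CredRandom per credential, never exported, used only as an HMAC key.
type Authenticator struct{ credRandom map[string][]byte }

func NewAuthenticator() *Authenticator { return &Authenticator{credRandom: map[string][]byte{}} }

// MakeCredential registers a credential and draws its CredRandom.
func (a *Authenticator) MakeCredential(credID string) {
	cr := make([]byte, 32)
	rand.Read(cr)
	a.credRandom[credID] = cr
}

// HmacSecret returns HMAC-SHA256(CredRandom, salt): identical every time for the
// same credential and salt, unpredictable without CredRandom. A real device
// releases it only after user verification (PIN or biometric).
func (a *Authenticator) HmacSecret(credID string, salt []byte) ([]byte, bool) {
	cr, ok := a.credRandom[credID]
	if !ok {
		return nil, false
	}
	m := hmac.New(sha256.New, cr)
	m.Write(salt)
	return m.Sum(nil), true
}

// PRFSalt is how the WebAuthn PRF extension maps a site-chosen input to the
// hmac-secret salt: SHA-256("WebAuthn PRF" || 0x00 || input).
func PRFSalt(input []byte) []byte {
	h := sha256.New()
	h.Write([]byte("WebAuthn PRF\x00"))
	h.Write(input)
	return h.Sum(nil)
}

// seal and open wrap a key with AES-256-GCM, nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Demo enrols two passkeys for one account, wraps one vault key under the
// secret each derives, then tries to unlock with the phone, the hardware key,
// and a stranger's device that knows only the credential ID. (Assumed setup.)
func Demo() (phoneOK, keyOK, strangerOK bool) {
	phone, yubi, stranger := NewAuthenticator(), NewAuthenticator(), NewAuthenticator()
	phone.MakeCredential("cred-phone")
	yubi.MakeCredential("cred-key")
	stranger.MakeCredential("cred-phone") // same ID, different CredRandom
	salt := PRFSalt([]byte("vault-v1"))   // chosen by the site; need not be secret
	vaultKey := make([]byte, 32)
	rand.Read(vaultKey)
	// What the server keeps: the vault key wrapped once per enrolled passkey.
	// Stealing this table yields nothing without one of the devices.
	wrapped := map[string][]byte{}
	for id, dev := range map[string]*Authenticator{"cred-phone": phone, "cred-key": yubi} {
		kek, _ := dev.HmacSecret(id, salt)
		wrapped[id] = seal(kek, vaultKey)
	}
	unlock := func(id string, dev *Authenticator) bool {
		kek, ok := dev.HmacSecret(id, salt)
		if !ok {
			return false
		}
		got, err := open(kek, wrapped[id])
		return err == nil && bytes.Equal(got, vaultKey)
	}
	return unlock("cred-phone", phone), unlock("cred-key", yubi), unlock("cred-phone", stranger)
}

func main() {
	p, k, s := Demo()
	fmt.Printf("unlock with phone=%v, hardware key=%v, stranger=%v\n", p, k, s)
}
```

The practical consequence for the question: the server never receives a reusable secret at all. It stores only wrapped copies of the data key, and each enrolled passkey (phone, hardware key) must be enrolled for the vault separately, because every credential derives a different PRF output. That is also why a user with a single passkey and no backup device cannot recover encrypted data by "account recovery" alone.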

  • @Alex-zv4oc 1 year ago +3

    It's basically the same asymmetric PKI stuff that is used for TLS encryption. The private key is stored on the web server or client, and YubiKey hardware stores the private key like an HSM used by servers such as web servers or reverse proxy servers like F5, right?

  • @bugsy123 4 months ago +1

    Great description helping to show the overlap and underlap between Passkeys and hardware keys.

  • @TJWood 1 year ago +5

    15:27 What happens if, for example, you no longer want someone you have shared your passkey with (say, after a divorce) to be able to use your credentials?

    • @jgleigh 2 months ago

      You should be able to create a new passkey and the old passkey will no longer work.

  • @macbitz 1 year ago +15

    I think passkeys are a great idea, and as (another) IT professional I understand the benefits. However, they are not without their issues. You have to consider adoption and compatibility, their adoption may not be universal across all platforms, applications, and devices, and some older systems or browsers might not support FIDO2/WebAuthN, limiting their widespread use. You also have the hardware dependency with the issues that brings (forgetting or losing your device, backup and recovery). Initial setup complexity - as has been pointed out in other comments, how do you get your non-IT literate friends onboard with this? Finally cost - not everyone can afford one (really).

    • @Felix-ve9hs 1 year ago

      Also, have you seen how many dependencies FIDO2/WebAuthN has? It is so much work that most websites will probably never provide it, unless forced by their government...

    • @williamhughmurraycissp8405 1 year ago +1

      Jones' Law: "Anything hit with a large enough hammer will break." All security mechanisms have limitations which should be considered when deciding whether or not to apply them in a particular environment. That said, Passkeys offer a balance of security and convenience that works for a broad range of applications and environments.
      As to "too much work," there are, or will be plug-n-play implementations for most environments. Compared to doing nothing, they are "work." Many, not to say most, managers of websites are reluctant to do any work until they get slammed. I never cease to be amazed at the number of managers who opt for cure over prevention. However, the environment is becoming increasingly hostile and password reuse is a favored method of attack. Perhaps, keeping one's resume up to date is the least work. However, being associated with the victim of an extortion attack may blot an otherwise spotless record.

    • @HarmonicaMustang 1 year ago +4

      I'm a (yet another) IT professional. I work in education. Shared computers are a common device deployment method for cost savings, so hardware-tied private keys would not work in this environment. There's also the problem of personal devices. 2FA implementation is always a controversial topic as for one, smartphone use tends to be discouraged, and two, staff are always against using their personal devices for work purposes, and schools do not have the budgets for hardware tokens.

    • @williamhughmurraycissp8405 11 months ago

      @@HarmonicaMustang Admittedly, Passkeys are neither as convenient nor as secure on multi-user systems. On the other hand, the majority of modern computer users have never used a shared computer, not even a PC. Most have only used a mobile computer, a single-user system. Many of our security risks today are relics of shared systems. As the cost and scale of computers continue to shrink, solutions like Passkeys will become increasingly convenient and secure.

    • @jamespulver3890 9 months ago

      @@williamhughmurraycissp8405 This misses the knowledge that there are lots of situations both in work and at home where shared devices make lots and lots of sense. I'm thinking a shared public PC in a living area where random visitors might well need to check their e-mail, but don't carry a laptop (and find a full desktop a lot easier than their phone), a roku TV where a visitor would like to load their Netflix profile for one movie, etc.
      In the work environment I'm thinking all sorts of kiosks where you have manufacturing, scientific experiments, library style public access systems, projection control computers - anything needing walk up access that might require authentication as different users for cloud services, work processes, etc.
      And in work locations this is going to be even harder because you'll want to give access via many to many matrix for users - both if their laptop dies you want to hand a new one they can start using immediately, but also access to the corporate cloud e-mail, cloud storage, local services, plenty of shared systems you remote into for various reasons like terminal servers and more.
      And from a work location there's the reverse issue of many of these hardware things just not being available to all OSs - if you use Linux you can't (as far as I can tell) use a TPM to unlock FDE, and worse, the management is completely different between MacOS, Windows and Linux. Passwords have converged to it working the same across all platforms. Not to say passkeys won't potentially get there, but we have these special proprietary "secure enclaves" that often aren't as secure as we are told. So Apple doesn't use TPM from what I can tell, neither does Android. So we already have more Windows only, or Mac only, or Android only implementations.

  • @cloudcultdev 1 year ago +33

    This is a great video, but couple of suggestions: I understand this tech really well (I’ve been an app security architect for roughly 15+ years, and went into platform architecture), but I tried to consider how my parents (in their 60/70’s) would take it. There’s still some assumptions made, like salted passwords, how key exchanges work, etc. So it’s kind of a decent primer for someone who already knows tech, and how FIDO/TOTP already work. I can’t say I could do any better though, because these can be difficult subjects to explain…but I think it’s something to consider, because it’s these groups (like my parents) who are the most vulnerable.
    Overall, this is a great video. It calls attn to a huge problem (and timely because I am forcing my parents to use a password manager this week). Thank you for creating the video!

    • @wlarsen70 1 year ago +1

      Agreed. It was a bit confusing and I came out of the video still not certain about what it is and what it does. Simplicity is the passkey for many of us.

    • @jamestemple8970 10 months ago

      I watched this video and all it did was convince me not to use passkeys until I have to. What happens if you lose your smartphone or don't even have one?

    • @seetentees 9 months ago

      @@jamestemple8970 It's not a great answer, but the idea is that any passkeys on your smartphone are synced with the mobile ecosystem owner's cloud password sync provider.
      So if you happen to have multiple e.g. Google or Apple devices already enrolled with Google or Apple's cloud password syncing service, they'll all magically have all of the passkeys either device has ever created. If one device breaks, you can use another device to enroll a new device into your ecosystem account, and it'll magically get all the passkeys synced up. This has obvious implications which are kinda concerning (mobile ecosystem vendor lock-in), but it is what it is.
      If a passkey is only on one of the devices from an ecosystem (e.g. if you made an account somewhere, provisioned a passkey on your solitary Android phone, and never enrolled a passkey elsewhere for that site) and you lose that device, you have two options:
      Option 1: Start the recovery process for the mobile ecosystem account tied to the device. So continuing the example, if you lost your solitary Android phone, buy a new Android phone, and use the recovery options for your Google account to sign back into it. Then it'll magically have all the passkeys previously provisioned.
      Option 2: Buy a new, different device (iPhone or Windows device with Windows Hello, or any device plus compatible hardware security keys), then go down your list of actual passkey-protected accounts and invoke each one's recovery process to enroll new passkeys.
      At least for now, it's a great idea to enroll your convenient-to-use (but breakable/stealable) mobile device *and also* additional hardware security keys that you can lock up somewhere. Passkey auth requires some different factor (mobile device PIN or biometric lock, or hardware key PIN), so the idea is that even if someone stole your backup, they won't be able to log into anything. BUT if they destroyed all your backups and your main device, you're in trouble. The same trouble you'd be in if you lost your password pre-passkeys. The crap thing is that you cannot simply remember your passkey, and you can't practically write it down. Practically, each passkey's private key will be hidden (in some cases totally inaccessible) on a physical device, so you just need to make backups in the form of ... enrolled devices upfront.

    • @CyberMedics 8 months ago

      @@jamestemple8970 One thing he highlighted is that password managers now allow management of passkeys. I think a password manager secured with a hardware key is more secure for managing your passkeys, versus a device or Apple keyring.

    • @HorseTVGlobal 7 months ago

      I could not agree more, clear as mud. You expect the millennials to have even considered that scenario?@@jamestemple8970

  • @slip6699 1 year ago

    Great explanation! I haven't yet moved over to passkeys. This helped me get to grips with it.

  • @my3.1415 1 year ago +1

    What good are passkeys if I, or someone else (I'm looking at you mr hacker) can still logon to my Adobe account using a password because I can't see an option to remove the password?

  • @-AnyWho- 5 months ago

    If you set up a passkey and for whatever reason passkey verification doesn't work, is there still a backup way of getting into said account to do what you need to do? ... I mean so I'm not locked out while figuring out what went wrong?

  • @extremepcs2807 1 year ago

    Great video! Hopefully the fact that sites still hold on to your legacy password once you switch to passkeys changes soon.

  • @mo3k 1 year ago +3

    Not sure about Passkey being more secure than Password + 2FA:
    IF [Passkey] : Access to Device + PIN == access to any website
    IF [Password + 2FA] : Access to Device + PIN != access to any website, as password is still needed.
    Although I do understand that passkeys protect against certain attacks better, like Phishing; it's hard to say one is flat out better or worse than the other.

  • @johns4870 7 months ago

    Have one on order from your link. Thanks for the heads up. I will be using one of these for everything I can!

  • @jamesrosemary2932 1 year ago +2

    If biometrics is required it is not government proof.
    This is because your consent is not required to have your photo taken or your fingerprints extracted.
    Lifelong passwords reside in your memory/mind and no one can get into it unless you voluntarily want them to.

  • @lykp 1 year ago +11

    Clear explanations and nice overall.
    But some things are a bit oversimplified and even wrong.
    Such an example is the note that password managers are susceptible to server hacks. To begin with, one could have local-only password manager databases. Moreover, there are services with setups where even with low-quality master passwords, a server hack will offer no info to the attacker (feel free to check the 1Password setup).
    Furthermore, having a secure master password would basically be enough to prevent any brute forcing, even if the whole hosting server is completely compromised.

    • @bubi352 1 year ago +2

      Agreed. Also the "they need your PIN" - yeah cool...
      What I took from it is that the vector of compromising the secret holding service gets eliminated. So it's still no match for pw+(non sms)totp for corporate or self host scenarios.
      Big plus is that it is a convenient enough method to use for non tech people.
      About the amount of time to reset a password. Not a strong argument, this can be very streamlined.

    • @DFPercush 1 year ago

      I think he's talking about grabbing your account from some random website and cracking it with a rainbow table, not necessarily hacking the password manager's servers.
      A note about PIN codes, most modern devices have a secure element chip that is hard wired to prevent repeated attempts at brute forcing, so even if you have a 4 digit pin, while that's not great, a thief/spy/hacker would only get to try a couple dozen times before the timeout became days long. That would, in theory, give you time to mitigate the damage by updating your account information in the relevant places, unlink/remote erase the device, etc. Not all devices are equal though, so take it with a grain of salt. Might be worth looking up your device and how it handles that.

    • @CyberMedics 8 months ago

      @@DFPercush True. The iPhone has the self destruct mode (erase the phone) after 10 failed attempts.
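The PIN throttling discussed in this thread, as an added example in Go (not the video's or Yubico's code): a toy model of the CTAP2 client-PIN retry rules that FIDO2 authenticators such as YubiKeys implement. The limits are the spec's (at most 8 retries, a forced power cycle after 3 consecutive misses, and a permanently blocked PIN at 0 retries that only a credential-wiping reset clears); the Authenticator type, the PIN value and the brute-force loop are constructed for the demo. Phones enforce the same idea with vendor-specific numbers, such as the 10-attempt erase mentioned above.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// CTAP2 clientPIN limits: at most 8 retries, kept across power cycles; a
// forced power cycle after 3 consecutive failures; and a permanently blocked
// PIN at 0 retries, recoverable only by a reset that wipes every credential.
const (
	maxRetries      = 8
	powerCycleAfter = 3
)

var (
	ErrPinInvalid     = errors.New("CTAP2_ERR_PIN_INVALID")
	ErrPinAuthBlocked = errors.New("CTAP2_ERR_PIN_AUTH_BLOCKED: power cycle required")
	ErrPinBlocked     = errors.New("CTAP2_ERR_PIN_BLOCKED: reset required, credentials lost")
)

// Authenticator is a toy model of the device, not any vendor's firmware.
type Authenticator struct {
	pin            string // real devices store a hash; a string keeps the model short
	retries        int    // persisted in non-volatile memory
	consecutiveBad int    // cleared only by a power cycle
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, retries: maxRetries}
}

// PowerCycle is what unplugging and reinserting the key does.
func (a *Authenticator) PowerCycle() { a.consecutiveBad = 0 }

func (a *Authenticator) Retries() int { return a.retries }

// VerifyPIN applies the retry rules. A blocked device refuses before it even
// compares, so hammering it does not burn through anything further.
func (a *Authenticator) VerifyPIN(attempt string) error {
	if a.retries == 0 {
		return ErrPinBlocked
	}
	if a.consecutiveBad >= powerCycleAfter {
		return ErrPinAuthBlocked
	}
	if subtle.ConstantTimeCompare([]byte(attempt), []byte(a.pin)) == 1 {
		a.retries, a.consecutiveBad = maxRetries, 0 // success restores the full budget
		return nil
	}
	a.retries--
	a.consecutiveBad++
	switch {
	case a.retries == 0:
		return ErrPinBlocked
	case a.consecutiveBad >= powerCycleAfter:
		return ErrPinAuthBlocked
	}
	return ErrPinInvalid
}

// BruteForce guesses 0000, 0001, ... honouring every power-cycle demand, and
// returns how many guesses the device actually evaluated before the outcome.
func BruteForce(a *Authenticator) (guesses int, err error) {
	for i := 0; i < 10000; i++ {
		if a.consecutiveBad >= powerCycleAfter {
			a.PowerCycle()
		}
		guesses++
		err = a.VerifyPIN(fmt.Sprintf("%04d", i))
		if err == nil || err == ErrPinBlocked {
			return guesses, err
		}
	}
	return guesses, err
}

func main() {
	n, err := BruteForce(NewAuthenticator("7391"))
	fmt.Printf("attacker got %d guesses out of 10000 possible PINs, then: %v\n", n, err)
}
```

Against a stolen key the attacker therefore gets 8 evaluated guesses in total, not 8 per power cycle, which is why even a short numeric PIN is acceptable on an authenticator and would not be on a password field.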

  • @chrismuller2780 1 year ago +1

    If someone steals a company's DB of public keys and creates a fake site, could they trick you into signing in with your passkey?
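The challenge/response that the video description, the correction above about where the answer is checked, and this question all turn on, as an added example in Go (not the video's or Yubico's code): a relying party issuing a one-time challenge and verifying a WebAuthn-style assertion with nothing but the stored public key. The domain example.com, the origin, the look-alike origin and the Sign/Server helpers are assumptions for the demo; real WebAuthn also parses COSE keys, attestation and extensions, which are omitted. Four cases are run: a genuine login, the same assertion replayed, an assertion produced for a look-alike origin (a real browser would not even offer the credential there, since it is scoped to the rpId; the server-side origin and rpIdHash checks are the backstop), and a signature forged by someone who holds only the leaked public key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const rpID, rpOrigin = "example.com", "https://example.com" // assumed RP identity

// Assertion is what the browser hands back after the user unlocks the authenticator.
type Assertion struct {
	AuthData       []byte // SHA-256(rpId) || flags || 4-byte signature counter
	ClientDataJSON []byte // {"type","challenge","origin"}; the browser fills in origin
	Signature      []byte // ES256: ECDSA P-256 over SHA-256, ASN.1 DER encoded
}

// Sign is the device side: the private key stays here and only a signature
// leaves. A phishing page cannot change the origin the browser records.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) Assertion {
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], 0x01, 0, 0, 0, 0) // flags: UP set; counter 0 = not supported
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdj))
	return Assertion{AuthData: ad, ClientDataJSON: cdj, Signature: sig}
}

// signedDigest is what ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Server is the relying party: the stored public key plus issued, unconsumed
// challenges. Nothing in it is secret, so a breach leaks no usable credential.
type Server struct {
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

// NewChallenge issues 32 random bytes that Verify accepts exactly once.
func (s *Server) NewChallenge() string {
	c := make([]byte, 32)
	rand.Read(c)
	enc := base64.RawURLEncoding.EncodeToString(c)
	s.pending[enc] = true
	return enc
}

// Verify does the server-side checks. The device never reports "success";
// it returns a signature and the server alone decides whether it is valid.
func (s *Server) Verify(a Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !s.pending[cd["challenge"]] {
		return errors.New("unknown or already used challenge (replay?)")
	}
	delete(s.pending, cd["challenge"]) // single use, whether or not the rest passes
	if cd["type"] != "webauthn.get" || cd["origin"] != rpOrigin {
		return errors.New("wrong ceremony type or origin: " + cd["origin"])
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to another site")
	}
	if !ecdsa.VerifyASN1(s.pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs the four cases the comments raise and reports which the server accepts.
func Demo() map[string]bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives on the phone
	srv := &Server{pub: &priv.PublicKey, pending: map[string]bool{}}
	out := map[string]bool{}
	ch := srv.NewChallenge()
	a := Sign(priv, ch, rpOrigin)
	out["genuine login"] = srv.Verify(a) == nil
	out["replayed assertion"] = srv.Verify(a) == nil // same bytes sent again
	ch = srv.NewChallenge()                          // look-alike site relays a real challenge
	out["phished assertion"] = srv.Verify(Sign(priv, ch, "https://example.com.evil.test")) == nil
	ch = srv.NewChallenge() // attacker holds only the leaked public key
	forged := Sign(priv, ch, rpOrigin)
	forged.Signature = []byte{0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01} // DER r=1, s=1
	out["forged signature"] = srv.Verify(forged) == nil
	return out
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-20s accepted=%v\n", name, ok)
	}
}
```

So the answer to the question is no: a stolen table of public keys lets the attacker verify signatures, not make them, and a fake site cannot obtain a usable signature because the origin and rpIdHash it would need are set by the browser and checked by the real server.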

  • @TJWood 1 year ago

    Thanks Chris, love your content for years now (Note has house full of Ubiquiti gear and thanks to this video, 2 new Yubikey 5C NFC's on the way :D )

  • @ldwhitley 1 year ago +4

    I'd suggest a Apple user approach, and a Google user approach. I think you have the Apple approach covered in this video. The Google approach might be a future video. Sharing among the Password managers in the various approaches too - OnePassword to Apple to Google might serve as an example.
    Also, I'd suggest a discussion of where the resistance to this approach may come from.
    Thanks for the valuable video. It raises the question of Passkeys and where they may fit in our security vision.

  • @samb4486 1 year ago +3

    Great video Chris. I note that Microsoft have announced that Windows 11 is getting a built-in passkey manager. Any comments or thoughts on that?

  • @user-rz4qq8dy8b 1 year ago +2

    My exact question is what you also mentioned in the video with the Best Buy example. If you have to create a user first, using a password, and only after that can enable passkey login, then the password login still exists somewhere in Best Buy's systems and could be found in a server hack/leak?
    What would be the correct way to do this (besides being able to actually use a passkey when creating the account)? When enabling a passkey, it somehow should delete any knowledge of a password ever existing?

    • @giacospace 11 months ago +1

      Exactly my same question. My take is that passkeys (plus other authentication factor) should become the primary login method and username + password the fallback option. Probably in the future we won't even set up a new account like we do today (username + password).

  • @maxmustermann9858 1 year ago +1

    What I miss is how 2FA will be handled with passkeys, or will 2FA become obsolete?
    For example, when using Nextcloud you have the option to use FIDO2 WebAuthn for login and also use FIDO2 2FA, so you get asked two times for your key.
    Will this be the same on other services?
    And coming back to the possible obsolescence of 2FA: maybe that is because 2FA now only really protects against attacks where someone else has your password, but when someone already has the encrypted password vault, 2FA is no concern anymore because you only need the password.
    At the end I think it comes all to how these services will implement it, like will my account data be encrypted with that passkey or only the login for the web interface.

    • @matta9991 2 months ago

      PayPal supports PassKeys right now, and i have 2FA enabled. I was using OTP to begin with, but it does prompt me for this after the switch to a PassKey. I imagine companies that know what they're doing will require some other form of 2FA (such as OTP) or maybe even just require a secondary Fido2 key for 2FA. The bad companies? Who knows.
      Interesting point on how customer data will be encrypted. The company would need the private key in order to encrypt whatever private data they store right? Can't just use the generated nonce for that. Although I really know very little about how this architecture works admittedly.

  • @mikedoth 1 year ago +2

    I love passkeys, but would love a way to integrate browsers with Keepass and utilize passkeys for those of us who do not like hardware keys and want to keep them centralized with our existing cred storage.

  • @laurak96 1 year ago +5

    How do you keep your hardware passkeys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your house and car keys?

    • @chublez 1 year ago +1

      How do you keep your car and house keys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your hardware passkeys?
      Seems like a personal decision based on threat assessment is my point.

    • @jackt6112 5 months ago

      Yubikeys are going nowhere. They exist to control concurrent usage of software programs and mostly replaced by storing the keys on an in-house server. They fail often from use and going through the washer and dryer. The software vendor overnights you a new one and deletes the old so even if it is found or starts working it won't work.
      The only reason this 2009 passkey technology has become usable is because the cell phone has become almost ubiquitous and is the only device that has the intelligence for now and the future. Even your car and house keys are going away. It's already your wallet, passport, visa, credit card, immigration form holder when you travel, map, calendar, secure and insecure communicator, airline tickets, where the gate is for your next flight, flight schedules, your seat, adjust your house environment when you are home and when you are not, guides you around the traffic tie-ups to and from work, lets you scan into the gym, your note taker, language translator, it will soon be carry your ID/driver's license, gets backed up encrypted to the cloud, and is becoming the only thing you need to take with you.

  • @chrisquast5491 1 year ago +1

    Is session cookie compromise still an issue with passkeys? I'm assuming if someone were to gain access to your device and grab all of your session cookies, they could potentially bypass your authentication methods, passkeys and hardware keys included.

    • @tokentx5 1 year ago

      Agreed. Post-authentication attacks are still in play. Also, if the service is hacked your data will still be stolen. So the claims about data being protected are true only for one attack vector.

    • @seetentees 9 months ago

      Session cookie compromise is definitely possible, since you would appear already logged in to whatever website (it would have no reason to require you to authenticate). BUT this is why some websites automatically invalidate sessions after a bit. It's also why if you've suddenly travelled across a continent in 10 seconds, you'll get an email asking what the deal is. It's also why all websites require you to log in again in order to change your authentication options.
      These are all attempts to make it more obvious to you when one of your devices has been compromised. Once it is, in this new world of passkeys, you can react by unenrolling the compromised device's passkey from your accounts from a device you know is secure.
      One of the benefits of moving to these new more secure authentication methods is to remove the friction it would cause if sites started reducing session durations further, and continued to harden things. Since logging in would take seconds, users would tolerate the more occasional tap of a fingerprint reader, and in the background, it would help reduce the impact of these sorts of attacks.
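
The mitigations the reply above lists (sessions that expire or time out when idle, re-authentication before changing sign-in options, revoking other sessions from a device you trust) sketched as a server-side session store. This is an added Go example written for this page, not code from the video or from any product; the durations, the user alice and the in-memory store are assumptions chosen for the demonstration, and the clock is injected so the scenario is deterministic.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var errNoSession = errors.New("session not found or revoked")
var errExpired = errors.New("session expired")
var errStepUp = errors.New("recent authentication required")

// Session is the server-side record behind a cookie. The cookie carries only the
// random ID, so whoever copies it gets exactly what this record still allows.
type Session struct {
	User     string
	Created  time.Time // absolute lifetime counts from here
	LastSeen time.Time // idle timeout counts from here
	LastAuth time.Time // last time a passkey was actually presented
}

// Store applies an absolute cap, an idle cap and a step-up window; the clock is injectable.
type Store struct {
	sessions               map[string]*Session
	absolute, idle, stepUp time.Duration
	now                    func() time.Time
}

// Login runs after a successful passkey assertion and mints a 128-bit random session ID.
func (s *Store) Login(user string) string {
	b := make([]byte, 16)
	rand.Read(b) // never returns an error since Go 1.24; irrecoverable failure crashes instead
	id, t := hex.EncodeToString(b), s.now()
	s.sessions[id] = &Session{User: user, Created: t, LastSeen: t, LastAuth: t}
	return id
}

// Resolve maps a cookie to a live session, enforcing the absolute and idle limits.
func (s *Store) Resolve(id string) (*Session, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return nil, errNoSession
	}
	t := s.now()
	if t.Sub(sess.Created) > s.absolute || t.Sub(sess.LastSeen) > s.idle {
		delete(s.sessions, id)
		return nil, errExpired
	}
	sess.LastSeen = t
	return sess, nil
}

// RequireFresh gates sensitive actions (changing sign-in methods) on a recent authentication, not a cookie.
func (s *Store) RequireFresh(id string) error {
	sess, err := s.Resolve(id)
	if err != nil {
		return err
	}
	if s.now().Sub(sess.LastAuth) > s.stepUp {
		return errStepUp
	}
	return nil
}

// RevokeOthers is run from a device the owner trusts: every other session of that user dies.
func (s *Store) RevokeOthers(keep string) error {
	me, err := s.Resolve(keep)
	if err != nil {
		return err
	}
	for id, sess := range s.sessions {
		if id != keep && sess.User == me.User {
			delete(s.sessions, id)
		}
	}
	return nil
}

// Scenario: a cookie is copied off the owner's laptop; the thief can read with it,
// cannot change sign-in settings, and is cut off once the owner revokes from a phone.
func Scenario() map[string]error {
	clock := time.Date(2024, 8, 5, 9, 0, 0, 0, time.UTC)
	st := &Store{sessions: map[string]*Session{}, absolute: 12 * time.Hour,
		idle: 30 * time.Minute, stepUp: 5 * time.Minute, now: func() time.Time { return clock }}
	out := map[string]error{}
	stolen := st.Login("alice")
	clock = clock.Add(20 * time.Minute)
	_, out["thief reads"] = st.Resolve(stolen)          // within both limits: succeeds
	out["thief changes auth"] = st.RequireFresh(stolen) // 20 min since last passkey > 5 min window
	phone := st.Login("alice")
	out["revoke"] = st.RevokeOthers(phone)
	_, out["thief after revoke"] = st.Resolve(stolen)
	out["owner changes auth"] = st.RequireFresh(phone) // just authenticated: allowed
	clock = clock.Add(31 * time.Minute)
	_, out["owner idle"] = st.Resolve(phone) // 31 min idle > 30 min cap
	return out
}

func main() { fmt.Println(Scenario()) }
```

The stolen cookie still works for ordinary reads while it is valid, which is the concession made in this thread: no passkey is consulted once the cookie exists. What the store changes is the blast radius. The thief cannot enroll a new sign-in method without a fresh passkey assertion, the owner can kill the session from another device, and an idle session dies on its own.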

  • @TechnoTim
    @TechnoTim 1 year ago

    Chris! Such a great video! I learned so much! Thank you!

  • @piershanson1784
    @piershanson1784 6 months ago

    When signing in with passkeys, is it typically possible to disable signing in with passwords, so that a hacker cannot bypass the passkey by using the alternative less secure login method?

    • @portman8909
      @portman8909 5 months ago

      From what I gather passkey is just another form of 2FA. The password alone is not enough.

  • @summerbee80
    @summerbee80 1 year ago

    I bought 2 more YubiKeys because of your previous video and how to set it up on the phone. Already had 1, so adding 2 more just made sense. Was helpful because I did have a breach and recovered it nicely because of the keys. One thing I need to ask is what router and switches do you use? I recall you recommending to me last time a product that began with P and looked yellow and black. I am trying to set up a secure home network with a SIM router. Hope you can help, Chris :)

  • @AmblingAloof
    @AmblingAloof 6 months ago

    Does all of this require one of the devices used for authentication to be a phone with a US phone number? Or can it be laptop/tablet devices?
    I am asking because I want to retire overseas and won't have a phone with a US number.
    Once set up can I sync with an international number?

  • @hughluttrell6350
    @hughluttrell6350 1 month ago

    I have many computers, and run up to six drives in some. From Win 3.1 to Win 11, plus around eight different Linux distros. How would passkeys work on all of these? A passkey for every drive, and a new one when I rewrite a drive?

  • @kuhluhOG
    @kuhluhOG 1 year ago +4

    12:38 Yeah, about that.
    You can't force them to use their personal devices.
    So instead you give them a different device.
    And they WILL forget it at home (or lose it).
    I am speaking from experience here...

    • @williamhughmurraycissp8405
      @williamhughmurraycissp8405 1 year ago

      Sorry, there is no remedy for stupid. "The dummies have it, hands down, now and forever."

    • @kuhluhOG
      @kuhluhOG 1 year ago +1

      @williamhughmurraycissp8405 Sure, but a password is easy to reset with these people, unlike a hardware key.
      Besides, I wouldn't even call them stupid; it's just that given enough people, you will always have at least one person per day, and it's always going to be somebody else.

  • @robertcoleman7071
    @robertcoleman7071 23 days ago

    Thank you for answering the question about deleting the existing login/password after setting up passkey

  • @cob00927
    @cob00927 1 year ago +4

    So let me get this straight... Even sites that offer passkey integration require a password, so if you have to have a password to do first-time setup, even if YOU use the passkey, hackers will still have a password to try to get access to by hacking the business? Are you saying that until businesses allow us to delete the passwords, they are no better than having JUST a password?

    • @MegaLokopo
      @MegaLokopo 1 year ago +1

      Google doesn't even trust the passkeys. They detected a potential attempt to break into my account, and completely disabled every security measure I have to verify my identity, logged me out of my email on all of my devices except my phone, refused to let me log in even though I had every single method of verifying my identity, and required I change my password through a link in my email. Then, after I reset my password, which didn't require any form of authentication beyond being logged in, I was able to set up my many authentication methods again.
      What is even the point of any of it if Google won't even trust a single method of authentication, and won't even trust you to verify your identity if you have all of them at once? And then it doesn't even bother to verify my identity, while it bypasses all of that authentication I have, and lets me reset my password without verifying who I am.

    • @norgeek
      @norgeek 1 year ago +1

      They're technically more vulnerable than a website with just a password, as it's an additional attack vector..

    • @seetentees
      @seetentees 9 months ago

      I think this is an example of not yet perfect, but way better.
      Part of the benefit of passkeys (even as an alternative to still-active password auth) is that it makes certain attacks way harder to pull off. For example, if someone pointed you to a simple misspelling of a website, your browser will not reveal any details about your account to the imposter. It'll just tell you that no passkeys are available for the service, without revealing anything.
      This should clue you in that you're being attacked.
      This benefit alone can help improve your security posture. Granted, you're right that it would be cool if more sites allowed those who are comfy to just go 100% passkey, eliminating the possibility of a compromise of those passwords on the server side altogether.

  • @nokarukuta587
    @nokarukuta587 1 month ago

    So what's the backup? How do I restore access when I lose my device and my private key can't be restored from the cloud for some reason? If it's personal ID for example a thief could have it right there with your wallet.

  • @Jim-j2c
    @Jim-j2c 25 days ago

    I admire your enthusiasm and knowledge. Because I'm a beginner with all this computer technology, I found the layers of information you were presenting to be overwhelming. For me, getting to the simpler points first, just describing the two keys, what they are and how you use them, and then going into all the other detail would have been better for my way of learning. And as I say, I'm a beginner, so perhaps many of your other viewers don't have that same difficulty.

  • @jx5189
    @jx5189 7 months ago +1

    Passwords are always going to be required for passkeys. If not, could you imagine the headache administrators will have when something happens to the user's device that was storing those passkeys for said account?

  • @mardymarvin8441
    @mardymarvin8441 1 year ago +2

    These sound good, but you did not explain what happens if you lose the device. So you have a YubiKey and you lose it; how do you then get into your accounts? At least with a password manager I only need to log in to the password manager on any device. With the hardware ones, if it breaks or you lose it, how do you get back into your accounts?

  • @Bennyblanco-xx6ki
    @Bennyblanco-xx6ki 2 months ago

    Hey, what happens when you accidentally erase the FIDO2 on my YubiKey?? What do I do? And I'm not a techie!!

  • @Muzick
    @Muzick 4 months ago

    Question: If I use Windows as my passkey manager, and I have to perform a clean install of Windows, does that then erase the passkeys associated with that install as well? In other words, do I then have to setup new passkeys that were once associated with that install? Or better yet, should I remove all passkeys first, then do a clean install, then setup new passkeys?

  • @tylerljohnson
    @tylerljohnson 1 year ago +1

    Is there a max number of FIDO sites I can have on a YubiKey? (Did I ask that right?)

    • @CrosstalkSolutions
      @CrosstalkSolutions 1 year ago +4

      With the series 5 Yubikeys, it’s 25 max FIDO credentials, but they’ve stated that they’re working on one that holds more.

  • @mdamaged
    @mdamaged 1 year ago +2

    Better off going with the Thetis; since it's recommended to buy at least 2 (one for backup), the Yubi will set you back at least 100 bucks. I've found the Thetis is just as good and half the price.

  • @randalljames1
    @randalljames1 1 year ago +2

    Passkeys were the standard some 20 years ago (dual authentication)... worked security for a military contractor and passkey fobs were SOP.... they are cheap and easy to implement... Can use almost any cell phone today for the same job. I now work IT security for the medical industry and ANY Dr that writes Schedule 2 drug scripts is required to use passkey authentication (it's law) since Jan 2023.

  • @alexw.292
    @alexw.292 5 months ago

    So I replace two factors with one factor again? That seems less secure in at least a few ways. What if it gets stolen from my device?

  • @narkeddiver7325
    @narkeddiver7325 1 year ago +3

    How secure are iCloud passkeys?
    Can they be overridden if someone has your iPhone and its passcode?
    If so, then your passkeys are only as secure as your 6-digit passcode.

  • @hobbykip
    @hobbykip 1 year ago

    So many different ways of authenticating. I would like to have 1 solution for all but it seems this is not available? Is there a good key/pw manager combination? For work I already use microsoft authenticator for 2FA

  • @TheSecurityAgency
    @TheSecurityAgency 1 year ago +7

    Cons
    1. Hardware passkey can be stolen,
    2. lost,
    3. maliciously borrowed (the worst type of attack besides
    4. can be cloned (not all of them).
    5. Price always x2, you need a backup key.
    To remove all four cons, a hardware key has to have a biometric sensor.
    As of now, there is no hardware passkey with a fingerprint sensor usable on Linux systems out of the box, because you need proper drivers.
    Also it can't be used cross-platform on your customer's PC/Mac without driver installation.

    • @MegaLokopo
      @MegaLokopo 1 year ago +2

      Biometric fingerprint scanners can easily be beaten.

    • @TheSecurityAgency
      @TheSecurityAgency 1 year ago

      @MegaLokopo
      Yes it is, especially while gobbling down popcorn watching Mission Impossible.

  • @MrDawnHU
    @MrDawnHU 1 year ago +1

    For hardware passkeys: what if I lose it somehow? Can I somehow recover all my logins? What if I use Face ID, but one day I suffer an accident, injure my head and it cannot recognize me? Or can face trackers handle these? These are my concerns. Yes, I can suffer from amnesia and forget my password, but I think this has a lower chance.

  • @rayintheuk01
    @rayintheuk01 5 months ago

    So what are the backup options then if someone lost access to their Google account and had to create a new one. How would all the websites be able to verify who the user was without storing something like their email address or phone number ?

  • @abghere
    @abghere 1 year ago +2

    What happens if you lost your YubiKey?

  • @sylvainHZT
    @sylvainHZT 1 year ago

    Very nice video and demo Chris, congrats !

  • @hewdogg01
    @hewdogg01 1 year ago

    Thanks for the video and the coupon. I saved $10 (2 keys).

  • @kwd57
    @kwd57 1 year ago

    If I change the sign-in option to use a passkey on Home Depot, using biometrics on my smartphone, then how does that change the sign-in on my PC with no biometrics? Would I be locked out of my account using a PC?

  • @einyv
    @einyv 1 year ago

    Love the YubiKey and the authenticator app as well. If the phone is stolen, nothing is in the authenticator app, because you need the key!!

  • @MikeJones__Who
    @MikeJones__Who 12 days ago

    Isn't the bound hardware key technically shareable if you just physically give someone the key to use? The only key that isn't shareable in that instance is if it was one of those biometric YubiKeys.

  • @dezejongeman
    @dezejongeman 1 year ago +1

    A great explanation, but I still have 2 issues with the use. If you have a hardware-based private key and the device dies, how are you able to log in to your most secure environments?
    And what if your private key got leaked or stolen? Then a hacker is able to log in to everything, and everything of yours is compromised. If it is not, how do companies check if they have a revoked key of yours in their database if you are on your second or third key set (private and public)?
    If this becomes common, does every company or website need to check if the public key is still valid? Of course they only need the correct public key, but there can be a time when some have your old key and some have your new public key.
    If you have a different password for everything with a TOTP and a key, and the TOTP key got leaked or stolen, it is only impacting that specific login.

    • @jackt6112
      @jackt6112 5 months ago

      You are exactly correct. It's built on a false premise. What it is is better than what we have for most people because they are easily tricked or use the same, short, easy to remember passwords everywhere that are never changed, and no password manager. A good password manager with bio limits exposure to one account.

  • @Pythonaddiction
    @Pythonaddiction 1 year ago +2

    I have been using YubiKeys for the better half of 5 years now and will never move away from them. I do wish, though, that you would have explained or touched base on the fact that when setting up hardware-based auth keys you should always plan on redundancy. These keys can fail and/or get lost/stolen, so it is always best practice to have more than one.... The largest problem with this, though, is the fact that many sites only allow ONE hardware key, so if you ever lose your YubiKey or it gets damaged you are locked out with little to no recourse for being able to get back in to that account. So users should make sure they have backups or sync multiple keys when allowed, and even store one in an alternate location like a safety deposit box (just a suggestion), to be able to have a way to access accounts should your main key ever be damaged/lost etc. I also do understand why the keys cannot be duplicated, as that would negate their effectiveness, which is why all sites/services that move to this level of auth should support at minimum a "Master" key and allow you to sync at least 1 additional key as a "backup".
    Overall though, great video to help bring awareness.

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago

      Thanks for that detail. I had no idea sites can restrict the number of copies of hardware keys you can have. If that's true, I have no idea why anyone would want to use a Yubikey. Wow. I mean, it suggests that you should have a different Yubikey for every site that requires a limit of one Yubikey per site. But that kinda invalidates one of the main reasons for having a hardware key in the first place. (You would lose all your private keys if you lost your single Yubikey.) I've never used Yubikeys before, but I think you've just turned me into an opponent of that technology. Thanks for raising my awareness. Yikes.

    • @Pythonaddiction
      @Pythonaddiction 1 year ago

      @TheNameOfJesus I didn't mean for my comment to turn you away from the technology, but understand that some sites have yet to fully adopt it and thus only support adding one key. This is changing as the technology is adopted, but it's not a super fast process.
      When a site registers a hardware key, by default they should actually require 2 keys so you are making a backup as part of the process, but instead most sites implement a second, lower level of security.
      The only way to get this technology to be more adopted is by using it and promoting it. But it's also understanding the limitations, like most banking institutions do not yet support these devices because their customers are using their phones instead, so they are opting for a less secure alternative.
      The YubiKey is by far the strongest form of authentication, as it's offline and a physical device that cannot be duplicated.
      Phone auth isn't nearly as secure, as you're required to use your passcode/PIN to unlock your device at boot-up even with biometric locking enabled.
      So I would use it to its fullest potential that you're able to in your circumstance, and just make sure to set up whatever backup method is available for any service that you use that doesn't support adding multiple keys, and just store those backup codes with your backup key for the services that do support that.... (Alternate location like a safety deposit box etc., or at least a fireproof lockbox or safe to protect from fire loss).
      Adoption is always the biggest problem, and they won't gain traction if too many oppose the use.

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago

      @Pythonaddiction Thanks. I know you didn't intend to turn me away from it. I was perhaps overstating my worry by 50% for dramatic purposes. The YubiKey is FIPS 140-2 evaluated, so it's good when used in FIPS 140-2 mode. (Do consumers use it in the FIPS-evaluated mode?? I don't know.) I personally used a different product that was also FIPS 140-2 evaluated. YubiKey is likely not "more secure" than other products with the exact same evaluation. I have no way of knowing if consumers are using it with those features enabled, but I doubt it, because people are loading their own private keys rather than getting them from an approved key generation device. In my company, people aren't allowed to load their own keys because we operate in a very, very high security mode.

    • @ChibiKeruchan
      @ChibiKeruchan 7 months ago

      @Pythonaddiction What I don't understand is why no one even thinks of using GPS as one of the backup ways to recover your account? Something like... they will ask you to open your GPS location to recover your account, which means if you want to recover an account as your last resort, you need to be standing in the place where you created your account. 😂😂😂😂
      I really hate being made to buy 2 YubiKeys; not only is it expensive, you might not know if the other one you keep safe was taken by someone at home.
      But having your GPS as last resort... you and only you know where you created your account.
      This way you can actually walk to a random train station and use it as your recovery location.

    • @Pythonaddiction
      @Pythonaddiction 7 months ago

      @ChibiKeruchan That's because GPS and geotag location data is super easy to spoof, for starters. And secondly, let's say that works: what if someone is making an account while on the road outside of their normal area, or is, say, a truck driver? There are many reasons why this wouldn't be used.

  • @chemicle
    @chemicle 11 months ago +1

    Yes, it took me a while to get onto the passkeys, but now I have two (one as a backup offsite) and I have never felt more secure. Everyone should have these. But they should be more affordable, as Yubis are a bit expensive (in Canada anyway).
    I know, I know, you can't really put a price (tongue in cheek) on security, but ya - WELL WORTH IT.

  • @markbroussard7394
    @markbroussard7394 1 year ago +1

    What do you do if you lose or damage your hardware key? How do you authenticate to setup a new one?

  • @techserviceondemand9409
    @techserviceondemand9409 11 months ago +1

    Not quite; I have had a YubiKey for years, and finally gave it up as I can never remember where I put it. As one other YouTuber pointed out (correctly, IMO), the different types of connectors on different devices also make them a real pain (I have USB micro, USB-C, Apple...).

  • @norgeek
    @norgeek 1 year ago

    I tried using a YubiKey, but it doesn't work for me as I'm not able to keep it with me at all times. I need something that doesn't require a physical component - like a password...

  • @GeorgeCudd
    @GeorgeCudd 1 year ago +2

    If you use your cell phone pin in a public area and it gets compromised you can have real problems. The WSJ had a great article about this earlier this year where someone used their pin at a bar to make a confirmation, it was compromised (observed) and their phone was immediately stolen as they were getting an Uber outside the bar. The thief used the pin immediately to reset and change all of the passwords, being synced in the password manager. The thief did this so quickly the phone couldn't be shut down. The thief had access to all the accounts on the phone and proceeded to rob the owner of several thousand dollars. Bottom line is that tying everything to your phone has some level of risk. Better use a more complex pin and be careful when you use it as it provides the keys to your kingdom!

    • @CrosstalkSolutions
      @CrosstalkSolutions 1 year ago +2

      You're right - there is always a risk of someone shoulder surfing your PIN and then stealing your phone.
      But that's not the point here - the point is that your example is extremely rare compared to the amount of phishing and hacking attempts that hit people from far far away.
      If we eliminated ALL but your specific concern, it would be a HUGE win for security world-wide. And a singular edge case of "well...it can still be compromised in this very specific way..." is not an excuse for rejecting this technology.

    • @GeorgeCudd
      @GeorgeCudd 1 year ago +1

      @CrosstalkSolutions I agree with you, but just thought it's important to understand all the risks before entertaining any new endeavor.

  • @garys585
    @garys585 5 months ago

    I have not seen many of the financial, insurance, and health care institutions listed in the passkey directory other than a handful of credit unions. Do they view this as not fully baked yet?

  • @maneeshparihar
    @maneeshparihar 1 year ago

    Very nice information .. very well explained.. thanks a ton .. this has clarified the concept brilliantly .. kudos

  • @driver288
    @driver288 1 year ago +2

    A note on interoperability. I have used Apple passkeys on my iPhone to log in to a website on my pc. It works just fine but the process is just a bit less seamless. On a Mac I would just use iCloud Keychain stored key and authenticate directly on the Mac. With PC I’m presented with QR code to scan with my iPhone. The iPhone then presents the passkey and I log in using FaceID. The phone and pc need Bluetooth enabled for this to work but no setup or pairing is needed!

    • @georgebarlowr
      @georgebarlowr 1 year ago +2

      Or you could just use a password manager like 1password to hold your passkeys and use them between devices.

    • @driver288
      @driver288 1 year ago

      @georgebarlowr Sure. You can use 3rd-party products for this. I would recommend 1Password too for this.

  • @fs9553
    @fs9553 1 year ago +9

    The elephant in the room you didn't mention: what if you lose your phone? Sure, the private keys aren't stored in there, but how can I get my credentials back, since Google/Apple use passkeys which are linked with the old device which you lost?

    • @EcoAku
      @EcoAku 11 months ago +1

      Exactly!
      Nowadays a phone is an awfully weak link in a security chain, because it is both indispensable, as you mentioned, and extremely vulnerable to assault: if nicked while unlocked, and/or if your aggressors force your face or your finger on the phone, in a matter of seconds they own your Google or Apple account holding your private passkeys, and as far as I know, there is nothing you can do about it.

  • @christopherguy1217
    @christopherguy1217 1 year ago +4

    Great introduction, now could we see examples of doing this with the Yubico please.

    • @paulclement1025
      @paulclement1025 1 year ago

      Did you check his site? I seem to remember he's demonstrated how to use Yubikeys before.

    • @gotoastal
      @gotoastal 1 year ago +2

      We should support open source alternatives, not Yubico

  • @andljoy
    @andljoy 1 year ago +1

    You forgot another reason passwords get locked out: infrastructure engineers locking each other's domain admin accounts out for a laugh :).
    I got 3 YubiKeys after seeing your last video. One for the keyring, one for the safe, and one mini one to stay in my home PC.
    Not enough stuff supports FIDO2; my YubiKey is mostly used for classic 2FA.

  • @stancartmankenny
    @stancartmankenny 1 year ago

    what happens if you lose the hardware (or phone) that the private key is paired with? What happens if they are stolen?

  • @TheJosa007
    @TheJosa007 6 months ago

    Thank you for making a video in a way even I can understand. I had no idea about passkeys. and I thought I was up to date in technology🤣

  • @stewall101
    @stewall101 1 year ago

    So what do you do with the Yubikey? Stash it away? Carry it with you? At what point/time does the Yubikey get plugged into something - and what and when?

    • @seetentees
      @seetentees 9 months ago

      Whatever stores your passkey needs to answer questions about the private key every time you want to log in. If a passkey is on a Yubikey, whatever device you're logging in with needs to be connected to the Yubikey.
      The idea is you can generate a unique passkey on every device that you want to use to log into whatever site. These devices can be phones and also Yubikeys, so you can have a backup that you physically store somewhere, for the event that you lose your primary one.
      If this happens, you can log into the site with one of the keys you still have and then generate a passkey on a replacement device/unenroll the passkey for the missing device. If you find it again, now you have an extra device that can store passkeys, and since there was a PIN on it, you can be pretty certain it's the same key you lost and no one accessed it. Not 150% certain, but it's pretty hard to break that PIN on most devices and software that store passkeys.

  • @JMB
    @JMB 6 months ago

    If you use passkeys, what's the best practice regarding 2FA? Keep or remove?

  • @mike94560
    @mike94560 11 months ago

    There is still very limited support for hardware passkeys. I have a couple of Yubikeys that I have kicking around but I can only rarely use them.

  • @8528joshy
    @8528joshy 3 months ago

    Question.
    If I already have an account, i.e. a Google account, then I set up a passkey and use that from now on to authenticate.
    Is the old password I had when I created that account still a valid method of logging in? Is it still stored for someone to steal and use? Is there a way I can delete that password and only use passkeys?

  • @bitkahuna
    @bitkahuna 5 months ago

    Tried Best Buy from the app on phone and iPad and it says browser not supported. ??

  • @markporter7203
    @markporter7203 11 months ago

    I don’t get it. What is that key? If everything is stored in the device, what is that little object?

  • @karbent8965
    @karbent8965 11 months ago

    Thanks for such a clear video. I have a question about sharing passkeys with others (15m45s) Do you know if you can reverse this. Just thinking about what happens if you divorce your spouse and things get acrimonious.

  • @alexbishop5870
    @alexbishop5870 1 year ago

    I'm a bit confused. I've had passkeys set up on both Apple and Google for several months. However, the passwords I was using for those sites previously are still showing in my iPhone password list, and when I log into my Apple ID it still shows 2-factor authentication under Account security. What's more, the passkeys do not show in my password list to share. To be clear, I just logged into my Apple ID with Face ID and no OTP. Therefore it seems like I can use either password or passkey, but perhaps that defeats the purpose, since hackers could still guess/phish/steal the password and get in? Have I misunderstood something?

    • @alexbishop5870
      @alexbishop5870 1 year ago

      Sorry I just saw the rest of the video. So half the above question is answered. But I’m still not sure why I can’t find the passkey in my password storage. Thanks

  • @JohnnyBean78
    @JohnnyBean78 4 months ago +1

    7 months later and still going forward, passwords are still here and rule the day and not dead!

  • @johnmartin1024
    @johnmartin1024 1 year ago +1

    Hi Chris. Great video on Passkeys, et al. HOWEVER . . . There was hardly any emphasis on purchasing and setting up MORE THAN ONE YubiKey for redundancy in case your YubiKey hardware device is lost (more likely) or physically damaged, i.e. FUBAR (unlikely). Having just one device with no redundancy exposes the user to being locked out of his/her own stuff. My Mr. Worst Case Scenario wants to ask people to please be prudent and thoughtful at the fundamental level.

    • @MegaLokopo
      @MegaLokopo 1 year ago +1

      Google doesn't even trust Titan Security or Yubikeys to verify your identity, if they detect someone may have attempted to break into your account. They simply disable all of your security and hope that the one device they allow to stay logged in, is in your possession and then lets you reset your password without even verifying your identity.
      If google can't even trust their own system, why should anyone else?

    • @TheNameOfJesus
      @TheNameOfJesus 1 year ago +1

      Indeed, this was a weak point in his video. Not only do users need multiple Yubikeys, and store them in different locations, but they need to update each of their Yubikeys EVERY SINGLE TIME that they create new credentials on a new website. I don't want to go to the bank weekly to fetch my Yubikey, take it home, update it, then go back to the bank in the same day to lock it up again. I think my bank counts how many times I access my safety deposit box each year and charges me if I access it too often.

    • @relaxsleeplearn
      @relaxsleeplearn 11 months ago

      Very good point!

  • @uraniumu242
    @uraniumu242 1 year ago

    I bought a Thetis 2-pack. The NFC does not seem to work (I have NFC tags all over the place and they work fine), and the number of applications supported by Thetis is really slim. Maybe I should have bought a YubiKey.

  • @TheConservativeTalkingPoint
    @TheConservativeTalkingPoint 7 months ago

    I have a question. I want to go passwordless on outlook 365, personal account. How can I do this without the MS authenticator app? I just want to use my key ONLY to login, otherwise what's the point of the security? How do you accomplish this?

  • @DeadlyFists
    @DeadlyFists 1 year ago

    What if you get a new phone, or lose your phone? How can you log in to passkey sites?

  • @discerningacumen
    @discerningacumen 4 months ago +1

    What if you lose the passkey? Or it gets stolen or broken? It looks meaningless, just marketing hype.

  • @HtPt
    @HtPt 1 year ago

    Hola, did you set an access code to the passkey?

  • @alexandreblais8756
    @alexandreblais8756 1 year ago

    14:35 No password needed, but since your account still has a valid password, can't hackers just brute force / make a server leak and log in with the valid password instead of using the passkey?
    Edit: oh, you mention it a bit later in the video, at 16:47.

  • @niteeshprasad5685
    @niteeshprasad5685 1 year ago

    A hacker goes to a site says I am user x, the site gives it a token to verify. The hacker says yes this is correct. Is the hacker now logged in??? Or is there something else in the response?

  • @Grave79
    @Grave79 1 year ago

    So, the passkey manager has to be some faceless corporation or a hardware key that has obvious downsides? I guess I'll stick with password managers that have a fully locally managed option. Maybe Bitwarden's passkey solution will allow that (assuming I'm understanding this right).

  • @lielianjie484
    @lielianjie484 1 year ago

    But what if someone steals your FIDO key? Seems easier than hacking any account, no?

  • @cattivello
    @cattivello 9 months ago

    Very useful video, thank you.
    I have the habit of saving everything to my self-hosted Nextcloud.
    Is there a way to sync with your own cloud rather than Apple or Android?