🗒SOME ADDITIONAL NOTES 🗒
• If your computer doesn't have Bluetooth, you will need to get a USB Bluetooth adapter to use them. They are pretty cheap though.
• If you use an Android phone with the Google account attached, you might be able to log in to your Google account without scanning a QR code, but it would still require the Bluetooth connection.
• If you don't want to use your phone or don't have a smartphone, you can also use a physical security key (like a YubiKey) as a passkey.
• Just because you have been logging into sites like Discord with QR codes does not mean they have been using passkeys. For example, Discord does not support passkeys yet. In fact, only a handful of sites do.
• You can see a list of websites that currently support passkeys here: passkeys.directory/
Glad I recently got a USB Bluetooth dongle for Christmas. It has allowed me to do more stuff, like (finally) use Bluetooth gamepads (Joy-Cons) with motion controls, as well as now being able to use passkeys from my computer with my phone.
Discord's account security is a joke anyway... your account security is only as strong as its weakest link, and Discord accounts can be stolen by hijacking session tokens. Happened to me in September (a combination of fatigue and social engineering).
When I try to scan the QR code with my phone camera, a pop-up comes up with only an option to open a link, and when I open the link the camera app freezes; if I touch the screen it unfreezes. Edit: I had disabled Chrome. I have now enabled it and the pop-up works.
This sounds nice at first glance, but I'm afraid of what this will mean for those of us who don't want everything tied to a central account and/or don't want absolutely everything to tie back to our real identity. I'm always going to be wary of anything that tries to further de-anonymize the internet. Tying all accounts to not just a central account, but also a physical real-world device, is about as far as you can go in that direction, I feel. I really think mass adoption of this could have horrific consequences. Not to mention the right of people to choose not to have a smartphone and yet still live peacefully (mostly; I can see paying bills getting in the way of that). I can see good intent behind this, but the potential issues concern me deeply.
Agreed. This seems like an awful idea for security, and they're still using passwords as backups, so it's just an additional point of failure at best.
There's almost always useful information on this channel. Oftentimes it's info that's not widespread or that is so recent that very few people have covered it. Makes me glad I subscribed all those years ago, when the channel switched from satire to actual tech info.
Some security researchers recently noted that Google now scans encrypted zip archives stored inside Google Drive by scanning your email content (and probably the password storage in your Chrome browser, which syncs to the cloud). Now, I think that authentication via public/private key pairs is a great idea, but this new concept just ensures that those private keys are all synced with your Google cloud. Which means Google won't even have to scan your private data for passwords anymore. They **literally** hold the keys.
He mentioned that keys are stored in an end-to-end encrypted manner, which means keys are encrypted on the device before being sent to Google's servers, and decrypted on the device. I just want to see how they established that transparency.
@atpray You are right. He mentions in the video that Google promised that the keys are securely transmitted via end-to-end encryption. That is true, but also sadly very misleading, because Google already showed that they broke this "everything is encrypted" promise by meaning different things with these words. "End-to-end encryption" usually just means SSL for Google, not that the data is really encrypted. "Storing data encrypted on our drives" usually means hard disk encryption, similar to BitLocker. What it does not mean is that Google cannot access your data.
Something very similar is widely used in Sweden under the name BankID, which is required when authorizing internet transactions and when logging into governmental websites. Some websites even use it instead of a username and password, which, as mentioned in the video, makes it very easy to log in. This is especially useful for the older population, since they may have trouble remembering all the different usernames and passwords required to log in. One improvement the Google variant makes, though, is the Bluetooth technology, which is honestly quite ingenious. The fact that it necessitates close proximity between the devices should mean that it's able to prevent any and all scams, making it nearly impossible for call centers to swindle the elderly out of their hard-earned money.
Just to be clear here, the bluetooth functionality of passkeys is not an invention of Google, but rather that of FIDO Alliance, whose board is made up of people from Amazon, AmEx, Apple, Google, Intel, MasterCard, Meta, Microsoft, PayPal, Samsung, VISA, Yubico and many more. They created the standard that specifies exactly how this should work. And the term "Passkey" was coined by Apple at WWDC22, and a while later, FIDO officially endorsed it, saying they much prefer it over "FIDO/WebAuthn credential", though they probably talked with Apple and already agreed Passkey is better and gave Apple the go-ahead to publish their implementation with that name.
@Spamkromite Yeah, for laptops it may be standard, but I have yet to meet anyone who has Bluetooth in a stationary computer. Then again, grandpa nowadays might be doing his bills on a tablet instead of a computer?
@HasekuraIsuna I dunno if it would work, but I bought a kinda cheap USB adapter and plugged it in, so that *might* help. I use it with Bluetooth headphones if I'm too lazy to take out the "real ones", though, so maybe it wouldn't work.
Honestly, even with those passkeys that are stored on the local machine, using a physical security key like a YubiKey as the backup key is always an option.
It's a good idea, sure, but I feel like some "problem solves" can just make more problems, losing your phone being the most problematic, plus it feels tedious, but that might just be cuz I've never used it lol. Feels like a double-edged sword scenario, hoping for the best though 👍
@naturegirl1999 You can add several devices, and they don't need to be phones either. Any FIDO2 security key should work (I have also added my YubiKeys).
I'd be more concerned about social engineering attacks stealing people's private key via a malicious QR code. Just scanning shit with your camera has become too normalized for this to be a good idea, IMO.
We should always keep in mind that Google, Microsoft and Amazon are known for suspending or deleting accounts with everything stored or associated without naming a reason or a guaranteed way to appeal.
@teemo5409 Because teemo is a good little boy, oh so progressive and perfect and loves his little rewards, not like those icky people. Teemo, what's OK now might be wrong in the future. Maybe you are too young to know that. If you buy into this system, you are likely to get burned later. And sometimes the reward is a piece of candy and the warm fuzzy place is a white van.
@nebylicza Deletion, not suspension. And you will never know the reason. No way to appeal, no way to retrieve licenses you've bought. Some people went to court to get their data back. It turned out that pictures of their own children had been classified by an AI as you-know-what and that the data was actually deleted with no chance of restoration.
I worked in an environment that used Google Workspace Enterprise, and I still have not forgotten how extremely inconvenient it was when Google announced it was discontinuing Google Bookmarks, its bookmarking service that is not connected to the Chrome browser. I wonder how many other people also lost their bookmarks when they had forgotten to download them to transfer to whatever new online app.
It seems like a good start, but I was hoping there was a way to avoid the "what if I lose my phone -> use a password for the first-time login" bit. At that point, that means a password is both still required and still enough to take over the entire account with existing techniques (e.g. compromised backup email + compromised password). Feels a lot like sites that allow 2FA but then won't stop pestering you about adding a "backup via SMS or email" just in case you "lose access to your authenticator app". Hopefully a better recovery method will be worked out in the future.
You could probably print out the private key and store it in a safe if you want. I'd assume this would be possible as it is for 2FA backup codes nowadays
@mstech-gamingandmore1827 But that assumes your only danger is cybercrime. What if your house burns down with the safe? I assume you have a smoke alarm because you've anticipated that possibility. You use seatbelts because you've anticipated you might be in a car accident. To me, security means being prepared for bad shit that could happen in the real world, not just online.
Seems great; however, what if your PC doesn't support Bluetooth? They should have a secondary method where it can use maybe Wi-Fi instead so it can still work. I actually do have a laptop that doesn't have Bluetooth support.
@Jacob-ABCXYZ Each Bluetooth adapter has a device address similar to a MAC address for a Wi-Fi adapter, so they are most likely scanning nearby Bluetooth devices in search of the device address matching the device trying to log in.
It sounds like it's only using the Bluetooth to confirm physical proximity to the device, because he said it doesn't actually need to be connected to the Bluetooth device, so there's no data being transferred. If that's the case, there's no reason Wi-Fi shouldn't also be a viable confirmation method. We'll see what the hacking community comes up with after a little bit of playing with it.
Hey @ThioJoe, I always love your videos because they're simple and straight to the point. Straighter than an arrow, if you will. I'm just curious about two things:
1. I have heard about public key/private key pairs. I want to know whether Google uses the symmetrical one or the asymmetrical one. I couldn't find the answer for it.
2. You mentioned that passkeys use Bluetooth to verify if we are near the system even if we scan the QR code. If passkeys were to replace passwords and other 2FAs in the future, then how will it manage remote logins?
Sacrificing more privacy under the auspices of security isn't a leap forward I'm excited about. It's another way to be compelled to have a phone to prove it's you. It would be nice not to have your phone and yourself being required to be yourself.
@SBCBears And an ability to attach to the internet which associates you, your GeoIP and your phone to enhance data harvesting. It sort of begs the question of who you want to be secure from, as you just sold your privacy soul in exchange for safety from someone else.
Was looking forward to these passkeys when I first heard about them. Requiring Bluetooth is the first complication: not all computers (especially towers) have it built in, and buying a USB receiver on purpose is a faff. Second is that you still have a password. Perhaps it'll change if passkeys are successful, but it essentially makes it no more secure than passwords are now. Seems to me it's just a small QoL upgrade at this point if Bluetooth is available, sometimes. Having to take your phone out, open the camera, select sign in with passkey, and enter the lock screen PIN/fingerprint is not easier or faster than just typing a password.
@nebylicza Just because devices without Bluetooth are the minority doesn't mean that a login won't be necessary there. It HAS to work even on those devices; I MUST be able to log in. Otherwise, it's all just useless.
The biggest concern I have with this, is that it won't work for people who use remote desktops. I connect to my home computer via VNC a lot to do things and since I'm not physically near that I won't be able to log in.
It's not a concern for Joe Average, and it's only another login method for the masses. Btw, any solution that can work through a remote channel is susceptible to phishing attacks (the attacker's site relaying the real login QR code in their fake login screen), so that's why the Bluetooth is required to verify "the domain" you connected to. It may be a stupid question, but can't you use Windows Hello or similar tech with a PIN or password through VNC as a passkey provider?
@mtx33 I'm just hoping that it's seen as a valid use case and isn't, for example, made the only method to log in. Even if not the majority of people use it, it can still be a requirement for some, and it shouldn't just be made unavailable and leave those who need it in the dark. In my use case I can't use Windows Hello because 1. it's not Windows and 2. the system is managed by my university and we don't have permission to change the OS settings. I do understand how it's way better for the average person, though; my mom still has a notebook of passwords.
@loulounya I'm sure there are (will be) other alternatives (like you can already use software-based authenticator "emulators" instead of your phone), because if I remember right it's "just" a standard FIDO protocol implementation. (Excuse me if I'm wrong; I have limited knowledge about the specifics.)
I think most desktop computers (at least in my experience) don't even have bluetooth by default, and you need an adapter. So essentially unless you want to carry around a bluetooth adapter, you can't log in at school, at libraries, some internet cafes, etc.
@nebylicza And how does that help? Unless passkeys work everywhere, username and password still have to be enabled. And how is it any safer if those are still enabled?
To be fair, desktop PCs and even laptops are going the way of the dodo. For people who don't do office work and don't play games, they don't need computers to begin with. They only browse the internet, talk to their friends, and use streaming sites. All of those are possible on a phone, and there are huge amounts of people like this who are going to be ditching computers altogether in the next decade or so. As for desktops, why would anyone have them at this point? They are only good for gaming and intensive work, like CAD/CAM-style things, simulations, or photo/video editing. If you don't do those, which the vast majority of people don't, then a simple laptop will do just fine, or no laptop even.
Desktops are not going anywhere anytime soon. Chromebooks and phones don't have nearly enough horsepower for a lot of things, and aren't nearly as customizable. Oh, and a LOT of people are doing serious photo and video editing, along with a lot of other things that you can't do for sh*t on phones or laptops.
@terrylockwood9176 Okay, but 'a lot' means a flat number; I was talking about the 60-70% of the population who don't. Your flat number fits perfectly into that 30% and then some. They don't need more horsepower than what a phone has. As for the desktops, sure, I didn't phrase it correctly, but what I meant to say is that them being a mainstream thing is going to go extinct. They will still be around and people like us will still use them, but the mainstream population who don't game, or do anything intensive, won't buy them anymore, because why would they? A desktop offers nothing more that portable or affordable things wouldn't be able to offer them. It's going to return to the niche it was, because while everyone needs a computer to exist at this point, fewer and fewer people need the benefits of a desktop that other computing devices wouldn't be able to offer, because high-efficiency computation is only going to become more mainstream. Look at ARM, ffs: it powers Apple's new stuff, every Android phone made in the last decade, and single-board computers like Raspberry Pis; datacenters are buying ARM-based servers in droves too, and ARM is not known for how powerful it is, but for how much it does with so little power. Within a decade, x86 is going to go from 'the mainstream' to 'a niche', and that's OK. I've been here since the birth of Windows on this architecture, and I'll be using it until I can't anymore. That being said, Windows can eat sh*t and I am going to switch to Linux if they keep their BS up. Just 'cause I've been a long-time Windows user doesn't mean I won't switch.
More options is always good, and this looks promising. However, I have my doubts on the privacy department. For now you can have some dummy or """"anonymous"""" Google accounts for IoT and other stuff. If this will be mandatory some of that functionality will be harder to implement. So, it should be among choices, and not the only method in the future. For example you can have a main "device account" and others for different purposes that can be recovered with the main "supersecure" one, and things like that. Just rambling my thoughts here. 🤔
I really hope this will be an "option" rather than "required". Not all of us have our phone with us at all times. I even know people who don't have a cellphone.
I've been using passkeys on all my accounts that support it. For now very few websites support them, but they're a game changer for me; I can't wait for them to be the norm everywhere. Also, they're amazing if you use Apple devices: no need to scan a QR code with my phone when logging in on my Mac, I just have to use Touch ID to log in, and all my passkeys are synced across all my iCloud devices.
One thing that should be pointed out / clarified is: can one create a passkey offline, and once it's created, then share the public key with the authenticating site? This is the "ideal" method of generating a public/private key pair. Especially when you are directly interfacing with the final authenticator (Google, Apple or anyone else), it is desirable to allow offline key pair generation.
@autohmae Well, if they are "required" to be online, it also implies possible decryption of the private key. I am not suggesting deliberately, but we are all human, and keeping private keys online (not "private") opens up a plethora of undesired possibilities. No offense.
@niranjan-81 The private key is stored in a TPM or 'secure area' on a phone and doesn't leave that; some data just gets sent to that device and encrypted/signed, etc.
If your phone and computer are stolen at the same time (eg from a bag or case), then you could potentially lose access to your account. And if there's a username/password backup method, then having an extra method of logging in could mean you are actually less secure than you were. Passkeys are potentially more convenient, but I don't think they add any extra security in the real world.
@Serenity Recently a flaw with Android devices was found which lets you brute-force a fingerprint lock in a day. Just because you have a PIN code or some other method to lock your phone, it doesn't mean you're safe. Sorry, I'm very tired while writing this; hopefully I'm making sense lol.
I would have to agree that the requirement that the device/site you are trying to log into has to have Bluetooth is cumbersome at best, and if it is cumbersome enough, people won't use it. What I WOULD like to see you do is compare this type of authentication to using an authenticator, like Google or Microsoft Authenticator, which from experience is easier to use (e.g. less cumbersome) than futzing around trying to scan a QR code AND having to have Bluetooth etc etc etc. Authenticators work on multiple vendor websites too, and are also very common in the UK these days, and it has worked pretty well all things considered. A video comparing the advantages/disadvantages and what you recommend would be helpful.
@AltonV With an authenticator you don't need anything else, cheap (BT adapter) or not. It is still more money and more messing around, including deciding whether to turn BT on or off and when. The question remains on the advantages or disadvantages, and why, of one or the other.
@charliecashman With authenticator apps, I think the downside is if you're tricked into giving or typing that PIN code into a fake website, then the hackers have your second-factor authentication. But with a security key or passkey, that second piece of information is only given to the real website, so human error (meaning you accidentally give that PIN code to a hacker) is eliminated.
So this depends on having two devices that connect via Bluetooth to verify that you're this person because you have these two unique devices. So it's of no use if you just use a phone with no other device. Plus it doesn't add security because your password, which can be stolen, still works. Great feature.
But it does tie all of your accounts together once other websites just start having to use your Google passkey login the same way they've been encouraging you to create accounts using your Google account, which makes it even easier for Google to track every single thing you do anywhere on the internet. Isn't that really the point?
If you have multiple computers, do you have to set up a passkey for each one? If so, then hopefully your phone will sync with the right one. Great video, and new subscriber.
They need to have your phone and if someone steals your phone you can just disable it on that device. This is really similar to how banks handle security.
@viktoranderas9541 How do you disable it on a stolen phone? You need to use the phone to log in to verify your identity to disable the phone, no? Sounds like a catch-22.
@viltvalt1057 You can link the passkeys to more devices, so naturally your computer too, which you hopefully won't lose. Or have some backup physical key. Or maybe an old unused phone as a backup just lying somewhere in your basement. Or a smartwatch in the future. And if someone steals multiple devices from you, you are being targeted and it probably couldn't be avoided.
It's good to see security continue to be a priority - but it's also good that old password methods are still an option because my cellphone is for emergency-use only when I'm traveling, and I use a land-line for normal use. Besides that, I never use Bluetooth devices, since all devices are wired. I also never use the "cloud" (other people's computers) for storing any of my data. I have over 250 TB of storage on my local network, so all my data is secure and locally controlled. Other people have other priorities, and that's fine, so it's great that there's multiple secure options for people with different needs and preferences.
It amazes me how readily and happily people upload everything to the cloud, which is located who knows where and potentially accessed by governments and/or hackers. SMH. Encrypted local storage with a second backup off site is the most private, cheapest, and fastest storage.
4:20 The problem here is that you assume that the thief didn't look over your shoulder when you entered the phone's PIN/password before he stole it. This is basically what happened to a woman in Manhattan with her iPhone. She was in a bar having a conversation with a man. At some point she unlocked her iPhone with the device passcode. The man's accomplice spied on her as she entered the passcode. Later they stole her iPhone, and with the device passcode they could mess around with her Apple ID. And apparently there have been more cases like this. So now it's just as easy to hack into your Google account when you use your Android phone as a passkey.
But... how do you log in to stuff when you're on your phone? Do you need a second phone to be able to scan the QR code and log in with your first phone?
It's a really great anti-scam technology! We have been using it since 2011 here in Sweden and it's pretty much impossible to get scammed with this tech. The only risk is being forced after a home invasion or after being kidnapped or some crazy stuff like that.
@WGDO5805 I have a couple of YubiKey 5s ($50 for the cheapest in that series) that I use for this. Then they have a Security Key that only uses FIDO, which you can use as a passkey, that is $25 (USB-A) or $29 (USB-C); both also have NFC.
On iPhone, I was able to create it from the gmail app. It didn't require any qr code scan. It just asked me if I wanted to create, and then it worked. I logged off and then tried to login again to test it, and immediately it scanned my face and I was in. Pretty neat feature
So will this not work for remote desktops? I have a situation where I remote into my work PC from home at times and we currently use DUO security, which requires constant push notifications. Since you have to be within Bluetooth range, will passkeys never support this or is there another solution?
So basically, like any other extremely great security features, scammers will exploit the "easier" way to recover. They will have you lock your account then "assist" you with the unlocking
@viktoranderas9541 Let's wait for more options. There are still a lot of devices in education and businesses that don't have webcams or fingerprint readers.
If the passkeys are encrypted with your PIN, wouldn't they be super easy to break in the event of a data breach? Most people's phones use 4-digit PINs, not exactly secure encryption keys.
Fortunately they are not that stupid. I'm not sure about these passkeys, but Android cloud backups (Android 9+) are encrypted by a separate key pair stored in a secure element on a dedicated Google server isolated from the backups themselves, and the restore "lockscreen PIN" checking is done by dedicated hardware with brute-force protection (the protocol is more complicated in practice). I guess these "new" passkeys are stored in a similar manner, if not in the same infrastructure. It can protect your data in case of an external data breach and from an internal rogue employee. You can read more about this system in NCC Group's analysis of Google Encrypted Backup conducted in 2018. It's a fascinating system really, if you are interested.
I remember you from a video, I think it was almost 10 years ago, how to increase internet speed and I fell for that, didn't know you still make videos.
Unfortunately, I didn't find (or maybe haven't got) the option to add a passkey in my Google security settings. I got instead a "Security Key" option in its place on all of my devices (Windows and Android) and browsers, and it requires either a USB or Bluetooth physical security key. Hope my accounts get this passkey feature soon.
I'm going to use it, and I shared your video. I'm going to add it to all my devices, iPhone and Android. All my Android devices said they already had it, it automatically made a sign in key.
Well, what if:
a) I don't have Bluetooth on my PC
b) I use Firefox
c) I'm not logged into a Google account on my phone
d) I use Linux
e) I don't have Chrome installed on my phone
Just for context, I also own 2 YubiKeys 5 (the better version).
If it were the only login method (it's not /yet/), you can always use/write some custom implementation that can provide a passkey, it's just a protocol (FIDO standard), you don't have to use any "proprietary" software if you REALLY don't want to.
a) A Bluetooth dongle is cheap
b) Firefox apparently added full support with version 109 in January
Or just use a USB security key. Any FIDO2 security key should work (YubiKey, for example).
#💯 I agree... because with the iPhone 17 update I am hearing that there is a feature being forced on you already, open to accessing every iPhone you pass by, linking your phone to strangers with your info!
If you lose your phone, or if you're trying to log in on an older PC with a mobo that didn't support Bluetooth, you're basically SOL. Great move, Google... We love the .zip domains as well ❤
Thanks, just set mine up, works great. Sadly, I found very few sites that support it. If this gets more popular I might even get a fingerprint reader for my desktop.
This just seems like a less secure way to do OpenPGP, without any control over the keys. I already have little faith in Microsoft and Google for privacy, so why would I give them my keys?
Yes of course you absolutely want to set up this new authentication method before it has the time to be tested, it's always a great security feature to jump on any new technology
What if I use Linux? On PC and phone? Aren't we reliant on Google and Apple then? What about self hosted for passkey backup, not relying on anyone else?
Using a phone at least works in Chrome on Linux; local USB security keys don't seem to be supported yet. I don't know about using the phone for Firefox on Linux, but they added support for USB security keys on Mac and Linux in the latest Nightly.
I've been waiting like 6+ years for FIDO2 (and more recently WebAuthn) to actually be supported by services. So I am extremely happy to see these passkeys finally making headway. Phishing will become so much harder and many people's accounts will become overall more secure, since they won't be reusing weak passwords everywhere.
More secure while giving Google or Apple my private keys to all my sites?! Sorry, I respectfully decline. How insecure is 'end-to-end encryption' when the end encryption is so weak that it is a local swipe pattern? I say this is such a bad idea, to trust Google or Apple or Microsoft with weakly encrypted private info. It sounds stupidly ignorant to me.
@humilulo You don't have to give the private keys to anyone. Passkeys are a FIDO specification. Any device that supports FIDO2 is compatible (such as a YubiKey).
@humilulo Also, you're misunderstanding how PINs and the like work on modern devices. The actual keys to everything on your device are stored in a hardware module. When you enter the PIN you are authorizing the hardware module to release the key, which is then used for the cryptographic operations. Depending on the design it may not even need to release the key to the OS. In that case all the OS is able to do is ask that hardware to encrypt or decrypt data.
@MarcusTheDorkus I think you are failing to make your point. It encrypts it with what key? For what party? I am ignorant of a coherent cryptographic chain process where sharing it with Apple or Google is not a horrible idea. Can you fill me in?
You don't even understand how bad things really are already, now imagine how bad things are going to get when passwords become obsolete (this becomes mandatory).
That's assuming technology will NOT evolve to eliminate the need for physical devices that can be easily misplaced. There is quite a lot of competitive tech research at work trying to eliminate the need to carry a cumbersome mobile device that serves as your "proxy" identity. Future tech will identify "you", rather than your username/password or phone or something that's not directly "you". Hence, things like "turn on your Bluetooth" or "scan so-and-so image with your phone" will not be required at all. Edit: Corrected (or at least tried to correct) grammatical mistakes. English is not my first language, but I'm hoping to get better at it.
Since I have the iOS 17 beta, Apple automatically enabled a passkey for my iCloud account without asking me lol. I noticed, when you try to log in on a device that doesn't have Bluetooth, it asked me to plug my iPhone in with a cable, but I haven't tested if it works.
@CattopyTheWeb You still need a login ID (username or email) and a password to log in to your Google account or whatever other account is storing your keys. That part is online. This is something that is only good for businesses, since they don't have to worry as much about security. Putting everything in one place is not secure. Granted, many of us already use Google Chrome as a password manager, which would have the exact same vulnerability, but if they really wanted to make it more secure than passwords, then they would make sure it stays offline entirely. There's also the marketing of the feature. If it's said to be secure from phishing scams, then people are going to trust that. We know that putting everything into QR codes is not secure, however. It is very difficult to verify if a QR code is safe without first putting yourself at risk. If somebody sets up a fake website which looks just like an official one where you would be expecting to input sensitive information, then there is a risk that they will trick people into giving them other information before they realize what's happening, if they do at all. Scams are getting more and more sophisticated and it is getting difficult even for tech-savvy people to recognize when something is wrong. This introduces a new vector for attack due to its unfamiliarity. Maybe in a few years there will be data showing that it actually has had a positive impact on preventing attacks, but I'm not going to trust it until then.
Ah, the Google Passkey predicament. It is, indeed, a situation as complex and nuanced as any Cardassian enigma. You see, there is a certain, let's say, "inconvenience" in the Google Passkey design. It bears resemblance to an Obsidian Order operation planned without considering all necessary contingencies. The flaw, dear friend, lies in its inability to operate in environments such as RDP and Citrix, where the lifeline of Bluetooth connectivity is severed. Just as a Cardassian Gul would find himself at a loss without his trusty subspace communication device, so does the Google Passkey fail to perform its duty in these circumstances. In the days of yore, the solution was as straightforward as a Bajoran telling time with an Orb. You'd simply correspond the number presented on your computer screen - a system as simple and reliable as an old Cardassian shuttle. Alas, the winds of change have swept across this landscape of technology, leaving us to yearn for the simplicity and functionality of the past. In essence, it seems that while striving for progress and innovation, the architects of Google Passkey may have overlooked the importance of universal functionality - a misstep akin to ignoring the importance of a neutral zone in interstellar politics. It's a lesson, my dear interlocutor, that sometimes in our quest for advancement, we must not forget the utility and reliability of the tried and tested.
I ain't got no got dang idea what you be sayin spaceman, all's I know is my nokia 3310 has no camera or bluetooth and like heck am I ever replacing it!
This sounds like jumping through a lot of hoops to force compatibility. The only advantage to this is the extra security. It would be much better if, upon account creation, Google already generated a passkey that could be used to link with other websites, just as how other sites create their own accounts by linking to your Google one. Of course, this is still following the trend of attempting to track and isolate people online and giving them as little privacy as possible. Google will undoubtedly share all of your mobile activity with every site using your passkey for advertising. Especially if you're using an Android device, which has unremovable apps that only serve to sync the data of all the Google apps. I see this as a complete negative and would definitely like to avoid any Google problems affecting my accounts on other sites. That aside, if they're looking for convenience they should think about fixing YouTube. Aside from this very site, Google itself is beyond convenient to the point where they simply don't have much left to do on that front. They could maybe change how web navigation works by sorting sites into categories, being able to filter by site traffic and such, providing the ability to search using all forms of digital data, or even better, provide a way to automatically find similar websites based on one of those categories. But yeah, I don't see much need for passkeys.
Just use a FIDO2 hardware key instead if you are worried about privacy. From the fido2 webpage: "Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device."
"Google will undoubtedly share all of your mobile activity to every site using your passkey for advertising." I own a site which uses Google's sign-in API and displays Google ads--where can I get some of this data? I'm not sure you know how this works. They don't need to share your data with external sites in order to advertise on them.
@@GrantGryczan No clue. It could be built into many things, such as being able to gather all of the profile information about each youtube subscriber, or knowing how much of the video each person watched. What I do know is that Google blatantly gathers data from each of its many apps and syncs it together. Much of the data is not relevant for personal use, so it's used elsewhere.
Absolutely terrible for those who wanna keep anonymous accounts. Soon it'll get forced onto us like 2 factor authentication. I've lost multiple accounts due to 2 factor authentication effing (suspicious activity😑). How do I keep off the grid accounts!
3:10 Wow...no website has made it this clear before that your phone has to be near the device with which you are trying to login. Thank you for this important piece of information!
I have to say something about fingerprints. I am a climber, not even a good one, and after a good climbing session I usually can't login using my fingerprint, because my skin doesn't look the same. Once I even had to redo the setup, because it was looking like I had another finger. 🙂 Anyway, eBay had this for more than one year. I do login using the fingerprint on eBay. And I personally implemented over 5 years ago an authentication method for an app that uses private and public keys. Actually the most secure in the world to date, because it also prevents the replay attack.
Oh that's interesting! I just saw that like 2 days ago when enabling 2FA - I didn't think it was brand new, cause I rarely check the Google Account settings otherwise.
Does this work on Firefox as well?
The Bluetooth dongle part is stupid; if Google forces passkeys, some people will be locked out of their accounts without special equipment
Mfw this video comes after 2 videos crapping on Google
Hahaha 😂
Lol 😂
What’s mfw?
Google has to fix their rep somehow. And after all the password manager breaches this is the way to do it!
@@chargeminecraft my face when
Yep, I was thinking the same thing. This is Google assuming again that they know what's best for everyone. Spoiler alert, they don't.
There's always a catch with these "revolutionary" new features and that catch is almost always less control for the end user.
There should be open source alternatives for this technology, otherwise how will people with degoogled devices use it?
finally somebody sane!
agreed. this seems like an awful idea for security, and they're still using passwords as backups, so it's just an additional point of failure at best..
Looking forward to when Bitwarden implements this so you can retain control of the passkeys yourself rather than relying on Google or Apple.
Oh yes!!!! I would like to see that happen!
This would be perfect, just still have some form of backup MFA setup on your account however.
Ah yes that i used all the time
I'm not gonna use this feature at all. It's made by Google, so I don't trust them at all. I'd rather buy a YubiKey than use Google for passkeys.
@@billyhatcher643 did you watch the video
There's almost always useful information on this channel. Oftentimes it's info that's not widespread or that is so recent that very few people have covered it. Makes me glad I subscribed all those years ago, when the channel switched from satire to actual tech info.
i like satire too, we need 2 channels!
Please look at my reply to the video (a few messages above this). Are you sure that this is a positive thing?
same.
2 x speed boost for your internet connection - For Free - with this simple trick 🤣🤣🤣🤣
I'd recommend not using Google to store your stuff. Go buy a YubiKey instead; it's expensive but worth the price. I don't trust Google with my passkeys.
@@mos8541 this was the case many years ago lol. this was the satire one and thiojoetech was the informative one (maybe you already knew this though)
Some security researchers recently noted that Google now scans encrypted zip archives stored inside Google Drive by scanning your E-Mail content (and probably the password storage in your Chrome Browser, which syncs to the cloud).
Now, I think that authentication via public/private key-pairs is a great idea, but this new concept just ensures that those private keys are all synced with your Google cloud. Which means Google won't even have to scan your private data for passwords anymore. They **literally** hold the keys.
He mentioned that keys are stored in an end to end encrypted manner, which means keys are encrypted on device before sending to google servers, and decrypted on device. I just wanna see how they established that transparency.
Yup. Anything that shifts control away from the user to Skynet is suspect.
You can use a hardware key like yubikey for example instead of your phone
Yeah, it's a lot easier to say the phrase "end-to-end encryption" than to write and use trustworthy end-to-end encryption software.
@@atpray You are right. He mentions in the video that Google promised that the keys are securely transmitted via end-to-end encryption. That is true, but also sadly very misleading. Because Google already showed that they broke this "everything is encrypted" promise, by meaning different things with these words. "End-to-end encryption usually just means SSL" for Google, not that the data is really encrypted. "Storing data encrypted on our drives" usually means hard disk encryption, similar to Bitlocker. What it does not mean is that Google cannot access your data.
Something very similar is widely used in Sweden under the name BankID, which is required when authorizing internet transactions, and whilst logging into governmental websites. Some websites even use it instead of a username and password, which, as mentioned in the video, makes it very easy to log in. This is especially useful for the older population, since they may have trouble remembering all the different usernames and passwords required to log in. One improvement the Google variant makes, though, is the bluetooth technology, which is honestly quite ingenious. The fact that it necessitates a close proximity between the devices should mean that it's able to prevent any and all scams, making it nearly impossible for call centers to swindle the elderly out of their hard earned money.
The worst part is that you need to buy a new computer with bluetooth for your gramps.
Just to be clear here, the bluetooth functionality of passkeys is not an invention of Google, but rather that of FIDO Alliance, whose board is made up of people from Amazon, AmEx, Apple, Google, Intel, MasterCard, Meta, Microsoft, PayPal, Samsung, VISA, Yubico and many more. They created the standard that specifies exactly how this should work. And the term "Passkey" was coined by Apple at WWDC22, and a while later, FIDO officially endorsed it, saying they much prefer it over "FIDO/WebAuthn credential", though they probably talked with Apple and already agreed Passkey is better and gave Apple the go-ahead to publish their implementation with that name.
Yes, the Scandinavian elites have always been first when adopting measures that let them control their population even more.
@@Spamkromite Yeah, for laptops it may be standard, but I have yet to meet anyone who has Bluetooth in a stationary.
Then again, grandpa nowadays might be doing their bills on a tablet instead of a computer?
@@HasekuraIsuna I dunno if it would work but I bought kinda cheap usb adapter and plugged it so that *might* help. I use it with bluetooth headphones if I'm too lazy to take out "real ones" though, maybe it wouldn't work.
Thank you for your information. Loved the extra info showing what happens if it takes too long. Nice to know possible errors
Honestly even with those pass keys that is stored to the local machine, using the physical security keys like Yubikey as the back-up key is always an option
YubiKey is so much better because you don't need to use the phone at all for that. I'd rather use a YubiKey for stuff like this compared to Google.
yubi yubi!
Yubi key is best option
yes but is yubikey universally accepted ?
It's a good idea, sure, but I feel like some "problem solves" can just make more problems, losing your phone being the most problematic, plus it feels tedious, but that might just be cuz I've never used it lol.
Feels like a double-edged sword scenario, hoping for the best though 👍
You are too naive.
I agree, what happens when a phone breaks and you need a new one? Would a backup have the private key on it? Or would I have to set it up again?
@@naturegirl1999 he literally talked about this in the video
@@naturegirl1999 you can add several devices, and they don't need to be phones either.
Any fido2 security key should work (I have also added my yubikeys)
I'd be more concerned about social engineering attacks stealing people's private key via a malicious QR code. just scanning shit with your camera has become too normalized for this to be a good idea, IMO.
We should always keep in mind that Google, Microsoft and Amazon are known for suspending or deleting accounts with everything stored or associated without naming a reason or a guaranteed way to appeal.
Yes. Stay away from this.
Why do you have to worry about your account being suspended or deleted? I don't. I don't do anything with my accounts to have to worry about this.
@@teemo5409 Because teemo is a good little boy, oh so progressive and perfect and loves his little rewards, not like those icky people. Teemo, what's ok now might be wrong in the future. Maybe you are too young to know that. If you buy into this system, you are likely to get burned later. And sometimes the reward is a piece of candy and the warm fuzzy place is a white van.
@@nebylicza Deletion, not suspension. And you will never know the reason. No way to appeal, no way to retrieve licenses you've bought. Some people went to court to get their data back. It turned out that pictures of their own children had been classified by an AI as you-know-what and that the data was actually deleted with no chance of restoration.
I had worked in an environment that used Google Workspace Enterprise, and I still have not forgotten how extremely inconvenient it was when Google announced it was discontinuing Google Bookmarks, its bookmarking service that is not connected to the Chrome browser. I wonder how many other people also lost their bookmarks when they had forgotten to download them to transfer to whatever new online app.
It seems like a good start but I was hoping there was a way to avoid the "what if I lose my phone -> use a password for the first time login" bit. At that point, that means a password is both still required and still enough to take over the entire account with existing techniques (e.g. compromised backup email + compromised password). Feels a lot like sites that allow 2fa but then won't stop pestering you about adding a "backup via SMS or email" just in case you "lose access to your authenticator app".
Hopefully a better recovery method will be worked out in the future.
You could probably print out the private key and store it in a safe if you want. I'd assume this would be possible as it is for 2FA backup codes nowadays
@@mstech-gamingandmore1827 Then the safe (or safe deposit box) becomes an attack vector.
@@mrtechie6810 you can encrypt your private key with a long passphrase before you print out, best way to store private key backups
@@mrtechie6810 Probably shouldn't be using this feature from Google or any of their services at all if that would ever have to be a concern lol.
@@mstech-gamingandmore1827 But that assumes your only danger is cybercrime. What if your house burns down with the safe? I assume you have a smoke alarm because you've anticipated that possibility. You use seatbelts because you've anticipated you might be in a car accident. To me, security means being prepared for bad shit that could happen in the real world, not just online.
Seems great, however what if your PC doesn't support Bluetooth? They should have a secondary method where it can use maybe wifi instead so it can still work. I actually do have a laptop that doesn't have Bluetooth support
Just get a bluetooth adapter
@@ThioJoe Does this work for logging in that is not saved or associated with said device?
I'm curious what traffic is actually sent over Bluetooth or if they were to use wifi. But I'm inclined to say that WiFi would not be better
@@Jacob-ABCXYZ each Bluetooth adapter has a device address similar to a mac address for a wifi adaptor, so they are most likely scanning nearby Bluetooth devices in search of the device address matching the device trying to login
it sounds like it's only using the Bluetooth to confirm physical proximity to the device, because he said it doesn't actually need to be connected to the Bluetooth device, so there's no data being transferred. if that's the case there's no reason Wi-Fi shouldn't also be a viable confirmation method. we'll see what the hacking community comes up with after a little bit of playing with it
Hey @ThioJoe,
I always love your videos because it's simple and straight to the point.
Straighter than an Arrow if you will.
I'm just curious about two things:
1. I have heard about public key - private key pairs. I want to know whether Google uses the symmetrical one or the asymmetrical one. I couldn't find the answer for it.
2. You mentioned that passkeys use bluetooth to verify if we are near the system even if we scan the QR code.
If passkeys were to replace passwords and other 2FAs in the future, then how will it manage remote logins?
Private and public keys mean asymmetric keys. A symmetric key would be used for both encrypting and decrypting.
About remote logins: then the client software for the remote login will have to know how to handle the Bluetooth flow.
I'd just use public-private key logins, tbh.
It's safe and has been in use on servers for decades already
Sacrificing more privacy under the auspices of security isn't a leap forward I'm excited about. It's another way to be compelled to have a phone to prove it's you.
It would be nice not to have your phone and yourself being required to be yourself.
It doesn't need to be a phone.
You could use a hardware key like a yubikey
Yes, now you need two electronic devices both functioning correctly and simultaneously and connecting with one another.
@@AltonV How will you scan a QR code with a Yubikey?
@@SBCBears And an ability to attach to the internet which associates you, your geoip and your phone to enhance data harvesting. It sort of begs the question of who you want to be secure from as you just sold your privacy soul in exchange for safety from someone else.
@@wisenber you don't need to.
Plug it in, enter the yubikey's pin and touch the button on it.
Was looking forward to these passkeys when i first heard about them. Requiring Bluetooth is the first complication - not all computers (specially towers) have it built-in, and buying a usb receiver on purpose is a faff. Second is that you still have a password - perhaps it'll change if passkeys are successful, but it essentially makes it no more secure than passwords are now.
Seems to me it's just a small QoL upgrade at this point if bluetooth is available, sometimes. Having to take your phone out, open the camera, select sign in with passkey, enter lock screen pin/fingerprint is not easier or faster than just typing a password.
Right. And if you're running VPN the associated bluetooth will NOT work. With VPN the host doesn't know about your bluetooth.
That's what I was thinking also.
@@nebylicza Just because devices without Bluetooth are the minority doesn't mean that a login won't be necessary there. It HAS to work even on those devices, I MUST be able to log in. Otherwise, it's all just useless.
The biggest concern I have with this, is that it won't work for people who use remote desktops. I connect to my home computer via VNC a lot to do things and since I'm not physically near that I won't be able to log in.
I'm honestly surprised how far down this was, I was thinking the exact same
it's not a concern for Joe Average and only another login method for the masses. Btw any solution that can work through a remote channel is susceptible to phishing attacks (the attacker site relaying the real login QR code in their fake login screen), so that's why the Bluetooth is required to verify "the domain" you connected to.
It may be a stupid question, but can't you use Windows Hello or similar tech with a pin or password through VNC as a passkey provider?
@@mtx33 @mtx33 I'm just hoping that it's seen as a valid usecase and isn't for example made as the only method to login. Even if not the majority of people use it, it can still be a requirement to some, and it shouldn't just be made unavailable and leave those who need it in the dark. In my use case I can't use windows hello because 1. It's not windows and 2. The system is managed by my University and we don't have permission to change the OS settings; I do understand how it's way better for the average person though, my mom still has a notebook of passwords
@@loulounya I'm sure there are (will be) other alternatives (like you can already use software based authenticator "emulators" instead your phone), because if i remember right it's "just" a standard FIDO protocol implementation. (excuse me if i'm wrong, i have limited knowledge about the specifics)
I think most desktop computers (at least in my experience) don't even have bluetooth by default, and you need an adapter.
So essentially unless you want to carry around a bluetooth adapter, you can't log in at school, at libraries, some internet cafes, etc.
@@nebylicza And how does that help? Unless passkeys work everywhere, username and password still has to be enabled. And how is it any safer if those are still enabled?
Small fraction? I'd say they're more than just a small fraction.
To be fair, desktop PC's and even laptops are going the way of the dodo.
For people who dont do office work, and dont play games, they dont need computers to begin with. They only browse the internet, talk to their friends, and streaming sites.
All of those are possible on a phone, and there are huge amounts of people like this who are going to be ditching computers altogether in the next decade or so
As for desktops, why would anyone have them at this point? They are only good for gaming, and intensive work, like CAD-CAM style things, simulations, or photo/video editing. If you dont do those, which the vast majority of people dont, then a simple laptop will do just fine, or no laptop even.
Desktops are not going anywhere anytime soon. Chromebooks and phones don't have nearly enough horsepower for a lot of things, and aren't nearly as customizable.
Oh, and a LOT of people are doing serious photo and video editing, along with a lot of other things that you can't do for sh*t on phones or laptops.
@@terrylockwood9176 Okay, but 'a lot' means a flat number, i was talking about like 60-70% of the population who dont. Your flat number fits perfectly into that 30% and then some. They dont need more horsepower than what a phone has.
As for the desktops, sure, i didnt phrase it correctly, but what i meant to say is that them being a mainstream thing is going to go extinct. They will still be around and people like us will still use them, but the mainstream population who dont game, or do anything intensive, wont buy them anymore, because why would they? A desktop offers nothing other more that portable or affordable things wouldnt be able to offer them.
Its going to return back into the niche it was, because while everyone needs a computer to exist at this point, fewer and fewer people need the benefits of a desktop, that other computational things wouldnt be able to offer. Because high efficiency computation is only going to be mainstream. Look at arm ffs, it powers apple's new stuff, every android phone made in the last decade, the single board computers like raspberry pi's, datacenters are buying arm based servers in droves too, and arm is not known for how powerful it is, but for how much it does with so little power.
Within a decade, X86 is going to go from 'the mainstream' to 'a niche', and thats ok. I've been here since the birth of windows on this architecture, and i'll be using it until i cant anymore. That being said, windows can eat sht and i am going to switch to linux if they keep their bs up. Just cuz i've been a long time windows user doesnt mean i wont switch.
Not for enterprise yet though, which is really annoying. I hope it rolls out for Google Workspace business accounts soon
Yep i am waiting for that
when MS releases functions for Home vs Enterprise, be suspicious
this is exactly opposite of OpenID, huh? Google owns the privatekey DIRECTORY in this case?
@@ThioJoe what do I do to stop being surveillanced on my phone and on my internet tv and arries.
Having a paid account on Google restricts many services this way. I've been looking at (shudder) office 365 instead
More options is always good, and this looks promising. However, I have my doubts on the privacy department. For now you can have some dummy or """"anonymous"""" Google accounts for IoT and other stuff. If this will be mandatory some of that functionality will be harder to implement. So, it should be among choices, and not the only method in the future. For example you can have a main "device account" and others for different purposes that can be recovered with the main "supersecure" one, and things like that. Just rambling my thoughts here. 🤔
Thank you for adding the search for your stock videos Theo!
Guaranteed this is more about Google being able to track you easier than it is about your security.
What a good way to double the complexity of such a straightforward thing as logging in to an email account
I really hope this will be an "option" rather than "required" not all of us have our phone with us at all times. I even know people who don't have a cellphone.
I’ve been using passkeys on all my accounts that support it. For now very few websites support them but they’re a game changer for me, I can’t wait for them to be the norm everywhere.
Also they’re amazing if you use apple devices, no need to scan a qr code with my phone when logging in on my Mac, I just have to use Touch ID to login, and all my passkeys are synced across all my iCloud devices
As long as this remains an option, and not the forced one exclusive way.
ThioJoe once again comes through with a thorough explanation of useful cutting edge tech.
I think it's an awful tech. But the devil is in the untold details, not in the parts shown.
Thanks! This is a lot better explanation of passkeys than I have seen anywhere else.
One thing that should be pointed out / clarified is, Can one create a passkey offline? And once its created then share the public key with the authenticating site? This is the "ideal" method of generating a public/private key pair. Especially when you are directly interfacing with the final authenticator google / apple or anyone else, it is desirable to allow offline key pair generation.
Your keys need to be 'online', because they are used to sign random data provided by the website/app. But they can be for example Yubikeys as well.
@@autohmae well, if they are "required" to be online, it also implies possible decryption of the private key. I am not suggesting deliberately, but we are all humans and keeping private keys online (not "private") opens up plethora of undesired possibilities. No offense.
@@niranjan-81 the private key is stored in a TPM or 'secure area' on a phone and doesn't leave that; some data just gets sent to that device and encrypted/signed, etc.
@@autohmae then it means the private keys are not needed to be online. Which is good.
Great info, I'm tech savvy but didn't know how these passkeys worked. Thanks for sharing!
If your phone and computer are stolen at the same time (eg from a bag or case), then you could potentially lose access to your account. And if there's a username/password backup method, then having an extra method of logging in could mean you are actually less secure than you were. Passkeys are potentially more convenient, but I don't think they add any extra security in the real world.
@Serenity Recently a flaw with Android devices was found which lets you brute force a fingerprint lock in a day.
Just because you have a pin code or some other method to lock your phone, it doesn't mean you're safe.
Sorry I'm very tired while writing this hopefully i'm making sense lol
New ideas like this are *often* (I'm tempted to say "always") not gamed out enough, or by people smart (and evil :-)) enough...
@Serenity You are right. Those are great points.
@Serenity Yeah, and you just described a large part of society.
Or what about destroyed at the same time, i.e. due to flood or fire, you didn't have time to grab them
I would have to agree that the requirement that the device/site you are trying to log into has to have bluetooth is cumbersome at best, and if it is cumbersome enough, people wont use it. What I WOULD like to see you do is compare this type of authentication to using an authenticator, like Google or Microsoft Authenticator, which from experience is easier to use (e.g. less cumbersome) than futzing around trying to scan a QR code AND having to have bluetooth etc etc etc. Authenticators work on multiple vendor websites too, and also very common in the UK these days and it has worked pretty well all things considered. A video comparing the advantages/disadvantages and what you recommend would be helpful.
A bluetooth adapter is cheap and you don't even need to configure anything
@@AltonV With an authenticator you don't need anything else, cheap (BT adapter) or not. It is still more money and more messing around, including deciding whether to turn BT on or off and when. The question remains on the advantages or disadvantages, and why, of one or the other.
@@charliecashman With authenticator apps, I think the downside is if you’re tricked into giving or typing that pin code into a fake website then the hackers have your second factor authentication. But with a security key or passkey that second piece of information is only given to the real website, so human error (meaning you accidentally giving that pin code to a hacker) is eliminated.
good explainer, reminds me of PGP with private and public keys - and, of course, will keep the crypto bros happy with social normalisation of such keys
So this depends on having two devices that connect via Bluetooth to verify that you're this person because you have these two unique devices.
So it's of no use if you just use a phone with no other device.
Plus it doesn't add security because your password, which can be stolen, still works.
Great feature.
Yup. At worst it can lock you out if you lose your devices, and at best it's just an additional point of failure.
@@Jake28 you can add several devices and not just phones.
Any FIDO2 security key should work (yubikey for example)
But it does tie all of your accounts together once other websites just start having to use your Google passkey login the same way they've been encouraging you to create accounts using your Google account, which makes it even easier for Google to track every single thing you do anywhere on the internet. Isn't that really the point?
@@GrueTurtle google cannot do it at least if you don't use an android phone.
And you don't need a phone either.
You could use a fido2 USB security key
If you have multiple computers do you have to set up a pass key for each one.
If so, then hopefully your phone will sync w/the right one.
Great video and new subscriber.
Now, thieves just need to physically get into your phone to access all passwords. Sounds like a Lord of the Rings situation.
watch again please
They need to have your phone and if someone steals your phone you can just disable it on that device.
This is really similar to how banks handle security.
I thought exactly the same 💍
@@viktoranderas9541 How do you disable it on a stolen phone? you need to use the phone to log in to verify your identity to disable the phone, no? sounds like a catch 22.
@@viltvalt1057 you can link the passkeys to more devices, so naturally your computer too. Which you hopefully won't lose.
Or have some backup physical key. Or maybe an old unused phone as a backup just lying somewhere in your basement. Or a smart watch in the future.
And if someone steals multiple devices from you. You are being targeted and it probably couldn't be avoided.
Thanks Thio. The information and service you provide is very valuable. I asked all in my family circle to consider making your content “theirs”.
This will make us more dependent on Google and our smartphone which is opposite of what I am trying to do.
Did not know about pass keys but will set it up. Thanks and I will use your videos to reference them.
It's good to see security continue to be a priority - but it's also good that old password methods are still an option because my cellphone is for emergency-use only when I'm traveling, and I use a land-line for normal use. Besides that, I never use Bluetooth devices, since all devices are wired. I also never use the "cloud" (other people's computers) for storing any of my data. I have over 250 TB of storage on my local network, so all my data is secure and locally controlled. Other people have other priorities, and that's fine, so it's great that there's multiple secure options for people with different needs and preferences.
Do you use physical security keys for 2fa or just regular codes stored in your password manager?
I think it's an awful tech. But the devil is in the untold details, not in the parts shown.
@@brunoais???
@@Moli05 ?
It amazes me how readily and happily people upload everything to the cloud, which is located who knows where and potentially accessed by governments and/or hackers. SMH. Encrypted local storage with a second backup off site is the most private, cheapest, and fastest storage.
4:20 The problem here is that you assume that the thief didn't look over your shoulder when you entered the phone's PIN/password before he steals it.
This is basically what happened to a woman in Manhattan with her iPhone. She was in a bar having a conversation with a man. At some point she unlocked her iPhone with the device passcode. The man's accomplice watched how she entered the passcode. Later they stole her iPhone and with the device passcode they could mess around with her Apple ID. And apparently there have been more cases like this.
So now it's just as easy to hack into your Google account when you use your Android phone as a passkey.
Could be solved with biometrics
but... how do you log in to stuff when you're on your phone? do you need a second phone to be able to scan the qr code and log in with your first phone?
Instead of having you scan a QR code it will automatically detect you're using a phone and prompt for your PIN/Face/Touch ID.
Awesome channel. love every video that comes out....
It's a really great anti-scam technology! We have been using it since 2011 here in Sweden and it's pretty much impossible to get scammed with this tech. The only risk is being forced after a home invasion or after being kidnapped or some crazy stuff like that.
Do you use a Yubikey for it? Or a cheaper key? What do you recommend?
@@WGDO5805 I have a couple yubikey 5 ($50 for the cheapest in that series) that I use for this.
Then they have a security key that only uses FIDO that you can use as a passkey, which is $25 (USB-A) or $29 (USB-C); both also have NFC.
On iPhone, I was able to create it from the gmail app. It didn't require any qr code scan. It just asked me if I wanted to create, and then it worked. I logged off and then tried to login again to test it, and immediately it scanned my face and I was in. Pretty neat feature
So will this not work for remote desktops? I have a situation where I remote into my work PC from home at times and we currently use DUO security, which requires constant push notifications. Since you have to be within Bluetooth range, will passkeys never support this or is there another solution?
Maybe they could add some kind of support for this in remote desktop? 🤷♂
Best explanation of passkeys I've seen for now !
So basically, like any other extremely great security features, scammers will exploit the "easier" way to recover. They will have you lock your account then "assist" you with the unlocking
Thanks man! Great educational and explanatory vid. Liked & subscribed 🤙
I'd love to see how this works in education where phones are not allowed or in organisations where there is a no phone policy! Well done Google!! 🙄
You can also use a computer with windows hello as an example in the video and more options will probably come.
@@viktoranderas9541 let's wait for the more options. There are still a lot of devices in education and businesses that don't have webcams or fingerprint readers.
@@tim.hobson yeah it was mostly as an example of an existing option.
@@tim.hobson isn't there a portable USB fingerprint reader? Correct me if I'm wrong
@@Lephiz Some high-security policy devices won't allow any USB devices to be attached. But it could be usable for many.
If the passkeys are encrypted with your PIN, wouldn't they be super easy to break in the event of a data breach. Most peoples phones use 4 digit pins, not exactly secure encryption keys
Fortunately they are not that stupid. I'm not sure about these passkeys, but Android cloud backups (Android 9+) are encrypted by a separate key pair stored in a secure element on a dedicated Google server isolated from the backups themselves, and the restore "lockscreen PIN" check is done by dedicated hardware with brute-force protection (the protocol is more complicated in practice). I guess these "new" passkeys are stored in a similar manner, if not in the same infrastructure. It can protect your data in case of an external data breach and from an internal rogue employee. You can read more about this system in the NCC Group's analysis of Google Encrypted Backup conducted in 2018. It's a fascinating system really if you are interested.
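The question above (why a 4-digit PIN is not simply an offline-crackable encryption key) and the reply (the PIN check happens inside brute-force-limited hardware) come down to where the attacker gets to make guesses. The Go program below is an added example for this page, not the video's or Google's code, and it does not claim to reproduce Google's actual protocol: the iterated HMAC stands in for a real KDF, the attempt counter stands in for whatever rate limiting the hardware enforces, and the PIN, secret and parameters are made up. It wraps a "passkey private key" under a PIN-derived key and then runs the same 10,000-guess attack from two positions: against a breached copy of the blob (offline) and through a modelled secure element that locks after ten failures (online).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrLocked is returned once the modelled secure element has seen too many wrong PINs.
var ErrLocked = errors.New("secure element locked")

// deriveKey stretches a PIN with a salt (iterated HMAC standing in for a real KDF). Stretching
// multiplies an attacker's cost by iters, but a 4-digit PIN still has only 10,000 candidates.
func deriveKey(pin string, salt []byte, iters int) []byte {
	k := []byte(pin)
	for i := 0; i < iters; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(k)
		k = m.Sum(nil)
	}
	return k
}

// gcmFor builds AES-256-GCM; kek is always the 32-byte output of deriveKey, so neither call can fail.
func gcmFor(kek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrap seals the passkey's private key under the PIN-derived key; the GCM tag is what tells a
// guesser whether a PIN was right, so each guess costs one KDF run plus one AEAD open.
func wrap(kek, secret []byte) []byte {
	gcm := gcmFor(kek)
	nonce := make([]byte, gcm.NonceSize())
	_, _ = rand.Read(nonce)
	return gcm.Seal(nonce, nonce, secret, nil)
}

func unwrap(kek, blob []byte) ([]byte, error) {
	gcm := gcmFor(kek)
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// bruteForce tries every 4-digit PIN until try succeeds (found) or the target locks (blocked).
func bruteForce(try func(pin string) error) (attempts int, found bool) {
	for i := 0; i < 10000; i++ {
		err := try(fmt.Sprintf("%04d", i))
		if err == nil || errors.Is(err, ErrLocked) {
			return i + 1, err == nil
		}
	}
	return 10000, false
}

// OfflineBruteForce models an attacker with a breached copy of blob and salt: every guess runs on
// their own hardware and nothing stops them before 10,000 tries.
func OfflineBruteForce(blob, salt []byte, iters int) (int, bool) {
	return bruteForce(func(pin string) error {
		_, err := unwrap(deriveKey(pin, salt, iters), blob)
		return err
	})
}

// SecureElement models tamper-resistant hardware that keeps salt and blob inside and refuses to
// answer once maxFail wrong PINs have been seen.
type SecureElement struct {
	blob, salt            []byte
	iters, fails, maxFail int
}

func NewSecureElement(pin string, secret []byte, iters, maxFail int) *SecureElement {
	salt := make([]byte, 16)
	_, _ = rand.Read(salt)
	return &SecureElement{blob: wrap(deriveKey(pin, salt, iters), secret), salt: salt, iters: iters, maxFail: maxFail}
}

// Unwrap releases the secret for the right PIN; after maxFail wrong PINs it answers only ErrLocked.
func (se *SecureElement) Unwrap(pin string) ([]byte, error) {
	if se.fails >= se.maxFail {
		return nil, ErrLocked
	}
	secret, err := unwrap(deriveKey(pin, se.salt, se.iters), se.blob)
	if err != nil {
		se.fails++
		return nil, errors.New("wrong PIN")
	}
	se.fails = 0
	return secret, nil
}

// OnlineBruteForce is the same attacker, now forced to ask the hardware for every guess.
func OnlineBruteForce(se *SecureElement) (int, bool) {
	return bruteForce(func(pin string) error {
		_, err := se.Unwrap(pin)
		return err
	})
}

func main() {
	se := NewSecureElement("7312", []byte("passkey private key bytes"), 100, 10)
	fmt.Println(OfflineBruteForce(se.blob, se.salt, se.iters)) // breached copy: 7313 true
	fmt.Println(OnlineBruteForce(se))                           // through the hardware: 11 false
}
```

The offline attacker recovers the secret on the 7,313th guess in well under a second, and raising the iteration count only scales that linearly. The online attacker is refused from the 11th request on, and the element stays locked even for the correct PIN afterwards. The security therefore rests on the blob and salt never leaving the hardware that enforces the counter, which is exactly the property the reply attributes to Google's design.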
There's a reason I set my phone to use a password rather than a PIN.
I remember you from a video, I think it was almost 10 years ago, how to increase internet speed and I fell for that, didn't know you still make videos.
Unfortunately, I didn't find (or maybe haven't got) the option to add a Passkey in my Google security settings. I got instead a "Security Key" option in its place on all of my devices (Windows and Android) and browsers, and it requires either a USB or Bluetooth physical security key. Hope my accounts get this Passkey feature soon.
I'm going to use it, and I shared your video. I'm going to add it to all my devices, iPhone and Android. All my Android devices said they already had it, it automatically made a sign in key.
Well, what if:
a) I don't have bluetooth on my pc
b) I use Firefox
c) I'm not logged into a google account on my phone
d) I use Linux
e) I don't have Chrome installed on my phone
Just for context I also own 2 YubiKeys 5 (the better version)
@Savvy "just do exactly what they tell you to! you don't get options"
If it were the only login method (it's not /yet/), you can always use/write some custom implementation that can provide a passkey, it's just a protocol (FIDO standard), you don't have to use any "proprietary" software if you REALLY don't want to.
a) A bluetooth dongle is cheap
b) Firefox apparently added full support with version 109 in january
Or just use a usb security key
Any FIDO2 security key should work (YubiKey for example)
I will be using this from now on!!
I just hope this won't be forced onto us
#💯 I agree... because with the iPhone 17 update I am hearing that there is a feature being forced on you already, open to accessing every iPhone you pass by, linking your phone to strangers with your info!
Good stuff, I knew about passkeys, but now I know that they are released.
I was actually wondering about this feature a while ago and I don't fully understand it. Thank you for this video
Wait hold up this video was posted 25 secs ago and you commented 17 hrs ago?
@@tdrg_ he’s joined in the channel with join button
@@tdrg_ Channel membership 🙂
That makes sense
Can't wait for the "Why Passkeys Actually SUCK" video next month because there's some problem that wasn't discovered during testing
bruh i was thinking the exact same, bluetooth isn't that secure
@@AlphaYellow Yes especially since it's not safe to keep it on when it's not being used.
@@AlphaYellow You can use a usb security key, no bluetooth needed
Any FIDO2 security key should work (YubiKey for example)
So, an alternate version of certificates, yes? I need to read up more on this, but thanks for creating this video to let us know about it! 👍
Wow! You explain things so well. Much appreciated
If you lose your phone or if you're trying to login on an older pc with a mobo that didn't support bluetooth you're basically SOL. Great move, google ... We love the .zip domains as well❤
Apparently you didn't watch the whole video as he talked about both these scenarios
Thanks, just set mine up, works great. Sadly very few sites I found support it. If this gets more popular I might even get a fingerprint reader for my desktop.
Thank you! You make watching You Tube very very useful!😃
This just seems like a less secure way to do OpenPGP, without any control over the keys. I already have little faith in Microsoft and Google for privacy, so why would I give them my keys?
you can use a hardware key instead of your phone (yubikey for example)
Another good thing after the log in with google button. I love the Sign in with google button btw its just so easy just requires one account.
Yes of course you absolutely want to set up this new authentication method before it has the time to be tested, it's always a great security feature to jump on any new technology
I have several google accounts, I’ll definitely be switching to passkeys. Thanks for introducing us to this
I am very skeptical of anything that google comes up with. I hope they dont force this passkeys on all users.
I believe he said the development of the passkeys was a joint effort between all major tech companies, not just Google.
I used this twice this past week. It was simple and easy.
What if I use Linux? On PC and phone?
Aren't we reliant on Google and Apple then?
What about self hosted for passkey backup, not relying on anyone else?
What about people who don't have the internet?
@@FusionDeveloper well then, it's not something for them. Because they don't have a use for it yet because of no internet.
Using a phone at least works in chrome on linux, local usb security keys don't seem to be supported yet
I don't know about using the phone for firefox on linux, but they added support for usb security keys on mac and linux in the latest nightly
Great! I just saw that this was added the other day and was planning to research how it works.. research done 😁
It would be great if google focused on answering questions, seeing as they no longer do that.
That's great but it doesn't fix session jacking. If you click a link your account will still be compromised. This is really just a virtual yubico.
So basically they are implementing SSH public private key authentication.
That’s what I was thinking 😮. But I don’t need google to come in between, and hopefully we have open source clients
Yep, gonna set it up.Thanks
I've been waiting like 6+ years for FIDO2 (and more recently WebAuthn) to actually be supported by services. So I am extremely happy to see these passkeys finally making headway. Phishing will become so much harder and many peoples accounts will become overall more secure since they won't be reusing weak passwords everywhere.
more secure while giving Google or Apple my private keys to all my sites?! Sorry, I respectfully decline. How insecure is 'end-to-end encryption' when the end encryption is so weak that it is a local swipe pattern? I say this is such a bad idea to trust Google or Apple or Microsoft with weakly encrypted private info. It sounds stupidly ignorant to me.
@@humilulo You don’t have to give the private keys to anyone. Passkeys are a FIDO specification. Any device that supports FIDO2 is compatible (such as a Yubikey)
@@humilulo Also you’re misunderstanding how PINs and the like work on modern devices. The actual keys to everything on your device are stored in a hardware module. When you enter the PIN you are authorizing the hardware module to release the key which is then used for the cryptographic operations.
Depending on the design it may not even need to release the key to the OS. In that case all the OS is able to do is ask that hardware to encrypt or decrypt data.
@@MarcusTheDorkus I think you are failing to make your point. It encrypts it with what key? For what party? I am ignorant of a coherent cryptographic chain process where sharing it with Apple or Google is not a horrible idea. Can you fill me in?
Thanks for this explanation. Very helpful.
You don't even understand how bad things really are already, now imagine how bad things are going to get when passwords become obsolete (this becomes mandatory).
That's assuming technology will NOT evolve to eliminate the need for physical devices that can be easily misplaced. There is quite a lot of competitive tech research at work trying to eliminate the need to carry a cumbersome mobile device that serves as your "proxy" identity. Future tech will identify "you", rather than your username/password or phone or something that's not directly and "you". Hence, things like "turn on your bluetooth" or "scan so and so image with your phone" will not be required at all.
Edit: Corrected (or atleast tried) grammatical mistakes. English is not my first language, but hoping to get better at it.
You don't need a phone for this.
Any FIDO2 security key should work (yubikey for example)
this looks unironically amazing
this assumes you have a smartphone
@@ttrev007 and bluetooth supported pc
Since I have the iOS 17 Beta, Apple automatically enabled a passkey for my iCloud account without asking me lol. I noticed, when you try to log in on a device that doesn't have Bluetooth, it asked me to plug my iPhone in with a cable, but I haven't tested if it works.
Wow, I hate it :) I'm going to avoid using this feature as long as I am allowed to
Same team ✋🏻
Why?
@@CattopyTheWeb it's bad security (Bluetooth isn't quite there yet), plus it's weird as it requires specific software so it won't have Linux support
@@CattopyTheWeb You still need a login ID (username or email) and a password to log in to your Google account or whatever other account is storing your keys. That part is online. This is something that is only good for businesses since they don't have to worry as much about security. Putting everything in one place is not secure. Granted, many of us already use Google Chrome as a password manager, which would have the exact same vulnerability, but if they really wanted to make it more secure than passwords then they would make sure it stays offline entirely.
There's also the marketing of the feature. If it's said to be secure from phishing scams then people are going to trust that. We know that putting everything into QR codes is not secure, however. It is very difficult to verify if a QR code is safe without first putting yourself at risk. If somebody sets up a fake website which looks just like an official one where you would be expecting to input sensitive information, then there is a risk that they will trick people into giving them other information before they realize what's happening, if they do at all. Scams are getting more and more sophisticated and it is getting difficult even for tech-savvy people to recognize when something is wrong. This introduces a new vector for attack due to its unfamiliarity.
Maybe in a few years there will be data showing that it actually has had a positive impact on preventing attacks, but I'm not going to trust it until then.
You can use a usb security key
Any FIDO2 security key should work (yubikey for example)
Very well explained !!
Ah, the Google Passkey predicament. It is, indeed, a situation as complex and nuanced as any Cardassian enigma. You see, there is a certain, let's say, "inconvenience" in the Google Passkey design. It bears resemblance to an Obsidian Order operation planned without considering all necessary contingencies.
The flaw, dear friend, lies in its inability to operate in environments such as RDP and Citrix, where the lifeline of Bluetooth connectivity is severed. Just as a Cardassian Gul would find himself at a loss without his trusty subspace communication device, so does the Google Passkey fail to perform its duty in these circumstances.
In the days of yore, the solution was as straightforward as a Bajoran telling time with an Orb. You'd simply correspond the number presented on your computer screen - a system as simple and reliable as an old Cardassian shuttle. Alas, the winds of change have swept across this landscape of technology, leaving us to yearn for the simplicity and functionality of the past.
In essence, it seems that while striving for progress and innovation, the architects of Google Passkey may have overlooked the importance of universal functionality - a misstep akin to ignoring the importance of a neutral zone in interstellar politics. It's a lesson, my dear interlocutor, that sometimes in our quest for advancement, we must not forget the utility and reliability of the tried and tested.
I ain't got no got dang idea what you be sayin spaceman, all's I know is my nokia 3310 has no camera or bluetooth and like heck am I ever replacing it!
@@glebglub He is saying this cant be used over a remote desktop connection
Excellent video and I’ll give it a try!
This sounds like jumping through a lot of hoops to force compatibility. The only advantage to this is the extra security. It would be much better if, upon account creation, Google already generated a passkey that could be used to link with other websites, just as how other sites create their own accounts by linking to your google one.
Of course, this is still following the trend of attempting to track and isolate people online and giving them as little privacy as possible. Google will undoubtedly share all of your mobile activity to every site using your passkey for advertising. Especially if you're using an Android device, which has unremovable apps that only serve to sync the data of all the Google apps. I see this as a complete negative and would definitely like to avoid any Google problems affecting my accounts on other sites.
That aside, if they're looking for convenience they should think about fixing YouTube. Aside from this very site, Google itself is beyond convenient to the point where they simply don't have much left to do on that front. They could maybe change how web navigation works by sorting sites into categories, being able to filter by site traffic and such, providing the ability to search using all forms of digital data, or even better, provide a way to automatically find similar websites based on one of those categories. But yeah, I don't see much need for passkeys.
Just use a FIDO2 hardware key instead if you are worried about privacy.
From the fido2 webpage:
"Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device."
"Google will undoubtedly share all of your mobile activity to every site using your passkey for advertising."
I own a site which uses Google's sign-in API and displays Google ads--where can I get some of this data? I'm not sure you know how this works. They don't need to share your data with external sites in order to advertise on them.
@@GrantGryczan I didn't mean for Google advertisements, but for people unable to make use of Google Ads.
@@puppergump4117 Then under what configuration can my website to receive some of the data you're saying Google will freely share?
@@GrantGryczan No clue. It could be built into many things, such as being able to gather all of the profile information about each youtube subscriber, or knowing how much of the video each person watched.
What I do know is that Google blatantly gathers data from each of its many apps and syncs it together. Much of the data is not relevant for personal use, so it's used elsewhere.
Thanks man, very useful info as usual
Absolutely terrible for those who wanna keep anonymous accounts
Soon it'll get forced onto us like 2 factor authentication
I've lost multiple accounts due to 2 factor authentication effing (suspicious activity😑)
How do I keep off the grid accounts!
You don't need to use a phone.
Any FIDO2 security key should work (yubikey for example)
Thanks for your useful info as always
3:10 Wow...no website has made it this clear before that your phone has to be near the device with which you are trying to login. Thank you for this important piece of information!
I have to say something about fingerprints. I am a climber, not even a good one, and after a good climbing session I usually can't log in using my fingerprint, because my skin doesn't look the same. Once I even had to redo the setup, because it was looking like I had another finger. 🙂
Anyway, eBay had this for more than one year. I do login using the fingerprint on eBay. And I personally implemented over 5 years ago an authentication method for an app that uses private and public keys. Actually the most secure in the world to date, because it also prevents the replay attack.
Sounds really nice, but ONLY if it's an open standard and if there are independent apps for using them. Like with TOTP
Thanks Theo I really wanted to understand pass keys
Great work as always!!! Will logging into a desktop which has no bluetooth still work?
No, the video explains that you can get a cheap USB Bluetooth adapter for that desktop
Great info and feature! Hope it will be available for Google Workspace users as well soon! Way to go, Google!
Awesome! About time!
Thanks Thio. Much appreciated
I received email about this and changed accordingly, its a nice update
Oh that's interesting! I just saw that like 2 days ago when enabling 2FA - I didn't think it was brand new, cause I rarely check the Google Account settings otherwise.