Google Passkeys Have Arrived (here's how to use them)

Here's the deal: passkeys are going to replace passwords in the near future. But are you comfortable starting that transition yet or are you going to wait until things get a little easier to manage?

Interesting stuff! Meanwhile it's laughable that banks barely have strong password requirements, with only sms 2fa if you're lucky.... it's a total joke

Question about password security. Do you know of anything that we can store passwords on, something like yubikey, that would do the same functions as 1password or bitwarden?

Glad to hear you are trying to figure this out cause I/m still scratching my head. I agree with the yubikey method.

At the end of the day, this is just an "online version of a YubiKey", meaning that the approach is the same as the one with YubiKey, but the challenge answer is shared not over USB channel, but online. If the private key used for signing the challenge sits securely in your phone HSM, you should be safe as long as your phone doesn't get hacked (which with offline YubiKeys would be much harder): indeed, if your phone is rooted, such private keys are not secure anymore, even if they reside in the HSM.

Good to know I'm not the only one confused. XD You did at least explain the core idea behind aka the user is no longer the weak link, ideally. I do wonder about how security will pan out over time and just hope like you that physical key support stays a thing, and ideally continues to spread.

If my passkey is a pin code from an android phone, will the new device trying to login still have to use a QR code and will i get notified if there's a new sign in with passkey?????

Now they can link accounts to your identity. No more burners. Klaus is happy with this.

I have only a laptop entertaining myself on RUclips. For the time being there is no need for me to have a phone. Do I soon need a one to browse RUclips on my laptop. Will I be I locked out if I don't have a phone?

Passkeys can techincally be stored on a Fido key. I have done so with mine. However I only have room for 12 keys.

Technology corporations are constantly crossing the line with biometrics. Never give up your data to anyone.

Hello just for your information every single time I've set up past keys so far on non-apple devices because I don't use Apple devices it asked me if I want to use a hardware key or if I want to use the device itself because this technology also works if you just use normal to a fake keys which addresses which concerns at the end of the video

Can you talk about Firefox add-ons?
Especially the Firefox Relay add-on

Thanks for the video. Still unsure if this is a better option than the physical keys. Any follow up videos to clarify our confusions will be highly appreciated!

Is it tested? Passkey work for Windows Hello Pin, but for automatically added android device, it prompts "sent notification to the device" but there is not reaction.

Can you no longer add another security key since they added this?

I see no more asking for passwords. I continued to test it and then Google asked me one more time to activate the passkey. Now it’s just entering my email and then clicking on continue. An explanatory step later and one more click and it’s done, I’m logged in.
I assume this explanatory step with time will disappear.
Cheers from a happy surfer from Sweden. 👋🇸🇪

Thanks Josh. I couldn't sleep last night, just thinking through options for Authenticator Apps 😂. (I use 2FA where possible, but they are SMS based).
Passkeys sound like a natural progression and I like simplicity and the extra security. I'm however a bit concerned about whether Passkeys, being partially based on biometrics, might lock out immediate family members, should I pass away?

Do you need a special device to set up google passkey for MacBook? If yes, can the same passkey device be used with multiple MacBooks (same Apple ID for all of them? )

Will this system still be susceptible of account hacking (ie. on RUclips channels) since they store cookies and those can be stolen by virus software?

Thanks for the video. I get the potential benefits of passkeys, but nobody explains if I can get locked out of my accounts, or what if I set up a passkey on my computer but then I'm travelling and don't have access to the desktop, or if I set them up on the cell phone and lose it, etc etc. Can you possibly shed some light on this?

This ‘you still have to fill in your password thing’ they fixed that. On my iPhone I created a passkey for my Google account. It worked on my iPad right away and on my windows laptop with scanning of the QR code. On windows it asked to create a new passkey for my windows laptop which is stored in windows hello. About the security keys. It’s the same protocol and yes a security key is a little more secure than a passkey for a number of reasons. So I don’t think the keys will disappear anytime soon.

I really like the idea of passkeys and changed my password into a very complicated one, expecting, that I would only need it as a backup, if ever. But it is a annoying, that login to a chromebook (not unlocking screen) still requires a password. And in my opinion this contradicts the whole idea. I mean, I have my smartphone next to me and I can use it to log in to my google account on a chrome browser on any windows system. Why not on a chromebook, googles own system?

I agree that Yubikeys are much preferred over phones. What would happen if your phone was compromised and you were not aware of it.

You can now enroll FIDO2 capable keys at Passkey section in security tab of Google account settings. Tested with Windows 11. I need to dismiss Windows Hello twice to begin enrollment of Security key by Yubico.

Hey there, how can I turn this off
I don't want my lockscreen code to be the password to my google account
I have authenticator already setup
Dont want this on my phone
Thanks

I'm very sceptical about this (not least because it's Google). I'm happy using a strong unique password and 2FA and I'm yet to be convinced this is better. Also, Google accessing the passkey itself is not the real question here. Google is all about tracking you and making *you* the product, so I can see scenarios where Google doesn't know your passkey but it does know _where_ you are using passkeys.

Hey great video, yeah so like you said this is obviously new to all of us & lots to explore……now with Google there are a ton of apps like RUclips that need to be signed in on Smart TVs/Apple TVs or the like & then there’s the security element once your account is signed in on another device which may be in your home or office…same goes with Google Maps; possibly signed in on an Android Music system in your car or the like…so considering we don’t use the same Google account everywhere then we don’t enjoy their premium services if one is a premium user…just some thoughts to consider 😊

They aren't working for me, I create them, but it doesn't give me the option to use them when signing in...

Before May 1st my android ph and Windows PC both worked fine with Google Account & email. Then my PC died. Now my new PC which is using Kaspersky Password Manager just like the one that died can't login to any Google account. Ph is just fine. How do I get my New PC to work with Google?

Awesome overview

I have a laptop in every room of the house and sometimes two or more laptops near the different chairs I sit in. I use different distro's of Ubuntu and linux on all the laptop and some I have dual and triple booted hard drives with three operating systems, I even have one laptop I rarely use with windows 10 on it, that's just what I do and enjoy. This sounds like a freaking nightmare to me, is this going to be ( forced ) on to us with no choice what so ever ???

Nice content... I have a question that probably is another persons question also... So If I create a passkey on my mobile device and then i set a lock screen password to use that passkey (if I understood correctly) then someone that steals my mobile device and that saw me putting that screen lock password for the passkey will have direct access to my account? I hope I'm missing something here... Thanks

hey josh i'm waiting you to talk about it and my question is
i set up a passkey for my samsung phone S9+ use IRIS scanner it is extremely biometric secure and the Question is why when sign in my laptop i notice that account log out Automatically every single day i need to log in and my laptop dosent support any kind of biometrics?!

When i scan the qr code it always say "failed to parse qr code" how do i fix PLS HELP!

When I tried to set up a Yubikey on my Win 10 PC for Google, it said, "Passkey cannot be set up on this device". I installed Windows Hello and then it worked.

I can not create a passkey on my Linux box and despite my S20 claims to have one being made already, it doesn't work either.
So I stick with my Yubikey and KeepassXC.

I created the passkey and I am still asked to go to RUclips first. Afterwards I enter the passkey. This is annoying. One more layer to slay.

Great Video!!

I could imagine, for example if it turns out that the phone number is way too old to to pass the verification challange. A pattern lock can be offered for android or face id for apple. Interesting

When it asks for your password you have to click on the words that say try another way for it to use ur passkey

How to disable them?

Its still early days for passkeys. I think, I will wait till things get more clear. Nevertheless, Great video Josh

how do i remove it?

Is it safe to save the passkey in the browser? My gut tells me not, what am I missing?

What about mobileless users like me? Passwords are easy for me passkeys are really complicated this is insanity. What if I also login to an older Google account of mine where I had never set a passkey? Will it just disappear because of some stupid new "tech upgrade"? Ugh.

ty

How do passkeys protect your embedded identity when your device is stolen? Mobile phone theft is on the rise. What do you do when you upgrade to the next smartphone and trade in, donate or recycle your old phone?

Yubikeys still the GOAT in my opinion

This would not be Ideal to a secretary or personal assistant who is manages several devices for two bosses. I log into their many devices so I'm constantly entering in passwords.

A long time ago I put in my password and had it saved so I never have to type my password again. How is this easier ?

I think Google broke something. I was able to sign in from my phone, but now when I try to sign in on a computer I have to put in my password.

It is a much more secure method of logging in than just passwords, although it is not really a step up on security if you already use a long complex password which was generated by a passowrd manager + a 2FA method (exluding sms). It is just more convenient. Because of that, you are still vulnerable to session hijacking, an increasingly popular method of hacking, especially for youtubers.

It would be so much easier if we all could use our thumb print.

Saving your passkey to the Apple cloud is NOT end to end encrypted.

What if my phone breaks, or I lose it, or someone steals it from me?

Passkeys are resistant to online attacks like phishing

Sounds like passkeys will be useful for 90% of sites, but downright dangerous for the other 10% of sites. Im hoping for a Passkey+Yubikey solution.

set up a passkey for my accounts

It says that my device does not support passkeys.
This is bullshit.
Ill stick to my passwords.

it doesn't work on my Pixel 7 Pro

Don't we still have to remember our userid's?

Yubikey > Passkey

Hello!

The future is now!!!

I'll need to watch the video here in a bit, but my immediate reaction to this from Google is "meh". They need to copy Microsoft's passwordless sign-in & stop this pantomiming with their phones. 🙄I enabled this on my account the other day and it solidly feels like a marketing gimmick by deliberately over engineering around their phones, rather than doing the sensible thing and going truly passwordless with FIDO keys. I still had to use my password to sign into google accounts on both my desktop and my phone. It was only after closing the browser and reloading the site that it finally acted as though the passkey was necessary. I'll need to use a browser in a Sandbox to verify that the service is working as one would assume, but for now, until I do, I actually wouldn't trust this to secure my account.

Correct me if I'm wrong but these google passkeys are ALWAYS the same as your phone passkey! So whoever gets your phone key somehow now has access also to your google account! And whoever has gotten your google key now has access to your entire phone! I tried making a DIFFERENT PASSKEY from my phone key. You can't!! Privacy would be being able to make a number that ISN'T your phone key! Google passkey is fcked! Do not use it. You can't DISABLE google passkey once you've given them your number either!! This number is ALWAYS your whole phone passkey!! It's a way for them to get into whole phones!! I tried to post this to reddit 6 times and got deleted!!!

What if you have not set up a passkey but enable the passkey function on your google account? It seems really troublesome to get it work

👍🏻

honestly reluctant to use this. not rolled out by Google well. I am a tech person and I don't really understand this.. :)

hard to follow video

4 minutes of nothing.
Show us an example video of the creation of one passkey, so we can actually use this feature TODAY.

I would have expected better from a channel called "All Things Secured".
Either properly mark your Google advert with the necessary text in the corner at the start of your video or stop spamming.
We don't need your stinking passkey spam.

Nope. Never going to happen. I frequently am on my computer with my phone nowhere in site. Not to mention,. I am not going to lock my fucking phone just to sign into Google.

Sounds more confusing and uncertain than passwords at the moment.

That stain on your blue background is annoying as hell.

I hate this feature

I'm losing brain power a little more each year. And I just lost more watching this. I'm retired so that's my deal.

I wouldn’t trust google with my dirty socks 😂

NEVER EVER WILL I TRUST GOOGLE PRODUCTS

I've had the opportunity to test it a bit more and the results are, well, a bit disappointing. Windows' sandbox, unfortunately, wouldn't read my Yubikey for whatever reason, so I purged *ALL* cookies from one of my browsers and then ran it with all add-ons disabled. Result: Google still prompts for a password, so this is simply not a passwordless account setup. Specifically, the login flow is now: Username (email address), password, Yubikey, then passkey. Once you're signed in, Google then "fakes" a passwordless account by no longer presenting the password prompt when you sign in next time, but this is just left over from a previous cookie (strangely, incognito was not enough to avoid this, but purging ALL cookies did the trick). Note that I'm using "advanced account protection", but the password entry requirement still exists before either the yubikey or passkey is requested by the login flow. I may be misunderstanding something but as it is, the "passwordless" claim seems to be kind of smoke and mirrors. Terrible? Not really, but honestly it's just more weight on my opinion that they're stubbornly refusing to go truly passwordless like Microsoft in favor of making their phones the big focus, rather than security. In my opinion? People should keep using Advanced Account Protection and maybe skip this passkey thing, especially considering how damaging the passkey could potentially be if your phone is stolen. 🤔 But that's, like, just my opinion. (Big Lebowski)