Passkeys are HERE and they're SECURE! Learn this today...

21 May 2024
268,934 views

What is a passkey? Passkeys are hands-down the most secure type of login authentication available today, even though using them is deceptively simple. Passkeys use a public/private key pair to authenticate with the sites and services that you use, unlocked with your existing PIN code, Face ID, or Touch ID. Passkeys are designed to be easy to use, phishing-proof, and brute-force-proof, and it does not matter if your public key gets leaked in a server hack: it's useless without the private key, which only ever lives on your devices. By mass-adopting passkey technology, we can help put an end to the scammers and hackers who prey on folks with poor security hygiene.
Get your YubiKeys here: geni.us/GunRC (affiliate)
Remember to use coupon code CROSSTALK at checkout to get $5.00 off YubiKey 5 series or Security Key series security keys!
Timecodes:
00:00 Intro
01:27 What is a passkey?
05:11 Features of passkeys
06:21 Passkey security explained
12:21 Passkeys in the Enterprise
13:38 Passkey demo
17:03 Who do you trust with your passkey management?
18:24 Security Hierarchy
Thanks to Yubico for sponsoring this video!
----------------------------------------
Buy me a coffee! ko-fi.com/crosstalk
Crosstalk Discord: / discord
Follow me on:
- Twitter: / crosstalksol
- Facebook: fb.me/crosstalksolutions
- Instagram: / crosstalksolutions
- TikTok: / crosstalksolutions
- LinkedIn: goo.gl/j2Ucgg
Crosstalk Solutions - RECOMMENDED PRODUCTS: crosstalksolutions.com/recomm...
Amazon Wish List: a.co/7dRXc67
Crosstalk Solutions offers best practice phone systems and network/wireless infrastructure design/deployment. Visit www.CrosstalkSolutions.com for more info!

Comments
  • I love the idea of passkeys and their simplicity, but the biometric nature concerns me. In the US, the government/police can’t force you to reveal a password. That is because it’s considered a 1st and 5th amendment protection. Biometric based logins are NOT protected in the same way. That is why password managers w/ security keys still seem like the best to prevent government intrusion.

    @chrismargolis · 9 months ago
    • The "freest" country in the world 🤣🤣

      @WanderTrekker · 9 months ago
    • @@pinky6863 So what if I'm required to give them 256-character password from my password manager? :) Passwords won't come cheap! :)

      @graysonpeddie · 9 months ago
    • @@pinky6863 In Germany both are protected under our "Grundgesetz"/constitutional law, and also under the "Strafprozessordnung"/Code of Criminal Procedure. You don't have to give anything (information and things) to the government which *could* incriminate yourself.

      @WanderTrekker · 9 months ago
    • @@pinky6863 Not sure you're right, as you are required to give prints and DNA samples if you're arrested in the UK. And we have new laws effectively going to make it illegal to use these because of the lack of a government back door

      @damiendye6623 · 9 months ago
    • Exactly, but also people near you that can use your finger or Face ID to get access. Somehow, brains are protected 😅 I would not use Face or Touch ID to confirm.

      @Alex-zv4oc · 9 months ago
  • The biggest limitation of Passkeys is the small number of applications that offer the option and the users that adopt them. Hopefully those will grow with time and videos like this one.

    @williamhughmurraycissp8405 · 9 months ago
    • To me the biggest limitation is losing control over my own Identity. PassKeys can be hacked just like LastPass, Comodo, Zero Ring, Golden Ticket, I mean... all this does is create a more valuable target... sure we might save the morons from being "hacked" but now even the geniuses will be forced into this ecosystem and they will now become less secure. Remember the old joke... if you are being chased by a bear... all you need to survive is be faster than the slowest person? It's the same concept. With "gimmicks" like this... it makes even the fast as slow as the slowest! Now... you have to rely on someone else's ability to dictate your survival and you will not have any ability to understand this technology to fix it when it goes wrong... but the hackers will... they will know more about your own security than you ever will. You have a job to do and can't dedicate the attention necessary. But they have time... they have plenty of it since they get paid by their various governments to datamine your "identity" or just flat out NSL the data directly without any way for you to know or even challenge it. A day will come where an employee is fired because a government somewhere does something with their account and how is the poor sap going to be able to prove any of that? The entire ecosystem is completely outside of their ability to even "know" which means courts will throw out all of your challenges because you can't even prove harm... And just like that... the entire world is compromised. Especially as AI takes off. Nothing beats a personal password where your brain is the storage medium. These are only to fix the problems with the stupid and lazy.

      @CD-vb9fi · 9 months ago
    • Agreed. So far, even Amazon doesn't accept it (yet). However, because Google does, you can use it for any account you can access via Google including PayPal...which is pointless because PayPal accepts passkey.

      @ianl1052 · 9 months ago
    • I like the idea of passkeys, but yes it seems like the acceptance by apps & sites is woefully slow. 😎

      @freemagicfun · 9 months ago
    • @@freemagicfun It's just so complex. Not many people even understand this, so even if the sites offer it, I imagine almost no one uses it.

      @bkbroiler5946 · 7 months ago
    • All of the major email platforms and operating systems are supporting them (Apple, Google, MS, outlook, gmail). But true that most others services do not support them or hardware security keys. The banking industry is woefully behind on the security front.

      @CyberMedics · 5 months ago
  • Agree. This video explains the matter thoroughly and clearly. Helped me a bit further on grasping the passkey tech. Important to highlight though; - The ‘passkey technique’ is what it’s all about. Which hardware you use to make it happen is secondary. (you don’t need ‘security keys’ per se to be able to use the passkey authentication.) - For now it depends on the OS / browser version used, if it can handle passkeys QR codes. Hopefully third-party apps for devices will soon pick up the art of handling, syncing and storing of passkeys. - An example of how the latter can bite you in the tail is the nasty surprise for the Apple ecosystem; As for example using security keys, it needs all your devices to be running the latest OS. It’s all or nothing. If you implement security keys, any device not able to run the required OS is at loss. (booted out of the eco system)

    @GerryVeerman · 9 months ago
  • Correction: the private key answer to the challenge is checked on the server, not the client. It would be no security at all if the device was just sending "whether or not the challenge was successful" to the server. :D

    @travails3829 · 9 months ago
    • Was coming to say the same thing... would def be pretty sus lmao

      @karicallegra8194 · 9 months ago
    • Presumably the servers would also have to use the public key to encrypt a unique timecode in the data sent, and then verify the same timecode in the response, in order to prevent client playback attacks.

      @isovideo7497 · 9 months ago
  • **fast clapping** Thank you! Thank you! This is the best, most complete and concise explanation of Passkeys I have heard yet! This video is going to help me so much in explaining the technology more to my team at work and family/friends.

    @n2hobbes · 9 months ago
  • Yubikeys are great, but due to their inherent limitations of 2FA secret storage on their keys I'm waiting for them to upgrade that storage and release their 6th series before I buy a handful.

    @jaxxarmstrong · 9 months ago
    • And their recent price increase 😡

      @RogierYou · 9 months ago
    • I would highly recommend you don't buy security keys. If you enable Google's highest level of security, and they detect a potential attempt to break into your account, Google will immediately disable every way of logging into your account, and disable all of your security measures, including your password, then require you to reset your password via a link in your gmail, then only after resetting your password, will you be able to re-set up your security keys. If Google can't even trust a yubikey, a titan security key, 2fa via Google's app, passkeys, and passwords, to verify who I am, you probably shouldn't trust them either.

      @MegaLokopo · 9 months ago
  • Passphrases (staple horse battery correct) on a secure FOSS password manager FTW. Passkeys are 1: expensive, 2: accounts charge to use PassKey logins, 3: a hassle to carry around for clumsy/daily life users who lose and break stuff.

    @kotgc7987 · 9 months ago
    • Problem with passphrases are that they're much more vulnerable to dictionary attacks. 4 correctly spelled common English words are not going to keep someone out for long.

      @norgeek · 9 months ago
    • @@norgeek Then don't correctly spell them. Use a mix of capitalisation and obfuscation, use multiple languages, and use different 'spacer' characters between the words. I use an eight word phrase but instead of all being English language words, it includes words from two other languages, and all the words are deliberately misspelled. Could I accidentally give it away? Yes of course, but if I only gave the plain translation, it would still take a long time to turn into my actual password.

      @_starfiend · 9 months ago
    • @@_starfiend Misspelling and other obfuscating techniques don't necessarily add much protection; a good attack dictionary would be set up to include, say, the thousand most likely variations of each word. Random characters in and between words, and multiple non-obvious languages should make a significant difference though. But at that point you're looking at a significant effort in keeping the passwords unique between each new website without reusing a similar syntax.

      @norgeek · 9 months ago
    • @@norgeek While I'm not arguing that a password/pass phrase is necessarily the best idea all the time, adding obfuscation and misspellings adds more difficulty than you might think. Just as a simple example, my step-daughters are bi-lingual English and one other. Although they speak only English at home, at school they are required to use the other language full time. This means that when they have to write in English they regularly spell phonetically using the other language. I've got used to it now so I can read it, but by doing that they misspell English words in ways that not just change the spelling, but also change the length of the word, and even in some cases would change the English pronunciation. They do it unintentionally, now imagine doing that intentionally, and doing it with multiple languages. Those word lists would get scarily long. Plus, and it looks like people are not seeing this, you might guess it's a phrase, but how do you know how many words are in that phrase? A 50 character phrase could be anything from 6 to twelve words. How does an attack dictionary help then? A decent pass phrase deliberately does not use only the most common words, but adds longer or less common words as well. It's also not as difficult as you might think to have half a dozen pass phrases. Because they are phrases they are easy to remember, and I just remember how I obfuscated them. They are also (mostly!) not related, so even if you guessed one, it would not lead you to the others. Personally I find pass phrases easier to remember than the "staple horse battery correct" idea, which while I accept is a good idea, just doesn't feel long enough to me. I would want to add at least two additional words. Minimum. At which point proper phrases do become easier to remember, yet no easier to crack.

      @_starfiend · 9 months ago
    • A serious problem with passphrases (or any preshared password) that passkeys entirely leapfrog is the possibility of replay attacks and some forms of phishing. Passkeys significantly reduce an attacker's ability to man-in-the-middle an authentication attempt from outside of your device (e.g. by convincing you to log into a replica of a real site). They do this by removing the human from some parts of the picture: You can't be convinced to give your passkey to the wrong website, because you don't know it, and aren't required to send it anywhere during a login attempt. And even if someone observed ur login attempt (which requires a compromise of your device), no part of it can be used to log in a second time. As well, you're not a part of verifying that you're looking at the right website: Your browser does this for you, and will not let you even attempt to log into the wrong site with your passkey. It's less about preventing someone from being able to guess your password, and more about making the act of logging in more secure. One longer term benefit is that it can reduce the friction of requiring you to log into services more often, without affecting the security of those login attempts.

      @seetentees · 7 months ago
  • A comprehensive and simple explanation of the various methodologies. Thank you! I love your channel. You present relevant topics with detailed information.

    @MrSoulMonk · 9 months ago
  • I was pretty up to speed on this but what a great review and in my case, confirmation that I'm arranging our digital security in the best way for us. Thank YOU!

    @GeeWit · 9 months ago
  • This is a great video, but couple of suggestions: I understand this tech really well (I’ve been an app security architect for roughly 15+ years, and went into platform architecture), but I tried to consider how my parents (in their 60/70’s) would take it. There’s still some assumptions made, like salted passwords, how key exchanges work, etc. So it’s kind of a decent primer for someone who already knows tech, and how FIDO/TOTP already work. I can’t say I could do any better though, because these can be difficult subjects to explain…but I think it’s something to consider, because it’s these groups (like my parents) who are the most vulnerable. Overall, this is a great video. It calls attn to a huge problem (and timely because I am forcing my parents to use a password manager this week). Thank you for creating the video!

    @cloudcultdev · 9 months ago
    • Agreed. It was a bit confusing and I came out of the video still not certain about what it is and what it does. Simplicity is the passkey for many of us.

      @wlarsen70 · 9 months ago
    • I watched this video and all it did was convince me to not use passkeys until I have to. What happens if you lose your smartphone or don't even have one?

      @jamestemple8970 · 7 months ago
    • @@jamestemple8970 it's not a great answer, but the idea is that any passkeys on your smartphone are synced with the mobile ecosystem owner's cloud password sync provider. So if you happen to have multiple e.g. Google or Apple devices already enrolled with Google or Apple's cloud password syncing service, they'll all magically have all of the passkeys either device has ever created. If one device breaks, you can use another device to enroll a new device into ur ecosystem account, and it'll magically get all the passkeys synced up. This has obvious implications which are kinda concerning (mobile ecosystem vendor lock-in), but it is what it is. If a passkey is only on one of the devices from an ecosystem (e.g. if you made an account somewhere, provisioned a passkey on your solitary Android phone, and never enrolled a passkey elsewhere for that site) if you lose that device, you have two options: Option 1: Start the recovery process for the mobile ecosystem account tied to the device: So continuing the example, if you lost your solitary Android phone, buy a new Android phone, and use the recovery options for your Google account to sign back into it. Then it'll magically have all the passkeys previously provisioned. Option 2: Buy a new other device (iPhone or Windows device with Microsoft Hello, or any device plus compatible hardware security keys), then go down your list of actual passkey protected accounts and invoke each one's recovery process to enroll new passkeys. At least for now, it's a great idea to enroll your convenient to use (but breakable/stealable) mobile device *and also* additional hardware security keys that you can lock up somewhere. Passkey auth requires some different factor (mobile device pin or biometric lock, or hardware key PIN) so the idea is that even if someone stole your backup, they won't be able to log into anything. BUT if they destroyed all ur backups and your main device, you're in trouble. The same trouble you'd be in if you lost your password pre-Passkeys. The crap thing is that you cannot simply remember ur passkey, and you can't practically write it down. Practically, each passkey's private key will be hidden (even in some cases totally inaccessible) on a physical device, so you just need to make backups in the form of ... enrolled devices upfront.

      @seetentees · 7 months ago
    • @@jamestemple8970 One thing he highlighted is that password managers now allow management of passkeys. I think a password manager secured with a hardware key is more secure for managing your passkeys, vice a device or Apple keyring.

      @CyberMedics · 5 months ago
    • I could not agree more, clear as mud. You expect the millennials to have even considered that scenario?@@jamestemple8970

      @HorseTVGlobal · 4 months ago
  • Nice summary. I wonder if cloud based passkey synchronization is being overemphasized. The alternative is to just log on to a new device using an old device that already has a passkey, as you showed in the video. No cloud based passkey synchronization required. But, you still need some kind of passkey backup, whether cloud based or local, in case you lose access to your device.

    @dansanger5340 · 9 months ago
  • I think passkeys are a great idea, and as (another) IT professional I understand the benefits. However, they are not without their issues. You have to consider adoption and compatibility, their adoption may not be universal across all platforms, applications, and devices, and some older systems or browsers might not support FIDO2/WebAuthN, limiting their widespread use. You also have the hardware dependency with the issues that brings (forgetting or losing your device, backup and recovery). Initial setup complexity - as has been pointed out in other comments, how do you get your non-IT literate friends onboard with this? Finally cost - not everyone can afford one (really).

    @macbitz · 9 months ago
    • Also, have you seen how many dependencies FIDO2/WebAuthN has? It is so much work that most websites will probably never provide it, unless forced by their government...

      @Felix-ve9hs · 9 months ago
    • Jones' Law: "Anything hit with a large enough hammer will break." All security mechanisms have limitations which should be considered when deciding whether or not to apply them in a particular environment. That said, Passkeys offer a balance of security and convenience that works for a broad range of applications and environments. As to "too much work," there are, or will be plug-n-play implementations for most environments. Compared to doing nothing, they are "work." Many, not to say most, managers of websites are reluctant to do any work until they get slammed. I never cease to be amazed at the number of managers who opt for cure over prevention. However, the environment is becoming increasingly hostile and password reuse is a favored method of attack. Perhaps, keeping one's resume up to date is the least work. However, being associated with the victim of an extortion attack may blot an otherwise spotless record.

      @williamhughmurraycissp8405 · 9 months ago
    • I'm a (yet another) IT professional. I work in education. Shared computers are a common device deployment method for cost savings, so hardware-tied private keys would not work in this environment. There's also the problem of personal devices. 2FA implementation is always a controversial topic as for one, smartphone use tends to be discouraged, and two, staff are always against using their personal devices for work purposes, and schools do not have the budgets for hardware tokens.

      @HarmonicaMustang · 9 months ago
    • @@HarmonicaMustang Admittedly, Passkeys are neither as convenient nor as secure on multi-user systems. On the other hand, the majority of modern computer users have never used a shared computer, not even a PC. Most have only used a mobile computer, a single user system. Many of our security risks today are relics of shared systems. As the cost and scale of computers continue to shrink, solutions like Passkeys will become increasingly convenient and secure.

      @williamhughmurraycissp8405 · 9 months ago
    • @@williamhughmurraycissp8405 This misses the knowledge that there are lots of situations both in work and at home where shared devices make lots and lots of sense. I'm thinking a shared public PC in a living area where random visitors might well need to check their e-mail, but don't carry a laptop (and find a full desktop a lot easier than their phone), a roku TV where a visitor would like to load their Netflix profile for one movie, etc. In the work environment I'm thinking all sorts of kiosks where you have manufacturing, scientific experiments, library style public access systems, projection control computers - anything needing walk up access that might require authentication as different users for cloud services, work processes, etc. And in work locations this is going to be even harder because you'll want to give access via many to many matrix for users - both if their laptop dies you want to hand a new one they can start using immediately, but also access to the corporate cloud e-mail, cloud storage, local services, plenty of shared systems you remote into for various reasons like terminal servers and more. And from a work location there's the reverse issue of many of these hardware things just not being available to all OSs - if you use Linux you can't (as far as I can tell) use a TPM to unlock FDE, and worse, the management is completely different between MacOS, Windows and Linux. Passwords have converged to it working the same across all platforms. Not to say passkeys won't potentially get there, but we have these special proprietary "secure enclaves" that often aren't as secure as we are told. So Apple doesn't use TPM from what I can tell, neither does Android. So we already have more Windows only, or Mac only, or Android only implementations.

      @jamespulver3890 · 7 months ago
  • Great explanation! I haven't yet moved over to passkeys. This helped me get to grips with it.

    @slip6699 · 9 months ago
  • 12:38 Yeah, about that. You can't force them to use their personal devices. So instead you give them a different device. And they WILL forget it at home (or lose it). I am speaking from experience here...

    @kuhluhOG · 9 months ago
    • Sorry, there is no remedy for stupid. "The dummies have it, hands down, now and forever."

      @williamhughmurraycissp8405 · 9 months ago
    • @@williamhughmurraycissp8405 sure, but a password is easy to reset with these people, unlike a hardware key. Besides, I wouldn't even call them stupid; it's just that given enough people, you will always have at least one person per day, and it's always going to be somebody else

      @kuhluhOG · 9 months ago
  • Have one on order from your link. Thanks for the heads up. I will be using one of these for everything I can!

    @johns4870 · 4 months ago
  • Great video! Hopefully the fact that sites still hold on to your legacy password once you switch to passkeys changes soon.

    @extremepcs2807 · 9 months ago
  • Thanks Chris, love your content for years now (Note: house full of Ubiquiti gear, and thanks to this video, 2 new YubiKey 5C NFCs on the way :D )

    @TJWood · 9 months ago
  • Not sure about Passkey being more secure than Password + 2FA:
    IF [Passkey]: Access to Device + PIN == access to any website
    IF [Password + 2FA]: Access to Device + PIN != access to any website, as password is still needed.
    Although I do understand that passkeys protect against certain attacks better, like Phishing; it's hard to say one is flat out better or worse than the other.

    @mo3k · 9 months ago
  • Best content on passkeys I've seen so far. Thank you! Regarding the Best Buy example, you say that you don't have to worry about Best Buy getting hacked but how is that the case if they don't give you an option to completely remove your password?

    @robertburley6506 · 3 days ago
  • Clear explanations and nice overall. But some things are a bit oversimplified and even wrong. Such an example is the note that password managers are susceptible to server hacks. To begin with, one could have local-only password manager databases. Moreover, these services have setups where even with low quality master passwords, a server hack will offer no info to the attacker (feel free to check 1Password setup). Furthermore, having a secure master password would basically be enough to prevent any brute forcing, even if the whole hosting server is completely compromised.

    @lykp · 9 months ago
    • Agreed. Also the "they need your PIN" - yeah cool... What I took from it is that the vector of compromising the secret holding service gets eliminated. So it's still no match for pw+(non sms)totp for corporate or self host scenarios. Big plus is that it is a convenient enough method to use for non tech people. About the amount of time to reset a password. Not a strong argument, this can be very streamlined.

      @bubi352 · 9 months ago
    • I think he's talking about grabbing your account from some random website and cracking it with a rainbow table, not necessarily hacking the password manager's servers. A note about PIN codes, most modern devices have a secure element chip that is hard wired to prevent repeated attempts at brute forcing, so even if you have a 4 digit pin, while that's not great, a thief/spy/hacker would only get to try a couple dozen times before the timeout became days long. That would, in theory, give you time to mitigate the damage by updating your account information in the relevant places, unlink/remote erase the device, etc. Not all devices are equal though, so take it with a grain of salt. Might be worth looking up your device and how it handles that.

      @DFPercush · 9 months ago
    • @@DFPercush True. The iPhone has the self destruct mode (erase the phone) after 10 failed attempts.

      @CyberMedics · 5 months ago
  • Once a passkey is set up, is the option to sign in with a username and password no longer an option? How does recovery work if I lose my device?

    @tekenator · 9 months ago
    • It doesn't; you're screwed. This is why they will fail: backing them up is too complex for average users.

      @daveffs2991 · 6 days ago
  • If biometrics is required it is not government proof. This is because your consent is not required to have your photo taken or your fingerprints extracted. Lifelong passwords reside in your memory/mind and no one can get into it unless you voluntarily want them to.

    @jamesrosemary2932 · 9 months ago
  • Chris! Such a great video! I learned so much! Thank you!

    @TechnoTim · 9 months ago
  • Great description helping to show the overlap and underlap between Passkeys and hardware keys.

    @bugsy123 · 1 month ago
  • Does a hardware bound passkey have to be plugged into your phone to use it with your phone?

    @machdaddy6451 · 9 months ago
  • So let me get this straight...Even sites that offer passkey integration require a password, so if you have to have a password to do first time set up, even if YOU use the passkey, hackers will still have a password to try to get access to by hacking the business? Are you saying that until businesses allow us to delete the passwords, they are no better than having JUST a password?

    @cob00927 · 9 months ago
    • Google doesn't even trust the passkeys. They detected a potential attempt to break into my account, and completely disabled every security measure I have to verify my identity, logged me out of my email on all of my devices except my phone, refused to let me login even though I had every single method of verifying my identity, and required I change my password, through a link in my email, then after I reset my password, which didn't require any form of authentication beyond being logged in, I was able to re-set up my many authentication methods. What is even the point of any of it if google won't even trust a single method of authentication, and won't even trust you to verify your identity if you have all of them at once. And then doesn't even bother to verify my identity, while it bypasses all of that authentication I have, and lets me reset my password, without verifying who I am.

      @MegaLokopo · 9 months ago
    • They're technically more vulnerable than a website with just a password, as it's an additional attack vector..

      @norgeek · 9 months ago
    • I think this is an example of not yet perfect, but way better. Part of the benefit of passkeys (even as an alternative to still-active password auth) is that it makes certain attacks way harder to pull off. For example, if someone pointed you to a simple mis-spelling of a website, your browser will not reveal any details about your account to the imposter. It'll just tell you that no passkeys are available for the service without revealing anything. This should clue you in that you're being attacked. This benefit alone can help improve your security posture. Granted, you're right that it would be cool if more sites allowed those who are comfy to just go 100% passkey, eliminating the possibility of a compromise of those passwords on the server side altogether.

      @seetentees · 7 months ago
  • 7 months later and still going forward, passwords are still here and rule the day and not dead!

    @JohnnyBean78 · 1 month ago
  • Very nice video and demo Chris, congrats !

    @sylvainHZT · 9 months ago
  • What is the difference between passkey and ssh keys at the cryptographic level? It sounds like passkeys are very similar if not the exact same technology rebadged and made consumer friendly. A synced passkey feels like moving an ssh private key to a password managers vault.

    @travishatch6246 · 9 months ago
  • Very nice information .. very well explained.. thanks a ton .. this has clarified the concept brilliantly .. kudos

    @maneeshparihar · 9 months ago
  • A note on interoperability. I have used Apple passkeys on my iPhone to log in to a website on my pc. It works just fine but the process is just a bit less seamless. On a Mac I would just use iCloud Keychain stored key and authenticate directly on the Mac. With PC I’m presented with QR code to scan with my iPhone. The iPhone then presents the passkey and I log in using FaceID. The phone and pc need Bluetooth enabled for this to work but no setup or pairing is needed!

    @driver288@driver2889 ай бұрын
    • Or you could just use a password manager like 1password to hold your passkeys and use them between devices.

      @georgebarlowr@georgebarlowr9 ай бұрын
    • @@georgebarlowr sure. You can use 3rd party products for this. I would recommend 1Password too for this

      @driver288@driver2889 ай бұрын
  • I love passkeys, but would love a way to integrate browsers with Keepass and utilize passkeys for those of us who do not like hardware keys and want to keep them centralized with our existing cred storage.

    @mikedoth@mikedoth9 ай бұрын
  • I bought 2 more yubikeys because of your previous video and how to set it up on the phone. Already had 1 so adding 2 more just made sense. Was helpful because I did have a breach and recovered it nicely cos of the keys. One thing I need to ask is what router, switches do you use? I recall you recommending to me last time about a product, began with P and looked yellow and black. I am trying to setup a secure home network with a sim router. Hope you can help chris :)

    @summerbee80@summerbee809 ай бұрын
  • I'd suggest a Apple user approach, and a Google user approach. I think you have the Apple approach covered in this video. The Google approach might be a future video. Sharing among the Password managers in the various approaches too - OnePassword to Apple to Google might serve as an example. Also, I'd suggest a discussion of where the resistance to this approach may come from. Thanks for the valuable video. It raises the question of Passkeys and where they may fit in our security vision.

    @ldwhitley@ldwhitley9 ай бұрын
  • If you use your cell phone pin in a public area and it gets compromised you can have real problems. The WSJ had a great article about this earlier this year where someone used their pin at a bar to make a confirmation, it was compromised (observed) and their phone was immediately stolen as they were getting an Uber outside the bar. The thief used the pin immediately to reset and change all of the passwords, being synced in the password manager. The thief did this so quickly the phone couldn't be shut down. The thief had access to all the accounts on the phone and proceeded to rob the owner of several thousand dollars. Bottom line is that tying everything to your phone has some level of risk. Better use a more complex pin and be careful when you use it as it provides the keys to your kingdom!

    @GeorgeCudd@GeorgeCudd9 ай бұрын
    • You're right - there is always a risk of someone shoulder surfing your PIN and then stealing your phone. But that's not the point here - the point is that your example is extremely rare compared to the amount of phishing and hacking attempts that hit people from far far away. If we eliminated ALL but your specific concern, it would be a HUGE win for security world-wide. And a singular edge case of "well...it can still be compromised in this very specific way..." is not an excuse for rejecting this technology.

      @CrosstalkSolutions@CrosstalkSolutions9 ай бұрын
    • @@CrosstalkSolutions I agree with you but just thought it's important to understand all the risks before entertaining any new endeavor

      @GeorgeCudd@GeorgeCudd9 ай бұрын
  • 15:27 What happens, for example, if you no longer want someone you have shared your passkey with (say a divorce) to be able to use your credentials?

    @TJWood · 9 months ago
    • You should be able to create a new passkey and the old passkey will no longer work.

      @jgleigh · 3 days ago
  • It's basically the same asymmetric PKI stuff that is used for TLS encryption. The private key is stored on the webserver or client, and YubiKey hardware stores the private key like an HSM used by servers like webservers or reverse proxy servers such as F5, right?

    @Alex-zv4oc · 9 months ago
    • Also think of it like SSH keys.

      @miss_sapphire · 9 months ago
  • Better off going with the Thetis, since it's recommended to buy at least 2 (one for backup). The Yubi will set you back at least 100 bucks; I've found the Thetis is just as good and half the price.

    @mdamaged · 9 months ago
  • Passkeys were the standard some 20 years ago (dual authentication)... I worked security for a military contractor and passkey fobs were SOP.... They are cheap and easy to implement... You can use almost any cell phone today for the same job.. I now work IT security for the medical industry and ANY Dr that writes sched 2 drug scripts is required to use passkey authentication (it's law) since Jan 2023.

    @randalljames1 · 9 months ago
  • You're always great, thanks so much!

    @BrianKRoss101 · 9 months ago
  • Love the YubiKey and the authenticator app as well. If your phone is stolen nothing is in the authenticator app, because you need the key!!

    @einyv · 9 months ago
  • Great introduction, now could we see examples of doing this with the Yubico please.

    @christopherguy1217 · 9 months ago
    • Did you check his site? I seem to remember he's demonstrated how to use YubiKeys before.

      @paulclement1025 · 9 months ago
    • We should support open source alternatives, not Yubico.

      @gotoastal · 9 months ago
  • Passwords are always going to be required for passkeys. If not, could you imagine the headache administrators will have when something happens to the user's device that was storing those passkeys for said account?

    @jx5189 · 5 months ago
  • Cons: 1. Hardware passkeys can be stolen, 2. lost, 3. maliciously borrowed (the worst type of attack), 4. can be cloned (not all of them), 5. price always x2, you need a backup key. To remove all four cons, a hardware key has to have a biometric sensor. As of now, there is no hardware passkey with a fingerprint sensor usable on Linux systems out of the box because you need proper drivers. Also it can't be used cross-platform on your customer's PC/Mac without driver installation.

    @TheSecurityAgency · 9 months ago
    • Biometric fingerprint scanners can easily be beaten.

      @MegaLokopo · 9 months ago
    • @MegaLokopo Yes it is, especially while gobbling down popcorn watching Mission Impossible.

      @TheSecurityAgency · 9 months ago
  • Great video! Out of curiosity, what does Wireshark show when using passkeys?

    @user-wr6bx2nz3e · 9 months ago
    • Nothing. All data is encrypted by TLS. And even if they did get the data, the challenge issued by the server is random and changing, so trying to replay the response does no good.

      @RobertM949 · 9 months ago
  • How do you keep your hardware passkeys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your house and car keys?

    @laurak96 · 9 months ago
    • How do you keep your car and house keys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your hardware passkeys? Seems like a personal decision based on threat assessment is my point.

      @chublez · 9 months ago
    • YubiKeys are going nowhere. They exist to control concurrent usage of software programs and are mostly replaced by storing the keys on an in-house server. They fail often from use and going through the washer and dryer. The software vendor overnights you a new one and deletes the old so even if it is found or starts working it won't work. The only reason this 2009 passkey technology has become usable is because the cell phone has become almost ubiquitous and is the only device that has the intelligence for now and the future. Even your car and house keys are going away. It's already your wallet, passport, visa, credit card, immigration form holder when you travel, map, calendar, secure and insecure communicator, airline tickets, where the gate is for your next flight, flight schedules, your seat, adjusts your house environment when you are home and when you are not, guides you around the traffic tie-ups to and from work, lets you scan into the gym, your note taker, language translator, it will soon carry your ID/driver's license, gets backed up encrypted to the cloud, and is becoming the only thing you need to take with you.

      @jackt6112 · 3 months ago
  • My exact question is what you also mentioned in the video with the Best Buy example. If you have to create a user first, using a password, and only after that can enable passkey login, then the password login still exists somewhere in Best Buy's systems, and can be found in a server hack/leak? What would be the correct way to do this (besides being able to actually use a passkey when creating the account)? When enabling a passkey it somehow should delete any knowledge of a password ever existing?

    @user-rz4qq8dy8b · 9 months ago
    • Exactly my same question. My take is that passkeys (plus other authentication factor) should become the primary login method and username + password the fallback option. Probably in the future we won't even set up a new account like we do today (username + password).

      @giacospace · 9 months ago
  • How would passkeys work on sites that require a secret for encryption? Clearly, you cannot use the public key as an encryption key, as that is by its very nature public. It appears for that scenario, the passkey protocol would have to include the possibility of securely transmitting a secret to the server on login or on request that is a.) unique to the site and b.) is the same every time, so it can be used to encrypt and decrypt user data on the server. Does that exist or is this in the works?

    @arnoschaefer28 · 9 months ago
  • Great video Chris. I note that Microsoft have announced that Windows 11 is getting a built-in passkey manager. Any comments or thoughts on that?

    @samb4486 · 9 months ago
    • And what happens if your OS disk fails and you lose your Windows install? Do MS have plans to store the keys in your MS account/OneDrive?

      @daveffs2991 · 6 days ago
  • What I miss is how 2FA will be handled with passkeys, or will 2FA become obsolete? For example, when using Nextcloud you have the option to use FIDO2 WebAuthn for login and also use FIDO2 2FA, so you get asked two times for your key. Will this be the same on other services? And coming back to the maybe obsolescence of 2FA: is that maybe because 2FA now only really protects someone against attacks where someone else has your passwords, but when someone already has the encrypted password vault 2FA is no concern anymore because you only need the password? In the end I think it all comes down to how these services will implement it, like will my account data be encrypted with that passkey or only the login for the web interface.

    @maxmustermann9858 · 9 months ago
    • PayPal supports passkeys right now, and I have 2FA enabled. I was using OTP to begin with, but it does prompt me for this after the switch to a passkey. I imagine companies that know what they're doing will require some other form of 2FA (such as OTP) or maybe even just require a secondary FIDO2 key for 2FA. The bad companies? Who knows. Interesting point on how customer data will be encrypted. The company would need the private key in order to encrypt whatever private data they store, right? Can't just use the generated nonce for that. Although I really know very little about how this architecture works, admittedly.

      @matta9991 · 10 days ago
  • The elephant in the room you didn't mention: what if you lose your phone? Sure, the private keys aren't stored in there, but how can I get my credentials back since Google/Apple use passkeys which are linked with the old device which you lost?

    @fs9553 · 9 months ago
    • Exactly! Nowadays a phone is an awfully weak link in a security chain, because it is both indispensable, as you mentioned, and extremely vulnerable to assault: if nicked while unlocked, and/or if your aggressors force your face or your finger on the phone, in a matter of seconds they own your Google or Apple account holding your private passkeys, and as far as I know, there is nothing you can do about it.

      @EcoAku · 9 months ago
  • I have been using YubiKeys for the better half of 5 years now and will never move away from them. I do wish though you would have explained or touched base on the fact that when setting up hardware based auth keys you should always plan on redundancy. These keys can fail and/or get lost/stolen so it is always best practice to have more than one.... The largest problem with this though is the fact that many sites only allow ONE hardware key, so if you ever lose your YubiKey or it gets damaged you are locked out with little to no recourse of being able to get back in to that account. So users should make sure they have backups or sync multiple keys when allowed and even store it in an alternate location like a safety deposit box (just a suggestion), to be able to have a way to access accounts should your main key ever be damaged/lost etc. I also do understand why the keys cannot be duplicated as that would negate their effectiveness, which is why all sites/services that move to this level of auth should support at minimum a "Master" key and allow you to sync at least 1 additional key as a "backup". Overall though, great video to help bring awareness.

    @Pythonaddiction · 9 months ago
    • Thanks for that detail. I had no idea sites can restrict the number of copies of hardware keys you can have. If that's true, I have no idea why anyone would want to use a YubiKey. Wow. I mean, it suggests that you should have a different YubiKey for every site that requires a limit of one YubiKey per site. But that kinda invalidates one of the main reasons for having a hardware key in the first place. (You would lose all your private keys if you lost your single YubiKey.) I've never used YubiKeys before, but I think you've just turned me into an opponent of that technology. Thanks for raising my awareness. Yikes.

      @TheNameOfJesus · 9 months ago
    • @TheNameOfJesus I didn't mean for my comment to turn you away from the technology, but understand that some sites have yet to fully adopt it and thus only support adding one key. This is changing as the technology is adopted but it's not a super fast process. When a site registers a hardware key, by default they should actually require 2 keys so you are making a backup as part of the process, but instead most sites implement a second lower level of security. The only way to get this technology to be more adopted is by using it and promoting it. But it's also understanding the limitations, like most banking institutions do not yet support these devices because their customers are using their phones instead, so they are opting for a less secure alternative. The YubiKey is by far the strongest form of authentication as it's offline and a physical device that cannot be duplicated. Phone auth isn't nearly as secure as you're required to use your passcode / PIN to unlock your device at boot up even with biometric locking enabled. So I would use it to its fullest potential that you're able to in your circumstance and just make sure to set up whatever backup method is available for any service that you use that doesn't support adding multiple keys, and just store those backup codes with your backup key for the services that do support that.... (Alternate location like a safety deposit box etc., or at least a fireproof lockbox or safe to protect from fire loss). Adoption is always the biggest problem and they won't gain traction if too many oppose the use.

      @Pythonaddiction · 9 months ago
    • @Pythonaddiction Thanks. I know you didn't intend to turn me away from it. I was perhaps overstating my worry by 50% for dramatic purposes. The YubiKey is FIPS 140-2 evaluated so it's good when used in FIPS 140-2 mode. (Do consumers use it in the FIPS-evaluated mode?? I don't know.) I personally used a different product that was also FIPS 140-2 evaluated. YubiKey is likely not "more secure" than other products with the exact same evaluation. I have no way of knowing if consumers are using it with those features enabled, but I doubt it because people are loading their own private keys rather than getting them from an approved key generation device. In my company, people aren't allowed to load their own keys because we operate in a very, very high security mode.

      @TheNameOfJesus · 9 months ago
    • @Pythonaddiction What I don't understand is why does no one even think of using GPS as one of the backup ways to recover your account? Something like... they will ask you to open your GPS location to recover your account, which means if you want to recover an account as your last resort, you need to be standing on the place where you created your account. 😂😂😂😂 I really hate being made to buy 2 YubiKeys; not only is it expensive, you might not know if the other one you keep safe was taken by someone at home. But having your GPS as last resort... you and only you know where you created your account. This way you can actually walk to a random train station and use it as your recovery location.

      @ChibiKeruchan · 4 months ago
    • @ChibiKeruchan That's because GPS and geotag location data is super easy to spoof, for starters. And secondly, let's say that works: what if someone is making an account while on the road outside of their normal area, or say a truck driver? There are many reasons why this wouldn't be used.

      @Pythonaddiction · 4 months ago
  • Hi Chris. Great video on passkeys, et al. HOWEVER . . . There was hardly any emphasis on purchasing and setting up MORE THAN ONE YubiKey for redundancy in case your YubiKey hardware device is lost (more likely) or physically damaged, i.e. FUBAR (unlikely). Having just one device with no redundancy exposes the user to being locked out of his/her own stuff. My Mr. Worst Case Scenario wants to ask people to please be prudent and thoughtful at the fundamental level.

    @johnmartin1024 · 9 months ago
    • Google doesn't even trust Titan Security or YubiKeys to verify your identity, if they detect someone may have attempted to break into your account. They simply disable all of your security and hope that the one device they allow to stay logged in is in your possession, and then let you reset your password without even verifying your identity. If Google can't even trust their own system, why should anyone else?

      @MegaLokopo · 9 months ago
    • Indeed, this was a weak point in his video. Not only do users need multiple YubiKeys, and store them in different locations, but they need to update each of their YubiKeys EVERY SINGLE TIME that they create new credentials on a new website. I don't want to go to the bank weekly to fetch my YubiKey, take it home, update it, then go back to the bank in the same day to lock it up again. I think my bank counts how many times I access my safety deposit box each year and charges me if I access it too often.

      @TheNameOfJesus · 9 months ago
    • Very good point!

      @relaxsleeplearn · 9 months ago
  • You forgot another reason passwords get locked out: infrastructure engineers locking each other's domain admin accounts out for a laugh :). I got 3 YubiKeys after seeing your last video. One for the keyring, one for the safe, one mini one to stay in my home PC. Not enough stuff supports FIDO2, my YubiKey is mostly used for classic 2FA.

    @andljoy · 9 months ago
  • Great explanation. Love this.

    @AeroPR · 9 months ago
  • Thanks for the articulate explanation. I just wonder how different it is from PKI.

    @yavivid · 9 months ago
  • Not quite, I've had a YubiKey for years, finally gave it up as I can never remember where I put it. As one other KZheadr pointed out (correctly, IMO), the different types of connectors on different devices also make them a real pain (I have USB micro, USB C, Apple...).

    @techserviceondemand9409 · 9 months ago
  • Great video and topic! One thing good to do with USB security keys is to have a backup key in case your device gets damaged/lost/stolen. I also liked how you pointed out that passkey implementations are not perfect yet. I also found that some services still require less secure MFA methods. For example, even if you have an MFA method that uses WebAuthn, Google will still allow device push notifications, which are susceptible to push notification fatigue attacks. But, one step at a time! :)

    @LightsAndButtons · 9 months ago
    • @jeffreybankers3988 As you are probably aware, almost all services allow a backup security code in the event you have lost your authentication method. These codes could be secured in a safe location, a secure USB, on the cloud, a piece of paper in a safe (one of the most reliable) or on a cloud service. That way if you catastrophically lost your keys, you could still recover the accounts.

      @CyberMedics · 5 months ago
  • Yes, it took me a while to get onto the passkeys, but now I have two (one as a backup offsite) and I have never felt more secure. Everyone should have these. But they should be more affordable as YubiKeys are a bit expensive (in Canada anyway). I know, I know, you can't really put a price (tongue in cheek) on security, but ya - WELL WORTH IT.

    @chemicle · 8 months ago
  • Thanks for the video and the coupon. I saved $10 (2 keys).

    @hewdogg01 · 9 months ago
  • SMS-based ones are extremely vulnerable to SIM swapping! Avoid if possible. Sadly many banks refuse to upgrade.

    @ocavant · 28 days ago
  • Is session cookie compromise still an issue with passkeys? I'm assuming if someone were to gain access to your device and grab all of your session cookies, they could potentially bypass your authentication methods, passkeys and hardware keys included.

    @chrisquast5491 · 9 months ago
    • Agreed. Post-authentication attacks are still in play. Also if the service is hacked your data will still be stolen. So the claims about data being protected are true only from one attack vector.

      @tokentx5 · 9 months ago
    • Session cookie compromise is definitely possible, since you would appear already logged in to whatever website (it would have no reason to require you to authenticate). BUT this is why some websites automatically invalidate sessions after a bit. It's also why if you've suddenly travelled across a continent in 10 seconds, you'll get an email asking what the deal is. It's also why all websites require you to log in again in order to change your authentication options. These are all attempts to make it more obvious to you when one of your devices has been compromised. Once it is, in this new world of passkeys, you can react by unenrolling the compromised device's passkey from your accounts from a device you know is secure. One of the benefits of moving to these new more secure authentication methods is to remove the friction it would cause if sites started reducing session durations further, and continued to harden things. Since logging in would take seconds, users would tolerate the more occasional tap of a fingerprint reader, and in the background, it would help reduce the impact of these sorts of attacks.

      @seetentees · 7 months ago
  • Does all of this require one of the devices used for authentication to be a phone with a US phone number? Or can it be laptop/tablet devices? I am asking because I want to retire overseas and won't have a phone with a US number. Once set up can I sync with an international number?

    @AmblingAloof · 3 months ago
  • And LastPass, which already supports YubiKeys. So your password manager requires the hardware key.

    @palliard · 2 months ago
  • @16:55 - That is the biggest issue with all these 'more secure methods': they are just adding more ways to log in without removing the problematic ones, increasing, not decreasing, the threat footprint.

    @curtisbme · 5 months ago
  • If someone steals a company's DB of public keys and creates a fake site, could they trick you into signing in with your passkey?

    @chrismuller2780 · 9 months ago
  • A great explanation, but I still have 2 issues with the use. If you have a hardware based private key and the device dies, how are you able to log in to your most secure environments? And what if your private key got leaked or stolen? Then a hacker is able to log in to everything and everything of yours is compromised. If it is not, how do companies check if they have a revoked key of yours in their database if you're on your second or third key set (private and public)? If this becomes common, does every company or website need to check if the public key is still valid? Of course they only need the correct public key, but there can be a time that some have your old key and some have your new public key. If you have a different password for everything with a TOTP and a key, and the TOTP key got leaked or stolen, it is only impacting that specific login.

    @dezejongeman · 9 months ago
    • You are exactly correct. It's built on a false premise. What it is is better than what we have for most people because they are easily tricked or use the same, short, easy to remember passwords everywhere that are never changed, and no password manager. A good password manager with bio limits exposure to one account.

      @jackt6112 · 3 months ago
  • I have not seen many of the financial, insurance, and health care institutions listed in the passkey directory other than a handful of credit unions. Do they view this as not fully baked yet?

    @garys585 · 2 months ago
  • When signing in with passkeys, is it typically possible to disable signing in with passwords, so that a hacker cannot bypass the passkey by using the alternative less secure login method?

    @piershanson1784 · 3 months ago
    • From what I gather passkey is just another form of 2FA. The password alone is not enough.

      @portman8909 · 3 months ago
  • These sound good but did not explain what happens if you lose the device. So you have a YubiKey, you lose it, how do you then get into your accounts? At least with a password manager I only need to log in to the password manager on any device. With the hardware ones, if it breaks or you lose it how do you get back into your accounts?

    @mardymarvin8441 · 9 months ago
  • IT departments will now have to deal with people losing or forgetting their passkeys 😂

    @monkeysausageclub · 9 months ago
  • Thank you for making a video in a way even I can understand. I had no idea about passkeys, and I thought I was up to date in technology 🤣

    @TheJosa007 · 4 months ago
  • What good are passkeys if I, or someone else (I'm looking at you Mr. Hacker), can still log on to my Adobe account using a password because I can't see an option to remove the password?

    @my3.1415 · 9 months ago
  • What happens if you lost your YubiKey?

    @abghere · 9 months ago
  • You name it: "Everything protected by my Apple-ID [...]" LOL

    @Michael-Wat · 9 months ago
  • If you set up a passkey and for whatever reason passkey verification doesn't work, is there still a backup way of getting into said account to do what you need to do? ... I mean so I'm not locked out while figuring out what went wrong?

    @-AnyWho- · 2 months ago
  • The problem is that no one points out the single massive and major flaw with hardware keys. When someone takes it from you, you're screwed.

    @MotorsportsX · 9 months ago
    • Enroll multiple passkeys. When you no longer think you have one of them, unenroll it. Until you do, it must have had a layer of security on it before it could generate the passkey (a strong PIN or a PIN and a biometric lock) that whoever stole it needs to crack. TLDR: You can lose it, but you can also prevent that particular key from ever being used to log you into stuff without affecting anything else that isn't lost/stolen from logging you in.

      @seetentees · 7 months ago
    • @seetentees double dutch

      @dukeofclemance · 4 months ago
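Several threads above make the same set of points about how passkey login holds up: a lookalike domain gets no credential from the browser (the reply at 15:27's neighbour about mis-spelled sites), a captured response cannot be replayed because the server's challenge is random and single-use (the Wireshark thread), a stolen database of public keys does not let anyone sign in (the "fake site" question), and a lost device's passkey can be unenrolled on its own while the others keep working (the thread just above). The model below is an added example written for this page, not code from the video, Yubico or the FIDO Alliance. It is a constructed, simplified relying-party and authenticator in Go: Ed25519 stands in for the P-256 keys real authenticators usually use, a plain origin string stands in for WebAuthn's RP ID and origin checks, and there is no attestation, signature counter or CBOR encoding. All names (RelyingParty, Authenticator, Enroll, Login, https://example.com, the lookalike https://exarnple.com) are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is all the site keeps: the PUBLIC key plus a revoked flag.
// A leaked table of these is useless for logging in; only the private key can sign.
type Credential struct {
	Pub     ed25519.PublicKey
	Revoked bool
}

// RelyingParty is one account on one site with any number of enrolled passkeys.
type RelyingParty struct {
	Origin  string
	Creds   map[string]*Credential // credential ID -> credential
	pending map[string]bool        // challenges issued but not yet consumed
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, Creds: map[string]*Credential{}, pending: map[string]bool{}}
}

// Authenticator is one device (phone, hardware key). Private keys never leave it,
// and each key is bound to the origin it was created for.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // origin -> private key
	ids  map[string]string             // origin -> credential ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}, ids: map[string]string{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; documented never to fail on supported platforms
	return hex.EncodeToString(b)
}

// Enroll generates a key pair for the site and hands over only the public half.
func (a *Authenticator) Enroll(rp *RelyingParty) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := randomHex(8)
	a.keys[rp.Origin], a.ids[rp.Origin] = priv, id
	rp.Creds[id] = &Credential{Pub: pub}
	return id
}

// Challenge issues a random single-use nonce, so a captured response cannot be replayed.
func (rp *RelyingParty) Challenge() string {
	c := randomHex(32)
	rp.pending[c] = true
	return c
}

// signedMessage ties the signature to both the origin and the challenge.
func signedMessage(origin, challenge string) []byte { return []byte(origin + "|" + challenge) }

// Sign answers a challenge for the origin the browser reports. A lookalike domain
// has no key on the device, so the device refuses instead of signing anything.
func (a *Authenticator) Sign(origin, challenge string) (string, []byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return "", nil, fmt.Errorf("no passkey enrolled for %s", origin)
	}
	return a.ids[origin], ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// Verify is the site's login check: unused challenge, known unrevoked credential, valid signature.
func (rp *RelyingParty) Verify(credID, challenge string, sig []byte) error {
	if !rp.pending[challenge] {
		return errors.New("challenge unknown or already used (replay)")
	}
	delete(rp.pending, challenge) // consumed even if the rest of the check fails
	cred, ok := rp.Creds[credID]
	if !ok || cred.Revoked {
		return errors.New("credential unknown or revoked")
	}
	if !ed25519.Verify(cred.Pub, signedMessage(rp.Origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Revoke disables one passkey (say, a lost phone) without touching the others.
func (rp *RelyingParty) Revoke(credID string) {
	if c, ok := rp.Creds[credID]; ok {
		c.Revoked = true
	}
}

// Login runs the whole exchange for one device against the origin its browser sees.
func Login(rp *RelyingParty, dev *Authenticator, browserOrigin string) error {
	ch := rp.Challenge()
	id, sig, err := dev.Sign(browserOrigin, ch)
	if err != nil {
		return err
	}
	return rp.Verify(id, ch, sig)
}
```

Enrolling two Authenticator values (a phone and a hardware key) against one RelyingParty and then calling Login with the real origin, Login with the lookalike origin, Verify twice with the same challenge, and Login again after Revoke on the phone's credential ID exercises each of the four claims in turn: only the first succeeds, the lookalike is refused on the device before anything is signed, the second Verify fails as a replay, and the hardware key keeps working after the phone is revoked.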
  • How secure are iCloud passkeys? Can they be overridden if someone has your iPhone and its passcode? If so then your passkeys are only as secure as your 6 digit passcode.

    @narkeddiver7325 · 9 months ago
    • Apple supports security and recovery keys, eight-character passcode.

      @alexthemtaandr211weatherfa2 · 9 months ago
  • I've always liked SQRL (a spiritual predecessor to passkeys). The problem with it though is that the onus is completely on the individual to keep their keys backed up (very secure, but not at all forgiving). With passkeys, there is a fallback via a 3rd party, and that alone makes it much more likely that non-techies will adopt it over SQRL.

    @seanpalmer8472 · 9 months ago
    • Good password managers aren't that different in terms of recovery, although slightly more forgivable. I don't think printing a QR code is that difficult even for simple folk. I'd be all about SQRL but the tech companies that are part of the alliance will never use it or copy it.

      @AaronLoes · 9 months ago
    • SQRL did not corral users into passkey islands (i.e. Google, Apple) and offered some features not available with passkeys. SQRL could have been adapted to offer 3rd-party backup if tech corporations had wished to adopt it, but they did not. It's rather strange to watch the world promote a "new" passkey system that's inferior in most ways to the SQRL protocol, but here we are :(. Passkeys are a step in the right direction, however, and SQRL's dependence upon domain names and 1st-party backup may have been detriments as well.

      @antibrevity · 8 months ago
  • Companies need to give better and fully detailed instructions on how to setup passkeys on their website. Take Microsoft for example. They point me to advanced security options and then I have to figure it out all by myself. The same goes for PayPal. If they don't make this easier for their users, than passkeys will take forever to be adopted. And that's a big missed opportunity.

    @dennisvanmierlo@dennisvanmierlo9 ай бұрын
  • There is still very limited support for hardware passkeys. I have a couple of Yubikeys that I have kicking around but I can only rarely use them.

    @mike94560@mike945609 ай бұрын
  • So, the passkey manager has to be some faceless corporation or a hardware key that has obvious downsides? I guess I'll stick with password managers that have a fully locally managed option. Maybe Bitwarden's passkey solution will allow that (assuming I'm understanding this right).

    @Grave79@Grave799 ай бұрын
  • Certain applications, for example Quicken, store user credentials (hopefully securely :-) so they can be used to download transaction data from financial institutions for recordkeeping, reporting, analysis, and statement reconciliation purposes. How will such applications continue to properly operate when passkeys become ubitiquous?

    @permageek5948@permageek59489 ай бұрын
  • Ahaaa, What happens when your device gets stolen, destroyed, corrupted? What happens when you need to recover your passkey? Can you do that just like you can remember your password?

    @id104335409@id1043354094 ай бұрын
  • As usual, great content. But I had to chime in on your comment of “hopefully giving scammer and hackers very few options to breaking into accounts”. The first computer I ever used was an IBM 1130, I mention this to give all an understanding of how long I have been in the field. And through it all, there is always the “war to end all wars”. Hackers will always continue to be ahead of the game, it is what drives them. To break the “unbreakable”. The best we can do is to employ the best and make use of those talents.

    @col.johnson9938, 9 months ago
  • passkeys will not replace passwords outside of enterprise IT - protecting against loss of passkeys through hardware failure/loss is simply too complex for average users

    @daveffs2991, 6 days ago
  • Excellent overview! 😊

    @punditgi, 9 months ago
  • I remember hating infomercials on the telly as a kid. These days I watch them by choice on KZhead because the content actually justifies the pitch.

    @Alan.livingston, 9 months ago
  • Under no circumstances should you be endorsing email/sms 2FA solutions. That is a VERY bad take, at this point.

    @KentBunn, 9 months ago
  • Quality video ! Thumbs up 👍

    @yousvellormeus, 9 months ago
  • For hardware passkeys: What if I lose it somehow? Can I somehow recover all my logins? What if I use Face ID, but one day I suffer an accident, injure my head and it cannot recognize me? Or can face trackers handle these? These are my concerns. Yes, I can suffer from amnesia and forget my password, but I think this has a lower chance.

    @attilahajnal765, 9 months ago
  • Very useful video, thank you. I have the habit of saving everything to my self-hosted Nextcloud. Is there a way to sync with your own cloud rather than Apple or Android?

    @cattivello, 7 months ago
  • Passkeys sound nice until for some reason you can't get access. Imagine the hell of regaining access to hundreds of sites after you lose your phone. That's why all the sites using face id and fingerprints have implemented it as a convenience option with a password/pin backup method.

    @reefhound9902, 9 months ago
  • Tremendously useful video. Thank You

    @Taras-Nabad, 9 months ago
  • What do you do if you lose or damage your hardware key? How do you authenticate to setup a new one?

    @markbroussard7394, 9 months ago
  • Is there a max number of FIDO sites I can have on a YubiKey? (Did I ask that right?)

    @tylerljohnson, 9 months ago
    • With the series 5 Yubikeys, it’s 25 max FIDO credentials, but they’ve stated that they’re working on one that holds more.

      @CrosstalkSolutions, 9 months ago
  • So what are the backup options then if someone lost access to their Google account and had to create a new one. How would all the websites be able to verify who the user was without storing something like their email address or phone number ?

    @anthonyduncalf6190, 2 months ago
  • Great video, thank you. What happens if my YubiKey gets lost or stolen? I understand I need redundancy, but can I or do I need to revoke this key on all sites? Can the criminal easily try some popular websites and log in on them?

    @fabioamado6725, 9 months ago
    • You got it. If you store your passkeys on a YubiKey and it's stolen, you lost your passkeys :) But in order for a YubiKey to store passkeys, it must have a PIN (or can have both a PIN and a biometric challenge if it's a YubiKey Bio). Just make sure your PIN is a long one. So if it's stolen, the attacker will need to unlock it first. But your passkeys will still be long gone :) BUT accounts will still have recovery options, and, for your convenience, most sites allow you to enroll multiple passkeys. Because a passkey is effectively a very large password that you never have to send over the internet to log in (you just have to prove you have it, after proving you know how to open up the box that it's in), having a few on an account doesn't really have the same impact on the security of that account that, e.g., having multiple passwords would.

      @seetentees, 7 months ago
    • But do all YubiKeys store passkeys? Or can they store passwords? It is confusing to me…

      @fabioamado6725, 7 months ago
    • The security key stores cryptographic keypairs and the domains of sites they were generated for. These are passkeys. I mentioned "strong password that you need to prove you have" as an analogy. This is not a password. When you log in with the passkey, whatever holds it will cryptographically sign a challenge with the private part of that cryptographic keypair. And the website will verify with the public part and log you in.

      @seetentees, 7 months ago
  • Thanks for the demo and info, have a great day.

    @chrisumali9841, 9 months ago
  • Thank you Chris! Can you please help me understand... How does this address auth'ing with both something you HAVE and something you KNOW? Is this best practice still applicable?

    @gg48gg, 9 months ago
    • That’s just it - something you KNOW can be phished. The security with passkeys (generally…of course there are variations) is two factor between your identity (ie FaceID, TouchID, Windows Hello, etc. ) and a public/private key pair.

      @CrosstalkSolutions, 9 months ago
    • @@CrosstalkSolutions I think the problem with this is that both factors would rely on the phone if the biometric private key and passkey were generated by the same device. If that single device were lost, wouldn't that account be unrecoverable?

      @gg48gg, 9 months ago
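The two reply threads above (the one explaining that a security key holds a keypair per site domain and signs a server challenge with the private half, and the one describing the PIN or biometric as the second factor) describe a flow that is easier to see in code. The following is an added example, not code from the video, from Yubico or from any commenter: a toy authenticator and relying party in Go, using the standard library's P-256 ECDSA. The site name `example.com`, the user `alice`, the lookalike domain `examp1e.com` and the `signedMessage` construction (a reduction of WebAuthn's `authenticatorData || SHA-256(clientDataJSON)` to the two hashes that matter here) are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the security key: one private key per relying-party ID
// (site domain), simplified to one account per site. Private keys never leave it.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register mints a P-256 keypair for rpID and returns only the public half,
// which is all the site ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert is the login step. The browser supplies rpID from the origin the user is
// really on, so a lookalike domain finds no credential. userVerified is the
// PIN/biometric gate: what you know or are, unlocking what you have.
func (a *Authenticator) Assert(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification (PIN or biometric) required")
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey for %q on this authenticator", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// signedMessage is a reduction of WebAuthn's signature input to
// SHA-256(rpId) || SHA-256(clientData): the domain is part of what is signed.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte("challenge:"), challenge...))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(clientHash[:])
	return h.Sum(nil)
}

// RelyingParty is the website: public keys only, so a database leak gives an
// attacker nothing to log in with.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

// Challenge returns fresh random bytes; a signature is good for one challenge only.
func (rp *RelyingParty) Challenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	return ok && ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

// Result records the outcome of each attempt in Scenario.
type Result struct {
	Genuine  bool  // right site, fresh challenge, PIN entered
	PhishErr error // lookalike origin asks the key to sign
	Replay   bool  // captured signature replayed against a new challenge
	NoUVErr  error // key used without the PIN/biometric step
}

// Scenario registers a passkey for a constructed site and runs the attempts above.
func Scenario() Result {
	var r Result
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "example.com", users: map[string]*ecdsa.PublicKey{}}
	pub, err := auth.Register(rp.ID)
	if err != nil {
		panic(err)
	}
	rp.users["alice"] = pub
	ch := rp.Challenge()
	sig, err := auth.Assert("example.com", ch, true)
	r.Genuine = err == nil && rp.Verify("alice", ch, sig)
	_, r.PhishErr = auth.Assert("examp1e.com", rp.Challenge(), true)
	r.Replay = rp.Verify("alice", rp.Challenge(), sig)
	_, r.NoUVErr = auth.Assert("example.com", rp.Challenge(), false)
	return r
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it shows the four properties the replies claim: the genuine login verifies, the lookalike domain gets no signature because the credential is looked up by the real origin's domain, a captured signature fails against the next challenge, and the key refuses to sign until the PIN or biometric step has happened. The lost-device question raised in the thread is visible here too: the site holds only `pub`, so a new key can only be enrolled through whatever recovery path the site offers, or from a second passkey registered in advance.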