A more secure, more convenient alternative to passwords.
@debtfordwharf
Жыл бұрын
Hi Leo, back in the day, when CLI was a the only thing out there, PGP for email had caught on. I used to use a product called Eudora and similar email implementations. It seems like it took a while for this to come back in a different form. Better late than never.
@askleonotenboom
Жыл бұрын
@@debtfordwharf It never really went away. There was always a plugin for Thunderbird, and assorted others. The problem is it's still too complex for normal people to use.
@ranzali5564
11 ай бұрын
If someone adopts Passkeys, should they delete all other methods of authentication they used previously? For instance, Google Prompts? Could someone exploit/intercept Google Prompts if used at some point despite the fact that we set up Passkey?
@skverskk
Жыл бұрын
Your explanation of pass keys is beyond excellent.
@berrywin
Жыл бұрын
Exactly my thought to!
@markstevens2937
Жыл бұрын
super clear
@DarrelLanders-zf6kq
3 ай бұрын
😮hjbfftttrr 0:33
@aaronloel5238
2 ай бұрын
Mk NM😅
@ericpierce3660
Жыл бұрын
You're so good at explaining things, it's like listening to my favorite professor.
@Back2SquareOne
Ай бұрын
Passkeys are more secure than passwords because they are less "powerful". With an username/password pair you can potentially log in from any account, on any device, anywhere. Anyone who gets your username/password can potentially masquerade as you from anywhere. That is what makes them less secure / more dangerous. As described in the video, a given passkey is tied to a specific account and a specific device. It is important to remember that passkeys only authenticate the device and account. They do not authenticate the person. This is why the total security solution requires you keep access to the device secure. Fingerprint scanners, FaceID, or PINs HAVE to be used so that people who have physical access to your device, can't actually access your account. The device/operating system you use must, of course, provide a mechanism for securely operating a keystore. This was an excellent video.
@Manavetri
10 ай бұрын
One of the few on KZitem that really brilliantly transmits information. Simply incredible, makes me want to listen to you for hours
@creativechannel6148
7 ай бұрын
Yes, he's brilliant.
@michaeljurwin
2 ай бұрын
This is an amazing explanation. Thank you for making it so clear. I will be saving this video so that when anyone asks about passkeys, I will share this to them.
@countorlock3148
Ай бұрын
this is the clearest, most understandable explanation of what a passkey is on youtube, or anywhere else. and it also explains that apps are actually using passkeys when they allow us to login using our fingerprint, face, or pin. and also an added bonus on what are pgp keys. im so glad i watched this. thank you very much.
@chyeong2518
Ай бұрын
Leo, Thanks for sharing and explaining so clearly. you are a champion!
@notreallyme425
Жыл бұрын
9:01 this is where Steve Gibson’s SQRL protocol is superior to passkeys. Both use public key encryption, but SQRL has 1 identity that creates a key pair on the fly for each login based on the site’s domain name. Elliptic curve crypto allows you to create a private key based on a determined input. The same input will always create the same key. Therefore a secret (the identity) mixed with the domain name will create a unique key pair for each login. Since this is easily calculated, there’s no need to save it for each site, just keep the original secret (identity)and recalculate based on the domain. This means the protocol and any devices can have an unlimited number of sites to log into, no extra storage and it’s easily shared between devices. Oh well, we get passkeys instead.
@itssoaztek4592
11 ай бұрын
I guess there is no golden bullet in cryptography. Each solution has it's strengths and weaknesses, but what is considered a strength (or weakness) by one user might be the opposite for another user. Even though the passkey in it's current form is perhaps less elegant and definitely more cumbersome than the method you describe, I would still prefer the current solution. If I understand you correctly, I personally wouldn't like to have solution like SQRL that is based on a single private secret used to authenticate/unlock all (!) my accounts/logins. Sounds like the likelihood somebody would be able to crack my private secret in the future would increase with the number of accounts/logins and of course advances in technology with time.
@jackni41
10 ай бұрын
I've been using PGP keys for years and you have described it perfectly in this video!
@roderashe
Ай бұрын
I consider myself a pretty savvy techie. I’ve always understood, encryption and public key and private key stuff. But for passkeys, I have some sort of mental block. That being said, Leo‘s explanation of passkeys is by far the best I have ever heard!
@rachelflamdesign
6 ай бұрын
Wow this was the clearest explanation I've found and finally understand!!! Thank you for this! 🙏🏻🙏🏻
@sennlich
7 ай бұрын
here we are. I thought i i already knew how, but now i really got it. Thanks from a german Guy. Great work!!!
@cf9699
6 ай бұрын
What i like about things like this is that they are complicated for most users and this causes things to go wrong, so you end up dropping down to passwords and email to get back in to most accounts.This negates the purpose of it. you basically bypass by clicking on the "I forgot my password" link, this mostly ends up going back to unsecured emails.
@danehardinge8801
Жыл бұрын
As ever Mr LN explains the inexplicable with ease. Been a follower for years - when internet connections required a series of morse-code-like noises and then went at speeds the common tortoise scoffed at
@spacewater5866
Жыл бұрын
"Or have a face" Beautifully done 😂
@ezraaaa1
8 ай бұрын
Fantastic explanation! Very clear. Been looking for a video that goes into more detail and this is exactly what I needed!
@SreeOne
6 ай бұрын
You are a great Teacher. Especially the core puzzle is untangled with those two KEY images word by word. Great Job Leo. Thank you.
@jeffhbayley9710
5 ай бұрын
Super job Leo! Look forward to making it work...not instant.
@toml.8210
3 ай бұрын
The public key would be like walking down a street and writing down the house numbers you see on mailboxes, but that won't unlock the deadbolt on the front door...
@Unc1eMike
10 ай бұрын
Thank you! This is the best explanation of passkeys I've heard so far! One of my concerns regarding passkeys is... what happens when you have an account that's only using passkeys, have only setup passkeys for that account on a single device, and that device is lost, stolen, or is otherwise unavailable (it dies)? How do you regain access to that account? It seems like the best defense for such a situation is to have passkeys setup on multiple devices, allowing you to confirm you identity when setting up a new device after a device becomes unavailable, but that's not economically viable for some people. An alternative is to actually have a password for the service, using passkeys when possible, but that leaves the account vulnerable in the event of a data breach. Additionally, let's say I want to replace a functional device (my only device) with a new device. It seems I would need to maintain possession of that device for some "overlap period", during which I would need to login to every service I use on the new device, so that my new device can be authenticated by the old device. That seems rather cumbersome, but is probably a small price to pay for the added security of passkeys. What are your thoughts?
@askleonotenboom
10 ай бұрын
Each time you set up a passkey on a new machine a different form of authentication is used. For example a code to your phone, or a message to your email. Once set up it becomes your authentication mechanism. But you're always able to set it up from scratch somehow.
@BoiseTriathlete
10 ай бұрын
This is an excellent question and one that bothered me for a while. You can’t make the argument that you are in a better security position with passkeys if the use of passkeys is in addition to an authentication method that was already present. Therefore, you have only improved your security posture if you remove the old auth method and only use passkeys. However, if you do this, you run into the issue you are asking about. I think for this scenario is exactly why having a 3rd party password manager (PM) in general, and 1Password in particular, makes sense. The PM collects and manages all the passkey private keys so no matter what happens to the device that actually created them, it doesn’t matter. You get your new phone, authenticate to the PM, and you are back in business. But now isn’t the PM vulnerable? Not with 1Password’s security architecture. There are two necessary pieces of information to access the 1P vault that are never stored in the cloud or even transmitted: your password AND a locally generated random security key. You pair those things with a hardware security key, stored in multiple secure locations, and I think you have a setup that’s nearly impossible to breach, but is also convenient
@overtomanu123
5 ай бұрын
Well, I think passkeys are just a convenience mechanism in that you have to authenticate only once either in the key manager of your OS or in your password manager and then use the per device generated and stored passkeys to log in to the websites. No need to manage different passwords, and it also increases security as you are not exposing your password in your daily login routine. No chance of some man in the middle or some other malicious browser extension stealing your password. Now your concern about a data breach happening on the website on which you use the password to login, most of the companies don't store raw passwords in their databases. They store salted one way encrypted password. As soon as you supply the password and try to log in, it is immediately encrypted in the client side and transported to the server in an SSL tunnel ("s" in HTTPS indicates that the site uses SSL, which means all traffic is encrypted)
@cjjuszczak
Жыл бұрын
Excellent explanation, thank you ! i needed a little extra help getting the basic premise after learning a bit about it :)
@florakija
7 ай бұрын
Best explanation on this topic. Thank you, sir!
@mfr2
Жыл бұрын
Loved that XKCD reference!
@askleonotenboom
Жыл бұрын
Of course! And it's so easy to remember! 😀
@toml9647
Ай бұрын
Excellent discussion of the theory. Clarified a lot of questions I had.
@viktorpaulsen627
4 күн бұрын
Thanks. That was top notch.
@macbitz
10 ай бұрын
I see the convenience of passkeys, but for me there's still a problem. Passkeys are effectively single factor authentication. Mere possession of the passkey is generally enough to gain access to a passkey protected system. If a criminal steals your laptop and gains access to it (e.g. by shoulder-surfing your laptop password), then they can automatically access any passkey protected data you have. Using complex passwords protected by a password manager (with a strong master password) together with 2FA (using a password protected OTP generating app), whilst much less convenient, seems far more secure. In the event of a data breach at say your email provider, even if hackers got access to your email password, 2FA would still prevent them from accessing your mail.
@KarlAxelZander
9 ай бұрын
+1 also agree with my current understanding, but I guess passkeys is still an improvement for the "below average" user that we realistically have given up on trying to make them all put in the effort to adopt the password manager + 2FA setup
@jerryglasow513
7 ай бұрын
No. No. No. In the description you give here, your laptop password is your first factor and the physical passkey is your second factor. That's 2FA. If you let both get stolen, it was still 2FA. If you leave your passkey in your laptop fulltime, then it's no better than using an authenticator app installed on your laptop. A passkey only becomes stronger than a laptop authenticator app if you only plug in your passkey during login and then you physically remove it and store it where it cannot be stolen simultaneously with your laptop.
@lnxguit
6 ай бұрын
A passkey is not a hardware key that you can plug and unplug from your computer. You might be thinking of a yubikey? A passkey is a cryptographic hash that stays on your device
@lnxguit
4 ай бұрын
Good points. That's why I rely on YubiKeys for my authentication
@fdelaneau
Ай бұрын
You need a devices with fingerprint or facial authentication to create a passkey. So if your computer doesn’t have biometric authentication, you will need your phone to create and store the passkey. You’ll then confirm the access from the computer using your phone. The system is well thought and has been developed by Apple, Microsoft and Google. Nowadays all modern OS’s are compatible. The biggest problem is passkey synchronization between devices so that you don’t loose all your accesses if you loose your device. Apple has the keychain for that, Microsoft and Google will surely also have an equivalent.
@xKoMox
Жыл бұрын
Great update Leo, Passkeys for Google Accounts are now available.
@askleonotenboom
Жыл бұрын
Pretty sure I mentioned that in the video, or at least the companion article. :-)
@johnnynobels
3 ай бұрын
Have been following passkeys for a while but have never seen such a clear explanation. Congratz! Regarding passkeys i do have 2 concerns 1. Suppose i loose my device with the only private key i have, how will i be able to restore my account on a new device? 2. When creating a passkeys for an existing account, the less safe login method using a password which could be stolen from the server still exists. Hope some one can convince me that both issues can solved.
@askleonotenboom
3 ай бұрын
When you set up a passkey on a new device, yes, you login some other way. It could be password, but it need not be. It's more often something more secure like a confirmation email sent to the email address of record, or a text message to the phone number of record, or similar. Once you've confirmed your identity that way, the passkey is created. Losing your device has nothing to do with any of that. ANY new device on which you want to set up a passkey goes through that process. If you lose your device, however, once you've signed in to the account elsewhere you can remotely disable the passkey associated with that account.
@cordovajose5693
Жыл бұрын
In a passkey-only service, isn't there a higher than normal risk of getting blocked of your own account if you lose the devices the passkey is stored on?
@Fregmazors
8 ай бұрын
If your operating system drive goes down, yeah. Or if for some other reason you can't access the computer with the private keys on it.
@Kurtiscott
Жыл бұрын
Thank you for your thorough overview. Cheers!
@toobvu
Жыл бұрын
Thanks for your nice overview Leo. I’m interested in how third party password manager apps will help manage this information, versus the device operating system itself.
@HarshColby
Жыл бұрын
3rd party password apps aren't necessary. The key pairs are known only to your computer (the private key) and the site you're accessing (the public key). No password for 3rd party password apps to manage.
@bigjoegamer
10 ай бұрын
@@HarshColby Some online 3rd party password managers can store your private key. That's how they sync your passkey between all devices where the password manager works. Some of those online apps include 1Password and Bitwarden. KeepassXC is an offline password manager that will soon support passkeys, too.
@MichaelWeston82
11 ай бұрын
Wow yeah, I second that. You have a very easy to understand way of explaining this!! Thanks so much. Every time I think I understand the encryption/decryption process, I seem to lose the understanding. This helped immensely.
@askleonotenboom
11 ай бұрын
Thank you!
@PhilippeLeBras-lr8kv
2 ай бұрын
Hello.Thank you for this very interesting and informative video. A question of security: I imagine that the public key and the private key are created using an algorithm that ensures the link between the 2. What happens if a hacker gains access to this algorithm? Can he decrypt the private key? This is a very unlikely hypothesis and the risk of ordinary passwords is certainly much greater.
@AJBonnema
Ай бұрын
Impressive video. If anything, the private key is the weak link. So I am left with the doubt that the private key is safe. I know that if one has possession of the hardware with linux the logon procedure is not going to be much of protection. The only protection I would trust in that case is both disk encryption and a logon password. And make sure to switch your computer off, or someone might add a password to the list of passwords for disk encryption (LUKS). However, even that has a shelf life as quantum computing is around the corner. Of course the whole encryption scene will change by that time. Anyway, I thank you for your explanation sir, very clear!
@brass427
16 күн бұрын
It's a good explanation, but I am going to create a fictitious email account and set up a passkey with a fingerprint. Then I will try to access the fake account via a desktop that doesn't have a fingerprint scanner. This is where I have trouble seeing how the same account can be accessed by a phone, and desktop and a Chromebook without f*rting around with all sorts of different pins.
@charleshoward1591
Жыл бұрын
Outstanding - I subscribed immediately
@Jack_Callcott_AU
7 ай бұрын
Gee, I finally know about passkeys. I was so curious about them. One problem, however: if someone breaks into your house, and if you are not there and your computer is turned on, they can just sit down at your computer and login anywhere, can they not? Maybe the operating system would ask them for a pin, or a fingerprint.....
@askleonotenboom
7 ай бұрын
Exactly. The OS will ask for that.
@viktorpaulsen627
4 күн бұрын
@@askleonotenboom Is this 2FA? Exactly how?
@askleonotenboom
3 күн бұрын
@@viktorpaulsen627 Not really, no. It's closer to a plain old password replacement that's more secure. Kinda. Some think of it as 2FA because your device will prompt you for your PIN/fingerprint/face before providing a passkey, but that's still only one factor that you had to provide in the moment.
@Rednunzio
8 ай бұрын
If I create the passkey on my device (smartphone) and a private key is generated based on data from my device and my biometric data, the only way to compromise a passkey-protected account would be to hack my password manager ? Or did I not understand well? The big difference is that I, the user, do not know my private key as I do for the password as it is a very long and complex alphanumeric string.
@VanNguyen-bs5kw
Ай бұрын
wonderfully explain. Thanks, Sir.💟💟🎀🎀
@thatspiritualhumane
Жыл бұрын
You explained in a detailed way. Passkey is still in infacy stage, I'm still waiting another 1-2 yrs..
@Marra54277
Жыл бұрын
So, no more passwords or password managers? What about the security of the pin? Do you need to use different pins on different devices? If I were to lose my device, wouldn’t the pin be easily compromised? Or would pins therefore need to be treated as passwords are now? My passwords are 20+ characters long & in a password manager. I question that use of passkeys & a pin is better than what I currently do. Plus, is it easy to change the passkey if a device is changed? I assume removing a device is done by wiping the data from it. But, the old passkey for the old device needs to no longer be valid.
@neuideas
Жыл бұрын
"no more passwords or password managers?" -- Not necessarily. People may choose to use their favorite password manager to manage their private keystore. "What about the security of the pin?" -- The PIN is handled locally. If you have the device and you know the PIN, then you're good. Unless someone has your device, knowing the PIN alone is useless. "Do you need to use different pins on different devices?" -- Each device is independently secured, so that would be the user's choice. "If I were to lose my device, wouldn’t the pin be easily compromised?" -- If you lost your device, then anyone in possession of the device could access your keystore if they know your PIN. Obviously, a PIN would be easier to crack than a 20+ character password, so best not lose your device. "I question that use of passkeys & a pin is better than what I currently do." -- Passkeys provide some significant advantages, but they have disadvantages as well. You need to choose an appropriate mix of risks that work for you. Passkeys give certain protections against phishing attacks, but are subject to being lost when the device is lost, inaccessible, or nonfunctional. Incorporating passkeys into a password manager service provides some safety here, but then there's the question of how you intend to log into your password manager. " is it easy to change the passkey if a device is changed?" -- That will depend on the site being logged into, and whether or not you plan on managing your passkeys with a password manager service. Using a password manager provides excellent portability between devices: changing a passkey on one device would affect all other devices as well. I am confident that changing a passkey on a given site won't be a terribly difficult issue, but who knows? We still have places where your password length is limited to 16 characters (or less). "But, the old passkey for the old device needs to no longer be valid." If you want to invalidate a passkey (if it's tied to a device, instead of a password manager), that would be done on a site-by-site basis.
@Marra54277
Жыл бұрын
@@neuideas thank you very much for your clear answers to my questions!! A big help!
@himanshuchhabra1942
Жыл бұрын
@@neuideas John Cole One query If a passkey can be uploaded on a online password manager and can be used to login on a new device, then How come is it different from a password mechanism ?? Also, accessing password manager using Local pin, fingerprint or face lock is not possible since its a new device ?? I still cannot understand how I will login on a new device if its lost if I own only a single device
@neuideas
Жыл бұрын
@@himanshuchhabra1942 " is it different from a password mechanism ??" It's different because it uses public key verification of digital signing, rather than hashing a password. The burden shifts from remembering your login information, to not losing your private keys. The private keys are never revealed, so they are never risked. "Also, accessing password manager using Local pin, fingerprint or face lock is not possible since its a new device ??" You will need to authenticate the application first. This can be done by validating your account on an already authenticated device. "I still cannot understand how I will login on a new device if its lost if I own only a single device" You need to set up a backup device first, before you lose your primary device. Alternately, you may be able to log in using one-time use backup codes, if they are offered. Beyond that, you could always fall back on standard login credentials, assuming that's an option.
@himanshuchhabra1942
Жыл бұрын
@@neuideas I understood the mechanism , I was trying to understand the big picture. My point was private keys revelation is not needed, if the hacker can use other ways of authentication which are provided for the user in case he loses the device.
@karlking4980
4 күн бұрын
Leo, The major concern I have regarding the password-to-passkey transition period, is that the service/company/app I am accessing will actually have both the new public key for a specific device(s) AND my original password. In the example you used where the service was hacked and they stole my public key, e-mail, etc., didn't they also get my still usable password? I mention this because I have created a few passkeys but have not seen an option to have the service permanently delete my password once the passkey was created. Therefore, even if I create or share passkeys for all my devices to a particular service, a data breach of that service will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key. What am I missing? Thanks for the excellent video! Karl
@askleonotenboom
2 күн бұрын
Microsoft allows you to remove passwords. In leiu of that, set the password to something ridiculously long and complex, and then don't save it anywhere. Nothing for hackers to steal, you'd never use it yourself, so it's as close to password-free as you can get.
@karlking4980
2 күн бұрын
@@askleonotenboom Thanks Leo. (I am in the Apple ecosystem.) Unless I misunderstood, which is entirely likely, the service still has my valid user ID and/or email and my long/complex password. Many companies use very poor data security practices and leave files exposed on cloud servers like it is a hobby, so I still believe the danger is being unable to have passwords removed from a service when you have switched entirely to passkeys. BTW, although companies frequently use poor data security practices, they are expert at apologizing after they have been breached. I currently have three different "free" identity theft services due to breaches. Being breached does not seem to cause the same reputation damage it used to. Keep up the good work! Karl
@michaelmccullough9668
Жыл бұрын
Great video Leo. I can't wait for passkeys to take over the password phase. Do you have a list of services that have already started using passkeys, besides google?
@askleonotenboom
Жыл бұрын
www.passkeys.com/whos-using-it
@emchannel4160
6 ай бұрын
superb explanation of passkey done layman terms.
@kf4wnf
6 күн бұрын
My question is, what happens if you create a passkey and use it on your mobile device for your crypto account. Is there any instance where you could lose any kind of access to your passkey, to where you couldn't access your crypto account or mobile device?
@jefffinn1105
7 ай бұрын
Excellent & clearly spelled out...thanks!
@frederickclause2694
Жыл бұрын
What happens if the machine with the passkey dies? How would you be able to access the account. I'm thinking here of things like cloud storage.
@askleonotenboom
Жыл бұрын
Each machine has it's own passkey. So you'd be starting over as outlined in the video/article by signing in some other way.
@frederickclause2694
Жыл бұрын
@@askleonotenboom But if it's possible to sign in some other way doesn't that lower the level of security? I apologize for seeming dense but considering the skills of those with less than honorable intentions and the amount of information stored in the cloud this system may be an improvement on the current model but it still isn't perfect. I suppose anyone with these concerns could just have two machines with access then if one died you wouldn't be stuck. It will be interesting to see how it will all work out in the end. Thanks for your prompt reply.
@mfr2
Жыл бұрын
So, it should be strongly recommended to generate passkeys from more than one device for each account, inmediately after creation or activation of passkeys.
@askleonotenboom
Жыл бұрын
@@mfr2 Not necessarily. It depends on the service, but like I said, you probably signed up with an email address so an email to that address could also confirm you're you.
@askleonotenboom
Жыл бұрын
@@frederickclause2694 Of course it's not perfect. There's no such thing. But it is significantly more secure than password based authentication. AND it's easier to use. 🙂
@antonwilloughby2002
7 ай бұрын
This is an absolutely fantastic video - thank you!
@sharvo6
Жыл бұрын
Subscribed! Thanks!
@alsjogren7890
Жыл бұрын
Thank you. You described a software pair of keys. And Google does supply that. But, there are vendors selling hardware devices. I assume that using hardware PassKeys, the public key is identical on each of the web services that I use the hardware PassKey. When should I consider buying the hardware PassKey? Do most web services also require a password in addition to the PassKey?
@askleonotenboom
Жыл бұрын
I haven't seen hardware passkeys. Please don't confuse Yubikey devices with this. They are two-factor keys.
@ankitsanghi
Жыл бұрын
Actually if the yubikey can provide user verification via a pin, fingerprint, or something like that, it’s considered a passkey! Most people use them for 2SV, but they’re very much usable for passkeys (given they can perform user verification)
@itssoaztek4592
11 ай бұрын
@@askleonotenboom Yubikey 5 series can be used for passkey (FIDO2/Webauthn) authentication. Actually, that seems to be the only (simple) way currently to use passkey authentication on Linux (not Android) devices.
@lohphat
11 ай бұрын
The source of “correct horse battery staple” is an XKCD cartoon. Number 936 to be exact.
@kirkusarelius3365
7 ай бұрын
Just found you. Outstanding succinct explanation thank You. Subbed of course
@cmanho8879
11 ай бұрын
Excellent expositor! Thank you very very much.
@bethweld3072
Жыл бұрын
Hmmm, thanks for the great explanation . I wish google would hire you to explain. Dreadful articles. However I am already deep in the swamp of questions. Such as- your laptop has problems any you have to give it to a repair person (not a hard drive replacement). They need admin rights. Does that leave you open? Also, another question - in an emergency (you can’t give them data) how do they get into your device to pull data? Lots and lots of questions before the complicated users feel comfortable. Again, thanks
@askleonotenboom
Жыл бұрын
"Does it leave you open" yes. Choose trustworthy repair people. (Or take extra steps to secure sensitive data while still leaving the machine operable.) Not understanding the emergency scenario you're describing, though.
@autohmae
Жыл бұрын
Make sure you always make backups of your devices and authenticate with multiple devices if you use something like passkey
@hassanmaje5849
3 ай бұрын
Where does PGP email encryption, decryption, digitally signing emails fall in the mix? Sorry, I am not a techy, just someone trying to learn and understand. Thanks.
@askleonotenboom
3 ай бұрын
Related encryption technology, but used for a different purpose.
@edcruz8820
6 ай бұрын
I saw this on my PlayStation account I have lost accounts before so I was looking for a different way to keep my account safe but I didn't understand it thank you for this video
@v3rlon
Жыл бұрын
Okay, I know and understand that passkeys > passwords, but I still have a few questions. Your house burns down and with it your laptop, desktop, tablet, and phone. How do you recover those passkeys? Now I understand how this can be done, but so will the black hat hackers in Elbownia. What can we do to prevent that attack? Next, what about brute force on the public key? Yeah, it would take a zillion years to do it on a laptop today. We had the same thing with the Windows NT password system back in the 90s, and just a few (like 4-5) years laters, it was possible to crack within hours using a desktop computer. With all the computing power on earth today (equal to a single GPU in 2050), how long does it take to get through all the possible combinations? Are there collisions (you create an A-B pair, but it turns out that R can also Decrypt some A? Can there be a 'dictionary' of passkeys? There are a number of formulas and prime numbers in use. Once they are fed through, is it possible to recognize the A key and then pull the B key out of a dictionary as well?
@MichaelJessen
Жыл бұрын
Regarding the house burning down question. If you're in the Apple ecosystem, your passkeys are stored on your iCloud Keychain. If all of your Apple devices are destroyed in the fire, when you go to set up a replacement device you'll need to go through their Apple account recovery process (assuming you lost the appleid/password in the fire too). It's a good idea to prepare for this beforehand (for example, you can nominate someone else's account as your recovery buddy). I believe Google has a similar password manager these days.
@raviscal
4 ай бұрын
What if I have only one device storing my private key (say my phone) and I lost it. What is the recovery option here? and the person who was able to get my lost phone figured out the login pin? I am not questioning the security of passkey but trying to understand this scenario. In case of password, I know it and can use it from any device. By the way excellent explanation!
@askleonotenboom
4 ай бұрын
There is ALWAYS another way to sign in. That other way may involve more steps and be less convenient (say, emailing you a code), but think about how you establish a passkey to begin with: you have to login somehow. Once you're logged in you can then revoke the passkey assigned to your phone.
@NoEgg4u
Жыл бұрын
Supplying your face-print or your finger-print, to access computers containing sensitive data, is fraught with risk. Once a bad actor gets your face-print or your finger-print, then they have your private pass-key. Yes, having two-factor authentication helps. But how many people people do not use two-factor authentication? For non essential login credentials, then use the above. But if your livelihood or your company's trade secrets could be attacked or stolen by someone with access to the above, then you should not use a finger print or a face print as the sole means of access. Can you imagine the potential damage if the Chief of Medicine physician at a hospital were able to access and alter any patient's treatments, by simply having her face scanned? Or how about military computers, or banking computers? Gaining access, even if only to disrupt services, simply by scanning someone's face, is high risk. Always use a long (virtually) uncrackable password/passphrase for anything that matters. It is all well and good to improve the convenience of authenticating yourself. But understand that convenience and security do not make for a happy marriage. With convenience, you are giving up some level of control. For any critical on-line services that I use, I always use a unique, long, unbreakable, cryptic pass phrase. I use a password manager to facilitate the above. That, too, involves some risk, if a key logger should get my password manager's master pass phrase. But they would also need my password database file, and any key-files that I might be using as part of my master pass phrase. So there are trade-offs. But always use a strong password / passphrase for critical services. Apple understands the importance of still requiring a pass-code. Every so often, you are required to tap in your code, even if you normally gain access via your face scan or your finger print. When you power on your iPhone, you must enter your pass-code. By the way, as far as I can remember, "PGP" (Pretty Good Privacy) was the first software to implement public/private key encryption -- and has since been replace with "GPG (GNU Privacy Guard)". Both PGP and GPG are free and open source. If you decide to download the above, be very careful to get it only from its official site.
@williamhughmurraycissp8405
Жыл бұрын
Not quite true. The facial or fingerprint reference is only useful on the device where it is created (remember that you created one reference on your iPhone and another on your iPad. They are both about you but will be subtly different on each device) and only for authenticating to that device. The reference is not reversible (cannot be used to see what your finger or face look like), need not be kept secret, and copies of it are not useful. One must have both the device on which the private key was created and is stored and beneficial use (finger, face, or PIN) of the device, whether the device is a mobile, desktop, or UbiKey. If you are to have privileged use of my systems I will likely associate that access (private key) with a token (e.g. Ubikey, SecureID) that I both own and can reclaim upon your separation (e.g., retirement, termination for cause.)
@richardlanglois5183
2 ай бұрын
Very well explained!
@cleantechnologies9125
Жыл бұрын
Thank you for that explanation.
@steveworley1339
5 ай бұрын
Excellent explanation - thanks
@capnsalty0200
6 ай бұрын
Thanks this answers my questions.
@coolraoul3292
4 ай бұрын
My main concern about this is that I can't easily imagine what could be a smooth transition to a new device (computer or phone for example) when the previous one is damaged or simply obsolete.
@askleonotenboom
4 ай бұрын
It's exactly the same as setting up the passkey on that first device the first time. You authenticate some other way, and set it up again.
@coolraoul3292
4 ай бұрын
@@askleonotenboomThe first time it's one site at a time and progressively. When switching computer of phone with hundreds of accounts already registered with the previous device (I've more than 800 entries in the "personal" section of my KeePass database) it could be not so trivial.
@2kings3queens
11 ай бұрын
I think you confused things a little with the "A & B" thing, Just call them what they are, Private & Public, just my 2 cents. Other than that thank you very much for the hard work
@garytschacher8361
5 ай бұрын
Does the rollout of pass keys present a vulnerability for accounts that have not been set up yet that may be compromised, allowing a threat actor to set up the pass key on another device? Does the key have a method of being reestablished manually or during a password reset or account recovery process?
@askleonotenboom
5 ай бұрын
A passkey requires that you be able to authenticate some other way in order to be set up. A devices passkey can be individually revoked remotely.
@syedirfanahmad9626
Ай бұрын
Good, useful intro
@russellman1281
6 күн бұрын
What happens if you hard drive crashes? Will the passkey be on the backup. What if you have no backup. How do you get in the account?
@askleonotenboom
6 күн бұрын
The same way you got into the account when you first setup a passkey on that machine. Usually a different, more cumbersome, authentication process, like an email to your email address with a code or something similar.
@RJSandefur79
6 ай бұрын
So on my google account, I can set up a passkey for my chromebook?
@askleonotenboom
6 ай бұрын
Google account: yes. Chromebook: I haven't tested, but I would expect so.
@stevethewirepuller
Жыл бұрын
Good clear explanation. My concern is that each device is locked to each passkey. This potentially could be a lot to manage. Also a source of privacy issues. Given the exponential growth of surveillance capitalism I will avoid use of passkey until it's better addressed.
@williamhughmurraycissp8405
Жыл бұрын
Not much to manage. Registering a device requires a click and is thereafter transparent. Apple and Google😢 offer the option to store the private keys in the cloud so that one key-pair can be used across multiple devices. The choice depends in part upon which you trust more, your device or the cloud.
@stevethewirepuller
Жыл бұрын
My understanding is that if I want to use another device to check my email, it had to be authenticated. Each key pair uses the device ID as part of the encryption. Not normally a problem, but if I want to use my friends or public computer that might be an issue.
@hotjamsm07
8 ай бұрын
Now that TSA and flight security systems around the globe and immigrations check points are using fingerprint and facial identity, what could possibly go wrong? I would think that a pin number would be a better choice for the final authentication, while using these passkeys.
@YTWAGNERM1
4 ай бұрын
Very clear! Thanks!
@prettymerch
5 ай бұрын
Great explanation and examples, but I have a question! Let say that we are in 2027 all my accounts are using passkeys and there are no passwords anymore and all the private keys are stored in my machine. Now, let's imagine that someone stole my machine or it gets damaged, how can I access my accounts again without my private keys?
@askleonotenboom
5 ай бұрын
Your passkey is never the only way authenticate. Remember, in order to set up the passkey on each device you had to authenticate some way that didn't involve a passkey. So that continues to work when you move to a new device. A common password-free example is a link sent to your email account.
@tryder7901
7 ай бұрын
How do you sign out of a machine so that if someone else signs into it after you does not have access to your key?
@askleonotenboom
7 ай бұрын
They have to sign in to a different account on that machine. Passkeys are per user.
@louisesmith575
10 ай бұрын
As a senior citizen I am very concerned that when something happens to me, my children can access all my accounts and information. If I set up a passkey, do they have to have my device to do so?? Right now, I keep passwords in an encrypted file for which they have the password and I send them the current file on a semi-regular basis. This sounds wonderful if YOU are the only one using your device and the only one needing to log into accounts. But I am a bit confused about how it will work in a situation where multiple people need to access the same account (a bank is an example).
@askleonotenboom
10 ай бұрын
Whatever technique the service uses for you to set up a passkey on a new machine should be made available to your heirs.
@megcavanaugh953
4 ай бұрын
Thanks!
@askleonotenboom
4 ай бұрын
thank you!
@batman51
Жыл бұрын
Interesting. I am familiar with PGP, for example, but had not realised it could be used in this way.
@askleonotenboom
Жыл бұрын
It's one of those technologies I find endlessly fascinating.
@RhNegA-
5 ай бұрын
For how long will the private key be valid ? Does it expire ? (Like certificates do) Greetings, Rik
@askleonotenboom
4 ай бұрын
To the best of my knowledge they do not expire.
@oceanbreeze76
4 ай бұрын
Hello. What if i loose device? Can i still access my data and how? Thanks
@askleonotenboom
4 ай бұрын
Of course. You had to setup the passkey on that device by authenticating some other way to begin with, so you would simply authenticate some other way on a new device and setup a new passkey.
@fredscholl5250
11 ай бұрын
Very good explanation
@OldGirlPhotography
Жыл бұрын
This is a superb explanation. I have one dumb question: is there no way for the server side and the device side to be hacked at the same time, or even at different times, and somehow allow the private and public keys to be mated up by the hackers?
@askleonotenboom
Жыл бұрын
Seems incredibly unlikely. (As in infinitesimal chance.)
@hansm5566
Жыл бұрын
Thanks! Great video.
@thenecessitarian
Ай бұрын
I'm trying to figure out what happens if you lose access to the device which authenticates the credentials.... like the fingerprint sensor on my phone ... if my phone explodes or gets stolen... how am I going to gain access to my account?
@askleonotenboom
Ай бұрын
The same way you got access to it when you set up your passkey in the first place. There's ALWAYS another, often less convenient, way to sign in.
@darknetworld
8 ай бұрын
I wonder if they hijack but knowing hardware locked to the key. But what if the emulate the hardware?
@mitchconnor7066
2 ай бұрын
Websites that I use passkey with are asking my MacOS to do fingerprint verification. So it basically is 1FA. It is really good against fishing attacks and databreaches. So it is good against digital criminals.
@David_F579
Жыл бұрын
Great explanation - thank u
@pernilsson2394
Жыл бұрын
If the site owner isnt forced to update to passkeys it will take ages for this to be implemented. And if its mor conveinient can be discussed. I have setup passkey on my google account. So everytime i log in i have input my win passcode. Compaired to chrome just remembering the password. Not easier. Or i have to buy a camera or a fingerprint reader for my desktop. And how do i know if my fingerprint/face dont get stolen by hackers exploiting flaws in the camera/fingerprint reader? Imo just a new set problems compaired to the old way.
@TechBainCool
Ай бұрын
Great Video!
@alviolampis
7 ай бұрын
TY 8) What if you loose your PC with private keys or have the disk died?
@askleonotenboom
7 ай бұрын
Then you'll use a different recovery method to login on a new machine.
@lohphat
11 ай бұрын
The point of potential confusion is where the private key is going to be stored. It’s not obvious. If you live in a multi platform environment where you login to website from various OS and mobile devices running different OSes, who is the private key store cross platform? Do I use my Google account? Do I use my 3rd party password manager? My 2 or 3 OSes? I’m already concerned that Google Authenticator offers to backup your 2FA keys in the cloud, thats putting all your access keys in one basket and outside of your physical control. I only use the QR export and import to a separate device not via the cloud. If I put passkeys in 1Password, what if my account is hacked? All the eggs are in one basket. PKI relies on the private key not getting duplicated outside of your control. This is the weakest link if we allow the private keys out into the cloud.
@askleonotenboom
11 ай бұрын
Each platform gets its own, unique, private key the first time you sign in, and it's stored in that platforms secure store. Tools like 1Password can act as that store to make passkeys available across platforms if you like.
@lohphat
11 ай бұрын
@@askleonotenboom "In theory". As I've been testing passkeys cross platform (including Yubikey, Google and Microsoft Authenticators), I've yet to get the 1password passkey for my Adobe account (as a a test) to work x-platform. My android 14 phone and iPad OS 17 aren't accessing 1password for the passkey. The xp functionality still needs a lot of work.
@ghostmanscores1666
Жыл бұрын
Can you use emojis in passwords? It would sure expand options
@askleonotenboom
Жыл бұрын
It depends entirely on the system asking you for a password.
@marcelus4614
5 ай бұрын
GREAT VIDEO thanks!!
@MN-oy9dr
Жыл бұрын
thnx. one question, what i missed explaind. say you have done so for your phone. all is working fine. you now get a new phone. do you have to start all over again on your new phone for every account (as where it a other device as you mentioned) , and then can without a problem get access to that account ? just wondering....thnx for the feedback
@askleonotenboom
Жыл бұрын
Depends on the system you're signing into. Worst case you start over, but in general it could be as simple as a one-time additional hoop to jump through (a text message to confirm, and email to respond to, or another device on which to approve the sign in).
@briantodd6903
7 ай бұрын
Hay Leo can I use the same passkey on different devices? Or do I need more passkey Thanks
@askleonotenboom
7 ай бұрын
Some password managers like 1Password will store your passkey for use elsewhere. Otherwise, passkeys are per-device, so you'd set one up on each device the first time you sign in to the account on each device.
@roobscoob47
3 ай бұрын
Thanks, Leo~
@neuideas
Жыл бұрын
I may be a novice on this topic, but I thought that authentication with a private/public keypair was a matter of signing a "nonce" (a randomly generated number) with your private key, and the server using the public key to verify the signature. Am I wrong?
@askleonotenboom
Жыл бұрын
I believe you're correct. What you're referring to as a nonce is essentially the "I'm thinking of a number" referenced in the video. I did say it's a very high level overview and abstraction. 😀
@Technological_ko
3 ай бұрын
If someone has my passwrds already and has access to everything will this work to stop them getting into my phone?
@askleonotenboom
3 ай бұрын
Change your passwords first.
@Technological_ko
3 ай бұрын
Oh wow that's a really quick response, thank you sir. Because this person has my email will they not see that?
@Technological_ko
3 ай бұрын
I was worried I'd have to factory reset my tablet and phone... do you think I might have to do that or should changing the passwords and setting a passkey be sufficient?
@Jackie1952
4 ай бұрын
Dear Lord, this is confusing
@tubejim101
Жыл бұрын
What happens if my hard drive fails?
@askleonotenboom
Жыл бұрын
It's just like moving to a new machine, as described in the video. You'll sign in some other (typically more complicated) way.
@mikechaplin1566
8 ай бұрын
Will password managers still have value when everyone starts using passkeys?
@askleonotenboom
8 ай бұрын
Yes. My password manager is now also serving as a repository for passkeys. (1Password) - and not all sites will migrate to passkeys.
@mikechaplin1566
8 ай бұрын
@@askleonotenboom I have used 1Password for years, but have not started using Passkeys because I didn't really know anything about them....now I do.
Пікірлер: 231