Passkeys vs Hardware Keys - Which One Works Best For You?

  • Published 2 Aug 2024
  • Get a Yubikey and protect your accounts! www.pjatr.com/t/SENKSk5PS05DS... * and:
    Use code “SHANNONMORSE” for $5 off ANY YubiKey 5 Series or Security Key Series purchase!
    This episode is sponsored by Yubico!
    LINKS:
    Who is using passkeys? www.passkeys.com/whos-using-it and passkeys.directory/
    Passkey vs Password: www.techtarget.com/whatis/fea...
    Passkeys FAQ: www.yubico.com/blog/a-yubico-...
    www.yubico.com/blog/passkeys-...
    Hardware Bound Passkey FAQ: www.techrepublic.com/article/...
    FIDO2 and Passkeys: www.techrepublic.com/article/...
    1Password now supports passkeys: www.techrepublic.com/article/...
    FIDO White Paper: media.fidoalliance.org/wp-con...
    fidoalliance.org/passkeys/#faq
    How Long Does It Take To Brute Force A Password in 2023? www.hivesystems.io/blog/are-y...
    Passkeys with Google: www.theverge.com/23712758/goo...
    Passkey.org: passkey.org/#TABLE
    FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
  • Science & Technology

COMMENTS • 113

  • @ShannonMorse 11 months ago +11

    Thanks for all the love on this video - I worked so hard on the research for this one!! Here's the yubico deal for anyone interested: My affiliate link: www.pjatr.com/t/SENKSk5PS05DSEdGR0ZJQ0dPR0tNSw * and Use code “SHANNONMORSE” for $5 off ANY YubiKey 5 Series or Security Key Series purchase. And if you're looking for the white paper about passkeys, or more of my reference material, I compile all of those links in the shownotes (click "MORE" under the title to see all of my links). Love yall!

    • @jimcabezola3051 11 months ago +1

      I really enjoy your content on passkeys and security issues. That's MY jam, and you deliver on it. Mahalo!

  • @robertmcelfresh1031 11 months ago +11

    I would love a video on the most common Threat Models for people, probably broken out by age and life stage. I have elderly family members that I try to train on Phishing but one got caught with the "This is Microsoft. Your computer has a virus. Please type these commands in so we can help you..." scam.

    • @haxwithaxe 11 months ago

      Phishing is rough. I've trained my (small) family well enough to stop, send me a photo not a screenshot, and back off or power off if something goes seriously wrong even if it looks legit. A process verified working yesterday with something similar to what you described. I have yet to get a false positive but my mom was a hacker decades ago so your mileage may vary.

  • @paulbigbee 11 months ago +23

    Great video Shannon, and thanks for keeping this topic current and vital. We’re still all waiting on financial and banking vendors to support MFA properly but at least my videogame access is secure!

    • @richardpetty9159 5 months ago +2

      It’s frustrating that banks and other financial institutions are such amateurs at online customer security.

    • @fabiandrinksmilk6205 4 months ago

      @richardpetty9159 I find it most frustrating when they think they can do better. Many banks will implement their own way of 2FA instead of implementing the industry standard. Some of my banks will have a hardware device that reads your card and asks you for your PIN code and then it gives you a code that you use on your computer, but those devices are bank specific and they're now moving away from that to their own mobile apps with just 5 digit code (and biometrics optionally). Another bank in Central America literally only has a username and password to log into its web interface. Now it does have an option for 2FA, but only with their own app that has its own version of 6 digit rolling codes.

  • @agstar5837 11 months ago +6

    3 yubikeys and a solo key mean I'm convinced but keep the content coming! Your ability to explain means we all learn something new or approaches or uses we hadn't thought of.

    • @SmallSpoonBrigade 11 months ago

      Currently, hardware keys are unbreakable. If somebody wants to break in when blocked by a hardware key, they need to actually get the physical key. That may change with quantum computing, but there likely will be keys that are developed to handle that as well.

  • @michaelekpo4011 11 months ago +4

    Watching your videos is always a priority for me. Thank you Shannon! You're still one of the very best!!

  • @roymazz 11 months ago +7

    Great stuff, Shannon! I wish banks would get on board and ramp up their security options. If any entity should be the most secure, it should be banks. BTW, I don't care what Musk does with Twitter, don't stop making that bird fly in with that cute sound! :)

  • @garynagle3093 11 months ago

    Thank you so much for educating me, and others, on the need for password security.

  • @demiancoorey2394 4 months ago

    Thank you for the research effort on this one. Totally worth it for me. I'm a huge fan

  • @jmr 11 months ago +9

    IIRC 25 passkey limit per YubiKey currently. Not a big deal yet and still unlimited for MFA. I'll be using hardware for important accounts.

    • @ShannonMorse 11 months ago +3

      Yes, I mentioned this limitation in my last video and I referred to that video in this one when I said there are caveats.

    • @jmr 11 months ago +1

      @ShannonMorse Been watching a lot on the topic and don't remember where I heard it all. 😆

  • @zombieson285 11 months ago

    Great video! I was just reading on this last night .... it's like you are on my network...

  • @BenoitCasey 11 months ago

    Shannon Morse: making people smarter! Thanks!

  • @Naaackers 11 months ago +7

    I FOUND VALUE IN THIS CONTENT

    • @ShannonMorse 11 months ago +2

      🤣🤣🤣 thanks Naaackers

    • @fool9111z 8 months ago

      Great video. May I suggest two things:
      1. Don’t say passkey vs MFA. Passkey is just one of many MFA methods. It is just more convenient and strong at the same time. The two factors for passkeys are a) physical device that stores the passkey b) the biometric or PIN that unlocks the physical device.
      2. What exactly is the difference between passkey vs the FIDO2 keys before passkey? This important question has not been answered. Prior to passkey, Windows for example uses Windows Hello to store and use locally generated FIDO keys. Other than syncing/backing up in the cloud, how is passkey different?

  • @featheredserpentofthewest2049 11 months ago

    Thanks Shannon!

  • @0027speedy 11 months ago

    Great content, as always!

  • @pluto124 11 months ago +4

    I do find these videos informative. I had turned passkeys on for my Gmail account and turned off 2fa. I've been getting passkey prompts in windows, my iPad and Android phone without issues. Thought I was safe and then I logged into gmail on a Pop OS PC with Firefox and it just asked for my password without any passkey confirmation. Let me right in.

  • @patrickstar3066 11 months ago

    Thank u for this valuable information 😃😃😃

  • @PE4Doers 11 months ago +2

    Great video Shannon (thumbs-up already smashed). I am still that person you chatted with at VidSummit 21 who was a CISSP with a broken wallet card. Security is VERY important, but I am leaving the 'field of battle.' I just recently renewed my CISSP after completing its enormous CPE requirement (120 credit hours, with 80 being specifically on security over three years); once this term expires in 2026 I will let it go (after 27 years of Certification). I will be retired then, and have already stopped making Security videos on my Channel a couple of years back due to a lack of interest. I see the same thing from the executives at my current day-job (who have punished me at review time for pushing too hard). Though I would like to continue the good-fight, I have lost hope that people will learn from the experiences and expertise of others - they need to be victims I'm afraid. I will definitely continue to watch your content (and comment from time-to-time since I can't avoid raising the sword of the fight many times), but I am reluctantly done. My niche will sans security and stick to general Computer Engineering/Technology education of the World.

  • @neuideas 9 months ago

    I took advantage of your discount code, and purchased 2 Yubico Security Keys ($48 after taxes and shipping). I'm not 100% sure I know what I'm going to start with, but I'll let you know how it goes. Chances are, I'll be adding a hardware key to my Bitwarden account.

  • @miner3993 8 months ago

    Great Videos, I just started on learning how to improve my online privacy and security. Your videos have been a great inspiration and help I appreciate all your hard work you have invested on your channel. I have a quick question, Will the Yubikey "Security Key Series" work with passkey as you show in this video? I'm looking at the Security Key Series or do I need YubiKey 5 C NFC one. I don't really understand what I get for the extra money. can you please explain the differences.

  • @haxwithaxe 11 months ago

    I'm not a regular viewer so I just noticed the ocarina of time navi "HEY!". Very nice! Also glad you're covering this.

    • @ShannonMorse 11 months ago

      Hey, thanks! And I'm a big nerd. You'll find nerdy Easter eggs all over my videos. 😏

  • @barbeeemmons28 11 months ago +3

    I’ve found your videos to be extremely helpful in trying to find out what the best security measures I can take. I still get confused as how to use the YubiKey but a very kind gentleman has been trying to explain to me exactly how to use it. Thank you for providing the information you do.

  • @jeffhale1189 11 months ago

    Thanks for sharing. I am interested in more passkey videos. Blessings on your day!

  • @brandonfausti7341 11 months ago +1

    Hi Shannon, thanks for your channel. I'm wanting to upgrade my biz security to a very high level. If I've heard you correctly, the best blend of highest security and convenience would come from a dual approach using a Password Vault like Lastpass or Bitwarden (please provide a recommendation of favorites) as well as a Yubikey. Can you please provide a detailed scenario of this process for best practices?

  • @k.c.sunshine1934 4 months ago +1

    Nice video!
    I would prefer future videos to have 5 to 10dB less volume on the background music; I find it hard to concentrate with this video's background volume level.

  • @oliverjamesspicer 11 months ago

    Great vid 😊

  • @Aslam388 1 month ago

    nice tips

  • @zoomingby 3 months ago

    Hi, great vid, would you consider adding a link to a past video when you reference it in a video that's playing? Thanks :)

  • @merkury28 11 months ago

    @ShannonMorse Hi, I own Mac Book M1 and Google Pixel 7 Pro. Is it possible to use passkeys with this configuration on Apple account?

  • @CM-mo7mv 11 months ago +1

    Even though the support is lacking I still like my only key. Wonder if you could make a comparison to yubikey..

  • @stevenpugh5412 11 months ago

    This is a great video
    Much I need to know
    Thanks for keeping me informed
    I again am duly warned…
    May the algorithm reward you well
    Important information you do tell!

  • @God77Particle 11 months ago +1

    ⭐ Thanks again Sailor Moon Shannon ⭐

  • @swrenn 4 months ago

    So I switched to Bitwarden a couple of months ago and just bought my first 2 Yubikeys. When I add it to my accounts the Bitwarden extension wants to add a passkey. I have to select a physical key, but it asks for "just this once" or "every time." I selected every time, but should I have selected this or just this once? If I should select just this once, how do I change this setting?

  • @explorergal91 6 months ago

    I am interested in starting to use passkeys but I have a question. If my phone can be opened using a six digit code, or my iPad using a four digit code, then if I lose my phone and someone cracks that code and the passkey is saved on the device, then do they have access to everything? It seems as if everything is only as safe as the code you use to unlock your phone or iPad. I understand that biometrics can unlock it but since a code can also do it then all they need is that code? What am I missing here?

  • @Outsource206 11 months ago

    Great subject, so they're going to get rid of the password? Pass key will take its place sometime in the future...

  • @Pfsensepluss 8 months ago

    Hi Shannon, I've ordered some YubiKeys. I'm curious to ask: do you carry yours on a keychain for on the go? How do you carry yours to not lose them? I'm concerned with my industrial job and having it on my keychain in my pocket that my keys may rough up the key's contacts and so on. Curious to hear your opinion. I recently found your channel and am very happy I did, great content!

    • @ShannonMorse 8 months ago

      Tbh you can probably just leave it at home unless you find yourself needing to unlock a device with them while you're out and about. Cookies will keep your phone apps logged in. If you have a wallet with a coin zipper compartment you could put it in there too.

  • @anomittity 11 months ago

    I already had a problem using passkeys using IP cameras that pair to your network using QR codes on a phone app and Google account. I had passkey enabled along with a Yubico 5Ci key and I was unable to log into my account to view my cams. When I turned off passkeys, the problem went away. So there are some limitations I have found thus far. I even removed 2FA for SMS and my hardware key and email but left passkey enabled. Still had issues. When I put just the hardware key back after removing the passkey feature is when everything cleared up. Hope this helps anyone with a similar issue.

  • @user-fv1dh8ym6d 4 months ago

    Hi, Shannon.
    I love the way you explained everything about Passkeys.
    One question that has been in my mind for quite some time, once I have Passkeys set up for a certain account, should I then delete/disable the less secure 2FA options I had set up prior such as via SMS and E-Mail (and ONLY use Passkeys as my 2FA) as SMS and E-Mail 2FAs seem easier to hack compared to just using a Passkey?
    Thanks for the advice.
    Cheers!

    • @ShannonMorse 4 months ago +2

      Yes absolutely. Just make sure you've copied down your backup codes and optionally set up a secondary key in case the first one is lost

  • @EdwinLacen-te3gr 2 months ago

    So are you gonna get it in the phone company Astra?

  • @adco 11 months ago

    New subscriber
    Found you on X. Great video!!🏆

  • @ronmortimer252 5 months ago

    I'm beginning to get the strong feeling I should start trying to learn whatever language this content was recorded in. This new space-age language is quite unfamiliar to this 1950s and 60s boy. :)

  • @MelissaB0999 11 months ago

    Thank you for the video Shannon. Choosing a Password Manager, and I see that 1Password and Dashlane are supporting Passkeys already. Are there any other password managers out there that do?

    • @clubpenguin13531 7 months ago +1

      NordPass and Bitwarden both do, as well

  • @bitogre 11 months ago +2

    What is to keep someone from logging into your account if they manage to steal your passkey and use it before you are able to unlink the passkey? I would think having a second factor would be needed to keep your accounts secure from a stolen passkey. In the case of using your phone as a passkey, the unlock code or fingerprint would probably be good enough in most cases. But, if using a Yubikey, most do not support biometrics. Do those without biometric need a password to use the Yubikey as a passkey or could they be used if stolen without knowing anything else?

    • @ovidiu_nl 11 months ago +4

      You will be prompted for your FIDO2 PIN.

  • @gbroton 6 months ago +1

    Passkeys are not a replacement for 2FA. Without 2FA losing your device is like losing keys to your apartment. If someone knows where they can use it, they can use it to get inside.

    • @destructodisk9074 5 months ago +1

      Well if I lose my device and someone can use it to get into websites, I'd rather have a passkey. That would require they use the fingerprint or Face ID. If it's just a password with 2fa, most people have their 2fa as sms or a 2fa app on the device. So they could login with just the password if they have the device. With Passkey they are locked out unless they cut off my thumb lol.

  • @pageek3487 2 months ago

    Does anyone know the difference between Series 5 and Series 5 FIPS?

  • @Meowski_2 3 months ago

    I have a question ⁉️ I'm in India and while out my bank WILL NOT send me txt because I use VOIP on Google voice. I had a Verizon account and ported my number. I'm out here now and there is NOTHING I can do. If I use my phone for my passkey I'm fd. Also things go missing so yubikey won't work out here. Suggestions? With so many digital nomads and crypto nerds.... We need info please! Thanks!

  • @brachiator1 11 months ago

    I am a little unclear as to how 2 Yubikeys would work, if I am keeping one for backup. Do I have to set both of them up at the same time? Do I have to duplicate any setup information on both devices? Also, can you use the same Yubikeys across multiple platforms, e.g., Android, Windows and Apple?
    Thank you for all the great information.

    • @robonator2945 11 months ago +1

      To be brief, No^, No-, Yes+
      ^You need to set them both up for each account but no you do not *_technically_* need to do it at the same time, although for every day you spend NOT having set both of them up you risk losing your only way into your account. This can be mitigated if you instead use a password manager that has TOTP code generation built in however. If you lock your password manager behind a hardware key that you keep with you and one backup that you keep safe (and preferably hidden) then you could put all of the TOTP codes into that instead.
      This is a bit of a security trade off though, since now instead of having every site require your key directly you're having every site require something in your password manager that you need your key to access. If however your password manager gets hacked though then people could get into your accounts without your hardware key, so you want to make sure your manager is secure. Some managers are so secure their servers could literally be public access and you could still not even bother to change your passwords even if the hackers had quantum computers, others not so much. Of course, as I said it's a trade off, because while you are potentially more digitally exposed if you have to take out and use your key often that gives you more chances to drop it, have it stolen, etc. Either option is miles more secure than the alternatives though.
      -You do not have to duplicate information between keys. So long as you set them both up for your accounts they will both work. For all intents and purposes, think of them as two entirely different and unrelated devices that just happen to do the same thing. Something that happens to one key means absolutely nothing to the other key and vice versa. You CAN "duplicate" some information between yubikeys AFAIK but there are a *_lot_* of asterisks to that. First, you can't clone an existing key. If you could do that, then someone else could steal your key, clone it, drop the key somewhere innocuous where you'll find it later, and now you're compromised without even knowing it. You can however manually configure the stored data on your yubikeys using the yubikey manager (I think, that might not be its name but I think so) so you can configure two keys with the same HMAC challenge response value for example. However even in that case I *_believe_* that most of the protocols that yubikeys support also have an internal memory aspect to them as well, so even if you setup two keys identically they won't necessarily work interchangeably. I'm sure there are some exceptions to this where you can setup two keys the same and then they will behave interchangeably on a protocol, but those would DEFINITELY be exceptions and I can confidently say that if you *_are_* intentionally using one of those protocols then you will definitely already know how they behave.
      +Yubikeys work across basically every platform. The same key will work on iOS, Android, Windows, Linux, MacOS, and anything else that asks for it. The only time I have had something ask for a yubikey and had it not work was when I was running a browser installed via flatpak, and even then I'm sure it was probably an edge case. The one exception to this is of course if the key will even fit in the port, for instance iPhones which use lightning would need either a yubikey with a lightning port, a lightning to usb adapter, or a yubikey with NFC functionality.

  • @arentibbs799 11 months ago +2

    How to keep track of which Yubikey is currently being used on which application? If a new Yubikey is purchased, how to know which websites or applications it needs to be added to?

    • @ShannonMorse 11 months ago +1

      I use Yubikey skins (sold on Yubico's website) to differentiate my different keys. Websites also let you nickname them when you set them up, or they'll identify them based on which type of yubikey is registered (such as "Yubikey 5ci" or "Yubikey 5 NFC" etc.).

  • @eddierubio2796 2 months ago

    What happens if you have multiple devices or get a new phone

  • @bb5236 8 months ago +1

    Unfortunately, there is no MFA on Microsoft or Google. You just need to choose to authenticate via one of the many options, which degrades the security level

  • @bradbeckett 5 months ago

    If you are all-in on the Apple ecosystem then passkeys can be synced to both your computer and iPhone. 🍎😎

  • @allanjones9068 11 months ago +1

    Is this safe against cookie stealing (session hijacking)?
    If I logged in using an Yubikey, will the hacker be able to be logged in as me if they steal my cookie?
    I have been hacked using cookie stealing recently and I am trying to protect myself, but I can't find a way to protect me from this.

    • @richardpetty9159 5 months ago

      You have identified two separate issues.

  • @EdwinLacen-te3gr 2 months ago

    Yeah, but the Apple has a thing to block it. It’s the password your pin, and the bank and get in.

  • @Notone6789 10 months ago +1

    The info is great. The music is distracting.

    • @kevinmcfarlane2752 1 month ago

      Lol, it wasn’t distracting to me until you mentioned it was distracting. Now it’s distracting!

  • @loneranger5928 11 months ago

    Good video Sharon if someone knows your phone identification, you use as a passkey. Can they duplicate it?

    • @robonator2945 11 months ago +1

      If you mean phone number, imei, google account, etc. then no, but if you're asking whether or not someone with hardware access to your device could duplicate it almost certainly not, but "almost" is a relevant word there. There are things like cold-boot attacks which really screw over almost all forms of security, but AFAIK most phones implement these sorts of security features in-hardware so even cold-boot attacks can't bypass them. With that said, if you're so security conscious that you have to worry about the CIA, NSA, and FBI all collaborating to perform some elaborate extraction of your phone's hardware passkey without your knowledge, you should probably just buy a yubikey and avoid the phone altogether.
      It's *_possible_* that some phones have bad software implementations or something similar, but if you have a phone from any brand that exists on a google search I wouldn't really care about that as a possibility. The people who design these things design them as paranoia filled as possible. While crappy implementations probably do exist, by now we've already figured out the right way to do it. What's far more likely is that someone with access to your phone would just use it as a passkey through spoofing another form of identification than try some elaborate duplication attack.
      Again though, this is only even vaguely a possibility if they have hardware access and even then it's unfathomably unlikely.

    • @loneranger5928 11 months ago

      @robonator2945 thanks for the information. I was curious

  • @janokartal5690 11 months ago

    Good 👍

  • @philipcaldwell3187 6 months ago

    I have been using the underlying tech since the late 70’s. It is such a problematic tech to implement that 50 years later it is still struggling for acceptance. Maybe the next 50 years holds promise.

  • @barabararossa 19 days ago

    as long as Google's Android Passkey implementation stays broken when you use Chrome password for sync of your data, I will refuse to use it.

  • @Zachsnotboard 6 months ago

    Microsoft is introducing passkeys to its Authenticator app

  • @severgun 7 months ago

    1:20 make you lose consciousness and biometrics compromised

  • @Srootus 10 months ago

    Sooo, the whole passkey thing is just moving FIDO2 from second factor, to first factor?

    • @seetentees 9 months ago

      Sorta. With older 2FA, in order to login, you need to prove you know something, and then that you have something directly to a website. The website verifies both things, and ur in.
      With passkeys, to the website, you need to prove that you're able to convince the holder of a cryptographic private key to prove that the private key is held. Websites will only trust this proof from a device that also requires you to prove you know something (a PIN) or are something (with a fingerprint, face scan, or other challenge, if you so choose to use a biometric lock). So it's still multi-factor auth.
      Passkeys change the way the primary challenge happens (but it's still between you and the website, and is more likely to be between you and the website 🔐), but move the second factor challenge away from the website and onto a device that you (the account holder) trust and can secure. And also, because of how it works, at least as far as the website's concerned, you can have multiple passkeys without really reducing your security exposure. Whether this makes things less secure is really up to how well you can secure physical things in ur possession.

    • @richardpetty9159 5 months ago

      Like public/private SSH keys.
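
What the website can actually see of the PIN or biometric step discussed in the thread above is a set of flag bits in the WebAuthn authenticator data, next to the challenge and origin in clientDataJSON. The sketch below is an added example, not part of the video or the comments: it shows those relying-party checks in Python, including the backup flags that separate a synced passkey from a device-bound hardware key. The function names, `example.com`, the lookalike origin and all sample bytes are constructed for illustration, and signature verification (which needs a crypto library) is left out.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present: someone touched or confirmed on the device
FLAG_UV = 0x04  # user verified: the device checked a PIN or biometric
FLAG_BE = 0x08  # backup eligible: the credential is allowed to sync
FLAG_BS = 0x10  # backup state: the credential is currently backed up


@dataclass
class AssertionFacts:
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding of the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion(auth_data: bytes, client_data_json: bytes, *, rp_id: str,
                    origin: str, challenge: bytes, stored_sign_count: int = 0,
                    require_uv: bool = True) -> AssertionFacts:
    """Relying-party checks on a login assertion (signature check not shown)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication assertion")
    if client.get("challenge") != b64url(challenge):
        raise ValueError("challenge mismatch (replayed or foreign response)")
    if client.get("origin") != origin:
        raise ValueError("origin mismatch (response produced for another site)")

    # Fixed header: 32-byte rpIdHash, 1 flags byte, 4-byte big-endian counter.
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch (credential scoped to another RP ID)")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification (PIN/biometric) was not performed")
    # Authenticators without a counter report 0; a non-zero counter that
    # fails to increase is a signal that the credential may have been copied.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return AssertionFacts(bool(flags & FLAG_UV), bool(flags & FLAG_BE),
                          bool(flags & FLAG_BS), sign_count)


# --- constructed sample inputs (not captured from a real authenticator) ---
def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


if __name__ == "__main__":
    ch = bytes(range(32))
    site = dict(rp_id="example.com", origin="https://example.com", challenge=ch)
    cases = {
        "hardware key with PIN": (FLAG_UP | FLAG_UV, 42, "https://example.com"),
        "synced passkey": (FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, "https://example.com"),
        "touch only, no PIN": (FLAG_UP, 43, "https://example.com"),
        "lookalike origin": (FLAG_UP | FLAG_UV, 44, "https://examp1e.com"),
    }
    for name, (flags, count, seen_origin) in cases.items():
        try:
            facts = check_assertion(make_auth_data("example.com", flags, count),
                                    make_client_data(ch, seen_origin), **site)
            print(f"{name}: accepted {facts}")
        except ValueError as err:
            print(f"{name}: rejected, {err}")
```

A site that only wants device-bound credentials for an account can additionally refuse assertions where `backup_eligible` is true.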

  • @LazyJones 11 months ago +1

    Comment for engagement

  • @RandoBurner 10 months ago

    What if you lose your phone?

    • @ShannonMorse 10 months ago

      I answered this in my passkeys playlist!

  • @TomSayles 11 months ago

    Again a Patron looking for how the hardware keys can support PGP encryption.

  • @823Steve 11 months ago +1

    I bought a couple yubikeys when they first came out. As I remember, they were very hard to set up. Using them was, frankly a pain in the arears. They also were USB-3 and these days not all laptops have anything other than a USB-C. I don't think I want to go through that again.

  • @durchschnittlich 11 months ago

    I just don't wanna be screwed if and when I kill my phone

    • @ShannonMorse 11 months ago

      In that case, getting a couple of hardware keys is probably a better option

  • @ColoRadio6996 11 months ago +1

    Shannon: Have fun in Vegas, Cheers J

    • @BDBD16 11 months ago

      Defcon has been cancelled.

  • @john-cv9dy 11 months ago

    excellent as ever, Shannon (but the music....?)

    • @ShannonMorse 11 months ago +1

      Aw, don't like the music? I chose a new soundtrack this time. Too loud or just don't like the song?

  • @robonator2945 11 months ago +1

    I honestly find passkeys as a concept so annoying because, yes, I get that they're good in a lot of ways for convenience, but it has gotten to the point where humanity has an unpickable, unhackable, and extremely durable authentication method... and then we tried to put it in a phone again because people can't be bothered to just carry a key. It's not that I don't see the *_reason_* for wanting it to be in the phone it's just, really humanity? You invent this perfect blend of hardware and software security that's completely isolated yet supremely convenient, perfectly meshing the security benefits of both the digital and physical, and then you digitized it fully and stuck it in your phone again. I swear it's literally llamas with hats, we just can't stop ourselves from putting things in phones.
    We are just never going to break this cycle are we? Every day that goes by I have to ask myself more and more if the boomers were right; maybe phones were a mistake and we should go back to the good old days of fax machines. I miss the fax machines.

  • @razvancomsa2276 4 months ago

    To be honest I don't trust it... something feels off.

  • @Kjhd9987hy 4 days ago

    I'll stick to 2fa apps

  • @riggle74 11 months ago

    Great content, as always!