Understand passkeys in 4 minutes

  • Published 26 Aug 2024
  • Are you still using passwords? Passkeys are a new authentication technology that enables creating online accounts and signing in to them simply and securely, using just a fingerprint, face scan, or device PIN.
    Learn more about passkeys and make your users’ online experiences easier and more secure!
    Resources:
    Passkeys overview → goo.gle/passkeys
    Sign in with a passkey through form autofill → goo.gle/3MlyD2a
    Create a passkey for passwordless logins → goo.gle/3Kcytrf
    Sign in your user with Credential Manager → goo.gle/3UpWq3f
    Subscribe to Google Chrome Developers → goo.gle/Chrome...
    #ChromeDevelopers

COMMENTS • 336

  • @aduad
    @aduad 1 year ago +152

    1:57 If the passkey is stored on the device, what happens if that device is lost or stolen?...how would you retrieve your accounts before getting a replacement device 2:54?...this should have been included in the video!

    • @mokiloke
      @mokiloke 1 year ago +7

      I believe you would log on using another device you have like a laptop, which assumes you have one.

    • @janAkaliKilo
      @janAkaliKilo 1 year ago +39

      @@mokiloke then what should you do if you lose all your devices in a flood, fire or other emergency?

    • @ozordiprince9405
      @ozordiprince9405 1 year ago

      @@hnv151 so once you lose your iCloud account to an attacker, they have all your PassKeys as well??? Unless you use a passkey to sign in to your iCloud account. Therefore creating an infinite loop of lost passwords

    • @vashlex
      @vashlex 1 year ago +23

      This is what I want to know too: Right now it is not transparent where the private key actually is and where it is backed up. How can I ensure my personal privacy without relying on Google or anyone else but myself?

    • @rssaini01
      @rssaini01 11 months ago +4

      Then the backup codes came into the picture.

  • @JohnFrazier
    @JohnFrazier 8 months ago +65

    Passkeys are still confusing. Does the passkey I use in Chrome on my Windows computer work on my Mac? Does the passkey I use on my Mac work on my Windows computer? Do Chrome passkeys propagate on my Google account, my Apple Keychain, 1Password, Lastpass, Bitwarden? Are they shared? If I wipe my hard drive and reinstall the OS, do I have to create new passkeys? Can I back them up to local-storage? When I do a security audit, is the fact that I have half-a-dozen passkeys for one website bad, or is that okay? Did I make them, or did somebody else? If I delete them will I get locked out?
    Do you see how this can be confusing for people?

    • @echongkan01
      @echongkan01 6 months ago +1

      Passkeys are Device + Platform wise. e.g. each passkey is a combination for Browser + Website, BUT, depending on the platform and user settings, the same passkey can be used in a different device, like a phone, to grant access to the SAME platform in a different device ( around min 3 is explained )

    • @WilliamPorterTech
      @WilliamPorterTech 6 months ago +9

      By default, passkeys are device specific. Not OS-specific. Certainly not browser or application specific: DEVICE specific. So if you set up a passkey in (say) Chrome on your Windows laptop, you'll be able to use it immediately in Edge or Brave or Vivaldi ON THE SAME MACHINE. How's that work? Well, using a passkey in Windows basically ties into Windows Hello. But you will NOT be able to use that passkey on another Windows computer or any other computer: You'll have to recreate it there, too. Not a big deal. But that's the way it works - by default.
      I say "by default" because it's now possible to store passkeys in other places, including some password managers. NordPass, for example, can store your passkeys. Now the passkey's authentication process gets moved from Windows Hello on the specific device to NordPass's own method (which, just to keep you confused, might be Windows Hello on that specific device!). Advantage of using your password manager to store passkeys is that you don't have to create them on other devices. If you use a lot of different devices to access the same accounts, this MIGHT be a small help. But if you only use one computer and one phone, then storing passkeys in your password manager isn't really any easier.
      But seriously, after you create just a couple of passkeys, you'll realize that the process is quite easy. If the passkeys are created on your devices, then you're getting the benefit of hardware authentication. Give your password manager a really good (long, strong, unique) password and then DON'T USE IT unless you have to. That's why, although I work on a lot of different devices, I create the passkeys locally and I do NOT use NordPass (my main password manager) to store them.
      NOTE that sites with good support for passkeys (like Google) will allow you to rename your passkeys. When I log into my Google account on a new device, I create a local passkey for that device (again: doesn't matter which browser I do this in) and then I rename it immediately (e.g. I change "Windows Hello 3" to "Surface Pro 9"). That way I can tell, in the manage-your-account area in my Google account settings, which passwords are for which devices. If I sell a computer, I remove the passkey.

    • @majorgear1021
      @majorgear1021 5 months ago

      @m57-ux3ng Crickets

    • @umutkayatuz9963
      @umutkayatuz9963 13 days ago

      @@echongkan01 Device specific

  • @macbitz
    @macbitz 9 months ago +98

    So with passkeys, it is only your device PIN/password that protects everything. If a criminal steals your device and gets into it, they automatically have access to all the accounts that use passkeys as they have control of your device on which the passkeys are stored. With passwords and 2FA, the criminal steals your device and gets into it but they still can't access anything without cracking your password manager AND the authenticator app that generates the 2FA keys.

    • @DroisKargva
      @DroisKargva 9 months ago +2

      This ^

    • @DroisKargva
      @DroisKargva 9 months ago

      So it seems like 2FA with TOTP seems more secure?

    • @jaredyalves
      @jaredyalves 9 months ago

      In a cybersecurity way, it's less secure. TOTP is susceptible to real-time phishing attacks. @@DroisKargva

    • @jaredyalves
      @jaredyalves 9 months ago

      Let's use a phone as an example. What about if you have sensitive photos inside it? Already connected accounts? If they have the device and the password, they can already get that information. The idea of passkeys, as I think, is to help with cyberattacks, as for right now it is the best secure way to connect to an account online, but of course, everything has ups and downs. If you just lost your phone, they can't get your passkeys, YOU would have to give it to them.

    • @tommylehomme8695
      @tommylehomme8695 9 months ago +23

      Passkeys require confirmation before using them, so the device will have to be unlocked twice. Same as with your 2FA scenario.

  • @DanBonachon
    @DanBonachon 1 year ago +32

    If I lost my phone or it got stolen? What do I do then?

    • @ro794
      @ro794 5 months ago +3

      Pray lol

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago +4

      Recovery codes. It's the same as when you set up 2FA with an authenticator app. You get 10 or 20 codes that are one-time use for recovery. You simply write them down and store them somewhere safe so when you do lose your phone or security key, you can simply enter one of those codes to get into your account again and set up a new method for login.

    • @bigjoegamer
      @bigjoegamer 9 days ago

      Use a recovery code, or use another device that has your passkeys on it. You can create multiple passkeys for the same app or website. You could also use an online password manager that syncs across your devices and keeps your credentials secure and private in an encrypted database that you can access from almost any PC/phone/tablet/laptop with an internet connection, or use an offline password manager and create backups of it that you store in multiple devices. Or you can use a security key (e.g. Yubikey or Token2) and have an extra security key (with the same credentials stored in it) that you keep hidden somewhere, while the other security key stays with you. If you lose one of the security keys, then buy a new one and use the other one to log in to your accounts so you can add the new security key to your accounts.
      If you lose access to your password manager, just use a recovery code to get back into it. Make sure you have recovery codes for your email address if that email address is what you use to sign in to your password manager and/or if the password manager uses the email address to aid in recovering your password manager account (e.g. I think 1Password requires a recovery code and also requires you to have access to your email address that you used to sign up for 1Password).

  • @MichaelChin1994
    @MichaelChin1994 9 months ago +34

    Two questions:
    1. What happens if a user loses their phone?
    2. For a legitimate reason, like aiding someone who was injured, how can you access an account you have permission to use but they aren't in the same room as you?

    • @Bless3757
      @Bless3757 9 months ago +3

      Synced Passkeys are an option, which can be synced to your devices using a Google/Apple account or (preferably imo) using a password/passkey manager like Bitwarden or 1Password

    • @tommylehomme8695
      @tommylehomme8695 9 months ago +9

      1. In practice, both Google and Apple have your private keys in the cloud, like they do your passwords now.
      2. Impossible for now.

    • @portman8909
      @portman8909 7 months ago

      You can still make emergency calls without account access. There is no legit reason to gain access

    • @matheusvportela
      @matheusvportela 7 months ago +1

      @@portman8909 I don't think that was the question. Consider your mom had an accident and is in a hospital. You need to login to her email to retrieve some information for her while she can't. How could we get this legitimate access done?

    • @letsgocapsbeatpens
      @letsgocapsbeatpens 6 months ago +1

      Passwords are still there. The presentation doesn't say that, but you'll still have a password to your account if you can't get in using a passkey.

  • @michaelstrelnikov
    @michaelstrelnikov 1 year ago +16

    If during travelling I want to log in (in an internet café) to a site that supports only passkeys and my phone does not have internet, how can it be done? What if a desktop does not have Bluetooth?

    • @syawkcab
      @syawkcab 9 months ago +2

      You would get a code from your phone that you copy into the browser

    • @michaelstrelnikov
      @michaelstrelnikov 9 months ago +6

      @@syawkcab I don't think it works that way. And you still need a connection between desktop and a phone to even initiate the authentication.

    • @bigjoegamer
      @bigjoegamer 9 days ago

      @@michaelstrelnikov It does work that way if the code is a recovery code that you saved in a file that is available offline on your phone, or saved in a password manager that lets you access it offline. Make sure you save recovery codes for your email address and your password manager. You could write the recovery codes on paper, too. Enter the recovery codes into the desktop PC if the desktop PC can't use Bluetooth. Or use a security key (e.g. Yubikey or Token2) that has your passkeys stored on it.

  • @JoelPeltonen
    @JoelPeltonen 1 year ago +46

    As a developer, this sounds very suspicious and kind of inaccurate. It kind of just sounds like automated ssh key generation and exchange, which is inherently single factor authentication.
    And if you lose the private key, you are screwed. The only way I can fathom this kind of working is if keys have to be generated per device. Even then, you need a second way of logging in.... such as a password. An existing login session providing key management is still one single factor. Then again, the explanation/example just was not clear enough on exactly what data is exchanged and stored.

    • @WilcoVerhoef
      @WilcoVerhoef 1 year ago +5

      There's a white paper by the FIDO Alliance that you can read.

    • @Mallchad
      @Mallchad 1 year ago +10

      It's an oversimplification,
      not 100% sure but I understand when you try to log in it will prompt you to recognize some code, like a QR on a device you own.
      And authenticate with an existing (possibly local) method, like fingerprint.
      Yes, the keys *are* generated per device and are easily revocable if the account manager allows it. The way it's set up it's 2 factor by default.
      Phone, fingerprint, account QR code to scan. It's kind of a lot and rather inconvenient if you don't carry around a device constantly.
      The second way of logging in is already covered by Google and they still allow you to use passwords but this doesn't apply to other companies, it also may change in the future. The thing that concerns me is I'm not sure how they plan to implement the "use this code to authenticate with passkeys" thing and passkeys management. It's a bit inconvenient to use a QR code the way it's set up right now, not super reliable, and a bit liable to abuse if it's implemented too naively.
      Also transferring passkeys to other devices looks like an early problem. Same with 2FA

    • @jamestemple8970
      @jamestemple8970 10 months ago +1

      I'll stick with passwords. Why fix what ain't broken?

    • @JoelPeltonen
      @JoelPeltonen 10 months ago

      @@jamestemple8970 I think this thingy is geared towards businesses and organizations, where there certainly are issues with passwords. In orgs a huge security issue is reusing passwords - it's de facto impossible to check if someone is reusing their workstation password at an online casino or their self-hosted wordpress blog or such. People also forget passwords all the time, and in a corporate or educational setting resetting passwords is often not trivial :/
      A third issue with passwords is sometimes users have to be stopped from having access to resources, such as a compromised account or when a user leaves an org. If just username/password access is used, that can be an organizational challenge. I bet I still would have access to things like internal file sharing, bug tracking and web servers and such if I chose to remember the passwords of them.

    • @ktwingstrom
      @ktwingstrom 9 months ago

      Because they are broken @@jamestemple8970

  • @ingolfmenzel761
    @ingolfmenzel761 1 year ago +22

    I really like the idea of passkeys and changed my password into a very complicated one, expecting that I would only need it as a backup, if ever. But it is annoying that login to a Chromebook (not unlocking screen) still requires a password. And in my opinion this contradicts the whole idea. I mean, I have my smartphone next to me and I can use it to log in to my Google account on a Chrome browser on any Windows system. Why not on a Chromebook, Google's own system?

    • @RobinNashVideos
      @RobinNashVideos 1 year ago

      This is "largely due to the way ChromeOS encrypts data at rest residing on the Chromebook itself, specifically the decryption key being tied to the password" (from an Ars Technica article)
      I agree that it's quite a nuisance, but ChromeOS simply wasn't built with passkeys in mind, and so their introduction will require more time as, from what I understand, a low-level fix needs to be implemented, which could require restructuring the OS' entire encryption system. It'll take time.

    • @RealOne68
      @RealOne68 11 months ago +3

      Real

    • @Comments_From_All_Channels
      @Comments_From_All_Channels 10 months ago +1

      Fingerprints get hacked unless you use mark of the beast

  • @chrisw1462
    @chrisw1462 1 year ago +36

    Understand ???? This has so little information it's ridiculous!! And not a single word about how it keeps either half of your passkey private!!

    • @cyphi1
      @cyphi1 3 months ago

      it's like SSH public/private key authentication.

  • @idcrafter-cgi
    @idcrafter-cgi 10 months ago +10

    but for it to be synced with other devices would mean that the private key does get stored on a Server, on Google servers which are still Server

    • @tommylehomme8695
      @tommylehomme8695 9 months ago +4

      Same with the Google password manager, or indeed any password manager

    • @metaltyphoon
      @metaltyphoon 7 months ago

      @@tommylehomme8695 that's not true at all. Bitwarden has zero knowledge architecture. Anything sent to them has already been hashed. They don't store private keys.

    • @iilwy
      @iilwy 2 months ago

      late but i'm pretty sure it's encrypted with your device's passcode, a password, or a stronger form of biometric like your fingerprint or face authentication
      meaning, it's not accessible or readable without authenticating first

    • @bigjoegamer
      @bigjoegamer 9 days ago

      Instead of storing private keys on Google servers, you can use a different password manager for storing passkeys, such as 1Password, Bitwarden, Proton Pass, KeePassXC, Strongbox, Keeper, and others. If you want to store them offline, then store them on a security key (e.g. Yubikey or Token2) or in an offline password manager such as KeePassXC or Strongbox (Strongbox is compatible with KeePass database files).

  • @yufgyug3735
    @yufgyug3735 7 months ago +8

    so generally speaking, the mobile device is the single point of failure? if an attacker gets access to users phone and pin, then the whole system is compromised, including any and all services where a passkey is used?

    • @nosrehcorporation
      @nosrehcorporation 6 months ago +2

      No, as when you move to a weird location or have a different habit it will be detected and Google will ask you for one more "pass": SMS or fingerprint, or to prove it by clicking on another device you have, etc.

    • @OkayOnyx
      @OkayOnyx 5 months ago

      Yep I have some guy who logged into my alt account and I can't up my security bc Google insists on pass key and everything I enter the key Google says it's wrong

    • @OkayOnyx
      @OkayOnyx 5 months ago

      Can't get the guy off my email

    • @Eunluv.97
      @Eunluv.97 19 days ago +1

      @@OkayOnyx is it okay now? If it is... then how?

  • @john_smith281
    @john_smith281 1 year ago +20

    So you are using 2fa and remove the password part?

    • @not_vinkami
      @not_vinkami 5 months ago

      No. This is just single factor authentication, but this single factor requires a physical device so online hackers are out of the way.

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago

      It's not that 2FA is bad, it's just that it's too inconvenient for many people. Passkeys are a hardware-backed alternative to passwords, which prevents phishing attacks and like the video said, saves a lot of money for companies with customer service that needs to reset people's password or for anyone with damages from getting hacked.

    • @bigjoegamer
      @bigjoegamer 9 days ago

      @@fabiandrinksmilk6205 "It's not that 2FA is bad, it's just that it's too inconvenient for many people"
      That's why biometrics are one of the talking points of passkeys: biometrics are convenient for many people, even more convenient than a PIN unlock or pattern unlock or a security key you have to pay money for that requires a PIN or fingerprint (e.g. Yubikey Bio).
      Passkeys are 2FA if they require something you have (phone, password manager database, security key) + something you are (fingerprint or face) or something you know (passcode or PIN or pattern).

  • @Mntrmaheffa
    @Mntrmaheffa 10 months ago +7

    Is the key actually generated for the biometric or the Google account?
    Because if I create a secret key with my face scan, then lose my device and do another scan, I HIGHLY doubt it will generate the same exact face scan, so how can I now log in?

    • @boksorunfedaisi6287
      @boksorunfedaisi6287 7 months ago

      You're right, every biometric scan will produce a different output so they can't be used to generate keys. It's used more like an authentication rather than a seed for key generation.

  • @DKH83
    @DKH83 6 months ago +4

    The narrator voice volume is hard to listen to, it goes from very soft to loud.

    • @DONOT_PANIC
      @DONOT_PANIC 2 months ago +1

      I think it may be artificially sped up as well as having the volume variations you pointed out. The video was a waste of my time.

  • @TheRythimMan
    @TheRythimMan 10 months ago +5

    I wanted to give this a try but aside from the video not actually showing me how to use pass keys it also does a bad job convincing me it's any more secure than using Bitwarden or another password manager.

    • @DroisKargva
      @DroisKargva 9 months ago

      Bitwarden also will start using passkeys to log in to the master password (most likely at the end of this month). I still think 2FA seems the safest choice tho.

    • @TheRythimMan
      @TheRythimMan 9 months ago

      @@DroisKargva I read about that but how to use it was still never explained so I'm probably not going to use pass keys.

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago

      The reason why it's safer than a password manager is because there are no passwords at all. You can have the safest password manager, but if you stumble on a phishing site or a website gets breached, an attacker has that strong password. Passkeys use either your devices' internal TPM security chip or a USB security key with such chip to store a private key, the private key never leaves the chip and isn't stored in the normal filesystem. If you do get onto a phishing site and try to use your passkey, the information that an attacker gets is useless.

    • @TheRythimMan
      @TheRythimMan 5 months ago

      @@fabiandrinksmilk6205 hi. Thanks for explaining this. You seem like you know what passkeys are. So does that mean I physically need my device to log in to websites using a passkey? What if I lose my device or it is broken? Will I be locked out? Will I only be able to log in from THAT device? If someone takes my device will they be able to log in to websites since "they have my keys?" If there are no usable USB ports on the device I want to log into how would I log in if my passkey is on a USB?
      Since watching this video only two websites have asked if I want to use passkey but I declined because I didn't understand and the websites still never really explained what they were going to be doing and I don't want to accidentally lock myself out of my accounts the way my grandma accidentally locks herself out of her iPhone. For now I'm relying on 2 factor authorization, which I understand how that works and know how to get around if I lose a device.
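
Added example (not part of the video or of any comment, and not Google's code): a simplified Node.js model of the passkey sign-in exchange that @fabiandrinksmilk6205's reply above describes, showing what the site stores and why a signature produced on a look-alike site is rejected. The `shop.example` site, the look-alike origin and all function names are assumptions made for this sketch; attestation, CBOR/COSE encoding and credential lookup are left out.

```javascript
const crypto = require('node:crypto');

// Constructed relying party (the real site) for this sketch.
const RP_ID = 'shop.example';
const RP_ORIGIN = 'https://shop.example';

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the key pair is created on the user's side. The site stores
// only the public key; the private key stays with the authenticator.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Server: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Browser + authenticator: the browser (not the page) fills in the origin it
// is really on, and the authenticator signs
// authenticatorData || SHA-256(clientDataJSON).
function signAssertion(authenticator, challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin })
  );
  const flags = Buffer.from([0x01 | 0x04]); // user present + user verified (PIN/biometric)
  const signCount = Buffer.alloc(4);        // counter left at 0 in this sketch
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signature = crypto.sign(
    'sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]),
    authenticator.privateKey
  );
  return { clientDataJSON, authenticatorData, signature };
}

// Server: every check must pass before the user is signed in.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  let clientData;
  try {
    clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  } catch {
    return 'malformed-client-data';
  }
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  if (clientData.challenge !== expectedChallenge) return 'challenge-mismatch';
  if (clientData.origin !== RP_ORIGIN) return 'origin-mismatch';

  const authData = assertion.authenticatorData;
  if (authData.length < 37) return 'malformed-authenticator-data';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rp-id-mismatch';
  if ((authData[32] & 0x04) === 0) return 'user-not-verified';

  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  const valid = crypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const { authenticator, serverRecord } = createPasskey();
  const results = {};

  // 1. Normal sign-in on the real site.
  const c1 = newChallenge();
  const good = signAssertion(authenticator, c1, RP_ORIGIN, RP_ID);
  results.legitimate = verifyAssertion(serverRecord, c1, good);

  // 2. A look-alike page (constructed origin) relays a genuine challenge.
  //    A real browser would not even offer the shop.example passkey here,
  //    because the credential is scoped to its RP ID. The model signs anyway
  //    to show that the server-side check rejects the result as well.
  const c2 = newChallenge();
  const relayed = signAssertion(
    authenticator, c2, 'https://shop-example.login.test', 'shop-example.login.test'
  );
  results.phishingRelay = verifyAssertion(serverRecord, c2, relayed);

  // 3. An earlier, valid response is presented again for a new sign-in.
  results.replay = verifyAssertion(serverRecord, newChallenge(), good);

  // 4. Whoever holds only the server's record has the public key and nothing
  //    to sign with; a signature from any other key does not verify.
  const c4 = newChallenge();
  const otherKey = createPasskey().authenticator;
  results.publicKeyOnly = verifyAssertion(
    serverRecord, c4, signAssertion(otherKey, c4, RP_ORIGIN, RP_ID)
  );

  results.serverStoresKeyType = serverRecord.publicKey.type;
  return results;
}

console.log(runScenarios());
```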

  • @DarkH4X0
    @DarkH4X0 1 year ago +7

    What if a fire destroyed my home and I lost everything? Let's assume I don't have a home anymore, let alone my smartphone. How would I deal with that? At least with password managers as long as I remembered one long passphrase I was good to go even after a disaster, now I guess I should prove my identity sending my ID to Google, that would be a long process and it would even go against my privacy. It looks like you solved a problem by introducing thousands more, very nice

    • @DarkH4X0
      @DarkH4X0 1 year ago

      (the sending my documents part would be a long process considering that as I mentioned I would have lost everything in that situation, so it would take quite a while even just to get those documents printed and delivered back)

    • @agektmr
      @agektmr 1 year ago +2

      @@DarkH4X0 All you need is a new device, an ability to sign in to your Google account, then the PIN of your previous device to resurrect the passkeys.

    • @Mallchad
      @Mallchad 1 year ago +1

      Account recovery isn't going away,
      phone carriers can help you recover your mobile number and backups can help you get access to your passkeys.
      The passkeys should be unlockable with biometric data so importing directly from a backup should be possible in future.
      Google aren't removing password logins *for now*

    • @camwha5904
      @camwha5904 2 months ago

      This is why offsite backups are important for protecting anything you don't want to/can't afford to lose. That doesn't just go for passkeys but important data in general.

    • @TheuppercaseM
      @TheuppercaseM 1 month ago

      you'd need to log into your Google account or Apple ID or whatever is holding your passkeys and you're good to go.

  • @user-we1eo5or2q
    @user-we1eo5or2q 1 year ago +4

    the audio in this video is poor, I could hardly hear what the narrator was actually saying

  • @AzphrinxOfficial
    @AzphrinxOfficial 4 months ago +1

    Understanding passkeys is really easy and I'm currently using it today. This is the next gen of passwordless feature

  • @lugano1999
    @lugano1999 7 months ago +20

    I can't believe how confusing this video is. You present the technical mumbo-jumbo but don't provide a single example.

  • @ProjectKneepads
    @ProjectKneepads 11 months ago +7

    Suppose I’ve set up passkeys with an iPhone, and I would like to change to Android (or simply lose my phone). How does this change affect my passkey experience?

    • @coolspot18
      @coolspot18 11 months ago +2

      I think this is going to be problematic unless people use a password manager with passkey support for cross platform support?

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      Just register another key for the same account on the Android. Done. Use either device to log on.

    • @frituurvlieg
      @frituurvlieg 9 months ago +2

      @@LivingInCloud1 but the thing is, how do you register that? I mean, what if for example my phone is lost and now I have bought a replacement phone.
      How can I log in to add another key? You would still need to use a password in this case I assume?

    • @LivingInCloud1
      @LivingInCloud1 9 months ago

      @@frituurvlieg In that case you need another way to auth. Always keep a spare FIDO key around as a fallback, that way you can get back in and also in a phishproof way.

    • @DroisKargva
      @DroisKargva 9 months ago

      @@LivingInCloud1 seems like a headache. Just stick with 2FA with TOTP and that solves all the problems

  • @Chicago48
    @Chicago48 5 months ago +2

    Can you still use your regular Password even though you have a Passkey? Is the Passkey an OPTION?

    • @ntagPink
      @ntagPink 1 month ago

      Still an option at the moment.

  • @B20C0
    @B20C0 5 months ago +1

    So basically passkeys are just the same type of public/private key encryption we had for ages? Back then you had to manually add private keys to your browser to use them to authenticate and rarely any website actually used that technology to authenticate.
    So the "new" thing is that it's more comfortable now?

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago +1

      The new thing is the open source standard and the widespread use of security chips or TPM chips. The private keys are stored in that chip securely instead of your normal filesystem.

  • @YS-zk4wz
    @YS-zk4wz 11 months ago +2

    Didn't understand a word of it

  • @arcticcat3040
    @arcticcat3040 1 year ago +8

    How exactly does it work on desktop without fingerprint reader? Do I need to keep scanning codes with my phone?

    • @nicolasparada
      @nicolasparada 1 year ago +3

      Pin.

    • @jayantrohila
      @jayantrohila 1 year ago +6

      same way you unlock your desktop.

    • @jamestemple8970
      @jamestemple8970 10 months ago

      @@jayantrohila But I don't ever unlock my desktop. Why would I? I also don't lock my phone.

    • @jamestemple8970
      @jamestemple8970 10 months ago

      @@nicolasparada What is the difference between a pin and a password?

    • @nicolasparada
      @nicolasparada 10 months ago

      @@jamestemple8970 that the pin is local to the device.

  • @chadsexinton
    @chadsexinton 10 months ago +2

    So if someone steals your phone you're screwed everywhere? Too much dependency on your phone.

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      How would they unlock the stolen phone?

    • @chadsexinton
      @chadsexinton 10 months ago

      @@LivingInCloud1 I mean you wouldn't be able to login anywhere.

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      @@chadsexinton Create another key on a FIDO and also in Windows Hello. Done. 🍺🍺

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      @@chadsexinton Also, you would have an iPhone keychain backup?

  • @chickadddee
    @chickadddee 4 months ago +1

    Wait, did she say "if you buy another device, Google has stored your passkey info on their servers, so your new device will work ...." ?? How is that ultimately secure?

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      It actually isn't 100% secure in that aspect. But this is the same for passwords. If you choose to use a service that stores your passwords/passkeys on a server, there is always a chance of it getting breached. But two things to keep in mind. You could choose to keep your passkey only on your device, or buy a security key to store the passkeys on. Another thing to keep in mind is that passkeys are still more secure in other aspects, like being phishing resistant.

  • @17Kalash
    @17Kalash 16 days ago

    Does anyone have a link to some tutorial or documentation about implementing passkeys in .NET Core projects?

  • @rickdg
    @rickdg 1 year ago +84

    But users appreciate password sharing.

    • @mickeymond
      @mickeymond 1 year ago +10

      If you say password sharing, do you mean having access to another person's password so that you can log into their online accounts?

    • @uchennaofoma4624
      @uchennaofoma4624 1 year ago +1

      I think so

    • @mickeymond
      @mickeymond 1 year ago +13

      Woow.
      From a security standpoint, that is quite inappropriate.
      If letting other users access your online account(some controls) is the goal then a delegate access will be the best way to go where they will also have separate credentials to log in.
      However, if existing password managers allow for password sharing, then allowing for passkeys sharing with others should be possible now or in the future based on user requests.

    • @nagarajansubramani
      @nagarajansubramani 1 year ago +8

      @@mickeymond Yes like with Netflix and other paid services where sharing is caring, and brings down the cost by division, that corporates absolutely hate and go through hoops to have you stop.

    • @mickeymond
      @mickeymond 1 year ago

      @@nagarajansubramani 🤣🤣🤣
      Then let's pray hard that Netflix and the likes do not migrate to Passkeys soon.
      And even worse, make it a mandatory login technique.
      Profiles in Netflix could be sub accounts that also log in to Netflix but enjoy their parent account's subscription but I guess it isn't a win for Netflix so they won't do that.
      Passkeys can actually be a frustration for Netflix account sharers a whole lot.

  • @CutestBoyInTheMorgue
    @CutestBoyInTheMorgue 8 months ago +1

    yeah, but what happens if you lose your devices? You get locked out without those, right? not everyone has a phone, etc.

    • @portman8909
      @portman8909 7 months ago +2

      You’d probably get a recovery code in case you lose the phone

  • @wnbot
    @wnbot 20 days ago

    My question is: when I register on Android, can I log in on iOS? I know that when I register on Android, Google will save my private key in Google cloud; it's OK if I log in on another Android device, but how about logging in on iOS?

  • @clivecummings4563
    @clivecummings4563 5 months ago +1

    Is a passkey a physical key that plugs into a USB port? I have seen these on YouTube too, but I just don't understand them at the moment. I have got eBay asking to sign up with a passkey, and it tells me to insert it in a USB port on my PC. Trouble is I don't have one and they don't even tell you what one is. Also, on some YouTube channels you have to carry it around with you everywhere and they even tell you to back it up on another key, which are not even synced together, so if you add another account it looks like you would have to do it on each device every time. As I say, I don't understand it at the moment so I may be misinterpreting it all.

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago +1

      Passkey is just a new term for different ways to log in other than passwords. This video focused on a new form of passkey, which is the security chip (TPM) already inside your device, but USB security keys like the YubiKey do the same, but as a pluggable device that you can take with you and use on different devices. When it comes to backup, you actually don't need to buy 2 USB security keys. Instead, the website where you set up 2-factor authentication or passkeys gives you one-time recovery codes. When you lose your security key, you go to the website and try to log in, and when it tells you to use your security key, you select recovery code instead so you can get into your account to block that security key and set up a new one.

    • @vmobile890
      @vmobile890 5 months ago

      @@fabiandrinksmilk6205 Yes I got that also, not the Yubico key. Now there is another key but not an object, more to study.

  • @ranzali5564
    @ranzali5564 10 months ago +2

    If someone adopts Passkeys, should they delete all other methods of authentication they used previously? For instance, Google Prompts? Could someone exploit/intercept Google Prompts if used at some point despite the fact that we set up Passkey?

    • @MartinRusnak
      @MartinRusnak 10 months ago

      Yes

    • @fabiandrinksmilk6205
      @fabiandrinksmilk6205 5 months ago

      If you have multiple ways to log in, the weakest option ultimately determines the security. You should simply think about what works for you and how you would recover your account in case you lose or forget a method. Ideally, you should delete the other methods and write down the recovery codes to store somewhere safe. That way you use your passkey for your daily login, but in the event of you losing a passkey device, you can use a recovery code.

  • @MyMomSayNoDota
    @MyMomSayNoDota 7 months ago +1

    so basically, passkey is the master password of a password manager with auto fill. passkey is your device PIN/face id/fingerprint etc, right?

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      No 😅. Passkeys are a replacement for passwords. Once created you can use them by unlocking your device (that's where the face id/fingerprint comes into play).
      Also don't think of them as a master password, each account to each website could have its own passkey.

  • @coolspot18
    @coolspot18 11 months ago +2

    Will the average person know how to back up their passkeys or keep them synchronized between devices/operating systems?

    • @DroisKargva
      @DroisKargva 10 months ago

      @@daniel.s8126 user 1234

    • @jamestemple8970
      @jamestemple8970 10 months ago

      @@daniel.s8126 It's not brain surgery.

    • @tommylehomme8695
      @tommylehomme8695 9 months ago +2

      Google, Apple and third-party password managers will take care of that

  • @luizfelipels7
    @luizfelipels7 1 month ago

    How is a PIN (usually 4 or 6 digits) more secure than passwords? 🤔

  • @TheRavageFang
    @TheRavageFang 1 year ago +5

    Is google pw manager still keeping encryption key along the encrypted passwords? Then what's the point with this?

    • @_Hespro_
      @_Hespro_ 1 year ago +3

      Phishing protection. And it's easier to push normies using passkeys than a password manager.

    • @Mallchad
      @Mallchad 1 year ago +1

      @@_Hespro_ password managers aren't super strong because they don't strictly prevent phishing attacks,
      just make it slightly more resistant if it has a safe autofill.
      Worse password managers are liable to database breaches, whereas passkeys are very *very* strongly compromise resistant since the authentication credentials are local only, and *encouraged* to use biometric backing

    • @Comments_From_All_Channels
      @Comments_From_All_Channels 10 months ago +1

      Fingerprints get hacked unless you use mark of the beast

    • @Mallchad
      @Mallchad 10 months ago

      @@Comments_From_All_Channels having a fingerprint is useless in passwordless because its tied to an authenticator with 1 device. only maybe being at risk if you break both a cloud backup of the pairing, and phish a fingerprint, and restore the backup without it being flagged, and don't get kicked out for using a new device

  • @ramysami
    @ramysami 10 months ago +1

    Why didn't passkey replace both the user name and the password, sometimes users struggle remembering the username and since the technology is capable of bypassing a username, why not?

    • @tommylehomme8695
      @tommylehomme8695 9 months ago

      They will eventually, there is no need for the username in the traditional sense now

  • @deltaechomusicnh555
    @deltaechomusicnh555 10 months ago +1

    What happens if your device breaks or gets lost? What happens if I want to log in to an account on my PC rather than phone?

    • @AlexMetslov
      @AlexMetslov 10 months ago

      You OKAY there?
      I will add then more complications.
      Also, what happens if you break your fingers and burn off the face? How do you validate your identity then?
      And if police will believe your relatives, what if you kill all your relatives and friends? How can you validate then? If you still have workplace, what if it burns down and everybody will burn along the building? How can you verify then?

  • @alexag782
    @alexag782 3 months ago

    Hey, what do you cost / money by 2-step authentication?

  • @JASNSOUNDS
    @JASNSOUNDS 1 month ago

    This is so frustrating. I’m trying to sign in with google id to apps on my new iPhone and it’s giving me a QR code to scan with another device?? Wtf how am I supposed to do that.

  • @mrkenwu1
    @mrkenwu1 29 days ago +1

    Passkeys are not safe, neither are biometrics. Two-step is still the most secure.

  • @tech.startups
    @tech.startups 1 year ago +5

    Passkeys are awesome thanks to their convenience

  • @vasiovasio
    @vasiovasio 1 year ago +8

    This video is fine, but you are NON Stop repeating the word - Device and you mean Smartphones. What about the Computers - Desktops and Laptops? Where is the biometric in the most common PC with Windows? As a Mac user, I can tell you - most Desktop PC users don't have any form of biometric recognition on their Desktop machines.

    • @majorgear1021
      @majorgear1021 5 months ago

      This. While my Macbook had a fingerprint scanner, I use it 98% in clamshell mode with external keyboard/mouse/display. No biometric scanner available.

    • @ArijitBanerjeeArley
      @ArijitBanerjeeArley 2 months ago

      I believe they mentioned, that device PINs, Patterns or Passcode would work as well. From 2:00 to 2:10
      Also, a person should be able to scan a QR code and use their mobile device to scan and verify using biometrics using the hybrid method (as mentioned in the video)

  • @yrs207
    @yrs207 6 months ago

    Passkeys could only be used as a convenient way to log in, but cannot replace the password + 2nd factor because eventually if all devices are gone/lost, there is still a need for a way to authenticate users using something stored in their mind (pass) plus some 2nd factor like an SMS code (get another new device with new SIM card but old number, or from another email account).
    Once things are recovered from that pass + 2nd factor, the new passkey pair could be established and saved for future use of password.

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      Yeah I mostly agree. Passwords will never be truly gone. But they should be rare, you should only have a handful of passwords to very important accounts/devices. I looked in my password manager, I have 500 passwords. 490 of them could easily be replaced by a passkey.

  • @tjmason6517
    @tjmason6517 1 year ago +1

    Hmmm. I wonder what benefits a unique identifier provides the authenticator...

    • @purpinkn
      @purpinkn 10 months ago

      Advertising ID

  • @latuman
    @latuman 6 months ago

    This video brings more questions than answers. Is the passkey the same as fingerprint? It's implied that it is. If not, why not? How is it not? Is it a device token? Is it a "public key" vs "private key" scenario? HOW DOES IT ACTUALLY WORK. If someone steals my fingerprint, will they now control all my passwords?

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      passkey is not the same as a fingerprint or any other biometric. why not: passkeys are stored on your device, and you can only access them once you unlocked your device.
      It is not a device token, it doesn't even indicate what device it was used from.
      It is a public/private keypair, yes.
      If someone steals your fingerprint, then yeah they could sign in using your passkeys. This argument comes up a lot, but how common do you think that is? Believe me, you would have so many more problems if someone is specifically recreating your fingerprint 😜

  • @rumaghosal9996
    @rumaghosal9996 2 months ago

    How this is related to MS office??

  • @user-cm8oe6jw8q
    @user-cm8oe6jw8q 1 month ago

    It is difficult for me to understand what is being said while that relatively loud and somewhat distracting background music is playing. Respectfully, please consider reducing the volume or removing the background music altogether. Your video is important for its informational content alone and does not need to entertain the listener. Thank you for reading my comment.

  • @CarlBraun3
    @CarlBraun3 10 months ago

    What if I lose my device? And also how can I set up Google on a new one if I will be passwordless after a loss?

  • @tizianocolazzo4097
    @tizianocolazzo4097 4 months ago

    It's a universal authenticator?

  • @darknetworld
    @darknetworld 7 months ago

    I wonder what if the phone is hijacked and an imposter accesses it? Since many apps or browsers can get user data.

  • @jonesy_b
    @jonesy_b 10 months ago +3

    how does 2fa cost me money?

    • @Carlito_El_Gooner
      @Carlito_El_Gooner 3 months ago +1

      That was one of the many questions I had.

    • @camwha5904
      @camwha5904 2 months ago

      It cost money for the company that sends the SMS codes. Sending SMS costs money, especially when done at scale like for a company doing SMS 2FA.

  • @wakaneut
    @wakaneut 12 days ago

    Very convenient. But at what cost? Most of this type of videos never touch the disadvantages of passkeys. The more dependency to big companies for authentications. Losing or stolen devices could lead to headaches to recover accounts, if possible, and many others.

  • @Chetok
    @Chetok 2 months ago +2

    Like so many you are unable or unwilling to put yourself as a newbie or non tech, you lost me less than 2 mins in, no help at all

    • @StarCampShasta
      @StarCampShasta 1 month ago

      Yeah it doesn't explain it at all. And I'm no noob

  • @franciscoRA5609
    @franciscoRA5609 7 months ago +1

    Not entirely clear

  • @blxnkstare
    @blxnkstare 9 months ago

    how to nonactive the passkey?

  • @N_Ebenezer
    @N_Ebenezer 4 months ago

    is there a better, simpler, direct explanation for how this works?

  • @ElieeEliee64
    @ElieeEliee64 10 months ago

    All this talk and Windows 11 PC with Edge browser still doesn't support passkeys. Lame

  • @CosmicAlphonso
    @CosmicAlphonso 1 year ago

    If we use google password manager to sync across devices that means these keys can travel on the internet. And what if i switch from google password manager to other service?

    • @ZohaibMasood1
      @ZohaibMasood1 11 months ago

      iCloud chain already supports passkeys so you can generate one for that. Also, 1Password is coming up with passkeys support so you can use something like that for cross platform.

  • @chrishouse6924
    @chrishouse6924 7 months ago

    what if one does not have a smartphone?

  • @vmobile890
    @vmobile890 4 months ago

    What is Google doing that another browser cannot do? Slowing a key do you mean YubiKey or key as numbers or letters or each?

  • @bororobo3805
    @bororobo3805 8 months ago

    So what if you lose your device? 🤔

  • @id104335409
    @id104335409 1 month ago +1

    And then you lose your phone and all of your accounts are locked away forever. Thanks passkeys!

  • @severgun
    @severgun 9 months ago +2

    finger of unconscious user grant all access... There is already a lot of stories when users get drunk by scammers and lose all money when use fingerprint on banking apps. Never use biometric on banking

    • @DroisKargva
      @DroisKargva 9 months ago

      this is good approach. what if robber comes and grabs your phone and forces you to give him your phone pin. then he can use passkey to access any resource from your phone.

    • @Bless3757
      @Bless3757 9 months ago

      @@DroisKargva what if the same robber just demands your bank password instead then?
      it's the same deal really
      almost ALL account hacking is done through phishing attacks and data breaches, which passkeys are MUCH more resistant to

  • @tombalabomba3084
    @tombalabomba3084 7 months ago

    Why would passwords stored on a server be compromised if a data breach happens? They should be hashed/encrypted anyways!

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      You are questioning that passwords breaches are useless because the passwords could be hashed? 😂
      You can brute force them, you can run a huge list of known passwords and their hash. You can use dictionary attacks, you can use credential stuffing.
      There are so many ways of breaking into an account protected by a password. With passkeys these attacks don't really exist.

  • @4ortson
    @4ortson 1 month ago

    Linux???????

  • @pauljohnsonbringbackdislik1469

    What is the fallback for users with no smartphone?

    • @brandoncortes9655
      @brandoncortes9655 1 year ago

      Use the password or PIN stored to sign in on your device; you also have to update it if you decide to change the password

    • @davidgarciag
      @davidgarciag 11 months ago +1

      You can create passkeys within your browser, I imagine you have to be logged in for them to be saved

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      Windows Hello, FIDO Keys...

  • @asaf2hd
    @asaf2hd 1 year ago +17

    People don't see this, but this solution drifts from an open internet environment to a closed one. Instead of being dependent on ourselves when logging into pages, we will now have to be dependent on the OS, as well as actually giving out our passkeys to Google so they can log in freely to our resources.
    Big no!

    • @camoelmao
      @camoelmao 1 year ago +4

      Google said in a blog that your passkeys are end-to-end encrypted so Google can't access your login credentials

    • @pernilsson2394
      @pernilsson2394 1 year ago +1

      @@camoelmao but Google knows what encryption is used. And they most likely have the resources to break the encryption.

    • @spencerblumenfield5377
      @spencerblumenfield5377 11 months ago +3

      @@camoelmao I believe these would be stored locally on the device, the only thing Google would have access to is the public key

  • @dnesh524
    @dnesh524 4 months ago

    this is basically shifting the password keeping responsibility to the user, instead of company. you lose your device, too bad. Good for corps

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      It's actually not much different. If you forget your password you also need a recovery via email or something else. It's the same with passkeys. Also, passkeys are usually backed up in some cloud, like with iCloud Keychain, Google Password Manager, or 1Password.
      Also, why would it be "Good for corps" when you lose your passkey? They just want you to sign in quickly to use their website/app.

  • @maltimoto
    @maltimoto 10 months ago

    so a passkey is biometric identification? why do they call it passkey then?

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      It's not. It's agnostic to how it is being secured itself. But biometrics are a common way to secure the Passkeys.

  • @tamal
    @tamal 10 months ago

    What if my fingerprint is stolen? There are ways to print someone's fingerprint.

  • @julioconradomarinardila3269
    @julioconradomarinardila3269 6 months ago +1

    Excellent protection system

  • @francescodalpozzo9269
    @francescodalpozzo9269 1 year ago

    What happens if I lose my Android phone?

  • @Ryzza5
    @Ryzza5 1 year ago +10

    So why doesn't Google let me add 2FA codes to accounts any more? I shouldn't need to provide my phone number every time. And then Google randomly decides not to let me log in even when I provide the correct username and password, with absolutely no way to proceed. I'm done and moving to another service.

    • @Oscar-vd4cv
      @Oscar-vd4cv 1 year ago

      You can still use 2factor, go to your security settings

    • @mokiloke
      @mokiloke 1 year ago

      Agreed, this whole thing is convenient, but must be a corporation's wet dream, knowing your location, phone number, etc, all through one convenient tracker.

  • @sheikhsaadi9401
    @sheikhsaadi9401 5 months ago +1

    🎉🎉

  • @markanderson6707
    @markanderson6707 18 days ago

    The narrator reminds me of the last time I called Xfinity for customer support.

  • @timfd.w.4163
    @timfd.w.4163 5 months ago

    Seems nice... But then Google will log and see every site I logged... What about privacy?

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      they could already do that when you use Google Password Manager with passwords. I'd put more trust in 1Password or another password manager

  • @pernilsson2394
    @pernilsson2394 1 year ago +4

    But one can wonder why this solution wasn't implemented earlier if passwords are so bad. One way to get rid of passwords is for the site not asking the user to create an account. But then the companies can't as easily harvest your data and target you with ads.

    • @DroisKargva
      @DroisKargva 10 months ago +1

      real

    • @ChibiKeruchan
      @ChibiKeruchan 7 months ago +1

      because earlier we do not have quantum computers. we are in a different ERA now. your password can be cracked easily if you don't make one that is 20 alphanumeric password with special characters.

    • @camwha5904
      @camwha5904 2 months ago

      @@ChibiKeruchan That only matters if you're encrypting a file. If it's a weblogin, your ip will be blocked and account locked if too many attempts are made on the account. Brute force doesn't work well against online services due to account locks. Most weblogin hacks are through phishing, credential stuffing, and stealing session cookies.

  • @sulaimandev
    @sulaimandev 10 months ago

    What if someone stole the device?

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      So? How would they get into it? You do secure your devices already today we hope?

  • @YetAnotherUser0815
    @YetAnotherUser0815 3 months ago

    Passkeys are also a pain right now. Nobody understands how it works. Some magic QR code and no overview to manage them. Plus loads of bugs in usability.

  • @-ok-
    @-ok- 7 months ago

    My fear:
    Right now, with a password manager - if my master password is compromised, I can just change it - and the rest of my accounts are still fine. (Assuming I change it fast enough)
    With Passkeys, if my passkey is compromised - then there’s no way to “change” it without going to each website one by one… right?
    So if I’ve backed up my passkey to a USB drive and put it in a safe - but somehow it gets stolen - then I’m in trouble.
    Vs if I’ve stored my password manager’s master password on a piece of paper in a safe - and that gets stolen - I can still quickly go and change it before the thief even discovers what it is they stole.
    And also - what if Google themselves are attacked - with passwords, only the hash is stored on the server so if that hash is exposed, as long as it was salted, the rest of my websites are secure… but with passkeys, if that one key is exposed, all my other websites are exposed.
    Or do I have this whole thing wrong?

    • @lorkano
      @lorkano 7 months ago

      Only public key is stored at google, and is useless when compromised. They could only sign in to google with it. To compromise passkey, you would have to have your private key compromised which is on your device

    • @-ok-
      @-ok- 6 months ago

      @@lorkano I thought "passkeys synchronise across devices" using Google Password manager? If so, that would imply that Private Keys are also synced across devices = stored in the cloud?
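
The sign-in exchange that the replies above describe (public/private key pair, only the public key held by the website), as an added example that is not part of the video or of any comment. It is a simplified model of a WebAuthn assertion in Node.js (no CBOR, attestation or counter checks); `example.com`, `example-login.test`, `alice` and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// ---- Device side: the private key is created here and never leaves ----
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// The authenticator signs authenticatorData || SHA-256(clientDataJSON).
// clientDataJSON carries the server's challenge and the origin the browser is really on.
function authenticatorSign(passkey, challenge, origin) {
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const signCount = Buffer.alloc(4); // left at 0 in this sketch
  const authenticatorData = Buffer.concat([sha256(passkey.rpId), flags, signCount]);
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signedBytes, passkey.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// The browser only offers a passkey whose rpId covers the page's own host.
function browserGetAssertion(devicePasskeys, challenge, origin) {
  const host = new URL(origin).hostname;
  const match = devicePasskeys.find((p) => host === p.rpId || host.endsWith('.' + p.rpId));
  return match ? authenticatorSign(match, challenge, origin) : null;
}

// ---- Server side: stores public keys only ----
function createServer(rpId, origin) {
  return { rpId, origin, publicKeys: new Map(), pendingChallenges: new Set() };
}

function newChallenge(server) {
  const challenge = crypto.randomBytes(32).toString('base64url');
  server.pendingChallenges.add(challenge);
  return challenge;
}

function verifyAssertion(server, username, assertion) {
  const publicKeyPem = server.publicKeys.get(username);
  if (!publicKeyPem) return 'unknown user';
  const client = JSON.parse(assertion.clientDataJSON);
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.origin !== server.origin) return 'origin mismatch';
  // Single use: delete() is false if the challenge was never issued or is already spent.
  if (!server.pendingChallenges.delete(client.challenge)) return 'unknown or reused challenge';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(server.rpId))) return 'rpId mismatch';
  const signedBytes = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signedBytes, publicKeyPem, assertion.signature)
    ? 'ok' : 'bad signature';
}

function demo() {
  const server = createServer('example.com', 'https://example.com');
  const passkey = createPasskey('example.com');
  server.publicKeys.set('alice', passkey.publicKeyPem); // registration: public key only
  const device = [passkey];
  const results = {};

  // 1. Normal sign-in, then the same captured assertion sent a second time.
  const good = browserGetAssertion(device, newChallenge(server), 'https://example.com');
  results.legit = verifyAssertion(server, 'alice', good);
  results.replay = verifyAssertion(server, 'alice', good);

  // 2. Look-alike site relays a real challenge: the browser offers no passkey there,
  //    and even a signature made for that origin fails the server's origin check.
  const relayed = newChallenge(server);
  const phishOrigin = 'https://example-login.test';
  results.phishOffered = browserGetAssertion(device, relayed, phishOrigin) !== null;
  results.phishForced = verifyAssertion(server, 'alice',
    authenticatorSign(passkey, relayed, phishOrigin));

  // 3. Server database leaked: the public key alone cannot produce a valid signature,
  //    so a login signed with any other private key is rejected.
  const otherKey = createPasskey('example.com');
  results.breach = verifyAssertion(server, 'alice',
    authenticatorSign(otherKey, newChallenge(server), 'https://example.com'));
  return results;
}

console.log(demo());
```

Whether the private key is synced through a cloud password manager, as the last reply asks, is outside this sketch: it only models what the website stores and checks.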

  • @hassanmaje5849
    @hassanmaje5849 5 months ago +1

    Does not work! Whenever I used saved password on PC it does not prompt for passkey. I had to set up Windows hello.. when logging on from mobile device there isn't any passkey prompt either. BTW passkeys have been setup in my Google account. Google is broken unless someone can fix the above 2 problems for me.

  • @ChanonpatPatanapimoljit
    @ChanonpatPatanapimoljit 10 months ago

    Keep getting your password wrong? What to do? Try switching to passkeys.

  • @jamieslate
    @jamieslate 8 months ago

    Soooo.... how can I share my netflix or similar with my whole family?

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      multiple ways, you can share access to the same passkey with a password manager like 1Password or iCloud Keychain.
      But most websites that implement passkeys will allow multiple passkeys, so you could add them for each family member or friend.

  • @tangocukedi1
    @tangocukedi1 1 year ago +5

    basically if someone can login to your laptop/cellphone, they have access to everything

    • @xE92vD
      @xE92vD 1 year ago +1

      If you do allow them to.
      Passkeys require you to have a biometric way of logging in, so a password can't be used to use a passkey.

    • @Comments_From_All_Channels
      @Comments_From_All_Channels 10 months ago +2

      Fingerprints get hacked unless you use mark of the beast

    • @ChibiKeruchan
      @ChibiKeruchan 7 months ago

      @@xE92vD finger print are easy to get when you are drunk or asleep. password don't. unless elon musk find a way to find your password using his neurolink 😂😂😂😂😂😂

    • @Carlito_El_Gooner
      @Carlito_El_Gooner 3 months ago +1

      @@Comments_From_All_Channels Was locked out of my own phone once cos the phone didn't recognize my own fingerprint. Had to do a factory reset to get back in.

  • @YourComputer
    @YourComputer 10 months ago +4

    Fingerprints, face scans and PINs are all a type of password. The assertion that this will lead to a "passwordless future" is absurd and deceitful. Also, from Google themselves, "anyone who can unlock the device can sign back into your Google Account with the passkey." That would include every other account you use passkeys for. This does *not* sound secure at all. We aren't even told if buying a new device will cause us to be completely locked out of our accounts if we don't have access to our old device. And if it were possible to log into our accounts using a new device without the need of the old device, that basically defeats the whole purpose of passkeys.

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      As long as you have ANY way to get in, you are fine. I have registered Passkeys on my FIDO key, in Windows Hello and on the iPhone for the same account so pretty much whatever happens I will get back in unless there is a fire and all devices are lost. Place a key on a cheap USB FIDO and store it at your parents house. :)

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      Also, you cannot view Passkeys as a kind of passwords. They are based on the FIDO spec and are not phishable. They are FAR from passwords in a technical sense.

    • @YourComputer
      @YourComputer 10 months ago

      @@LivingInCloud1 Clearly, no one is complaining about the scenario where you still have access to an already whitelisted device. What happens when you run out of ways to authenticate yourself? How do you prove that you are who you say you are? (Yes, let's assume worst-case scenario.) The only thing I can think of is an account recovery system that necessarily hangs on one-factor authentication. But to take one step backwards defeats the whole point of 2FA. You wouldn't be able to rely on the device having the same phone number, for that is insecure and naive.
      The whole notion of passkeys and 2FA appears to be self-refuting. On the one hand it asserts that passwords are the problem, while on the other hand it makes heavier use of passwords to solve the password problem. Sure, passkeys are a step above passwords in the sense that they are cryptographically strong and use a public-private key combo, but, lo and behold, a password in the form of either biometrics, face scan or PIN are still part of the picture.
      As far as I can tell, 2FA is not about protecting the user from other users. As it stands, it benefits companies more than it does users. It is no surprise why no one claims it is a perfect solution, and simply resort to it being a "better solution." Not even FIDO attempts to offer up a solution for cases where the user has lost all possible forms of authentication. Instead, FIDO places that burden on companies to come up with a solution for that. But I have yet to hear of anyone proposing a solution. Granted, it is not straight-forward to solve, but forcing people to have 2FA before a solution is implemented is absurd.

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      @@YourComputer In a company setting, it's a no-brainer to use Passkeys as there will be an admin available to let the user back in.
      Private accounts may turn into a problem, so again make sure you have multiple ways to authenticate. Like an extra FIDO at your parents house. ;) The added security is easily worth the small cost of a FIDO.
      PINs are involved for sure, but only on the device itself. That PIN is not possible to abuse/guess over the Internet, like a password is, for an attacker.
      There is a reason Passkeys are invented and the fact that you have to go to extremes to find a "weakness" is telling. What if you forget your password, lose access to the recovery e-mail address and your phone breaks down, all at the same time? What do you do now? :)

    • @YourComputer
      @YourComputer 10 months ago

      @@LivingInCloud1 Yeah, in a company setting, replacing passkeys is not difficult. But the issue with passkeys would still apply, in that losing the key and the key falling into the wrong hands, anyone with that key can enter. It would be no different than someone gaining access to your phone which has all the passkeys stored on it, therefore gaining access to all accounts that make use of passkeys. Like Google said, "anyone who can unlock the device can sign back into your Google Account with the passkey."
      The fact that something like SIM swapping exists is what makes worst-case scenarios difficult to impossible to account for. In the worst-case scenario where you lose all possible ways to authenticate yourself, how do you prove that you are who you say you are? You can't rely on the phone number, you can't rely on your home address, you can't rely on your full name, you can't rely on even social security number, etc, etc.
      If you can verify yourself by means other than 2FA, then 2FA is rendered useless. So long as I can pretend to be you, it wouldn't matter how many passkeys or secondary devices you have. For as long as this issue exists, 2FA will offer nothing but a false sense of security.

  • @eexit_
    @eexit_ 1 year ago

    This video is very hard to follow: the off-voice intonation is very wavy, and the voice does not detach much from the background music... For a non-native English audience, it requires a lot of attention to understand what she says.

  • @max_ishere
    @max_ishere 1 year ago +1

    1:15 it was good until you said fingerprint

    • @Carlito_El_Gooner
      @Carlito_El_Gooner 3 months ago

      Bro, don't mention fingerprints again. Once my phone did not recognize my fingerprint no matter how much I tried. I was locked out of my phone and had to do a factory reset to get back in. Lost everything.

  • @marcussacana
    @marcussacana 1 year ago

    Seems to be more one thing to make impossible to live without the gapps in your phone.

    • @Ghfvhvfg
      @Ghfvhvfg 1 year ago

      I use YouTube that’s basically all…

  • @michaelbaskinmichael9862
    @michaelbaskinmichael9862 2 months ago

    I hate this video I need to know how to get it out that’s all I’m not locked out of phone I can’t sign in to google

  • @juandavid6609
    @juandavid6609 5 months ago

    Backing up passkeys with google. That sounds like a bad idea

    • @Carlito_El_Gooner
      @Carlito_El_Gooner 3 months ago

      Why? Google will always watch your back.

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      @@Carlito_El_Gooner They actually had a breach a while back... I'd use 1Password...

  • @ritik84629
    @ritik84629 5 months ago

    Mention in the title "non mathematically" too

  • @ThaJoshynator
    @ThaJoshynator 8 months ago

    Ohhh, let's store the private key on an implant! 😅

  • @p0sher
    @p0sher 8 months ago

    Great info, but music? Really??

  • @jamestemple8970
    @jamestemple8970 10 months ago +24

    I learned little to nothing from this video. I have no problems using passwords, I don't see myself changing anytime soon.

    • @LivingInCloud1
      @LivingInCloud1 10 months ago

      Lol, yeah an identity security method from the 60s is probably the best one in 2023... You are asking to get phished or MITM'd. Good luck..

    • @DroisKargva
      @DroisKargva 9 months ago

      @@LivingInCloud1 2FA with TOTP seems better option than passkeys

    • @j1j1j1j1j1
      @j1j1j1j1j1 9 months ago

      literal simp

    • @jamestemple8970
      @jamestemple8970 9 months ago

      @@j1j1j1j1j1 Why fix a problem when there is no problem?

  • @qisexin
    @qisexin 1 year ago

    That's good, I want to forget password

  • @redwood_shores
    @redwood_shores 3 months ago

    Yet again that hated background music overlapping the voice.

  • @WyzrdCat
    @WyzrdCat 11 months ago

    There is absolutely no value in any of the content prior to 1:55

  • @freescape08
    @freescape08 4 months ago

    Sounds like a data breach would mean a bad actor could spoof a login using your private key anyway.

    • @martijnvanderwal3976
      @martijnvanderwal3976 2 months ago

      Depends where you store your passkey, the private key can be kept on your device or security key if you want. But by default they will most likely be stored in a password manager in the cloud, like 1Password or iCloud Keychain, which have both never had a breach...

  • @alexleung842
    @alexleung842 7 months ago

    So basically everyone has a crypto wallet now