What If There’s a Passkey on My Lost Phone?

  • Published 14 Oct 2024

COMMENTS • 51

  • @Khl8122
    @Khl8122 19 days ago +3

    You need to start with at least 2 devices. The other assumption is if you lose your devices, you will always have at least 1 device still in your possession. If you ever think that there’s a chance that you would lose all of your devices at the same time, then you’re back to the beginning where you need passwords. In that case, you need to write your passwords down on a piece of paper or store them in a password manager somewhere on the cloud.

  • @WebVid
    @WebVid 3 months ago +5

    Leo, I’ve been a regular viewer for a number of years now. I’m overdue in expressing my gratitude for the excellent work you do. For me, your explanation of passkeys is much easier to comprehend than any other I’ve found.

  • @uncletrick1
    @uncletrick1 3 months ago +12

    BUT if you use a PIN to open your phone and your phone gets stolen by someone who also figured out your PIN, you’re kind of screwed. Which is why I prefer to use a separate device like a YubiKey.

    • @2010khampton
      @2010khampton 2 months ago

      At that point it’s not an issue with the technology, that’s a user problem.

    • @JJ_in_Raleigh
      @JJ_in_Raleigh 2 months ago +1

      Unless I'm missing something, just having access to your phone doesn't matter if the method on your phone to authenticate (activate) your passkey is biometric (i.e. face ID) and not a PIN. But if they have your phone login PIN and that same PIN is used to activate your passkeys then yeah, you're in trouble.

    • @nikunjkhangwal
      @nikunjkhangwal 1 month ago

      Same thing if someone got your password, so it's not so different. In most cases you would be using biometrics, so passkeys are still more secure.

    • @Seefood73
      @Seefood73 1 month ago

      @JJ_in_Raleigh this is why I am not happy with Google keeping and syncing my passkeys and the main PIN (and I don't trust PINs, I use a proper long password). I prefer third party passkey services, services like Proton Pass. I think the YubiKey manager also might have something. We should really have a list of alternatives and their pros and cons.

  • @johnnynobels
    @johnnynobels 3 months ago +2

    Thanks Leo for answering my questions in this new video. I believe in passkeys, but currently it is not yet transparent enough where and how they are stored: google, microsoft, several password managers,... They all claim they will store the passkeys for you. How nice😊. I read the comments posted below this video and it is clear that a bigger effort is needed to explain the what and where. Your video really contributes.

  • @webikehike
    @webikehike 3 months ago +7

    This will take time. Older and younger folks that are technology-challenged have a problem managing simple passwords. Now we are asking these folks to select and use platforms to manage these passkeys on multiple devices and still hang on to the passwords, e.g., Chrome, Edge, 1Password, Apple iCloud keychain. This is very difficult for the average person. Another issue is the adoption of this technology by the business world. How long will it take for the smaller organizations to implement passkeys?

    • @askleonotenboom
      @askleonotenboom 3 months ago +2

      Given that some services still have a six character minimum for their passwords (!), I expect it will take a very long time.

  • @barbaradawes3136
    @barbaradawes3136 3 months ago +2

    There is so much with technology now that is not understood when it comes to the death of a person. All it takes is stopping one thing, and it can mess up several others, especially when the person left to deal with it hasn't a clue what you did! My thanks to Leo for his help to understand better what my guru husband did. I have managed a back up ready for windows 11. NOW passkeys? ARGH!

  • @palonegmail
    @palonegmail 21 days ago

    Great presentation of this new tool. One question, why is there a creeper clip of the lady on the bus? Totes inaprops.

  • @jonetyson
    @jonetyson 19 days ago

    I don't want a passkey to completely replace passwords, in case the key is physically stolen or a device containing the key is hacked! I'm happy having both a passkey and a password.

    • @askleonotenboom
      @askleonotenboom 16 days ago

      The key is not hacked. It's still secured by the security of the device it was on. AND you can immediately deactivate that key remotely if you like.

  • @ScottJPowers
    @ScottJPowers 1 month ago

    PassKeys are for convenience. You'll need something else to login with to setup a passkey unless you signed up for an account using a passkey but then you'll need one of the devices with a passkey to that account to login to that account on another device but those devices will use a pin or password or maybe biometrics, which also uses a pin or password for backup, so we're really still using normal logins. This is just an alternative to a password manager.

  • @v-for-victory
    @v-for-victory 1 month ago

    Leo. Great Video. But there is a lot in it which is more a half truth:
    1.) Passwords are also cryptography
    2.) Passkeys can’t be stolen. You still have the password. Can be stolen. The message is again that passwords are like keys to locks. Be unique
    3.) One passkey per account. We haven’t talked about limits - how many passkeys can be stored. Think of the amount of accounts we are talking about.

  • @andrebedard1816
    @andrebedard1816 3 months ago +6

    I use 1Password for my passwords and my passkeys. I think the passkey resides on the 1Password app. I never created another passkey with any of my other devices (desktop, cell phone or laptop). Yet I can sign in with any of my devices.

    • @bavobostoen
      @bavobostoen 13 hours ago

      Auth apps like 1Password use syncable passkeys; Leo in this video is talking about 'on device' passkeys. I think we're transitioning to the syncable type because they are more convenient and cross-platform. Microsoft will support syncable passkeys in the future; they don't currently.

  • @qwertyca
    @qwertyca 25 days ago

    Hey Leo, nice explanation, thanks! I have a question though. Let's say I set up a Microsoft account on my phone without a password (i.e. passkey only) and that that phone is the only device on which I have that account set up.
    What happens if I lose my phone?
    I'm assuming there is a recovery process involving signing in via a magic link sent via an email or SMS etc., but assuming the phone was the only way to log in to those accounts as well, how do I bootstrap the process of logging into all my accounts while having access to NONE of them?

    • @askleonotenboom
      @askleonotenboom 24 days ago

      Exactly, the bootstrap process is as you describe. HOWEVER the missing point: you need to configure a DIFFERENT recovery email or phone number for the account for just this kind of situation.

  • @virkelie2
    @virkelie2 1 month ago +1

    I watched the video twice, but I am still wondering what your response is to the 2nd query: "When creating a passkey for an existing account, the old password could still be stolen from the server." If that is the case, how do passkeys actually enhance security, given that passwords can still be used to sign in, as is the case with my Google account.

  • @Teisju
    @Teisju 3 months ago +5

    4:06 I think what people are concerned about is: what if they set their account and their only method of authentication is the passkey on the lost phone and have no alternative authentication methods (To make their account "more secure" as there can't be a password hack or sim swap for text verification), is that scenario possible?

    • @Teisju
      @Teisju 3 months ago +1

      @@marco31 This is a good solution, but if you also use a passkey for your email and only on the lost phone I'd think you would lose access forever. I of course would make certain to have a backup solution, but it's possible some people are going to set their accounts just like I described, if that is even possible.

    • @askleonotenboom
      @askleonotenboom 3 months ago

      I don't think you watched the (entire) video. There's ALWAYS a way back in. Consider: how did you set up the passkey in the first place? You had to authenticate some other way first.

    • @Teisju
      @Teisju 3 months ago +1

      @@askleonotenboom I did watch the whole video so there's no need to bash me, I posted my concern for the benefit and engagement of YOUR channel and audience and I don't think you understood me and I'll prove it. I once remember a Microsoft message offering to remove my password and set up a passkey. No password and passkey on lost phone (with no other backup) = no recovery (if this scenario is possible). Unless the system accepts the old "removed" password or forces you to have an alternative authentication method. Do you understand now?

    • @wildzeke
      @wildzeke 3 months ago

      @@Teisju it took me two seconds to google: Microsoft account recovery.

    • @askleonotenboom
      @askleonotenboom 3 months ago +2

      @@Teisju And as I said in the video, there's ALWAYS another way to get in. With no password and a lost phone, you'll simply authenticate on a new device some other way, like a message sent to your alternate email address, your recovery phone number, a backup code you set up beforehand, or something else. Like I (and the video) said, it's the exact same process you used to set up the passkey on the phone initially.

  • @StevieW-Steve
    @StevieW-Steve 7 days ago

    If you need a password to validate your account and get a passkey......well, you still have a password which can be stolen so what's changed? Unless of course you need both the password and the passkey to gain access to your account. Which means life will become harder. I must be missing something here....

    • @askleonotenboom
      @askleonotenboom 6 days ago

      Passkeys are a precursor to going completely passwordless. So not only do you not use a password, there isn't even one associated with your account. This is the state of my Microsoft account right now, for example.

    • @StevieW-Steve
      @StevieW-Steve 6 days ago

      @@askleonotenboom Thanks for your reply. From videos I have seen it always seems that you have to have another way to access your account or at the very least you need a password to create the account. As you say, it is early days so we will see what happens.

    • @askleonotenboom
      @askleonotenboom 6 days ago

      @@StevieW-Steve It could be done without a password from the start, if providers wanted to. Initial authorization could be via email or text confirmation, for example.

    • @StevieW-Steve
      @StevieW-Steve 6 days ago

      @@askleonotenboom Yes, that would make sense. Passkeys certainly sound quite 'comforting' with their approach to security. Let's hope more organisations take it up! Thanks Leo.

  • @Quince828
    @Quince828 3 months ago

    What would happen if I were to take over using an email account for an organization from the previous person who held the position? How would a passkey be established on my computer instead of theirs?

    • @askleonotenboom
      @askleonotenboom 3 months ago +1

      You would set up the passkey like any other first time use of a device: signing in some other way first.

  • @StijnHommes
    @StijnHommes 3 months ago +3

    Why are you still trying to make passkeys relevant? They're not user-friendly or secure and people can't even agree on an implementation. Users are left to figure out if their passkey is device-bound or syncable.
    4:00 When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't). How is that secure or convenient? Signing in using another method isn't an option when, like you, someone was dumb enough to remove their password leaving the passkey as the only option. Similarly, you can't invalidate a passkey if you can't get into the account either.
    6:22 Your takeaway is concerning too. Setting up multiple passkeys for all your accounts takes an ungodly amount of time without offering any benefits. We already have passwords for those accounts. Nothing to set up, no time wasted.
    And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager.

    • @bigjoegamer
      @bigjoegamer 3 months ago +2

      "people can't even agree on an implementation"?
      There's multiple ways to implement passkeys, and that is by design. Some implementations are more convenient, and some are more secure.
      A federal government agency website/app might require device-bound passkeys only, while a video game website/app might allow synced passkeys and device-bound passkeys.
      "Users are left to figure out if they passkey is device-bound or syncable."
      They'll learn, like they learned about how some of their passwords are synced (e.g. Google Password Manager), and some of their passwords are not synced (e.g. local offline accounts on desktop PCs and laptops).
      "When someone "finds" your lost phone and knows the PIN, not only can they access the device, thanks to passkeys they can now also get into your accounts (while you can't)"
      This is why you remotely deactivate your phone when your phone is lost. Android and iOS devices can be remotely deactivated from another device.
      "Setting up multiple passkeys for all your accounts takes an ungodly amount of time without offering any benefits"
      One benefit is that you can still log in if you lose a device or lose access to a password manager. Another benefit is that you don't have to remember your passkeys or write them down.
      "And let's not forget, once unlocked, your device spills all its passkeys. Passwords would be locked away in a password manager."
      Your passkeys can be locked away in a password manager, too. Android 14 and iOS 17 and macOS 14 support third-party password managers (Strongbox, KeePassDX, Bitwarden, 1Password, Proton Pass, etc.). Windows is gonna have that same support, too, according to the "device support" page on the "passkeysdev" website.

  • @klnskljafdskl
    @klnskljafdskl 3 months ago

    Based on all the confusion in the comments section, it suggests the video didn't explain the topic well enough?

  • @OlettaLiano
    @OlettaLiano 3 months ago +2

    Interesting video. I'd never heard of a passkey before. Probably because I don't have a phone.

    • @kevinmcfarlane2752
      @kevinmcfarlane2752 1 month ago

      I’d not heard of them until, all of a sudden on the PC, after needing to log back in to certain sites such as Coinbase and Microsoft, I started seeing an option for using a passkey. So I started looking into them.

  • @lewiskelly14
    @lewiskelly14 3 months ago +2

    Still unclear what it is

    • @kevinmcfarlane2752
      @kevinmcfarlane2752 1 month ago

      They’re one of those things where it takes a while to get a feel for them. That is, you’ll need to read a few things and watch a few videos. John Savill has a deep dive for example. An hour long video.

  • @anon-kq3md
    @anon-kq3md 3 months ago

    First of all, my phone is PIN protected. I then use an app, which I set a password to open, then I choose any app on my device I need protected. It even takes a photo of anyone who tries to unlock any app with a wrong password. lol

  • @gjoseph1628
    @gjoseph1628 3 months ago

    I have not yet understood "passkey". I have a couple of mobile devices. One of them I simply turn on if I plan to use it. The other one I turn on if I plan to use it, and I have set up a code to unlock it for actually actively using it for anything. I do not remember at any time giving or making any passkey. Is that code I put in for unlocking the front screen of the second device actually called a "passkey"?

    • @raylopez99
      @raylopez99 3 months ago

      No, that's a PIN to simply use the phone. The password is the public key/private key and works behind the scenes. Public key on the server and private key on the device. Lose the device and it's not a problem since the server will generate a new private key for your new device.
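
The following is an added example, not code from the video or from any commenter, modelling the key handling that the replies from @raylopez99, @bigjoegamer and @askleonotenboom above discuss: the server holds only a public key, the private key stays on the device behind its PIN or biometric unlock, each device registers its own credential, and a lost phone's credential can be revoked from a surviving device. It uses Go's standard crypto/ed25519 in place of a real WebAuthn authenticator; the names Account, Device, Register, Authenticate, Revoke and LostPhoneScenario are chosen here, and the local PIN/biometric check is reduced to a boolean. As in WebAuthn, the key pair is generated on the device during registration; the server never sees or creates the private key, which is why a copy of its credential table is useless for signing in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is all the server keeps per passkey: public key plus active flag.
type Credential struct {
	Public ed25519.PublicKey
	Active bool
}

// Account maps credential IDs to credentials; one account can hold many.
type Account map[string]*Credential

// Device stands in for an authenticator (phone, laptop, hardware key).
type Device struct {
	credID  string
	private ed25519.PrivateKey
}

// mustRandom returns n bytes from crypto/rand (failure is fatal in a demo).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register models the registration ceremony: the device generates the key pair
// and the server stores only the public half. The user is already signed in.
func Register(acct Account) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := fmt.Sprintf("%x", mustRandom(8))
	acct[id] = &Credential{Public: pub, Active: true}
	return &Device{credID: id, private: priv}
}

// Sign answers a server challenge only after the local PIN/biometric check (a bool here).
func (d *Device) Sign(challenge []byte, userVerified bool) (string, []byte, error) {
	if !userVerified {
		return "", nil, errors.New("local user verification failed")
	}
	return d.credID, ed25519.Sign(d.private, challenge), nil
}

// Authenticate verifies against the stored public key; rejects unknown or revoked IDs.
func Authenticate(acct Account, credID string, challenge, sig []byte) error {
	cred, ok := acct[credID]
	switch {
	case !ok:
		return errors.New("unknown credential")
	case !cred.Active:
		return errors.New("credential revoked")
	case !ed25519.Verify(cred.Public, challenge, sig):
		return errors.New("signature does not verify")
	}
	return nil
}

// Revoke is what the owner does from a surviving device once a phone is lost.
func Revoke(acct Account, credID string) {
	if c, ok := acct[credID]; ok {
		c.Active = false
	}
}

// tryLogin runs one challenge/response round and reports whether it was accepted.
func tryLogin(acct Account, d *Device, userVerified bool) bool {
	ch := mustRandom(32) // fresh server nonce per login, so signatures cannot be replayed
	id, sig, err := d.Sign(ch, userVerified)
	return err == nil && Authenticate(acct, id, ch, sig) == nil
}

// LostPhoneScenario: register phone and laptop, lose the phone, revoke it, test logins.
func LostPhoneScenario() map[string]bool {
	acct := Account{}
	phone, laptop := Register(acct), Register(acct)
	r := map[string]bool{}
	r["phone, PIN not passed"] = tryLogin(acct, phone, false)
	r["phone, finder knows PIN, not yet revoked"] = tryLogin(acct, phone, true)
	Revoke(acct, phone.credID) // the owner does this from the laptop
	r["phone, after revocation"] = tryLogin(acct, phone, true)
	r["laptop, after revocation"] = tryLogin(acct, laptop, true)
	// A stolen server table holds public keys only; any other key's signature fails.
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	ch := mustRandom(32)
	r["attacker holding only the server table"] = Authenticate(acct, laptop.credID, ch, ed25519.Sign(other, ch)) == nil
	return r
}

func main() { fmt.Println(LostPhoneScenario()) }
```

Running it prints which of the five logins the server accepted. Only the unlocked, not-yet-revoked phone and the laptop succeed: the phone without its PIN never produces a signature, the revoked credential is refused even with a valid signature, and the holder of the server table cannot sign because the private key that matches the stored public key was never there. The window between "phone lost" and "credential revoked" is exactly the one the comments argue about, and it is closed by revocation from another device or by the device's own lock screen.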

  • @davinp
    @davinp 3 months ago

    Microsoft says passwordless accounts are safer. They do offer passwordless accounts or passkeys.