What kind of questions do you have about passkeys? Be sure to check the chapter markers to see if it was answered during this Q&A. And be sure to grab your YubiKey security keys with this discount: www.allthingssecured.com/yubikey5off
I would add security basics to this video. Why do they call it multifactor authentication? It just means you are using more than 1 type of authentication. There are 3 categories:
1. What you know: passwords, security questions
2. What you have: YubiKey, cell phone
3. What you are: biometrics
Great summary, Robert. Thanks for sharing.
As an IT person it's odd to me that passkeys are still so cryptic with so few good explanations of how to properly use them. I appreciate your efforts! One thing that's kept me from adopting (and please correct me if I've got this wrong, but) if I'm in a mixed ecosystem (Android, macOS, and Windows) don't I still need to have passwords as backups? Come to think of it, is it possible to even have/use passkeys w/o having a user/pw backup for the account?? Are backups always required when you "switch" to a passkey for an account?
Case in point: I currently use a password manager. Let's say I set up a passkey for my Google account. OK - I can store the passkey in my pw manager - and then when I'm logging in via my phone I can authenticate via fingerprint or Face ID. Logging in from my MacBook I can also use fingerprint. But if I'm going to try to log in from Windows, I don't have any biometric devices to use for authentication, so I'm assuming I'd have to use old school user/pw/2FA to log in.
At that point, if I'm already using a pw manager, and I have to keep a "backup" user/pw/2FA for the account - what benefit am I getting from moving to passkeys (other than the 100% phishing protection)? I keep thinking that I must be missing something, but maybe I'm not?
My understanding is that if you store a passkey in your password manager, and your device doesn't support biometric authentication, you can use your password manager's master password to authenticate.
Hello Josh! I am planning to use a password manager. Should I use an Email Alias to register, or should I use my main email since it is security software? Thanks
Hey, should I get a Faraday bag/EMP bag for my spare YubiKeys or no? Because I’m not 100% sure if they would need it or for some bizarre dumb reason damage them.
While I was the guy you probably thought was being a smart azz, but I wasn't. I've been implementing passkeys and YubiKeys and the concept of synchronizing passkeys is and was confusing to me in my Android/Windows/Linux world. FWIW, while I am only halfway through your video, I am sharing something I saw on a Google support page below:
Do I have to set up a passkey on all my devices individually? Will there be separate passkeys on my phone and laptop?
If Google detects that you don’t have a passkey on a device yet, we’ll prompt you to create one. You’ll need one passkey per device, unless the device has some mechanism to “synchronize” passkeys to other devices already, like with Apple iCloud. In this case only a single passkey for all your iCloud devices is required.
Great show 👏🏼👏🏼
Am I able to have keypass and a 2FA YubiKey?
When watching the video I assumed it was possible to update your YubiKeys to the latest firmware; mine are only 5.4.x. Apparently it's not possible, the firmware is whatever it is, which is a real shame. I understand they don't want you to be able to, probably to stop people hacking the keys, but it feels like the fact I ordered mine off Amazon, and the ones received clearly have old firmware, means you have no control over whether you are buying the latest firmware or not :(
What are your thoughts on the social security number leak and how should people address this?
What was stolen that hasn’t already been stolen countless times already?
Hey Josh, this isn't an isolated incident unfortunately. In these cases, I always recommend people set up a credit freeze (this is US and many other countries now) and if you have reason to believe your SSN number was taken, then doing identity theft monitoring isn't a bad idea as well, although that's not free (credit freeze is free).
You’ve said in the past how you’ve been stopped and asked for your phone/had it plugged into a device. Can passkeys stored in the new Apple Passwords app be copied and/or duplicated?
Hmm...that's an interesting question. I don't think so (passkeys should be stored in an encrypted part of the phone), but I can't say definitively.
So don't password managers have some phishing protections with autofill, or am I wrong? Because if I can just use a password and username and have equal phishing protection then I don't need a passkey, but I can see why they would be good to protect against keyloggers and spyware.
In a way, yes. But there have been multiple times where I've been asked to log into a website where autofill doesn't work and I've had to copy/paste. This has happened for a number of reasons (i.e. I'm connecting two services and the password manager doesn't recognize the URL of the first service), but it's not extremely common.
Your lack of expertise in this area shows, and is very distracting. Thumb down, my friend.
Passkeys are being pushed on us. That is a huge red flag.
How are they being pushed? People are advocating for them.
You should see how fast "passwords" can be cracked... even faster with a little social engineering and OSINT... passkeys are just another option.