How Can Passkeys Possibly Be Safe?

  • Published 17 Jun 2024
  • ❤️ Passkeys may feel confusing now, but they can be safe. Passkeys are a doorway to a less frustrating, passwordless future.
    ❤️ Passkeys & safety
    Passkeys are a secure authentication method stored on specific devices that require user verification through mechanisms like Windows Hello. They enhance security by enabling passwordless sign-in and keep you safer by eliminating common vulnerabilities associated with traditional passwords and other authentication mechanisms.
    Updates, related links, and more discussion: askleo.com/168902
    🔔 Subscribe to the Ask Leo! UA-cam channel for more tech videos & answers: go.askleo.com/ytsub
    ✅ Watch next ▶ What is a Passkey? ▶ • What is a Passkey?
    Chapters
    0:00 How Can Passkeys Be Safe?
    0:40 What are Passkeys?
    1:30 Authentication steps
    2:50 Windows Hello
    3:35 Login scenarios
    7:20 If someone steals your computer
    12:25 Malware on your machine
    14:30 Going Passwordless
    16:55 [Im]Perfect Security
    ❤️ My best articles: go.askleo.com/best
    ❤️ My Most Important Article: go.askleo.com/number1
    More Ask Leo!
    ☑️ askleo.com to get your questions answered
    ☑️ newsletter.askleo.com to subscribe to the Confident Computing newsletter.
    ☑️ askleo.com/patron to help support Ask Leo!
    ☑️ askleo.com/all-the-different-... for even more!
    #askleo #passkey #security
  • Science & Technology

COMMENTS • 130

  • @askleonotenboom
    @askleonotenboom  2 months ago +3

    Watch next ▶ What is a Passkey? ▶ ua-cam.com/video/6lBixL_qpro/v-deo.html

  • @newlynsteve
    @newlynsteve 2 months ago +2

    I always learn something from your videos Leo. Your full explanations and gentle pacing really help in communicating your knowledge. Thank you.
    Steve (in UK)

  • @pbrigham
    @pbrigham 2 months ago +20

    You forgot that also with passkeys, no more Phishing as the key will not work on a fake website.

    • @StijnHommes
      @StijnHommes 2 months ago +1

      Who cares. Hackers will find a way to use them on the real website that is the target anyway. You can spoof an IP, you can spoof your GPS location. It might take slightly more effort, but you can also spoof my identity.

    • @pbrigham
      @pbrigham 2 months ago

      @@StijnHommes No, with a hardware key like Yubico the login is only possible with the key itself; no key, no login, it's that simple. But even more important than that is that there is nothing to hack, because the only thing stored is a public key that is completely useless; the private key is always in the hardware key itself, in your possession.

    • @aerialdude
      @aerialdude 2 months ago +2

      @@StijnHommes You are mistaken. With a passkey, a phishing site will only get your public key (not your private key). With only the public key, there is virtually no possibility that an attacker could reverse engineer your private key (which is what they would need to do in order to sign in to the real website).

    • @freescape08
      @freescape08 2 months ago

      I would have to better understand how the handshake works before changing to passkeys. Is the private key only ever on your device? Does your device do the comparison with the public key? (If so, couldn't the confirmation be spoofed to the server? And if not, couldn't someone pretend to be the server and request your private key?) Could someone spoof the public key after a data breach? I'm still not hearing the details.

    • @pbrigham
      @pbrigham 2 months ago

      @@freescape08 You can have only the key on the device, but I don't use that, I use hardware Yubikeys (there are other brands but the principle is the same). My keys can NOT be copied or replicated in any shape or form; no Yubikey, no login, as simple as that. Obviously I have several so I don't get locked out in case I lose one. I have configured them with a PIN also; wrong PIN 3 times and that Yubikey is blocked. Security-wise, at the moment it is the best method on the market, period.
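The handshake @freescape08 asks about, as an added Go example that is not code from the video or from any commenter: a toy model of the passkey challenge-response with a device that holds the private key, a website that holds only the public key, and three login attempts (the genuine site, a look-alike origin relaying the genuine challenge, and a replay of an old signature). The origin names, the user name and the use of ECDSA P-256 over SHA-256 are assumptions for the demo; real WebAuthn messages carry more fields, but the checks shown (the origin bound into the signed data, a single-use challenge, verification done on the server against the stored public key) are the ones that answer the questions above. Nothing is ever "compared" on the device: the device only signs, and the site only verifies.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Origin of the genuine site in this constructed scenario (assumed name).
const realOrigin = "https://bank.example"

// authenticator stands in for the phone, laptop or security key; private keys live only here, scoped by origin.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register makes a key pair for an origin and hands out only the public half, which is all the site stores.
func (a *authenticator) register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo only: a failing system RNG is not recoverable here
	}
	a.keys[origin] = priv
	return &priv.PublicKey
}

// assertion is the device's reply: the origin the browser was really talking to, the challenge, a signature over both.
type assertion struct {
	origin    string
	challenge []byte
	sig       []byte
}

// signedDigest binds the origin into the signed data, so a signature is only meaningful for the site it was made for.
func signedDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// sign answers a challenge for the observed origin. A look-alike site has a different origin, so no
// passkey matches and the device refuses; the private key is never transmitted or compared anywhere.
func (a *authenticator) sign(observedOrigin string, challenge []byte) (assertion, bool) {
	priv, ok := a.keys[observedOrigin]
	if !ok {
		return assertion{}, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(observedOrigin, challenge))
	return assertion{origin: observedOrigin, challenge: challenge, sig: sig}, err == nil
}

// server is the website: public keys plus one outstanding challenge per user.
type server struct {
	origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

// beginLogin issues a fresh random challenge; the server, not the device, later checks the signature.
func (s *server) beginLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // demo only
	}
	s.pending[user] = c
	return c
}

// finishLogin accepts only the outstanding challenge, only for its own origin, only if the signature verifies.
func (s *server) finishLogin(user string, as assertion) bool {
	pub, haveKey := s.pubKeys[user]
	want, havePending := s.pending[user]
	delete(s.pending, user) // every challenge is single-use
	if !haveKey || !havePending || as.origin != s.origin || !bytes.Equal(as.challenge, want) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(as.origin, as.challenge), as.sig)
}

type results struct{ Legit, Phish, Replay bool }

func scenarios() results {
	dev := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &server{origin: realOrigin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	bank.pubKeys["alice"] = dev.register(realOrigin) // constructed user; nothing secret is stored

	// 1. Genuine site, genuine device.
	good, _ := dev.sign(realOrigin, bank.beginLogin("alice"))
	legit := bank.finishLogin("alice", good)

	// 2. Phishing: a look-alike origin relays the bank's real challenge. The device has no
	// passkey for that origin, and the server rejects a foreign origin regardless.
	c := bank.beginLogin("alice")
	_, signed := dev.sign("https://bank-login.example", c)
	forged := assertion{origin: "https://bank-login.example", challenge: c, sig: good.sig}
	phish := signed || bank.finishLogin("alice", forged)

	// 3. Replay: the earlier genuine assertion presented against a new challenge.
	bank.beginLogin("alice")
	replay := bank.finishLogin("alice", good)
	return results{Legit: legit, Phish: phish, Replay: replay}
}

func main() { fmt.Printf("%+v\n", scenarios()) }
```

Running it prints `{Legit:true Phish:false Replay:false}`. The data-breach question from later in the thread is answered by the same model: the table the site keeps (`pubKeys`) contains only public keys, which cannot produce a signature, so a leak of it does not need the key to be regenerated to stay safe.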

  • @KarlBeeThree
    @KarlBeeThree 2 months ago

    Wow Leo, you've just opened a new door for me to check out and see what's in there for me. This sounds very intriguing. Thanks Leo!

  • @David.M.
    @David.M. 2 months ago +1

    Great information, thanks Leo.

  • @libbyd1001
    @libbyd1001 2 months ago +2

    One of your best, thank you.

  • @luckymapache
    @luckymapache 2 months ago

    Thank you for your explanation. Now I'm confident enough to use a passkey.

  • @RohitKumar-qt1hr
    @RohitKumar-qt1hr 22 days ago

    Great explanation, leo!

  • @roobscoob47
    @roobscoob47 13 days ago

    Thanks, Leo!

  • @user-xf7kc8cp4x
    @user-xf7kc8cp4x 1 month ago

    Thank you for this Leo. You have a new sub here ❤ I so far have 2 passkey protected accounts. I was prompted to activate the passing so I think the platform you're using has to implement it. Maybe Meta should think about introducing a passkey log on for users.

  • @DavidPereiraLima123
    @DavidPereiraLima123 2 months ago

    If you use password/passphrase vault (be it an extension for browser or desktop), it makes password less of a headache and can combo easily with passkeys. Setting it to clear clipboard after pasting where needed and combining with passkeys makes for solid security. Passkeys alone with traditional password usage (typing it) is very strong already.

  • @markallen8226
    @markallen8226 1 month ago

    excellent, thank you.

  • @BrotherMichaeloftheCross
    @BrotherMichaeloftheCross 2 months ago +4

    You make really good points, but Microsoft's system glitches now and again and they prompt you to sign in. It happens too often for me and I don't know why. It is possible for Microsoft themselves to fail and you might have to work a little to get signed in. If the time arrived when their system didn't work, I would be unable to sign in. The breakdown of systems you described is not very likely, but Microsoft itself is subject to frequent glitches that leave you stuck until they are satisfied you are who you say you are.

  • @user-ol6rd7pl5t
    @user-ol6rd7pl5t 2 months ago +6

    I would like to see sensitive data such as banking apps & websites protected by 2 factor biometrics, face ID plus fingerprint, making sure that it can only be me accessing these accounts.

    • @askleonotenboom
      @askleonotenboom  2 months ago +1

      That's in a sense what Passkeys provide. If you have biometrics support on your device, that's how you unlock it so a passkey can be used.

    • @Ck87JF
      @Ck87JF 1 month ago

      I think maybe they're suggesting that banks and other such places that store highly sensitive info often use SMS or email based 2FA which are far less secure than TOTP or Passkeys.

  • @verdedoodleduck
    @verdedoodleduck 2 months ago +4

    Thank you. The role of passkeys in the security ecosystem had never been really clear to me.

  • @frankduxfan
    @frankduxfan 2 months ago

    I love passkeys, just not a lot of apps and sites use it yet.

  • @picopita
    @picopita 25 days ago

    Upon creating the passkey, when the public key is generated/sent/stored on the service's servers, and there happens to be a data breach that renders that public key useless, what then happens with the public key? Is it regenerated upon login attempt, or how does that work?

  • @davidblack1923
    @davidblack1923 2 months ago

    Nice and how to administrate Passkeys for a company with 2000 People, so I don't have to configure each one of those manually?

  • @chrisluke2264
    @chrisluke2264 1 month ago

    Question. First, nice job explaining things. You provide a lot of helpful information. Don’t you need/have a username and password to create an account on a website? So, even if you have a passkey, couldn’t someone use your username and password to sign in? Even if you set the default sign in to be a passkey? Or, if you don’t have your phone handy and want to sign in on a friend's computer to check your email. What happens in that case? I think passkeys are a great idea but before I start using them I want to know the “what if” scenarios. And what do you do when you get a new phone? Thanks.

    • @askleonotenboom
      @askleonotenboom  1 month ago +1

      Not necessarily. Services are moving to being passwordless. When you attempt to sign in the first time they authenticate you some other way, like an email to an alternate email address, or a text message, or a notification on an app.

    • @chrisluke2264
      @chrisluke2264 1 month ago

      @@askleonotenboom Thanks for the info.

  • @IsabelleIsabelle01
    @IsabelleIsabelle01 2 months ago +1

    Is automatic password on chrome considered pass vault ? can I use a key pass for it ?

    • @CraigLong
      @CraigLong 2 months ago +1

      Chrome can create a passkey for you that is only on your device.

  • @StijnHommes
    @StijnHommes 2 months ago

    16:00 Sending an email to an account and expecting someone to hit a link to login ignores that you should never click on links in an email. (And those emails often take not just a little while but more than 24 hours, or they simply never show up.)
    20:00 If I can't even use my password vault on a computer that doesn't have it installed, using it to store passkeys is not going to help me sign in, since you can't even practically type them.
    I still need to type in my password after opening my vault and keep my password storage offline.

  • @ninakim7282
    @ninakim7282 16 days ago

    GREAT.

  • @TomCarrollJr
    @TomCarrollJr 1 month ago

    According to Chat GPT / Gemini answers, Passkeys are designed with security in mind, and by default, there currently isn't a way for a surviving spouse/partner to access your data directly if you pass away. This is because passkeys rely on biometric authentication (like fingerprint or facial recognition) or a physical security key for verification. Any thoughts on that?

    • @askleonotenboom
      @askleonotenboom  1 month ago

      Or a PIN, on Windows machines. Not sure what thought you'd want me to have? Disaster planning is important, and I have videos/articles on the topic. Passkeys don't alter that.

    • @Ck87JF
      @Ck87JF 1 month ago

      As Leo suggested, you want to plan these things with your partner. You can set up a password manager with shared access in which you store very long & complicated passwords for certain systems like email and banking. And then if you store Passkeys in them, that should get you in without needing biometrics.
      Windows Hello and other systems that do the back end authentication can usually take multiple fingerprints, so you could store prints from both of you. The backup Windows pin could be a long phrase like "apple zebra sander ketchup beach horse 385326$" that you store in the shared password manager so even if biometrics don't work, you can still access the computer.

  • @itsmisterchris
    @itsmisterchris 14 days ago

    What I don't understand is why systems don't have the ability to only allow logins from a device you authorized and added. Even if the password got stolen, then nobody else could log in.

  • @Ultrajamz
    @Ultrajamz 2 days ago +1

    If I understand, the real advantage I see is just that passkeys are device specific. Is that always the case by definition? Also, can they really replace passwords? Doesn’t the account need it anyway for the scenario of not having the original device anymore? Can’t malware get device info to allow it to be spoofed?

    • @askleonotenboom
      @askleonotenboom  2 days ago +1

      Passwords are not needed, as long as there's a different way to authenticate -- like an email sent to the account of record, or a message sent to a phone.

    • @Ultrajamz
      @Ultrajamz 2 days ago +1

      @@askleonotenboom I guess I am thinking of very critical items and odd situations. In another country, phone stolen, need to get into my email… can’t if it's passkey only. With a memorized password I have a chance. (Ignoring the hail mary of “question based password reset”.)

    • @Ultrajamz
      @Ultrajamz 2 days ago +1

      To add to that, it seems from what I see… we can’t export passkeys… meaning if I built up all this history of passkeys with windows hello (or whoever)… I’m pretty dang locked in… if they change policies or I don’t want windows apps installed on my linux box, or move to macos… issues!

    • @askleonotenboom
      @askleonotenboom  1 day ago

      I don't see how you're locked in at all. Basically you set up a passkey on a new device, or you can invalidate the passkey on the current device and set it up anew.

    • @Ultrajamz
      @Ultrajamz 1 day ago +1

      @@askleonotenboom so say I have 30 passkeys for 30 websites with windows hello. I decide I don’t want windows hello anymore I want to use bitwarden instead. I now need to 1 by 1 set this up all anew for each of the 30 sites because there is no “export/import” standard for the passkey… that friction is so high it may as well be lock-in, no?

  • @nigelogilvie9450
    @nigelogilvie9450 2 months ago +1

    OK, Leo, I'm convinced. But how can I initiate this?

    • @johnhpalmer6098
      @johnhpalmer6098 2 months ago

      One way, do a little research on how.

    • @askleonotenboom
      @askleonotenboom  2 months ago +2

      Just check to see which of your services have it as an option. Google does, for example.

    • @mikepanchaud1
      @mikepanchaud1 2 months ago +1

      E.g. Google: log out and in, and it will offer a passkey as an option. Or it should be in account settings.

    • @nigelogilvie9450
      @nigelogilvie9450 2 months ago +1

      @@johnhpalmer6098 Such as asking an expert who has just posted a YouTube video, you mean?

    • @nigelogilvie9450
      @nigelogilvie9450 2 months ago

      @@mikepanchaud1 Thanks

  • @dav1dw
    @dav1dw 2 months ago +4

    Can't the malware steal the cookies and get into the account even with passkeys?

    • @johnhpalmer6098
      @johnhpalmer6098 2 months ago

      Cookies I don't think do anything with passwords. Cookies are what is used to track your movement inside the site and that data is aggregated and sold off to other marketers who then can try to get you to buy something that is similar to what you just browsed for. That's it as far as I know.

    • @Samy-ck8oo
      @Samy-ck8oo 2 months ago +1

      Unfortunately, if your session cookies are stolen, they can get access to your account, specifically if you don't log out of the account after using it!!

    • @STONE69_
      @STONE69_ 2 months ago

      @@Samy-ck8oo Exactly, keeping the account open at all times is how they are doing it nowadays.

  • @mrscig2639
    @mrscig2639 6 days ago

    Hi Leo,
    My concern is when someone hits you over the head. You're now lying on the floor, and the thief holds your phone up to your face and unlocks it. Now they have access to everything that you set up to allow Face ID to unlock.

    • @askleonotenboom
      @askleonotenboom  5 days ago

      Do you hear of that happening often? I mean, other than in (fictional) television shows? It's not something I worry about.

  • @Meowski_2
    @Meowski_2 2 months ago

    I swear, if a combination lock had a voice it would sound like Leo 😂

    • @askleonotenboom
      @askleonotenboom  2 months ago +1

      "Access Denied"

    • @Meowski_2
      @Meowski_2 2 months ago

      🤨 .... Better Ask Leo, to figure out why

  • @johnbaker2810
    @johnbaker2810 2 months ago

    Am I right: once set up, passkeys switch the default task of identifying you to a local device, instead of piping your payload of info requesting authentication over the cloud. So if I set up a passkey PIN of 12345 on a Windows machine, by default that PIN works for me only on that device.

    • @askleonotenboom
      @askleonotenboom  2 months ago

      That's my understanding, yes.

    • @johnbaker2810
      @johnbaker2810 2 months ago

      @@askleonotenboom Thanks! Also, it seems my user account / password will still exist, so the benefit of passkeys is mostly the reduced incidence of keying and transmitting account names/pwds, because when keyed, they can be intercepted either on-device or in transit and used anywhere. But an intercepted passkey is useless beyond the device it was created on. Right?

    • @askleonotenboom
      @askleonotenboom  2 months ago

      @@johnbaker2810 Yes, and even better, it's EXTREMELY difficult to intercept a passkey. (For one thing, that would require malware on your machine.)

    • @johnbaker2810
      @johnbaker2810 2 months ago

      @@askleonotenboom Very good! Last question (for now): if my account name/password still exist, with all their foibles, what's to stop someone from logging in and removing my created passkeys, or even creating their own on my account? I guess I'm starting to think the userID/password remains the threat it always was...minus a reduced exposure surface.

    • @askleonotenboom
      @askleonotenboom  2 months ago

      @@johnbaker2810 I expect this to be step one to a password-less future. No password, no password-based threat. One thing you can do that gets you close is to make your password ridiculously long (since you'd never use it). Save it in your password vault, of course, but simply never use it. The huge thing Passkeys prevent is falling for many types of phishing attacks. No password to type means phishing has nothing to capture.

  • @williamwilliams7706
    @williamwilliams7706 2 months ago

    If your phone is your passkey, is it vulnerable to SIM swapping?

    • @steves1749
      @steves1749 2 months ago

      Had my SIM swapped last week. And I’m diligent. Came out of nowhere.

    • @MaxPower-11
      @MaxPower-11 2 months ago +2

      No. Passkeys are safe from SIM swapping as they are tied to the device, not the SIM.

  • @user-ol6rd7pl5t
    @user-ol6rd7pl5t 2 months ago

    Would there be a way of using them to authenticate emails, meaning they couldn't be faked/spoofed? I really hate spam emails & would really like to see a time when not only could they not be faked but also be traceable back to whoever sent them, so I only receive them from genuine, identifiable sources. IMPO everyone using the internet should be 100% accountable for everything they say or do on it.

    • @askleonotenboom
      @askleonotenboom  2 months ago

      There's already technology in place for email verification. No one's using it because it's too cumbersome. (Passkeys are related only in that they use cryptography as well, but they don't apply to email.)

  • @MarshallLevin
    @MarshallLevin 2 months ago +2

    Isn't your Windows Hello PIN now a single point of failure?

    • @askleonotenboom
      @askleonotenboom  2 months ago +1

      Assuming you use the same PIN everywhere, it can be, yes. Hence biometrics is preferred. But the PIN can be different for every device/computer. (And Windows PINs can also be as complex as you like, much like a password, if you're concerned.)

  • @rustyrob
    @rustyrob 2 months ago

    Do we still need 2FA with passkeys or can we turn it off?

  • @cmsathe666
    @cmsathe666 1 month ago

    Leo Sir, Scenario 3: Mobile owner created passkeys on the mobile; then if somebody creates a clone of his fingerprints or duplicate fingerprints, in that case websites can be logged in to with fake fingerprints with passkeys on it. Is it possible? Thanks 🙏

    • @askleonotenboom
      @askleonotenboom  1 month ago

      Pretty extreme scenario that I don't worry about, but sure. Once you realize your phone is missing you can disable all the passkeys stored on it, though.

    • @Ck87JF
      @Ck87JF 1 month ago

      @@askleonotenboom To be fair, that may present a challenge. For example, if you're traveling with only your phone and your computer is hundreds of miles away, how do you access your Passkeys, passwords, or email? Sure, it's an edge case, but one I think about sometimes. I've run into cases where my phone dies while I'm away from other tech, then I inevitably need some kind of access for some reason, and I feel paralyzed.

    • @ma3xiu1
      @ma3xiu1 1 month ago

      @@Ck87JF You can carry a physical security key (eg. like a yubikey) as a backup. They are small and light, and don't have any battery inside.

    • @Ck87JF
      @Ck87JF 1 month ago

      @@ma3xiu1 that's a good point. I have one! My cloud password manager's password is something I don't know, as it's stored in a local password manager on my laptop, but I just had an idea of using the yubikey to store its password.

  • @stevenbliss989
    @stevenbliss989 1 month ago +1

    I will NEVER sign to any service on my phone, NO BIG BROTHER FOR ME!!!!!!!!!!!!!!!!!!!!!!

  • @chriscodrington5464
    @chriscodrington5464 1 month ago

    So should someone manage to crack Windows Hello, a myriad of passkeys would be accessible?

    • @Ck87JF
      @Ck87JF 1 month ago

      Windows Hello face recognition has been cracked insofar as someone with a very specific intent to access your computer can take a picture of you, convert it into a special type of image, and use some specialized hardware to trick your computer that a new webcam has been plugged in and that you're sitting in front of the computer. But this is a very targeted attack vs one that can be launched across the world automatically, so it's less likely to occur.
      But yes, with this attack, whatever Passkeys that Hello is securing would be made available. You could instead secure Windows Hello with a security key like a Yubikey (and secure that with a strong PIN you've not used anywhere else).

  • @Flexin010
    @Flexin010 22 days ago

    I like Bitwarden. If my device is stolen, I can log in from another computer and revoke and log out all devices.

  • @markd.9538
    @markd.9538 28 days ago

    What happens when you drop your phone (with passkey) into a toilet and lose its contents completely?

  • @johnwagoner2279
    @johnwagoner2279 2 months ago

    How can passkeys be made on Android devices?

    • @askleonotenboom
      @askleonotenboom  2 months ago

      Depends on the service you want to use Passkeys with. Check with them.

  • @albatross7
    @albatross7 1 month ago

    Passkeys should also be portable between different password managers. I don’t want to be held hostage by a service.

    • @Flexin010
      @Flexin010 22 days ago

      They are. Bitwarden started using passkeys 😊

    • @albatross7
      @albatross7 22 days ago

      @@Flexin010 Can it be exported to other password managers like we do for passwords and notes?

    • @Flexin010
      @Flexin010 22 days ago

      @@albatross7 Yes. I've tested LastPass and KeePassXC. They both can import/export vaults.

  • @franciscohorna5542
    @franciscohorna5542 2 months ago

    Question: can a passkey be hacked?

    • @Samy-ck8oo
      @Samy-ck8oo 2 months ago +2

      Bypassed by session cookie theft.

    • @franciscohorna5542
      @franciscohorna5542 2 months ago

      @@Samy-ck8oo Really?

    • @MaxPower-11
      @MaxPower-11 2 months ago

      @@Samy-ck8oo True. However, it’s important to note session cookie theft is a vulnerability that applies to just about every other form of secure authentication, including a password coupled with MFA using SMS-based or authentication-app login.

    • @MaxPower-11
      @MaxPower-11 2 months ago

      @@Samy-ck8oo Yes, but so can practically any other form of secure authentication.

    • @askleonotenboom
      @askleonotenboom  2 months ago +1

      Passkey itself cannot, no. (Well, yes, but it would take thousands of years of cryptographic analysis / brute force.)
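This thread and the earlier question from @dav1dw about malware stealing cookies come down to the same point: once a site has issued a session cookie, that cookie, not the passkey, is what every later request presents, so the login method makes no difference to what a copied cookie can do. The Go example below is added here and is not code from the video or from any commenter; it models the server-side session table with an injectable clock (the user name, session lifetime and start time are constructed values) and shows that a copied token is accepted exactly like the owner's, that a "log out all devices" revocation kills it, and that a short lifetime bounds how long any copy stays useful. Keeping only a hash of the token in the table is an extra defence for the separate case where the server's own table leaks.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var errNoSession = errors.New("session missing, expired or revoked")

type session struct {
	user    string
	expires time.Time
}

// sessionStore is the server side of the cookie: the cookie value is a random token,
// and only its hash is kept here, so a leaked copy of this table cannot be replayed.
type sessionStore struct {
	ttl    time.Duration
	now    func() time.Time // injectable clock so expiry can be exercised offline
	byHash map[string]session
}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// issue mints a token once the user has authenticated, by passkey or otherwise.
func (s *sessionStore) issue(user string) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // demo only: a failing system RNG is not recoverable here
	}
	token := hex.EncodeToString(raw)
	s.byHash[hashToken(token)] = session{user: user, expires: s.now().Add(s.ttl)}
	return token
}

// lookup is what every later request does with the cookie. Nothing here can tell
// the owner's browser from anyone else presenting the same token.
func (s *sessionStore) lookup(token string) (string, error) {
	h := hashToken(token)
	sess, ok := s.byHash[h]
	if !ok {
		return "", errNoSession
	}
	if !s.now().Before(sess.expires) {
		delete(s.byHash, h)
		return "", errNoSession
	}
	return sess.user, nil
}

// revokeAll is the "log out all devices" button: every session of the user dies,
// including ones the owner never knew existed. Returns how many were removed.
func (s *sessionStore) revokeAll(user string) int {
	n := 0
	for h, sess := range s.byHash {
		if sess.user == user {
			delete(s.byHash, h)
			n++
		}
	}
	return n
}

type outcome struct {
	StolenWorks, WorksAfterRevoke, WorksAfterExpiry bool
	Revoked                                         int
}

func scenario() outcome {
	var o outcome
	clock := time.Date(2024, 6, 17, 12, 0, 0, 0, time.UTC) // constructed fixed start time
	store := &sessionStore{ttl: 30 * time.Minute, now: func() time.Time { return clock }, byHash: map[string]session{}}

	stolen := store.issue("alice") // constructed user; malware copied this cookie value
	_, err := store.lookup(stolen)
	o.StolenWorks = err == nil // the passkey was never involved in this check

	o.Revoked = store.revokeAll("alice") // alice logs out everywhere from another device
	_, err = store.lookup(stolen)
	o.WorksAfterRevoke = err == nil

	// A session that simply ages out limits how long any stolen copy stays useful.
	fresh := store.issue("alice")
	clock = clock.Add(31 * time.Minute)
	_, err = store.lookup(fresh)
	o.WorksAfterExpiry = err == nil
	return o
}

func main() { fmt.Printf("%+v\n", scenario()) }
```

Running it prints `{StolenWorks:true WorksAfterRevoke:false WorksAfterExpiry:false Revoked:1}`: the stolen copy works until the owner revokes or the session expires, which is why the "revoke and log out all devices" feature @Flexin010 mentions and short session lifetimes matter independently of how the login itself was done.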

  • @monza8844
    @monza8844 2 months ago +4

    It's not a good system when it takes 22 min to explain.

    • @mikepanchaud1
      @mikepanchaud1 2 months ago

      Not true. I set up my Google account with my finger print in a minute before I saw this video. I now feel secure and educated, having watched it!

  • @StijnHommes
    @StijnHommes 2 months ago +1

    Passkeys can't be safe, but more importantly, they increase the risk of the account owner not being able to get in and that is a serious problem.

    • @askleonotenboom
      @askleonotenboom  2 months ago +1

      This is incorrect. You will not lose access to your account if you lose your passkeys. See "Passkeys are never the only way in" in askleo.com/passkeys-and-disaster-planning/

    • @StijnHommes
      @StijnHommes 2 months ago

      @@askleonotenboom So the other ways in can get leaked as well. As long as there are recovery options, they will be abused, so effectively, it's no safer than using a PIN number on the account itself.
      And if the device carrying your passkey is ever lost, broken or stolen, you have to reauthenticate to all your accounts with the new device to get new passkeys. And that is skipping another important point, logging into Windows with a PIN is much, MUCH less secure than a well-chosen long and unique password, because a PIN has a much more limited character set that can easily be brute-forced. [and no, not every device has a camera or fingerprint scanner, and even if they do, those things can also break -- and we should have to leak biometrics to get into our accounts.]

    • @StijnHommes
      @StijnHommes 2 months ago

      @@askleonotenboom Let me be clear: if someone knows your Windows Hello PIN number and is thus able to unlock your PC, a passkey offers no additional protection because it opens with the EXACT same credentials. The passkey itself might be entirely unique, but it is sent based on the exact same code you enter. Using a password means they need to know your Windows Hello PIN AND the password to the account they want to sign into.
      Two [different] steps is automatically more secure than one.

    • @CraigLong
      @CraigLong 2 months ago

      @@askleonotenboom Can we keep the hacker from using those other methods of getting in? To use a less secure method it would be nice to use some authentication.

    • @Ck87JF
      @Ck87JF 1 month ago

      @@CraigLong Some sites allow you to disable some methods of authentication, but other sites are much less configurable.

  • @ventilate4267
    @ventilate4267 1 month ago

    xkcd comic 538 is relevant here.