Do you find yourself using passkeys or strong 2FA to secure your accounts? Leave a comment with your experience and if you don't already have a good 2FA key, get $5 off your next Yubikey purchase: www.allthingssecured.com/yubikey5off
Thank You For Your Content ❤ you put so many videos which help people learn also I Brought 2 Yubikeys about one year ago love them I fell much safer the best 2FA method easy and secure
@@AllThingsSecured honestly, I use both. Passkey for my mobile device. This is preferred. I also use MFA and all services I use too, should an attacker choose to use a password login they would still need an MFA code.
Pass keys are far better than a password with 2FA. However, with software passkeys, there’s always a compromise for convenience. Hardfobs are by far the most secure.
@@ohiobumass the video compression algorithms try to limit the amount of data transferred (bandiwidth), it seems they can't deal well with the amount of details on the shirt, then instead of reducing detail they prefer to reduce the amount of frames, or something like that
Thank you for covering this! I bought keys like a year ago and I honestly couldn't figure out if I was using it incorrectly. Almost no sites allow the key to be anything more than a backup since you essentially still need to log in how you previously had. I was really wondering if it was something I set up incorrectly. So relieved it's just awkward to use them in many places
The advice in the video is on point for this: use the keys only for the most sensitive accounts, and you’ll find that these services are often the most mature as well. One thing the video didn’t mention: keep a record of which accounts you set them up on, because on the day you lose the main key, you’ll want to order a new one and set it up on these same accounts again (and revoke the lost key too)
Passkeys are probably intended for people who have so far been using simple passwords, memorising them and using them on multiple websites. Using passkeys will mean a big jump in security for them. Those who use password managers for creating and saving long, random, unique passwords for each website along with 2FA won't gain much by using passkeys. I have created passkeys on a couple of websites out of curiosity but I still use passwords on those sites.
You do make a valid point, however, passkey also protect against phishing, which is something a strong and unique password still won't protect against.
I totally agree. I love having my account secured and I do have a security key in place for as many accounts as I can, but yet still have not activated passkey on any of my accounts I feel the same way about passkey going to continue using what I’ve been using to me. I’m very happy with that.
Note that Amazon and Google both use password protected hardware tokens (like Yubikeys) as their method of authenticating to internal systems. It takes some additional infrastructure, but it is very robust and resistant to many types of attacks. But the human behind the keyboard will probably always be the weakest link.
If a website login (such as the Amazon example here) allows the user to choose either password or passkey, then the passkey seems to add zero security. An attacker in possession of the password would simply choose that option.
In some respects, yes. But there is added security if YOU as a user only use the passkey. It protects against phishing and it's not susceptible to keyloggers or other MITM attacks.
@@AllThingsSecured ah, good point. If that password is unique, safely guarded, and never used, then a user can enjoy the benefits of a passkey and just reserve that password as a last resort method.
That’s why for accounts like that - where someone can cost you money - use a password manager like 1Password to create an incredibly complex password and enable 2FA.
I should add that most sites are reticent to remove password authentication since passkeys are so unknown to most users. Once they become more accepted, I would expect password logins to be removed for new accounts and then ultimately for legacy accounts. That - of course - will take quite some time. All major changes do.
As someone who just implemented Passkeys on the server side, the username part as mentioned in 6:12 is not actually required. The passkey when you first sign into the server sends a sha256 hash of the public key along with it. Every time you use a passkey, that same hash is sent back along with the challenge response. The server can use the hash for the user lookup (so it doesn't have to check your challenge against n number of users to find out who it actually belongs to) and then check the challenge against the public key as stored in the database. I offer my users a simple button that allows them to sign in to their account with just their passkey. No username is required, just physical control of the passkey device (be that a phone, tablet, computer, or Yubi / Titan security key.)
The issue right now is you are required the enter the user ID. He is right about all these issue. UserIDless passkeys puts a point of weakness at the device/service you use to store the password. Since biometric data is supposed to stay in the device and not in the cloud, you will need to enter a password before you can register an account on the device to perform biometric. Long story short, the current passkey implementation is not very helpful.
also. These companies that have passkey support should also offer the user the ability to remove and delete the logging in with a username and PW. Defeats the purpose and security of passkeys if that old tech is still avail and could get hacked and stolen.
@@Toramt they can add a feature to unlock password authentication by sending sms with OTP to your phone and then after you're verified you can enter your password.
The title is very misleading. It seems that the message is: passkeys suck as a method in general, while in reality is the adoption and implementation that every company does that is up for debate. One example. The so much criticized Sony (Playstation), after many data breaches, is so far the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA.
"the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA." That's the way it ought to be on every website, starting with all financial websites, but so far I don't see any groups or individuals strongly advocating for that position.
@@AllThingsSecured your channel, your title 🙂 If the goal is convincing people to adopt passkeys and I read "passkeys suck", I think we're giving the wrong message. Keep up the good work
Thanks Josh, good to see someone discussing Passkeys in more depth. Here's what I'd like to know: 1. I note that I can turn off password and passkey sync'ing in my devices. In this case, I'd need to create a separate passkey for each device. Once that was done, wouldn't that be equivalent to having multiple yubikeys with separate passkeys? 2. Does the emergence of passkeys resident on devices threaten Yubico? Be interested to hear your thoughts.
Thanks for the questions, Michael. Yes, you can create single-device passkeys using your phone and that would be about the same as a Yubikey. The difference is that the phone is connected to the internet at all times while a Yubikey is not. And no, I don’t think this threatens Yubico. In fact, they helped develop the FIDO2 standard. Their key is just one of many ways that you can do 2FA or passkeys. Make sense?
I did a rant recently on Facebook , basically saying "what is a passkey and why should I trust Samsung to handle my authentication" I mistakenly assumed it was a string, similar to a session token or api key. Knowing it is asymmetric key is interesting and helpful. Thank you .
You didnˋt mention the most important thing and the reason why Iˋm not using passkeys at all. At least on my device, an S22 ultra, the passkeys asks for my fingerprint OR MY SMARTPHONE PIN. Thats completly absurd. Why would I swap a long and random password for an 8 digit pin? AND MORE, I live in a country (Brazil) thats possibile that someone would point a gun at me and ask for my pin, so sure, letˋs give the thief my device AND the password for all my passkeys. (!!!) Another possibility is someone being able to see me unlocking my device with the pin for some reason, something that also happens in the US. Until itˋs only possible to unlock with biometrics and not the deviceˋs pin, Iˋm out. Very unsafe.
It is possible for a person in any country to point a gun at you and demand your pin. And biometrics really aren't any better since someone could cut your finger right off, or your eyeball out, to use in bypassing your security if they considered your data valuable enough to be worth the crime.
at gunpoint they could demand you to unlock it with your face or thumb anyway i still agree the pin is not very secure if the passkey is satisfied with just your device pin, that's deterring me as well
every criticism in this video is aimed at the implementation of passkeys, instead of passkeys as such. i think its a great technology and since i have implemented it in my identity provider my life has become so much easier, i can log in into all my services with a single PIN or fingerprint
its only good for if you only wanna verify already logged in users before doing certain actions. its faster than typing password, but you can argue its faster for password manager to fill the password
If you are in the United States ALWAYS use a password as an obligatory factor in a logon process, no matter how many other factors you use. The government can compel you unlock a device with a fingerprint or a face but they can’t make you utter a password. My opinion says that you have a Fourth Amendment right to be secure in your person and a Fifth Amendment right to refrain from incriminating yourself but every court says otherwise.
In Belarus they totured activists to get the PINs and passwords. To avoid this they smash the screens of their phones as soon as they know about an raid or arrest.
I am quite in tune with security as I work on adjunct technologies. Passkeys are glorified randomly generated passwords for now. It require a few things that rooted in having password anyways. Passkeys need to be stored on major ecosystem platforms, or in password manager software. Current implementation and regulation on biometrics mean none of those are stored in the cloud, so if you ever try to provision a new device (that is the gate keeper for your passkeys), you will need to enter an account and password anyways. Those ecosystems or password manager serve as point of failure or attack point. Passkeys don't really solve most of these issues. The best and most flexible solution is to use a hardware device but not your phone or tablet.
glad i`m not stupid. i started to use passkeys and thought i might do something wrong. or i needed to change some settings, because all my accounts act just like the passkey is password ...
All fun and games until you lose your passkey XD I have one old MMO game I played that eventually required a mobile app to sell items in the in-game shop. It's tied to the physical phone you set it up with. Essentially a single device 2FA. I no longer have that phone, so there's no way I'll ever be able to use the player shops in that game again. It took MONTHS for the game's support team to respond to my ticket. By then I was long gone. Sometimes being 'too' secure just locks the end user out all together. It's fine to replace old methods with new ones, but companies better make DAMNED sure the new methods are as easy to use and RECOVER as the old methods.
Funny how a guy in the 1960’s thought multiple people may want to use 1 device; but in 2024 Apple still doesn’t allow more than one user on IOS or IPadOS devices.
Dude in the 60s was an engineer. Apple is a capitalist organisation. It’s that simple. Multiple user accounts on an iPad will result in fewer sales. And this isn’t an Apple thing, every other capitalist organisation is the same. The difference is Apple is in a position to commit fully to this route while other companies may need to allow multi user accounts in order to differentiate themselves, but they certainly wouldn’t if it meant making more money.
Good quality content. I agree with your view on passkeys. The quality of your video is not that great. Very often it looks like it's missing frames. Maybe it a result of how the overlay graphics are rendered!?
I do use Yubikeys, as a passkey and 2FA where I can, but also like the convenience of using my phone or laptop as the device sometimes instead of my Yubikey (not saving in iCloud Keychain or Google Password Manager). Where would you place the security of using your phone or laptop as the device vs. a Yubikey in the scheme of things?
I tried to answer that toward the latter half of the video. It depends on the sensitivity of the login. For me, the Yubikey is the ultimate form of security, so it gets used for the most sensitive logins.
Concerning the point of some websites requiring you to enter email then use passkey instead of password only then require 2fa(amazon), this differes accross different services. So Some services actually have on the login page a button to click to sign in with passkey directly without requiring entering the email and if you have setup 2fa this first passkey will bypass the 2fa (Microsoft for example). Some other like Proton let you decide if you want to use passkey as a replacement to password only while still requiring the 2FA method (or vice versa according to your settings). So to summarize, the implementation of passkeys is different accross websites.
I think email address is fine, I can see how the flow of a login would be easier to build for many existing websites. The email address can also be a simple auto-fill by the browser anyway.
Getting password manager and a couple of hardware keys has completely changed my life. I never need to remember a username or password ever again (except for work stuff)
@McWotsch no not correct. You choose a Master Password (text/numbers/symbols) and type it in to unlock 1Password. The 2FA is set up to only allow 1Password to open on specific devices, eg, phone, computer. If anyone tries to log into the password manager but is on a new device, it will ask for the Yubikey to verify, as 2FA. It's important to have two Yubikeys, in case the first is lost or broken, so the 2nd key can be used instead for 2FA. If both keys are broken or lost, then the only other way to access the password manager is using the recovery codes. If you lose them, then you pretty much lose all access to all accounts. It's very secure which is why you need backups.
Great video. But how is the "public key" aka "padlock" not private? Unlike a real padlock that can be seen by anyone in front of it, it has to be matched with the private key encrypted message - that seems pretty private to me. I think the terminalogy somewhat sucks. Its would be better called "key paddlock pair" authentication. Also no one seems to explain how a message is matched to its corresponding key or padlock? Are all keys or padlocks searched until one matches? This would be like me walking into an area of a 1,000 padlocked gargages and trying my key on each padlock until the key fits the padlock. I assume there is some kind of index, like a garage number, that helps speed up the matching process?
Amazon’s wrong implementation of passkeys isn’t the fault of the technology. They have much broken with MFA, especially if you had an MFA protected AWS account with the same account. You do know that the private keys stored and synced by google, Apple, or proton, etc are encrypted, right? So someone who compromises say Apple or google would also need to get you to use your biometrics (or their backup) to decrypt them before they can be used to access your data. Same as your master password for a synced password database. Also, look into how those private keys are encrypted on your yubikey. Is it with the tiny PIN you must set prior to using it for passkeys? I’d say so since on mine I never have to enter anything longer. So, if you have your yubikey stolen or leave it where someone knowledgeable finds it, how long before that PIN is compromised? Less time than my biometrics or well-chosen alphanumeric phone passphrase. Trust what’s new, just be smart about it and be patient while the paradigm shifts. Passkeys are the passwordless future.
Apple's one is secure but Google Password Manager did have a breach a while back that was pretty bad. Personally I store passkeys for all my accounts, even sensitive ones in Apple's password app. But I kind of understand why he suggests not to, it's also about having control over it yourself. Storing something in the cloud is always giving up some amount of control :)
@@martijnvanderwal3976I encourage everyone to read and understand how their passkeys (private side) are stored and synchronized securely, how additional devices are trusted, how MFA is important along the way, and how even a breach of cloud storage is incredibly unlikely to impact the security of these keys. Most importantly though, educate yourself how the recovery process works on your platform of choice. Make sure you understand it before you need it.
Right on target sir. I looked into what services allow the use of passkeys and found that very few of my important and most important accounts have adopted passkeys. I’m staying with username/passwords, password manager with very random mixed (letters, numbers, special characters) greater that 15 character passwords, and two factor authentication where ever it’s offered. What you have described says that passkeys are a bigger pain in the but than what I use now. Not very encouraging.
I forgot to say that I also set up alerts for my important/most important accounts so I get notified of activities on those accounts. Is all this a guarantee? No, but it is IMHO the best way to go at this time. I’ll check out passkeys sometime in the future when the Google/Microsoft/Technology industry has them better worked out and far more ubiquitous.
So your complaint about passkeys is that they were hard to understand in the past? Weird, I think. And no, I'm not here because I think the companies still have a long way to go, I'm here because it's unfathomable that someone would complain about passkeys today.
And your login example says "Amazon's implementation of Passkeys SUCK", not "Passkeys SUCK". Surely you're aware that clickbaits SUCK. I hope my dislike compensates for my two comments from the algorithm's perspective...
I believe Syncable passkeys, stored in a centralized password manager as a secure modern day replacement to the „sign in with google“ button. I just don’t like how some platforms have weird implementations that appear to try to use them for lock-in to their own password managers. Looking at you Apple.
Banks are notoriously conservative. It'll take years before they catch up. And in the end they have to deal with all types of people, even seniors who can barely use a phone, so I understand their reticence to adopt new technology.
Passkeys don't suck, it's the implementation that sucks (see passwordless SSH for how this should work). And whether it's in a password manager or a yubikey, if you can't disable other login methods, it's pointless to a threat actor. I've given up on passkeys, I just stick with a good password manager, strong passwords and 2FA. PSA: backup your 2FA codes!
I use Bitwarden password Manager and that supports passkeys. It’s a bit weird as it literally just works like another password. It is convenient in that it also works on non biometric devices like PCs. I have since moved away from apple/google password managers and use Bitwarden instead. Pretty sure things like keypads work similar.
The biggest issue is those accounts that people think are not important and have weak security on. The hackers get into these accounts easily still your identity get the answers to all your security questions and then use this information to get into all your other accounts and reset your passwords and get past your past keys.
@@russmarano3802 you seem to be under the impression that every single account/website on the internet supports 2fa keys. This is simply not true, most sites still do not even have basic 2fa let b alone physical keys. And yet you can get past logins that have this, it happens every day. You should watch some of these hacking videos on here and see how they do it.
Think they are available in USB A & C also in a version that has NFC support for phone that are so equipped. Not sure if the USB C version will work on a phone through the USB port or not though.
Yes, that’s part of what makes them so useful: they work on any device that as a USB port or NFC capabilities (most laptops, tablets and phones nowadays).
This was actually a really good presentation. Unfortunately I saw what looked like a click-bait title so almost didn't watch it. Indeed it took it a couple more times popping up on my suggestions before I was tempted in. I'm glad I was, and am not following you 🙂
Hatdware keys are great until you travel out the area of your backup keys. Imagine being on a cruise ship and you lose your yubikey and need to sign in somewhere that requires that key. You are scrod!
No. Apple has implemented this correctly. Using my Touch ID enabled MacBook, when I connect to an Apple site it pulls my passkey userid from my passwords keychain (which does NOT have to be an email or phone number), applies that and initiates the Passkey flow all in one step so the only thing I have to do to login is put my finger on the Touch ID button or present my face if logging in on my iPhone. The number of items I have to type-in drops from 3 (email, password, 2FA code) to zero!
If one of the principal motives for introducing passkeys is to eliminate the ability of wrongdoers to obtain our passwords by breaking into websites we use and/or buy stolen passwords on the dark web, then what is the point of websites not giving us the option to remove our user name and password after creating a working passkey into the site? It seems like an exercise in futility the way it is presently set up. This paradox substantially contributes to the slow adoption rate of passkeys by users, in my opinion. As things now stand, taking the time to set up passkeys wherever available, as I have done, feels more like a parlor game than a successful step to beef up our security. Or perhaps a sales argument for hardware keys instead of passkeys? Or simply, the biometrics option already available on most computers and phones?
I had set up passkeys wherever I could. But, long story short, I've backed off on that. When the dust settled, I'm back to using Yubikey's OTP, and Bitwarden's TOTP for 2fa. For me, Passkeys are too wonkie right now. Maybe one day when they gain more uniformity in implementation and scale?
Sorry, I refuse to use a security device that plugs into the computer. Years ago, to log into my employer's company network from home, I was required to use a credit-card sized device with a small screen that displayed a rolling code that I had to manually enter. These days, that credit-card sized device could have biometrics or some other form of authentication to provide some additional security if the device is lost or stolen before I have a chance to disable it.
Certain security devices that you plug in do have that option. You’re mainly looking for anything that implements the U2F standard, not just Yubikey (though they may have one, too). The benefit of a physical device is that the keys are not syncable. They cannot be copied, even if an attacker gets a hold of your computer. With most software-based implementations, a skilled attacker could bypass any biometric authentication you have. Biometrics are a fuzzy-matching logic, which means they can’t be used to decrypt data as they are not a definitive key of finite variations. Something like a Yubikey can get away with this by making custom ICs that do not provide any exposed method of accessing persistent memory. To bypass that, you’d have to de-lid the chip and analyze it under a microscope, and be able to decipher what’s happening at the electrical level
Passkey Does replace 2FA. As for whether it replaces typing in a Username or not.. I would say the End User should have control over whether the website will be registered on their FIDO2 token as a RESIDENT key. If it's a Resident key, then the website should be able to Prompt the user to PICK from a list which account they want to use. There is no requirement to prompt for a Username, but it's a design decision by the website operator. I don't understand why Amazon still prompt for it after a Passkey is supplied either. They should at LEAST make it an option to skip 2-step Login only when a Passkey is used.
My question is what happens if you lose the phone or it is stolen or malfunctions? I also wonder what happens if the passkey gets compromised. Nothing is totally secure. Is it possible to change it to a new one? I am looking at getting a yubikey as i trust that further than passkeys. As far as passkey go, until I get a satisfactory answer to those questions, I will keep using my offline password manager and not jump on the passkey bandwagon.
Until there is a standard and easier portability I'm only using my hardware keys as a 2FA method. Once all places allow me to store my passkeys in Bitwarden and use that as my Passkey everywhere and not just select sites then I'm not interested in Passkey. The other thing I don't like is not being able to turn off account recovery for Passkeys or Hardware keys because then it just lowers the security if someone gains access to your email or SIM-jack's your phone.
Hey, thanks for sharing! I am wondering why a physical device like Yubikey is safer than the authenticator app on the smartphone. All in all, an authenticator app can also be protected by biometrics and developed so that it only keeps the passkey or secrets stored on the smartphone without any sharing across the network. Is it about the fact that smartphones can get malware or viruses and the security of individual apps (the authenticator in this case) gets compromised? If so, if we can't trust the authenticator app just because it's an app, then in principle we should not be using any app for critical / sensitive data access like e-banking on smartphones at all. Thanks for any hint or link to videos that explain it!
This is oriented towards human users. The challenge is in using APIs and connecting devices that operate on our behalf. The worry is that this rolls us back to the days before people could write their own apps.
Our (very large software) company forced all employees to "switch" to using passkeys. I got it set up, and if anything it's Less convenient than before. Now there are More steps for me to log in - and I generally need to use username/password anyway because either a)I have my laptop closed so no access to the power button on the Mac for thumbprint; or b)when I do try to use my thumbprint it doesn't work more than half the time and I have to revert to using username password anyway. - It's all just More headache than before, not less.
First: Amazon is a very bad example to demo passkeys. Google, Apple and Microsoft (and Sony believe it or not) are some of the few who have implemented passkeys correctly, meaning you use a passkey in place of a password and MFA. They way you demo it makes it seem like "this is how passkeys work, sucks am I right?" Which comes off as a bit disingenuous in the light of you pushing yubikeys. Unless you didn't really know how the other actors I mentioned have implemented it? (Yes, Microsoft's setup process in particular sucks, but I'm specifically referring to the passkey usage at login.) Second: normal users are never going to use yubikeys. Yubikeys are for IT-experts or employees at a company. Syncable passkeys are the most likely used version going forward.
Thanks for the comment. Amazon may not be the best example, but Google wasn’t too much better in my experience. I find it interesting that you think I’m saying all this to push Yankees seeing as you can use the physical keys whether you use 2FA or passkeys. And if you decide to use 1Password or iCloud instead…great! As for “normal users,” I think that’s a cop out and underestimates what people are motivated to do now. Everything starts off with early adopter, but 2FA keys are far, far beyond that stage. I prefer to treat my audience as if they’re intelligent.
So I looked around turns out the limits, for websites, etc. specifically, is on: Discoverable Credentials / Resident Keys, which is the part you talked about how services don't offer it (you still need to specify the username), so their is actually a reason for it. Having to enter your email address (maybe auto-fill-in by the browser) and so bad and makes it easier to implement the flow for a website, maybe. Also means you aren't running into limits on your Yubikey (25).
The others are, unlimited, so that does also mean they use an algorithm to calculate the private key per website, based on a single private key: pk=(hash (lowercase (website-domain))+single private key) or similar, probably fine, but it does mean it doesn't generate a completely standalone private key per website.
My thoughts are that 100% people are going to use AI to crack any security measures people come up with, so what are your thoughts on the danger of AI breaking our security?
@@AllThingsSecured A good question? I asked ChatGPT and this was the answer. Cracking a YubiKey or any hardware-based authentication device is generally difficult due to its design and the security protocols it employs. However, if AI were to be used in an attempt to bypass or crack the security of a YubiKey, it might be applied in the following speculative ways: ### 1. **Social Engineering Attacks** - **Phishing**: AI could be used to craft highly convincing phishing emails or messages to trick users into divulging their OTPs or other authentication credentials. - **Deepfake Technology**: AI could generate deepfake audio or video to impersonate trusted individuals, convincing users to reveal security details or grant access. ### 2. **Brute-Force Attack Automation** - **Pattern Recognition**: AI could analyze patterns in user behavior, potentially predicting OTP sequences or other elements based on data from compromised systems. However, YubiKey’s security is specifically designed to resist such attacks. - **Enhanced Brute Force**: AI might assist in a brute-force attack by rapidly testing different combinations more efficiently, but given the limited number of attempts before the key locks or resets, this approach would likely be ineffective. ### 3. **Bypassing or Exploiting Software Vulnerabilities** - **Zero-Day Exploits**: AI could assist in finding vulnerabilities in the software that interfaces with YubiKey, potentially identifying flaws that could be exploited to bypass authentication. - **Behavioral Analysis**: AI might monitor and learn from the interactions between the YubiKey and software, identifying potential weaknesses or patterns that could be exploited. ### 4. **Physical Security and Side-Channel Attacks** - **Side-Channel Analysis**: AI could be used to analyze side-channel data (like electromagnetic emissions or power consumption patterns) to infer sensitive information during the authentication process. - **Physical Access Exploits**: AI could potentially assist in analyzing and automating physical attack methods (such as tampering with the device itself), though this would require access to the hardware and is more of a security research area than a realistic threat. ### 5. **Automation of Data Collection** - **Data Mining**: AI could automate the collection of large-scale data across platforms to find potential weaknesses or to cross-reference with known vulnerabilities related to YubiKey's implementation. - **User Behavior Analysis**: AI could analyze user behavior over time to predict when they are most likely to use the YubiKey, potentially helping in timing other forms of attacks. ### Limitations - **YubiKey’s Design**: The YubiKey is designed with strong security protocols, including physical presence requirements (e.g., touching the device), making it highly resistant to remote attacks. - **U2F and FIDO2 Security**: These protocols are built to protect against phishing, man-in-the-middle attacks, and other common threats, which limits the effectiveness of many AI-driven attacks. ### Conclusion While AI can theoretically assist in attempts to crack a YubiKey, the security architecture and protocols of such devices are specifically designed to resist these kinds of attacks. Most real-world attempts would likely focus on social engineering or exploiting vulnerabilities in the broader ecosystem (software or user practices) rather than directly attacking the YubiKey itself.
I think the weakest link is still the human, so using AI to mislead the human is going to be very common. That said: 1 of the big advantages of passkey is that every site has gets it's own keypair and thus you can't be mislead to authenticate to a fake site, this helps a bunch because that greatly reduces the number of possible misleading attacks.
Nice channel I think I'll subscribe. Years ago I trolled some stock forum for a company that sold one of those dongles that randomly changes numbers every 30 seconds to generate one-time passcodes. I said it would go nowhere, and more or less I was right. Today's "something that you have" (Ubikey) key is related and my opinion is still low. Not that I don't like the idea, but rather it reminds me of the adage "necessity becomes virtue". When enough people are doing something one particular way, like now with no such "Ubikey", then it becomes the virtuous "norm". If and when enough people adopt the "Ubikey" then and only then will it become the virtuous norm. Chicken and egg thing.
@@AllThingsSecured Network effects bro. Google it. As in your video (I think it was yours not another channel) even Google doesn't support Ubikey 100%. Bye.
Thanks for this updated video, but the bottom line still escapes me: How can we remove our long password and our SMS and our email as 2FA from the websites of our online bank accounts and credit cards (VERY FEW take passkeys) so as to defeat a wrongdoer from using Forgot my Password to intercept the link given to change our password? Can we do that with a Yubikey? Or set it up with our biometrics? If not, with what?
That’s part of the point - you can’t. And that has nothing to do with Yubikey, that’s all about how the different banks and services implement their login security.
@@AllThingsSecured I'm not criticizing Yubikey. I bought 3 of them. I'm just still baffled as to how I/we can use them to protect financial accounts like those mentioned from the most common form of interception.
@@utuber1000 it's simple, change your bank to one that lives in the 21st century. My condolences to my fellow Americans, who have to deal with these backwards companies.
we need to go passwordless and just use passkeys, i know Microsoft give you option to switch to passwordless, which means you must use a passkey from that point. and of course you can register multiple passkeys on your MS account.
Kind of. I think that's part of the problem, though - if you consider that a passkey (which isn't based on the FIDO 2 standard), then you just add confusion to the conversation.
Good stuff. Thanks for sharing. Also, the "Recommended 2FA Security Key" link doesn't seem to be working for me. I attempted to launch that link in 2 different browsers and got the same error message "Sorry, we couldn't find that page."
Yubikey looks cool but I like the idea of the onlykey for storing soecial passwords. Can anyone tell me if the onlykey has problems I should be aware of?
Thank you. I am still confused and I am very very computer literate but I’m still lost when it comes to pass keys. I rather have a text message sent to me with a code whenever I sign on.
I think one of the problems with adoption is that passkeys are not exactly cheap. Last I looked it would be ~$200 for a key and a backup key. Low income folks can't afford that. Heck, my son has a decent job and is working 2 jobs to make ends meet. If it really caught on then sooner or later someone is going to say this authentication method is racist (silly, but that's the world we live in). I don't think my bank even supports this method. I turn on 2FA everwhere possible and use a password manager with very long passwords. I don't even know what they are myself!
@@AllThingsSecured I did watch the video all the way through. I priced a couple models of Yubikeys and two of them would be ~$200 ish. I'm skeptical of anything free. It's usually worth what you paid for it. As for putting my passwords into Apple or Googles care (shudder) I would never go there.
I was really excited about passkeys until I learned I couldn’t get rid of my ID and password and therefore would still be vulnerable in that regard anyway.
So are passkeys similar to ssh keys and pgp/gpg keys? Also, biometrics are not protected by the Constitution as far as unreasonable searches and seizures. The Supreme Court ruled because biometrics are public (people can see you and your fingerprints are easily taken), they are not protected against searches and seizures. Passwords are protected, however.
And how do I plug that yubikey into my mobile devices? I guess there are dongles but... I refuse to do that for headphones, I'm not going to do it for this. 😅
How secure would syncable passkeys be if they were stored on a self hosted password manager like Bitwarden / Vaultwarden without any external access? Thanks!
I guess that depends on you. People assume it’s safer than with 1Password, but I would actually trust the security practices of 1Password more than an individuals.
2:05 im not a fan of security keys or any other physical device that gives permissions. only secure place for a private key or its seed is your mind, with an external signing device
Still trying to make sence of the syncable part. I setup passkeys on my three android phones separately for one outlook account. When does the syncing come into play?
@@AllThingsSecured Ok, makes sense. But I am trying to think of a case where syncing with passkeys occurs in the context of Android phones. I think with Windows Hello as well, you're creating a passkey for just that computer. I have never owned an Apple phone, so I don't have any experience with them.
Do you find yourself using passkeys or strong 2FA to secure your accounts? Leave a comment with your experience and if you don't already have a good 2FA key, get $5 off your next Yubikey purchase: www.allthingssecured.com/yubikey5off
Thank You For Your Content ❤ you put so many videos which help people learn also
I Brought 2 Yubikeys about one year ago love them I fell much safer the best 2FA method easy and secure
Strong, I forget my passwords and passkey save me I just need to use my fingerprint
@@AllThingsSecured honestly, I use both.
Passkey for my mobile device. This is preferred. I also use MFA and all services I use too, should an attacker choose to use a password login they would still need an MFA code.
Pass keys are far better than a password with 2FA. However, with software passkeys, there’s always a compromise for convenience. Hardfobs are by far the most secure.
Oh boy, that shirt isn't good for youtube's bitrate ^^
Haha! Yea, I’m learning that.
The video feels like it slows down
I don't think it's UA-cam that's the problem LOL.
Why is that? Can anyone explain it?
@@ohiobumass the video compression algorithms try to limit the amount of data transferred (bandiwidth), it seems they can't deal well with the amount of details on the shirt, then instead of reducing detail they prefer to reduce the amount of frames, or something like that
Thank you for covering this! I bought keys like a year ago and I honestly couldn't figure out if I was using it incorrectly. Almost no sites allow the key to be anything more than a backup since you essentially still need to log in how you previously had. I was really wondering if it was something I set up incorrectly. So relieved it's just awkward to use them in many places
Yea, passkey use is limited, but using it as a 2FA key is very useful!
The advice in the video is on point for this: use the keys only for the most sensitive accounts, and you’ll find that these services are often the most mature as well. One thing the video didn’t mention: keep a record of which accounts you set them up on, because on the day you lose the main key, you’ll want to order a new one and set it up on these same accounts again (and revoke the lost key too)
@@GuillaumeRossolinithat's the reason to have 2 of them. One you use and one stored in a safe place as a backup.
@@artos6209 no, I’m well aware and I was actually pointing out what happens when you lose one of the two keys
Passkeys are probably intended for people who have so far been using simple passwords, memorising them and using them on multiple websites. Using passkeys will mean a big jump in security for them. Those who use password managers for creating and saving long, random, unique passwords for each website along with 2FA won't gain much by using passkeys. I have created passkeys on a couple of websites out of curiosity but I still use passwords on those sites.
You do make a valid point, however, passkey also protect against phishing, which is something a strong and unique password still won't protect against.
Funny how a month after this video, a vulnerability in YubiKeys and other systems that use the Infineon library came to light.
I totally agree. I love having my account secured and I do have a security key in place for as many accounts as I can, but yet still have not activated passkey on any of my accounts I feel the same way about passkey going to continue using what I’ve been using to me. I’m very happy with that.
Glad to hear it. 👍🏻
I wish banks took security seriously and gave us the option of hardware keys, banks 2FA are a joke, sad
Note that Amazon and Google both use password protected hardware tokens (like Yubikeys) as their method of authenticating to internal systems. It takes some additional infrastructure, but it is very robust and resistant to many types of attacks. But the human behind the keyboard will probably always be the weakest link.
Always
Thanks for adding actual captions for the Deaf - and thanks for clear explaination
If a website login (such as the Amazon example here) allows the user to choose either password or passkey, then the passkey seems to add zero security. An attacker in possession of the password would simply choose that option.
In some respects, yes. But there is added security if YOU as a user only use the passkey. It protects against phishing and it's not susceptible to keyloggers or other MITM attacks.
@@AllThingsSecured ah, good point. If that password is unique, safely guarded, and never used, then a user can enjoy the benefits of a passkey and just reserve that password as a last resort method.
That’s why for accounts like that - where someone can cost you money - use a password manager like 1Password to create an incredibly complex password and enable 2FA.
I should add that most sites are reticent to remove password authentication since passkeys are so unknown to most users. Once they become more accepted, I would expect password logins to be removed for new accounts and then ultimately for legacy accounts. That - of course - will take quite some time. All major changes do.
@@AllThingsSecured AITM
As someone who just implemented Passkeys on the server side, the username part as mentioned in 6:12 is not actually required. The passkey when you first sign into the server sends a sha256 hash of the public key along with it. Every time you use a passkey, that same hash is sent back along with the challenge response. The server can use the hash for the user lookup (so it doesn't have to check your challenge against n number of users to find out who it actually belongs to) and then check the challenge against the public key as stored in the database. I offer my users a simple button that allows them to sign in to their account with just their passkey. No username is required, just physical control of the passkey device (be that a phone, tablet, computer, or Yubi / Titan security key.)
The issue right now is you are required the enter the user ID. He is right about all these issue. UserIDless passkeys puts a point of weakness at the device/service you use to store the password. Since biometric data is supposed to stay in the device and not in the cloud, you will need to enter a password before you can register an account on the device to perform biometric. Long story short, the current passkey implementation is not very helpful.
also. These companies that have passkey support should also offer the user the ability to remove and delete the logging in with a username and PW. Defeats the purpose and security of passkeys if that old tech is still avail and could get hacked and stolen.
I agree, but I think they're going to be slow to do that for a number of reasons.
They'll still need a mechanism for you to gain access if you lose your passkey.
@@Toramt they can add a feature to unlock password authentication by sending sms with OTP to your phone and then after you're verified you can enter your password.
The title is very misleading. It seems that the message is: passkeys suck as a method in general, while in reality is the adoption and implementation that every company does that is up for debate.
One example. The so much criticized Sony (Playstation), after many data breaches, is so far the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA.
"the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA."
That's the way it ought to be on every website, starting with all financial websites, but so far I don't see any groups or individuals strongly advocating for that position.
Sorry you didn't like the title. Saying "The implementation of passkeys suck" just didn't have the same ring to it.
@@AllThingsSecured your channel, your title 🙂
If the goal is convincing people to adopt passkeys and I read "passkeys suck", I think we're giving the wrong message.
Keep up the good work
A title on a UA-cam video has a truth to it, but also a bit clickbaity ? Say it ain't so ! 🙂
Thanks Josh, good to see someone discussing Passkeys in more depth.
Here's what I'd like to know:
1. I note that I can turn off password and passkey sync'ing in my devices. In this case, I'd need to create a separate passkey for each device. Once that was done, wouldn't that be equivalent to having multiple yubikeys with separate passkeys?
2. Does the emergence of passkeys resident on devices threaten Yubico?
Be interested to hear your thoughts.
Thanks for the questions, Michael. Yes, you can create single-device passkeys using your phone and that would be about the same as a Yubikey. The difference is that the phone is connected to the internet at all times while a Yubikey is not.
And no, I don’t think this threatens Yubico. In fact, they helped develop the FIDO2 standard. Their key is just one of many ways that you can do 2FA or passkeys. Make sense?
the more widespread these technologies are, they might sell less percentage wise, but the market itself will be many many times larger
I did a rant recently on Facebook , basically saying "what is a passkey and why should I trust Samsung to handle my authentication"
I mistakenly assumed it was a string, similar to a session token or api key. Knowing it is asymmetric key is interesting and helpful. Thank you .
You didnˋt mention the most important thing and the reason why Iˋm not using passkeys at all.
At least on my device, an S22 ultra, the passkeys asks for my fingerprint OR MY SMARTPHONE PIN. Thats completly absurd. Why would I swap a long and random password for an 8 digit pin? AND MORE, I live in a country (Brazil) thats possibile that someone would point a gun at me and ask for my pin, so sure, letˋs give the thief my device AND the password for all my passkeys. (!!!) Another possibility is someone being able to see me unlocking my device with the pin for some reason, something that also happens in the US.
Until itˋs only possible to unlock with biometrics and not the deviceˋs pin, Iˋm out. Very unsafe.
It is possible for a person in any country to point a gun at you and demand your pin. And biometrics really aren't any better since someone could cut your finger right off, or your eyeball out, to use in bypassing your security if they considered your data valuable enough to be worth the crime.
at gunpoint they could demand you to unlock it with your face or thumb anyway
i still agree the pin is not very secure if the passkey is satisfied with just your device pin, that's deterring me as well
Thank you - very helpful. I was confused about the difference between physical and syncable passkeys and this is a good explanation.
Glad it was helpful!
It's really sad that he said some only allowed syncable passkeys.
every criticism in this video is aimed at the implementation of passkeys, instead of passkeys as such. i think its a great technology and since i have implemented it in my identity provider my life has become so much easier, i can log in into all my services with a single PIN or fingerprint
Using a physical device for 2fa codes feels so cumbersome for logging in from mobile devices!
How were you able to autofill two-factor codes like that, that's super neat!
This is an indictment of the websites that don’t know how to implement Passkeys well, not an indictment of Passkeys.
Passkeys are new IPv6
its only good for if you only wanna verify already logged in users before doing certain actions.
its faster than typing password, but you can argue its faster for password manager to fill the password
If you are in the United States ALWAYS use a password as an obligatory factor in a logon process, no matter how many other factors you use. The government can compel you unlock a device with a fingerprint or a face but they can’t make you utter a password.
My opinion says that you have a Fourth Amendment right to be secure in your person and a Fifth Amendment right to refrain from incriminating yourself but every court says otherwise.
They will give you contempt charges if you don't in some cases but if you have something that important than setting it to destroy itself is better
In Belarus they totured activists to get the PINs and passwords. To avoid this they smash the screens of their phones as soon as they know about an raid or arrest.
In amazon the passkey is just replacing the password but in Google and Microsoft they are replacing the 2nd auth 2FA as well.
Is it my computer or is there a weird framerate in some parts of the video?
Yea, sorry about the dropped frame rates. It’s a new piece in my studio and I’m working on it. Thanks for your understanding.
I'm watching this on my work computer and the FPS get me thinking "Is this laptop really that bad?" lol
I am quite in tune with security as I work on adjunct technologies. Passkeys are glorified randomly generated passwords for now. It require a few things that rooted in having password anyways. Passkeys need to be stored on major ecosystem platforms, or in password manager software. Current implementation and regulation on biometrics mean none of those are stored in the cloud, so if you ever try to provision a new device (that is the gate keeper for your passkeys), you will need to enter an account and password anyways. Those ecosystems or password manager serve as point of failure or attack point. Passkeys don't really solve most of these issues. The best and most flexible solution is to use a hardware device but not your phone or tablet.
In my experience some financial service providers have already doing passkey with device binding.
Interesting…which ones?
glad i`m not stupid. i started to use passkeys and thought i might do something wrong. or i needed to change some settings, because all my accounts act just like the passkey is password ...
Ha! Yea, you’re not alone, nor are you stupid 😂
All fun and games until you lose your passkey XD
I have one old MMO game I played that eventually required a mobile app to sell items in the in-game shop. It's tied to the physical phone you set it up with. Essentially a single device 2FA. I no longer have that phone, so there's no way I'll ever be able to use the player shops in that game again. It took MONTHS for the game's support team to respond to my ticket. By then I was long gone. Sometimes being 'too' secure just locks the end user out all together. It's fine to replace old methods with new ones, but companies better make DAMNED sure the new methods are as easy to use and RECOVER as the old methods.
Funny how a guy in the 1960’s thought multiple people may want to use 1 device; but in 2024 Apple still doesn’t allow more than one user on IOS or IPadOS devices.
Dude in the 60s was an engineer. Apple is a capitalist organisation. It’s that simple.
Multiple user accounts on an iPad will result in fewer sales. And this isn’t an Apple thing, every other capitalist organisation is the same. The difference is Apple is in a position to commit fully to this route while other companies may need to allow multi user accounts in order to differentiate themselves, but they certainly wouldn’t if it meant making more money.
Surely such devices are personal ie only you or spouse/child would use them .
Good quality content. I agree with your view on passkeys. The quality of your video is not that great. Very often it looks like it's missing frames. Maybe it a result of how the overlay graphics are rendered!?
No, it’s my fault on skipped frames due to some new equipment. It’s a one-time event.
I do use Yubikeys, as a passkey and 2FA where I can, but also like the convenience of using my phone or laptop as the device sometimes instead of my Yubikey (not saving in iCloud Keychain or Google Password Manager).
Where would you place the security of using your phone or laptop as the device vs. a Yubikey in the scheme of things?
I tried to answer that toward the latter half of the video. It depends on the sensitivity of the login. For me, the Yubikey is the ultimate form of security, so it gets used for the most sensitive logins.
Concerning the point of some websites requiring you to enter email then use passkey instead of password only then require 2fa(amazon), this differes accross different services. So Some services actually have on the login page a button to click to sign in with passkey directly without requiring entering the email and if you have setup 2fa this first passkey will bypass the 2fa (Microsoft for example). Some other like Proton let you decide if you want to use passkey as a replacement to password only while still requiring the 2FA method (or vice versa according to your settings). So to summarize, the implementation of passkeys is different accross websites.
You are correct. I think I said in the video that every website implements it differently.
I think email address is fine, I can see how the flow of a login would be easier to build for many existing websites. The email address can also be a simple auto-fill by the browser anyway.
Getting password manager and a couple of hardware keys has completely changed my life. I never need to remember a username or password ever again (except for work stuff)
Did I understand it right: You use one Yubikey for the master password to your password manager and a second one as 2FA ?
@McWotsch no not correct. You choose a Master Password (text/numbers/symbols) and type it in to unlock 1Password. The 2FA is set up to only allow 1Password to open on specific devices, eg, phone, computer. If anyone tries to log into the password manager but is on a new device, it will ask for the Yubikey to verify, as 2FA.
It's important to have two Yubikeys, in case the first is lost or broken, so the 2nd key can be used instead for 2FA. If both keys are broken or lost, then the only other way to access the password manager is using the recovery codes. If you lose them, then you pretty much lose all access to all accounts.
It's very secure which is why you need backups.
This Was a really informative video thank you for sharing and education for the public
You're welcome, Darryl!
Great video. But how is the "public key" aka "padlock" not private? Unlike a real padlock that can be seen by anyone in front of it, it has to be matched with the private key encrypted message - that seems pretty private to me. I think the terminalogy somewhat sucks. Its would be better called "key paddlock pair" authentication. Also no one seems to explain how a message is matched to its corresponding key or padlock? Are all keys or padlocks searched until one matches? This would be like me walking into an area of a 1,000 padlocked gargages and trying my key on each padlock until the key fits the padlock. I assume there is some kind of index, like a garage number, that helps speed up the matching process?
Amazon’s wrong implementation of passkeys isn’t the fault of the technology. They have much broken with MFA, especially if you had an MFA protected AWS account with the same account.
You do know that the private keys stored and synced by google, Apple, or proton, etc are encrypted, right? So someone who compromises say Apple or google would also need to get you to use your biometrics (or their backup) to decrypt them before they can be used to access your data. Same as your master password for a synced password database.
Also, look into how those private keys are encrypted on your yubikey. Is it with the tiny PIN you must set prior to using it for passkeys? I’d say so since on mine I never have to enter anything longer. So, if you have your yubikey stolen or leave it where someone knowledgeable finds it, how long before that PIN is compromised? Less time than my biometrics or well-chosen alphanumeric phone passphrase.
Trust what’s new, just be smart about it and be patient while the paradigm shifts. Passkeys are the passwordless future.
Apple's one is secure but Google Password Manager did have a breach a while back that was pretty bad. Personally I store passkeys for all my accounts, even sensitive ones in Apple's password app. But I kind of understand why he suggests not to, it's also about having control over it yourself. Storing something in the cloud is always giving up some amount of control :)
@@martijnvanderwal3976I encourage everyone to read and understand how their passkeys (private side) are stored and synchronized securely, how additional devices are trusted, how MFA is important along the way, and how even a breach of cloud storage is incredibly unlikely to impact the security of these keys. Most importantly though, educate yourself how the recovery process works on your platform of choice. Make sure you understand it before you need it.
If I have set up multiple YubiKeys for an account, should I then disable the use of SMS 2FA?
If you can, I would advise that you do.
Because text messages is the main vector for SIM cloning. I would suggest if you can use your Yubikey everywhere you can
Finally i understand....thank you so much! 😅 Greeetings from Austria. 🇦🇹
Greetings to you as well!
Right on target sir. I looked into what services allow the use of passkeys and found that very few of my important and most important accounts have adopted passkeys. I’m staying with username/passwords, password manager with very random mixed (letters, numbers, special characters) greater that 15 character passwords, and two factor authentication where ever it’s offered. What you have described says that passkeys are a bigger pain in the but than what I use now. Not very encouraging.
I forgot to say that I also set up alerts for my important/most important accounts so I get notified of activities on those accounts. Is all this a guarantee? No, but it is IMHO the best way to go at this time. I’ll check out passkeys sometime in the future when the Google/Microsoft/Technology industry has them better worked out and far more ubiquitous.
So your complaint about passkeys is that they were hard to understand in the past? Weird, I think. And no, I'm not here because I think the companies still have a long way to go, I'm here because it's unfathomable that someone would complain about passkeys today.
And your login example says "Amazon's implementation of Passkeys SUCK", not "Passkeys SUCK". Surely you're aware that clickbaits SUCK. I hope my dislike compensates for my two comments from the algorithm's perspective...
I believe Syncable passkeys, stored in a centralized password manager as a secure modern day replacement to the „sign in with google“ button.
I just don’t like how some platforms have weird implementations that appear to try to use them for lock-in to their own password managers.
Looking at you Apple.
They’ve managed to make this as complicated and confusing and convoluted as using PGP, which went absolutely nowhere in the consumer space.
Yea, I don’t think I’ve appreciated how important consumer packaging and user experience play a role in security standard adoption.
LPL says that we should never show our keys publicly.
Tracking passkeys is an interesting thought experiment.
here in Italy there are no BANK accepting authentication via ubkey or other similar producs... wondering why
Banks are notoriously conservative. It'll take years before they catch up. And in the end they have to deal with all types of people, even seniors who can barely use a phone, so I understand their reticence to adopt new technology.
Passkeys don't suck, it's the implementation that sucks (see passwordless SSH for how this should work). And whether it's in a password manager or a yubikey, if you can't disable other login methods, it's pointless to a threat actor. I've given up on passkeys, I just stick with a good password manager, strong passwords and 2FA.
PSA: backup your 2FA codes!
I agree, and despite the title, I tried my best to explain that in the video.
I use Bitwarden password Manager and that supports passkeys. It’s a bit weird as it literally just works like another password. It is convenient in that it also works on non biometric devices like PCs. I have since moved away from apple/google password managers and use Bitwarden instead. Pretty sure things like keypads work similar.
The biggest issue is those accounts that people think are not important and have weak security on. The hackers get into these accounts easily still your identity get the answers to all your security questions and then use this information to get into all your other accounts and reset your passwords and get past your past keys.
they still cannot get past the physical key, change pw/un all they want, the physical key stops them dead in their tracks.
@@russmarano3802 you seem to be under the impression that every single account/website on the internet supports 2fa keys. This is simply not true, most sites still do not even have basic 2fa let b alone physical keys.
And yet you can get past logins that have this, it happens every day. You should watch some of these hacking videos on here and see how they do it.
Do Yubikeys work across different devices? I would want one key I can use on my PC laptop, google phone and tablet. Good video, thanks
Think they are available in USB A & C also in a version that has NFC support for phone that are so equipped. Not sure if the USB C version will work on a phone through the USB port or not though.
Yes, that’s part of what makes them so useful: they work on any device that as a USB port or NFC capabilities (most laptops, tablets and phones nowadays).
This was actually a really good presentation. Unfortunately I saw what looked like a click-bait title so almost didn't watch it. Indeed it took it a couple more times popping up on my suggestions before I was tempted in. I'm glad I was, and am not following you 🙂
Hatdware keys are great until you travel out the area of your backup keys. Imagine being on a cruise ship and you lose your yubikey and need to sign in somewhere that requires that key. You are scrod!
Bring a backup…
@@martinlutherkingjr.5582 to loose that too lol
@@myhandle8 You could also lose your memory
No. Apple has implemented this correctly. Using my Touch ID enabled MacBook, when I connect to an Apple site it pulls my passkey userid from my passwords keychain (which does NOT have to be an email or phone number), applies that and initiates the Passkey flow all in one step so the only thing I have to do to login is put my finger on the Touch ID button or present my face if logging in on my iPhone. The number of items I have to type-in drops from 3 (email, password, 2FA code) to zero!
If one of the principal motives for introducing passkeys is to eliminate the ability of wrongdoers to obtain our passwords by breaking into websites we use and/or buy stolen passwords on the dark web, then what is the point of websites not giving us the option to remove our user name and password after creating a working passkey into the site? It seems like an exercise in futility the way it is presently set up. This paradox substantially contributes to the slow adoption rate of passkeys by users, in my opinion. As things now stand, taking the time to set up passkeys wherever available, as I have done, feels more like a parlor game than a successful step to beef up our security. Or perhaps a sales argument for hardware keys instead of passkeys? Or simply, the biometrics option already available on most computers and phones?
I had set up passkeys wherever I could. But, long story short, I've backed off on that. When the dust settled, I'm back to using Yubikey's OTP, and Bitwarden's TOTP for 2fa.
For me, Passkeys are too wonkie right now. Maybe one day when they gain more uniformity in implementation and scale?
Sorry, I refuse to use a security device that plugs into the computer. Years ago, to log into my employer's company network from home, I was required to use a credit-card sized device with a small screen that displayed a rolling code that I had to manually enter. These days, that credit-card sized device could have biometrics or some other form of authentication to provide some additional security if the device is lost or stolen before I have a chance to disable it.
Certain security devices that you plug in do have that option. You’re mainly looking for anything that implements the U2F standard, not just Yubikey (though they may have one, too).
The benefit of a physical device is that the keys are not syncable. They cannot be copied, even if an attacker gets a hold of your computer. With most software-based implementations, a skilled attacker could bypass any biometric authentication you have. Biometrics are a fuzzy-matching logic, which means they can’t be used to decrypt data as they are not a definitive key of finite variations. Something like a Yubikey can get away with this by making custom ICs that do not provide any exposed method of accessing persistent memory. To bypass that, you’d have to de-lid the chip and analyze it under a microscope, and be able to decipher what’s happening at the electrical level
Passkey Does replace 2FA. As for whether it replaces typing in a Username or not..
I would say the End User should have control over whether the website will be registered on their FIDO2 token as a RESIDENT key.
If it's a Resident key, then the website should be able to Prompt the user to PICK from a list which account they want to use.
There is no requirement to prompt for a Username, but it's a design decision by the website operator.
I don't understand why Amazon still prompt for it after a Passkey is supplied either.
They should at LEAST make it an option to skip 2-step Login only when a Passkey is used.
My question is what happens if you lose the phone or it is stolen or malfunctions? I also wonder what happens if the passkey gets compromised. Nothing is totally secure. Is it possible to change it to a new one?
I am looking at getting a yubikey as i trust that further than passkeys.
As far as passkey go, until I get a satisfactory answer to those questions, I will keep using my offline password manager and not jump on the passkey bandwagon.
Losing a passkey isn’t terrible as long as you have a backup. In that case yes, you can go in, revoke the old passkey and create a new one.
Until there is a standard and easier portability I'm only using my hardware keys as a 2FA method. Once all places allow me to store my passkeys in Bitwarden and use that as my Passkey everywhere and not just select sites then I'm not interested in Passkey. The other thing I don't like is not being able to turn off account recovery for Passkeys or Hardware keys because then it just lowers the security if someone gains access to your email or SIM-jack's your phone.
👍🏻👍🏻
Hey, thanks for sharing! I am wondering why a physical device like Yubikey is safer than the authenticator app on the smartphone. All in all, an authenticator app can also be protected by biometrics and developed so that it only keeps the passkey or secrets stored on the smartphone without any sharing across the network.
Is it about the fact that smartphones can get malware or viruses and the security of individual apps (the authenticator in this case) gets compromised? If so, if we can't trust the authenticator app just because it's an app, then in principle we should not be using any app for critical / sensitive data access like e-banking on smartphones at all.
Thanks for any hint or link to videos that explain it!
This is oriented towards human users. The challenge is in using APIs and connecting devices that operate on our behalf. The worry is that this rolls us back to the days before people could write their own apps.
Nice Lego Globe my guy!
Educational as always. Thank you!
You bet!
You remind me of my friend's Dad, he's poor and smells like salmon.
Our (very large software) company forced all employees to "switch" to using passkeys. I got it set up, and if anything it's Less convenient than before. Now there are More steps for me to log in - and I generally need to use username/password anyway because either a)I have my laptop closed so no access to the power button on the Mac for thumbprint; or b)when I do try to use my thumbprint it doesn't work more than half the time and I have to revert to using username password anyway. - It's all just More headache than before, not less.
Uwielbiam ten kanał! 😊
1:10 Nope! Passwords hash are stored by server and not plain password. This has been a practice by most companies for over a decade.
First: Amazon is a very bad example to demo passkeys. Google, Apple and Microsoft (and Sony believe it or not) are some of the few who have implemented passkeys correctly, meaning you use a passkey in place of a password and MFA. They way you demo it makes it seem like "this is how passkeys work, sucks am I right?" Which comes off as a bit disingenuous in the light of you pushing yubikeys. Unless you didn't really know how the other actors I mentioned have implemented it? (Yes, Microsoft's setup process in particular sucks, but I'm specifically referring to the passkey usage at login.)
Second: normal users are never going to use yubikeys. Yubikeys are for IT-experts or employees at a company. Syncable passkeys are the most likely used version going forward.
Thanks for the comment. Amazon may not be the best example, but Google wasn’t too much better in my experience. I find it interesting that you think I’m saying all this to push Yankees seeing as you can use the physical keys whether you use 2FA or passkeys. And if you decide to use 1Password or iCloud instead…great!
As for “normal users,” I think that’s a cop out and underestimates what people are motivated to do now. Everything starts off with early adopter, but 2FA keys are far, far beyond that stage. I prefer to treat my audience as if they’re intelligent.
The limits on the Yubikey kind of scared me, especially because as I understand that some systems/services end up using slots indirectly.
So I looked around turns out the limits, for websites, etc. specifically, is on: Discoverable Credentials / Resident Keys, which is the part you talked about how services don't offer it (you still need to specify the username), so their is actually a reason for it. Having to enter your email address (maybe auto-fill-in by the browser) and so bad and makes it easier to implement the flow for a website, maybe. Also means you aren't running into limits on your Yubikey (25).
The others are, unlimited, so that does also mean they use an algorithm to calculate the private key per website, based on a single private key: pk=(hash (lowercase (website-domain))+single private key) or similar, probably fine, but it does mean it doesn't generate a completely standalone private key per website.
Look at the Token2 Swiss company's products - they have a lot more slots than Yubikeys.
My thoughts are that 100% people are going to use AI to crack any security measures people come up with, so what are your thoughts on the danger of AI breaking our security?
How in the world is AI going to break security measures?
@@AllThingsSecured A good question?
I asked ChatGPT and this was the answer.
Cracking a YubiKey or any hardware-based authentication device is generally difficult due to its design and the security protocols it employs. However, if AI were to be used in an attempt to bypass or crack the security of a YubiKey, it might be applied in the following speculative ways:
### 1. **Social Engineering Attacks**
- **Phishing**: AI could be used to craft highly convincing phishing emails or messages to trick users into divulging their OTPs or other authentication credentials.
- **Deepfake Technology**: AI could generate deepfake audio or video to impersonate trusted individuals, convincing users to reveal security details or grant access.
### 2. **Brute-Force Attack Automation**
- **Pattern Recognition**: AI could analyze patterns in user behavior, potentially predicting OTP sequences or other elements based on data from compromised systems. However, YubiKey’s security is specifically designed to resist such attacks.
- **Enhanced Brute Force**: AI might assist in a brute-force attack by rapidly testing different combinations more efficiently, but given the limited number of attempts before the key locks or resets, this approach would likely be ineffective.
### 3. **Bypassing or Exploiting Software Vulnerabilities**
- **Zero-Day Exploits**: AI could assist in finding vulnerabilities in the software that interfaces with YubiKey, potentially identifying flaws that could be exploited to bypass authentication.
- **Behavioral Analysis**: AI might monitor and learn from the interactions between the YubiKey and software, identifying potential weaknesses or patterns that could be exploited.
### 4. **Physical Security and Side-Channel Attacks**
- **Side-Channel Analysis**: AI could be used to analyze side-channel data (like electromagnetic emissions or power consumption patterns) to infer sensitive information during the authentication process.
- **Physical Access Exploits**: AI could potentially assist in analyzing and automating physical attack methods (such as tampering with the device itself), though this would require access to the hardware and is more of a security research area than a realistic threat.
### 5. **Automation of Data Collection**
- **Data Mining**: AI could automate the collection of large-scale data across platforms to find potential weaknesses or to cross-reference with known vulnerabilities related to YubiKey's implementation.
- **User Behavior Analysis**: AI could analyze user behavior over time to predict when they are most likely to use the YubiKey, potentially helping in timing other forms of attacks.
### Limitations
- **YubiKey’s Design**: The YubiKey is designed with strong security protocols, including physical presence requirements (e.g., touching the device), making it highly resistant to remote attacks.
- **U2F and FIDO2 Security**: These protocols are built to protect against phishing, man-in-the-middle attacks, and other common threats, which limits the effectiveness of many AI-driven attacks.
### Conclusion
While AI can theoretically assist in attempts to crack a YubiKey, the security architecture and protocols of such devices are specifically designed to resist these kinds of attacks. Most real-world attempts would likely focus on social engineering or exploiting vulnerabilities in the broader ecosystem (software or user practices) rather than directly attacking the YubiKey itself.
I think the weakest link is still the human, so using AI to mislead the human is going to be very common.
That said: 1 of the big advantages of passkey is that every site has gets it's own keypair and thus you can't be mislead to authenticate to a fake site, this helps a bunch because that greatly reduces the number of possible misleading attacks.
AI is not in a position to crack secure codes, and won't be for many years, if ever. Nothing to worry about at the moment.
Nice channel I think I'll subscribe. Years ago I trolled some stock forum for a company that sold one of those dongles that randomly changes numbers every 30 seconds to generate one-time passcodes. I said it would go nowhere, and more or less I was right. Today's "something that you have" (Ubikey) key is related and my opinion is still low. Not that I don't like the idea, but rather it reminds me of the adage "necessity becomes virtue". When enough people are doing something one particular way, like now with no such "Ubikey", then it becomes the virtuous "norm". If and when enough people adopt the "Ubikey" then and only then will it become the virtuous norm. Chicken and egg thing.
RSA Securid? Massively successful company, widely used in the corporate world. Not sure about the stock, but the product was/is sound.
I’m not sure I follow your logic here.
@@AllThingsSecured Network effects bro. Google it. As in your video (I think it was yours not another channel) even Google doesn't support Ubikey 100%. Bye.
The polo shirt that UA-cam's codecs hate.
Yea, I realize that now.
Thanks for this updated video, but the bottom line still escapes me: How can we remove our long password and our SMS and our email as 2FA from the websites of our online bank accounts and credit cards (VERY FEW take passkeys) so as to defeat a wrongdoer from using Forgot my Password to intercept the link given to change our password? Can we do that with a Yubikey? Or set it up with our biometrics? If not, with what?
That’s part of the point - you can’t. And that has nothing to do with Yubikey, that’s all about how the different banks and services implement their login security.
@@AllThingsSecured I'm not criticizing Yubikey. I bought 3 of them. I'm just still baffled as to how I/we can use them to protect financial accounts like those mentioned from the most common form of interception.
@@utuber1000 it's simple, change your bank to one that lives in the 21st century. My condolences to my fellow Americans, who have to deal with these backwards companies.
I think having multiple steps is good in case the pass key gets stolen.
Websites/services are slow to adopt passkeys, so I don't expect 2FA to go away anytime soon
Agreed.
we need to go passwordless and just use passkeys, i know Microsoft give you option to switch to passwordless, which means you must use a passkey from that point. and of course you can register multiple passkeys on your MS account.
If you use your fingerprint to unlock your cellphone, you already use passkeys.
Kind of. I think that's part of the problem, though - if you consider that a passkey (which isn't based on the FIDO 2 standard), then you just add confusion to the conversation.
good info but still too convoluted to send to my tech challenged relatives to help them understand.
Sorry to hear that
Good stuff. Thanks for sharing. Also, the "Recommended 2FA Security Key" link doesn't seem to be working for me. I attempted to launch that link in 2 different browsers and got the same error message "Sorry, we couldn't find that page."
Yubikey looks cool but I like the idea of the onlykey for storing soecial passwords. Can anyone tell me if the onlykey has problems I should be aware of?
Thank you. I am still confused and I am very very computer literate but I’m still lost when it comes to pass keys.
I rather have a text message sent to me with a code whenever I sign on.
2:32…*this is a very simplified way to explain passkeys. The actual authentication process is much more complicated.
I think one of the problems with adoption is that passkeys are not exactly cheap. Last I looked it would be ~$200 for a key and a backup key. Low income folks can't afford that. Heck, my son has a decent job and is working 2 jobs to make ends meet. If it really caught on then sooner or later someone is going to say this authentication method is racist (silly, but that's the world we live in). I don't think my bank even supports this method. I turn on 2FA everwhere possible and use a password manager with very long passwords. I don't even know what they are myself!
I don’t think you watched the video. A passkey can be done easily for free, which invalidates your given concern completely.
@@AllThingsSecured I did watch the video all the way through. I priced a couple models of Yubikeys and two of them would be ~$200 ish. I'm skeptical of anything free. It's usually worth what you paid for it. As for putting my passwords into Apple or Googles care (shudder) I would never go there.
Even if you someone manages to steal a syncable passkey, wouldn't it be useless to them, since they need biometrics to actually activate it?
All of this insanely confusing tech is just too much for this old man. I'm totally confused.
I was really excited about passkeys until I learned I couldn’t get rid of my ID and password and therefore would still be vulnerable in that regard anyway.
stop it with apple, what about Microsoft Windows? Windows uses Windows Hello which you can setup passkey or yubikey
I mentioned both Apple and Microsoft.
So are passkeys similar to ssh keys and pgp/gpg keys?
Also, biometrics are not protected by the Constitution as far as unreasonable searches and seizures. The Supreme Court ruled because biometrics are public (people can see you and your fingerprints are easily taken), they are not protected against searches and seizures. Passwords are protected, however.
And how do I plug that yubikey into my mobile devices? I guess there are dongles but... I refuse to do that for headphones, I'm not going to do it for this. 😅
Don't most of the websites support Google sign-in? Wouldn't adding two keys on Google account be as good as using keys on each website?
How secure would syncable passkeys be if they were stored on a self hosted password manager like Bitwarden / Vaultwarden without any external access? Thanks!
I guess that depends on you. People assume it’s safer than with 1Password, but I would actually trust the security practices of 1Password more than an individuals.
Some sites charge extra to use a Yubikey as a HW Passkey 😞
just to be curious, what be your daily work?
I be working online
2:05 im not a fan of security keys or any other physical device that gives permissions.
only secure place for a private key or its seed is your mind, with an external signing device
Still trying to make sence of the syncable part. I setup passkeys on my three android phones separately for one outlook account. When does the syncing come into play?
It depends on how you've set it up, I guess. If the passkeys are bound to that single device and they aren't syncing, then you have your answer.
@@AllThingsSecured Ok, makes sense. But I am trying to think of a case where syncing with passkeys occurs in the context of Android phones. I think with Windows Hello as well, you're creating a passkey for just that computer. I have never owned an Apple phone, so I don't have any experience with them.
Passkeys, bad. Yubikey, awesome. Totally unrelated - this video sponsored by Yubikey.
You’re funny. It’s really better to actually watch the video and then comment, then you’d know that passkeys and 2FA keys aren’t mutually exclusive.
Amazing video Josh - thank you for your work 🙌🏽
Glad you enjoyed it!
How is a pin different from or more secure than a password? I don’t get it.
What happens if you lose the Yubikey?
Same as losing a key to a padlock. Which is WHY you want to buy TWO Yubikeys, same as getting 2 keys when you buy a padlock.
Yes, what @azclaimjumper said.
Use your back up to login and remove the lost key from the account
buy two or none
Anyways, thank you, for single device or multiple devices, wish someone told me this in the beginning.