Another concise and engaging video that all IT/cyber folks would benefit from watching and considering the authentication options that are now available. Passwords are SO insecure. Thank you Jeff!
Thank you for the great feedback!
Great Video!
One argument I do have against "have" and "are" options is the availability/reliability of the devices required to authenticate them. If I need my phone and it's stolen/broken, then it's inconvenient. If the biometric fingerprint reader malfunctions, then I am locked out. These are not easy to replace quickly. So while I agree these combinations are the most secure, I do believe these can be the most inconvenient when things go wrong.
Definitely there are tradeoffs and no perfect solution here. I would say, however, that given the proliferation of mobile devices with biometric readers built in, this is less likely to be forgotten than a password, and we typically know very quickly if they are stolen (unlike passwords) and get them fixed quickly because they are such an essential part of everyday life.
Not just inconvenient, but sometimes catastrophic! I lost my phone while on vacation last month and attempted to use my husband's phone to locate / lock it down. I knew all of my relevant passwords, but without the ability to verify via one 2FA method or another, I was completely stonewalled. The only saving grace was my laptop, with stored biometrics, waiting for me when I got home a week later. So, I agree. It's a great direction, but there are some major hurdles that need to be cleared.
You can never underestimate how important these videos from you are, but for me some small things are so frustrating (as already mentioned here in the comments): on your Android smartphone, if you fail to pass bio for some reason (wet fingers, bad angle, low light or sunglasses, whatever), after a couple of failed attempts you either have to input a PIN code or a pattern, which you have to hide in a public area (it can be caught by a camera or a pair of eyes), which makes it a little bit inconvenient. On the other hand, I'm still shocked how many high-level organizations' websites ask some ridiculous questions (usually a set of them) like mother's maiden name, favorite pets or first teachers and keep them as the ultimate and only option. I guess bad actors can fish much of this info from media platforms, not to mention that it's hard to remember what you put there a couple of years ago, overthinking it to not make it obvious but more secure 🤯 But as always, thank you for a comprehensively clear and straightforward video.
Thank you for the kind words! Yes, it really is complicated especially when dealing with the exception cases. On the whole, though, I think passwords are pretty awful and should be a last resort rather than a first one
I share your sentiment! However, I will say that I get around the simple Challenge Questions by ensuring every answer to them is a lie. It doesn't matter how personal or general the question, all of my answers are outright lies! It helps, but I am very much interested in going passwordless as soon as possible because managing them has become unwieldy!
FIDO eliminates the reliance on passwords, which are the primary target for credential harvesting, thereby reducing the attack surface, but getting end users to always use MFA is no easy feat.
True, but if we make MFA more accessible, the barriers go down. For instance, it is much more convenient to unlock a phone with facial recognition than to enter a passcode.
@jeffcrume As MFA use grows, I can see more concern over privacy regarding users' biometric and location-based data.
Jeff, old friend. Very well described.
So glad you liked it!
FIDO is definitely by design the solution
Another issue is that not everyone is using mobile phones (think of many older folks or the visually challenged). I never use a phone for any banking or other serious work; instead I'm always using a laptop, which may or may not have biometric features built in. Again, every method has its pros and cons, there's no perfect solution.
I'm just worried that most of the factors rely on the USIM and the telephone system. If an attacker steals your SIM card and you did not set a SIM hardware lock, it is a very dangerous issue until you register your new SIM. (Even the bio-key does not resist this attack; it is similar to changing the phone. Bio auth is only authentication in hardware, not qualified by the network or server, etc.) Stealing a SIM does not occur often in the real world, but be aware and take care of your phone. And sometimes... a SIM breaks down naturally.
I recommend a backup system for the telephone. Maybe use 2 or more phone numbers, email, or a recovery key which can be used in an offline-based system.
NOTE: a recovery key is the same as a password. Don't take a picture of it; don't save it in any digital form if it is important. Just write it in your book and lock it up. A recovery key is not used in most cases. Don't use it in the normal case.
It's definitely a risk, but far less of a risk than what we are facing now with people using self-chosen passwords, which are much easier to steal than a SIM
Just use an eSIM. This is enabled by the telecom carrier if the phone supports it. So there is no physical SIM. If the phone is stolen, report it and the telecom carrier can block it so it's useless.
@jeffcrume Yes, as the video explained! Passwords are the worst thing. But in the future I hope there may be something better than using the phone or smartphone for authentication.
I've experienced it before when the telephone totally broke. In my country, there is no alternative calling method to fix the SIM problem; payphones are very rare. (The SIM problem can't be supported over the internet.) I had an assisted 3-way conversation phone call on Telegram, VoIP-VoIP-telephone... very horrible :(
I saw some new security beta programs for post-quantum and something similar to FIDO, but although they have two different origins, I think, as in the video, they could in the near future especially be used with a mobile device that contains a much better build of security kit in it... Also I am just this year starting to hear or read about the potential of adapting the already researched bio computer stuff like the new bio computing or photonic computing languages built for AI-driven purposes. I'm really interested 🤔 to hear about it more. Thanks.
Great video Jeff.
Thanks!
Clear explanation
Great video.
Thank you for the video. But I would disagree with the claim that passkeys are more secure than strong passwords in all situations. Mobile phones, mobile tablets and, to a lesser degree, laptops which you often take with you are a big question in this case.
We know that "Security is Only As Good As Your Weakest Link". If one of the above-mentioned devices is lost or stolen, then it is only required to guess your PIN to get access to ALL your personal and financial data. Yes, you can change your private keys for all the services, but it takes time. And sometimes a lot of time, depending on where you lost your device or when you realized that.
Yes, IF your phone or laptop is powered off, and IF it has the entire data partition encrypted, then it will save your data (provided that your password is strong). Yes, IF you use the Face ID or fingerprint unlock option, then it may protect your data to a certain degree (provided that you do not have your phone rooted). Such "protection" is not very strong, as we know; it may give you more time to change your passkeys, but usually not much. And you still have your headache coming from the urgent passkey cancellation or recall. Yes, IF you use a strong passphrase (I do not know if it is possible with online services though), then your data is protected, but what is the point of passkeys in this case?
I would prefer to stick to using strong passwords, at least on these types of devices. I also would use Keepass2Android/Keepass2 or my PGP keyring (but for encrypting the list with the passwords locally only) + a good open source 2FA app like Aegis (Android) or WinAuth (Windows), which can also be protected with a password. 2FA can solve the issue with hash stealing. 2FA together with a properly configured antivirus and browser minimizes the risk of phishing even for beginners. In addition, you can make your browsers delete the session cookies so that session stealing is not possible. You can do it with passkeys too, but will you have to make it all over again (the process of setting up your login with a passkey)?
You can use passkeys on your home PC. But would it be convenient for you to have different modes of authorization to one particular service? And would this service allow this? These are the questions.
P.S. But, of course, if a user has big risks of getting phished and does not want to take basic precautions (at least not to open links from e-mails), then passkeys may be the solution.
Hi. I have a question. I love the MFA initiatives. And great videos on security. I agree the passwordless is a blessing in disguise. On a device I also have a passcode. This system is faulty as the something I am is left open to something I know. On my device my passcode can get all my passwords, and my cybersecurity team (just me, myself and I) are left open to an attack on my bank account and access to personal information etc. I wonder if there may be suggestions of how to keep our devices more secure and yet accessible in case of an OS problem, camera problem/fingerprint? My 4 or 6 digit passcode is the concern and I want security for my own device. The external has done a great job but at home there could be bad actors also. Any wise words would help. Thanks. And no "keep your passcode hidden" answers 🙏. Should have watched till the end, thanks Jeff. See hope in the fact Siri may only listen to my voice, not a child's voice?
Thanks!
Really like your videos. Insane good.
But now I would disagree. The cost of a HW token is xx, but FIDO is more expensive, even for the needed backup. For me, FIDO is xxx on costs.
Thanks for watching and for the great feedback. My reasoning is that FIDO passkeys can be generated on the fly for virtually no cost vs. a HW token which is inconvenient, has a fixed cost, can be lost or broken (and need replacing), etc.
Is it possible to create a FaceID on one phone from a picture displayed on another phone without the actual physical face?
According to Apple, no. They say that “The TrueDepth camera captures accurate face data by projecting and analyzing thousands of invisible dots to create a depth map of your face and also captures an infrared image of your face.”
Can you affiliate link to a secure password manager program/app?
push-bio vs FIDO-bio/pki.. that's a bit confusing to compare
The problem with any bio-metric method is that if a person passes away either young in an accident or of old age, then usually bio is not available for their loved ones to access bank and other accounts. Every method has pros and cons, there's no perfect solution.
Definitely there are pros and cons with every option. Typically, you would not rely exclusively on a biometric, though. It would be combined with other factors and offer a manual override/intervention as needed
@jeffcrume - Once you have a backup password method, it kind of defeats the high security of biometric authentication. Always pros and cons, there's no perfect system.
Must have phone. Must have internet connection. Almost forgot, must have credit card.
Why a credit card, though?
I love cakes as well
Chocolate cake is my favorite vegetable! 😋