I personally would appreciate a more detailed and easy understanding of the steps needed to use and make a yubikey successful for greater security so YES to your query!
A tutorial would be great, perhaps a series of tutorials. I used to use Yubikeys when they first came out but found them too inconvenient for home use. Having a physical key is great but when you have 3 or more devices spread out over work and home...
I like the chart at the beginning showing the time it takes hackers in 2023 to brute force passwords. Yes, I have been using YubiKeys for at least the past 2 years. Yes, I have two Yubikeys as recommended by Yubico. Yes, I've "Smart Card" paired both keys to all my devices which means I have to use my YubiKey to log into my devices.
The fact that I have better 2FA on my social media accounts than my financial accounts because a lot of financial sites still don't offer 2FA options drives me nuts.....
Amen! At this time Bank of America is the ONLY major bank that allows hardware keys like Yubikeys to be used for 2FA. Vanguard is the only other major financial institution that allows Yubikeys for 2FA
Ditto. My banks only offer (now force) SMS and some emailed 2FA codes. (one is ONLY SMS codes). None of them allow me to use an authenticator app; forget about hardware keys. I am guessing the plan is to skip over all that until forced Digital IDs are implemented.
When Apple "presented" Passkeys last year I was really hoping it would catch on. However, now over a year later only a couple of companies have adopted it. It does not seem to work in all browsers - and it is not clear which are actually supported. My biggest problem is that it is not clear to me how the process works technically. In some videos people said in order to sign in on a foreign device - say you want to login to Google on your office PC - you need BT on both devices but the devices do not need to be paired. I tried this - we use Edge - and the Google page did not give me the Passkeys login option. It just asked for a password. Why? This really needs to just work in any browser and when it does not there needs to be a clear error message why passkeys are not available so you can fix it.
Considering most websites prevent continued login requests, the threat of having your accounts brute-forced nowadays isn't really a concern. Maybe more so it's a concern for companies that apply poor cryptographic security for their data storage, if they lose the data and then some hacker can spend a long time trying to brute force it.
Oh! This future tech is going to be big! As someone who often works with end users I know they mostly disregard password best practices. This may finally resolve that lingering issue.
Mahalo for this passkey info. I JUST watched another video at "The New Oil" about a passkey called "Nitrokey", and that was fascinating, too. My threat model is very...mahjongg-playing old guy...but information security is a totally absorbing topic for me. Keep up the EXCELLENT work on this subject! Aloha!
Thanks. I wish more financial companies supported even things like Yubikeys. It really stinks that to stay secure and maintain some ease of use I’m going to have to go all in and be locked into either Apple or Google. I love those hash browns as well, especially once air fryers came out!
Some websites don't recognize the newly created Passkeys (created using a hardware key instead of biometric) at all. So a test of the new Passkeys right after the creation is needed.
Great content! Yes, passkeys are great, but available information about it is kind of sketchy. Please, do more detailed video explanation on it. Thank you Shannon!!!
I've been working on this in my homelab. It started out with exposing services, then I wanted LDAP, so I set up FreeIPA, then I wanted to put IDM in front of that, so I am setting up Authentik (Yes, I know I could use Keycloak), and looking into WebAuthn. My kids aren't impressed...yet.
I was frustrated that the first appearance of a passkey definition didn't appear until 3:30 into the video. I'm happy to hear the background and context, but please, answer the question first, then you can provide the info required to understand the definition.
Shannon as always amazing content thank you so much for all the time you put into researching this and sharing it. I would also love to see tutorials, I'm on Android and Linux computers (desktop and laptop), and it's not clear to me how to implement this. Thanks again, awesome content.
This is basically a step closer to digital ID. With the intro of biometric authentication, phone manufacturers track you because they can determine the true identity of the device owner. With passkeys, all online sites that support passkeys will have that ability as well since your private keys will be tied to your device, which is tied to your biometrics.
Yes a tutorial in depth would be great. You cover a lot of details and unless I can transfer the information into a more visual form, it evaporates from my memory! Very useful update, thank you.
It is not just confusing, just add remembering a different password for everything and having to change them frequently. It is just a nightmare. Then also consider that some websites want the password in a different format (different number of characters, special characters and numbers). A person who has a hard time with memorizing things will feel hopeless!
Hey Shannon, I’m a recent channel subscriber, and I am an IAM IT Pro. WOW! I’m so impressed with, and I am going try borrowing some of, your methods of explaining complex technical material (e.g., passkeys (multi-device FIDO Credential, WebAuthn)). Lord knows it will come in handy trying to explain this stuff to C-Suite folk. Kudos to you! I’ve watched the show 2x and will recommend it to others. MM. Oh! By the way, I loved the clever "Salty hash browns" innuendo analogy! :)
The problem is that the password problem still exists. If you lose your passkey you must reauthenticate to the service which generally requires your user name and password. The account reset process, if you don’t have those, can become the weak link, especially if the designers of that process (which is NOT standardized) didn’t give enough or proper consideration of all the security details.
I don't use a mobile device out in public. I only carry a HT. I use a Yubikey in my own home and my cell phones don't leave the area. Make sure all recovery options are backed up securely.
I bought a Yubikey and tried to set it up with my Google account. Almost all YouTubers (this channel included) show how to set up the Yubikey with Google by adding it as a security key. But when I try that I get an error. Instead, Google sets up a passkey (without even letting me know) and I was finally able to use my Yubikey with my Google account after discovering this. It sure would be nice if it weren't so difficult and confusing and if things were just clear. Especially since Yubico is sponsoring this video, they should also be more clear about how setting up a Yubikey works with Google and that it is now via passkey instead of security key.
Would really like to know the rollout for Passkeys. With most of us having numerous websites made up of stores, banks, forums, airlines and multiple streaming sites, when will they be onboard? How will we know?
I got a couple of Yubico keys back when they first came out. As I remember they were real complicated to set up and a pain in the butt to use. I didn't use it very long before I got tired of it.
Good topic. I ordered a v5 Yubikey to replace my v4 (thanks for the code!). I look forward to your video on using it as a passkey (though I'll try to figure it out first. :) )
Question for you Shannon… existing asymmetric public/private key algorithms are known not to be Quantum resistant. Do the existing passkey algorithms also suffer from a lack of Quantum resistance?
Thank you for the video, Shannon! As I commented on your new video, the risk of losing or damaging the device is a concern holding me back from getting something like Yubico. Could you make a video explaining: What should you do when you lost the Passkey device? Can a Passkey device be backed up to another Passkey device? If so, do you need to back up (duplicate) only once (maybe if it only contains the private key?) or do you have to back up after registering onto new websites on a regular basis?
On higher security systems, registering the account / passkey should probably require MFA with an App or hardware key. You would only need that App / hardware key initially to set up the passkey authentication or when making other changes to your account. Some MFA methods now have a 2 digit code presented that you must type into the MFA App to complete the approval and biometrics could also be required.
Outstanding explanation and definitely something I will now think about implementing. As for further explanation videos, can we get one on your constant changing hair and nail colours lol Thanks for your videos, which at about 10 mins is perfect for doing bite size catch ups.
The main question I still have is "does a passkey replace username/password?" I have username/password set for a lot of accounts. I have seen some websites prompt me to add a passkey. But if it doesn't remove the password it is only adding a new way to log in. To be more secure the password should be revoked when the passkey is set.
Thanks for your tutorial. V helpful. Passkeys will make things more secure and it is clear that I can use all my devices. Where I am unsure is how this would work on a public computer such as a library or coffee shop? How would I authenticate using my phone onto such a computer? Do I then revert to user name and password (even if 2FA), which sort of defeats the objective? Thanks again.
What if you lose your phone or your phone is damaged beyond repair, what then? Would love to see a tutorial on creating a passkey account and using one as well.
Question I have is how everyone is saying passkeys will replace passwords, but how would I set up a passkey to begin with if not with a password? For example say I set it up on my phone, with a password, get rid of the password, and then lose my phone. Am I screwed?
There is a fairly recent problem with Apple / Google mobile devices where if someone swipes your phone and runs off while it is unlocked, they could change the passcode and even your Apple / Google account password and hijack your account. This is because both Apple and Google trust the device because it was unlocked with biometrics. I don't know if this oversight has been fixed or not. During the pandemic people used passcodes to unlock mobile devices because masks were an issue initially with biometrics. Thieves would observe you entering the passcode so they could unlock the device then hijack your Apple / Google account.
At this moment in time one has to ask if one is looking at creating new public key standards, how does this deal with the post-quantum public key risks that many believe to be on the horizon?
95% of the time I am using my desktop and not my phone for going into websites. How do passkeys work for that? I assume the site has to have passkeys enabled for it to work? Not sure on how to set this up.
So if I hear you right I would need two Yubikeys. One that I carry and one that I store in a secure place in the event of device failure. Do these keys ever fail? Or is it better to have multiple devices? One day passkeys too will be breached, especially if you don't have a device updated all the time. Even with updates zero days can happen. It's all about the risks and how to lower them. Example: a Chrome device over a Windows device. Especially if all we do is online. Thanks for the video, there was a lot of great info.
More security is great. However, the more you overtake the plumbing, the easier it is to stop up the drain. The Enigma machine was broken, so I am sure the passkey can be cracked by someone just like encryption is breakable. The only way to win is not to play (War Games). Yubikeys can work in the moment.
I have no idea how to use these and am always wondering, as it comes up everywhere, and since I have been watching your videos especially. Yes please, a how to get started 101 would be so appreciated 🙏
I can't use a passkey created on an iPhone to log into a site when I'm using my PC, whereas a password can be used on both devices. Is that correct or am I barking up the wrong tree? Anyway, keep up the good work :)
Triple Factor for the win! I wish Yubico's new Yubikey Bio provided the full support that their 5 series does. I'd have upgraded all my Yubikeys to it.
I didn't understand this very well. When listening to an explanation, I think about, "How would this work for my situation?," and I don't know. Most of my "devices" are desktop computers with Ubuntu Linux. What would the process be to transfer passkeys to another Linux installation?
I'm so beyond confused Snubs. You have been preaching this for a couple years, yet I can't find ANY sites that I use that allow for the use of a 3rd party key. NONE. My banks/credit unions, none of my credit cards, my IRA, 401k, Brokerage (investment) accounts...NONE. The group that prepares our taxes every year uses Google Authenticator to access the file site, but that's it. NONE that I can see allow for the use of anything like a Yubikey. I question the need for me to spend dime one on one of these if there isn't even a place to use it. EVERY place I've sent a question related to using a Yubikey or 3rd party system like this is answered with either "We have no interest in using these", "We don't even know what these keys are", "We use 2FA/MFA", or "We use Google Authenticator". My thinking here? They do not want to use it because it will greatly increase their workload and bottom line costs because only a tiny fraction of people will A) use it, B) understand how to use it. They don't want to be spending thousands of man hours in support to teach the 'laymen' how to use these things. I mean, I'm tech savvy and this crap is confusing me.
The approval procedure can be forged, because the response is transmitted, not the hash.
Absolutely. If a platform allows for multiple keys, you'd just need to add a second one. Adding secondary keys totally depends on each platform and what protocols they accept
If I have to sign into a device why do I need a password, or passkey for every web address. once I'm signed in there should be NO NEED for this headache
What about man in the middle? Google sends the request to "my computer" to confirm the public passkey. My computer says nope, it isn't right. But the person listening and sending somewhere in the middle sends a yes, everything is good, and then continues to hijack the session from there. Perhaps the explanation was too simplified on what is sent in return between Google and my computer. I assume it would have to be time sensitive and wouldn't be the exact same thing every time? There is probably a lot more complexity than what I'm understanding.
So what happens when you cross an international border and they force you to unlock your device so they can search it or even just copy it outright. Surely they can then access everything because they now have your passkeys. With a password manager those authorities would still require your master password which if strong would I expect stop them or significantly slow them down. I suppose I'll need to properly research passkeys and inform myself how it all works as a security ecosystem.
Interesting. We will all need to get with users and promote this..I see there is an amateur radio callsign in your background, but it is not fully displayed. What is your callsign? De KB1PA
Please, create a detailed, step-by-step for "Smart Card pairing" of a Yubikey to a Mac & a PC. The steps are different between Macs & PCs. Yes, I've successfully, "Smart Card Paired" both of my YubiKeys to each of my Macs. Warm Regards from Reno, Nevada
So how long will it take, until you can buy a bunch of biometric data in the dw? Imagine the power you can gain over somebody if you can identity steal their biometrics and every provider like banking or courts will go with it?
If your idea of using computers/internet is your phone, then this makes sense. But having to have your phone up and ready just to get into your laptop or desktop is bogus.
Puzzled?? Password managers solve all the standard misuses of passwords. If you have a Yubikey, do you always have it with you away from home? If not, you are locked out when browsing on your phone. If yes, what's the chance of misplacing or losing it? If someone steals it, do they have access to all your accounts??
Chia cryptocurrency uses public and private keys to do mining. It's awesome. You're able to give your public key to someone so that, if you want, they can plot (what you mine) with their hardware. So instead of using my hardware someone else can, and then send the HDDs to me to host wherever I want. Loving seeing more and more ways to stay safe on the internet everywhere.
I'm also very enthusiastic since I tried WebAuthn back in 2018 and passkeys in the past year. It's even more urgent to switch to them since the most recent revelations that a quantum computer can do in just a few seconds what would take 47 years on a normal computer. So our passwords will really be in danger within the next few years. And I'm trying to convince as many people as I can to use them as soon as possible
@Darkk6969 doing that since 2011 😉 at least 20 characters on sites that allow it. So many sites are still limiting to 12... It's those ones that I'm afraid for
There are two kinds of passkeys. Your phone can be a passkey or you can get an "offline" passkey, like a yubikey. Both are tied to a hardware device but one can be backed up to the cloud.
Hardware keys are just too expensive for most people. I wish companies like Yubico made more affordable keys. I wish I could buy 2-3 hardware keys for all authentication without completely handing over trust/locking into an ecosystem. Passkeys are a game changer especially since it's synced with all devices and it's free to have better security since we all have phones. If they were cheaper, I'd only trust government services and banking to hardware keys. If a hardware key only supported U2F and FIDO2, older standards that are more expensive aren't necessary for most individuals in the future.
$50.00 for a YubiKey is dirt cheap compared to otherwise possibly having my identity stolen. It's the absolutely cheapest form of insurance you can buy, anywhere.
@azclaimjumper it's expensive for most parts of the world as well as for the lower socioeconomic groups. It's a week or 2's food costs. I highly doubt the cost of production is more than $25. A 100% profit is outrageous if the same companies position their products as "essential" for security. Hopefully someone comes up with an open source hardware key so one can make it themselves or companies can adapt it to produce cheaply while software support is open source.
@kushalraj Apparently you can afford computers, cell phones, & internet services. The cost of a Yubikey is a mere $50.00 compared to the cost of all your equipment + the cost of your vehicle(s).
@azclaimjumper I can afford it but I know a lot of people in my life that can't. And I live in a rather high GDP country. Less than the US, but still high. People in developing countries can't afford worthy security because security key companies want to make more profits? For me personally, it's not hard to pay for but it's still a significant amount that I'd rather wait for them to be cheaper. The question isn't if I can afford it but if the average person can afford it around the world or even in the US. Tell me it's so cheap that the average American can buy it without blinking an eye. Then imagine India or Brazil.
So your phone is lost, stolen or broken so you can't even open/login to it. Then what? I don't lose my head, and in there is the "master-password" to a password manager that I can download and set up on any new phone, device, computer at any time. How much safer is it when someone can use your biometrics, what if you're drunk or unconscious? They can't ask for my "master-password" and gain access that way, can they? It just feels like it has some glaring risks and drawbacks. It wasn't long ago I dropped my phone and it cracked and I couldn't gain entry into it. That is your "passkey authenticator". So are you SOL?
That's fair. Keep in mind biometrics aren't transmitted when you use them for authentication. They're stored locally and sandboxed, so they aren't even shared with other apps.
Especially in a cloud-only enterprise!
yes tutorials please wizard lady
As someone who works in infosec I love the work you do in raising public awareness. Great video.
For the last decade I have been advocating for password managers to be the norm. Passkeys are the next evolution of this.
Yup they are!!
Why do you need security if you sell yourself for free?
Yes, more videos on this topic, please
CONGRATULATIONS, Shannon, 102,000 subscribers.
Great video, Shannon!
Thanks for sharing: very informative. I look forward to future videos. Blessings on your day!
I think a flowchart would be helpful.
Have a great weekend Sailor Moon Shannon 😊
Great intro! I'm curious myself about local login with passkeys; do you know the state/possibility of this across Win/Mac/*nix systems?
What pass key is best for iPhone 14???
Of course! The three places, where I can use passkeys, will do.
When adding a passkey to google, do you first have to disable all existing 2fa within the account?
So if I hear you right I would need two YubiKeys. One that I carry and one that I store in a secure place in the event of device failure. Do these keys ever fail? Or is it better to have multiple devices? One day passkeys will be breached too, especially if you don't have a device updated all the time. Even with updates, zero days can happen. It's all about the risks and how to lower them. For example, a Chrome device over a Windows device, especially if all we do is online. Thanks for the video, there was a lot of great info.
Threat modeling, good point! Please do a video on how a private individual can define their own threat model! 🙏
More security is great. However, the more you overtake the plumbing, the easier it is to stop up the drain. The Enigma machine was broken, so I am sure the passkey can be cracked by someone, just like encryption is breakable. The only way to win is not to play (War Games). YubiKeys can work in the moment.
Is the new weak spot when using passkeys losing or having the device stolen when the passkey is on the device?
You are such a beautiful asset to the technology world. Great video! Thank you for sharing!
Thanks for this informative video. As for another video on how to use Yubikeys, yes please.
I have no idea how to use these and am always wondering as it comes up everywhere and since I have been watching your videos especially
Yes please how get started 101 would be so appreciated 🙏
I can't use a passkey created on an iPhone to log into a site when I'm using my PC, whereas a password can be used on both devices. Is that correct or am I barking up the wrong tree? Anyway, keep up the good work :)
Had to use passkeys / keyfobs years ago at work. Was a pain in the arse...every time you logged in.
Triple Factor for the win!
I wish Yubico's new Yubikey Bio provided the full support that their 5 series does. I'd have upgraded all my Yubikeys to it.
So what happens to the key if you have to factory reset?
Unless passkeys are implemented on *all* popular sites quickly, the passwords will remain the king for years.
I didn't understand this very well. When listening to an explanation, I think about, "How would this work for my situation?," and I don't know. Most of my "devices" are desktop computers with Ubuntu Linux. What would the process be to transfer passkeys to another Linux installation?
So how would you use a passkey to login at an internet cafe?
I'm so beyond confused Snubs. You have been preaching this for a couple years, yet I can't find ANY sites that I use that allow for the use of a 3rd party key. NONE. My banks/credit unions, none of my credit cards, my IRA, 401k, Brokerage (investment) accounts...NONE. The group that prepares our taxes every year uses Google Authenticator to access the file site, but that's it. NONE that I can see allow for the use of anything like a YubiKey. I question the need for me to spend dime one on one of these if there isn't even a place to use it. EVERY place I've sent a question related to using a YubiKey or 3rd party system like this is answered with either "We have no interest in using these", "We don't even know what these keys are", "We use 2FA/MFA", or "We use Google Authenticator".
My thinking here? They do not want to use it because it will greatly increase their workload and bottom line costs because only a tiny fraction of people will A) Use it, B) understand how to use it. They don't want to be spending thousands of man hours in support to teach the 'laymen' how to use these things. I mean, I'm tech savvy and this crap is confusing me.
What happens if we change or remove the Windows login password, for example?
The approval procedure can be forged, because the response is transmitted, not the hash.
Very nicely done explanation. I could send this to my mom and she would get it.
Great content & very well explained. Can I opt out of using passkeys and return to username, password, and my YubiKey?
Yes, at least right now you can. 👍
@ShannonMorse If I use a hardware-based passkey like a Yubikey, is there a way for me to have my Spouse have a key synced or duplicated for her use?
Absolutely. If a platform allows for multiple keys, you'd just need to add a second one. Adding secondary keys totally depends on each platform and what protocols they accept
Is there a point to all this if it doesn't really end the password?
If I have to sign into a device, why do I need a password or passkey for every web address? Once I'm signed in there should be NO NEED for this headache.
What about man in the middle? Google sends the request to "my computer" to confirm the public passkey. My computer says nope, it isn't right. But the person listening and sending somewhere in the middle sends a yes, everything is good, and then continues to hijack the session from there. Perhaps the explanation was too simplified on what is sent in return between Google and my computer. I assume it would have to be time sensitive and wouldn't be the exact same thing every time? There is probably a lot more complexity than what I'm understanding.
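The two comments above that worry about a relayed "yes" or a replayed response can be answered with a small model of the challenge/response flow. The Go program below is an added example, not code from the video or from any passkey vendor; `RelyingParty`, `Authenticator` and the two origins are constructed names, and the signed digest is a simplification of WebAuthn's authenticatorData and clientDataJSON. It shows that the authenticator never sends a yes/no answer, only a signature over a fresh random challenge bound to the origin it saw; that the site alone checks that signature; that a captured response cannot be replayed; and that a signature produced for a look-alike origin is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// RelyingParty is the website side (hypothetical name). It stores only the
// public key registered at enrolment plus the challenges it has issued and not yet seen answered.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[[32]byte]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[[32]byte]bool{}}
}

// NewChallenge draws 32 fresh random bytes for one login; random and single-use, so a captured response is worthless later.
func (rp *RelyingParty) NewChallenge() ([32]byte, error) {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	rp.pending[c] = true
	return c, nil
}

// signedMessage is the digest the authenticator signs: the origin it saw plus the challenge
// (length-prefixed). It stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func signedMessage(origin string, challenge [32]byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge[:])
	return h.Sum(nil)
}

// Authenticator is the phone or security key. The private key never leaves it; it only returns a signature.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func (a *Authenticator) Respond(origin string, challenge [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
}

// Verify is where the login decision is made, by the server, from the signature alone.
func (rp *RelyingParty) Verify(challenge [32]byte, sig []byte) error {
	if !rp.pending[challenge] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.pending, challenge) // single use
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.origin, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// RunScenario runs an honest login, a replayed response, and a response signed for a look-alike origin (all constructed).
func RunScenario() (honestOK, replayRejected, wrongOriginRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	auth := &Authenticator{priv: priv}
	rp := NewRelyingParty("https://accounts.example.com", &priv.PublicKey)
	// 1. Honest login: fresh challenge, signed for the real origin.
	ch, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig, err := auth.Respond(rp.origin, ch)
	if err != nil {
		return
	}
	honestOK = rp.Verify(ch, sig) == nil
	// 2. Replay: an eavesdropper resends the captured (challenge, signature) pair.
	replayRejected = rp.Verify(ch, sig) != nil
	// 3. Relayed phishing: signed for a constructed look-alike origin, then forwarded to the real site.
	ch2, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig2, err := auth.Respond("https://accounts-example.com", ch2)
	if err != nil {
		return
	}
	wrongOriginRejected = rp.Verify(ch2, sig2) != nil
	return
}
```

The point for the commenter's scenario is that nothing the client says is trusted: the site computes the digest itself from its own origin and the challenge it issued, and only a signature made with the private key on the device verifies. A party in the middle that does not hold that key can neither produce a fresh signature nor reuse an old one, because the challenge is consumed on first use.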
So what happens when you cross an international border and they force you to unlock your device so they can search it or even just copy it outright. Surely they can then access everything because they now have your passkeys. With a password manager those authorities would still require your master password which if strong would I expect stop them or significantly slow them down. I suppose I'll need to properly research passkeys and inform myself how it all works as a security ecosystem.
Luckily this isn't a threat vector that I have to deal with in my day to day life, get yo'self a burner phone, my friend.
Interesting. We will all need to get with users and promote this..I see there is an amateur radio callsign in your background, but it is not fully displayed. What is your callsign? De KB1PA
Please, create a detailed, step-by-step for "Smart Card pairing" of a Yubikey to a Mac & a PC. The steps are different between Macs & PCs.
Yes, I've successfully, "Smart Card Paired" both of my YubiKeys to each of my Macs.
Warm Regards from Reno, Nevada
What is the difference between 2fa and passkeys?
Would love to see a video where you actually go through doing the account setup and then an account login and so on.
Fantastic explanation! But it’s hackable using Flipper Zero 😂 . still vulnerable even with the not new fancy usb stick
Very informative thank you snubs
So how long will it take, until you can buy a bunch of biometric data in the dw?
Imagine the power you can gain over somebody if you can identity steal their biometrics and every provider like banking or courts will go with it?
If your idea of using computers/internet is your phone, then this makes sense. But having to have your phone up and ready just to get into your laptop or desktop is bogus.
Why not cover the YubiKey Security Key as it is a cheaper choice? There are few if almost none that talk about the key being different.
Great video. Tutorials please.
Puzzled?? Password managers solve all the standard misuses of passwords. If you have a YubiKey, do you always have it with you away from home? If not, you are locked out when browsing on your phone. If yes, what's the chance of misplacing or losing it? If someone steals it, do they have access to all your accounts??
That's great info! Thank you!
OMG I’d love to know how to use a pass key
Chia cryptocurrency uses public and private keys to do mining. It's awesome. You're able to give your public key to someone so that, if you want, they can plot (what you mine) with their hardware. So instead of using my hardware someone else can, and then send the HDDs to me to host wherever I want. Loving seeing more and more ways to stay safe on the internet everywhere.
I'm also very enthusiastic since I tried WebAuthn back in 2018 and passkeys in the past year. It's even more urgent to switch to them since the most recent revelations that a quantum computer can do in just a few seconds what would take 47 years for a normal computer. So our passwords will really be in danger within the next few years. And I'm trying to convince the most people I can to use them as soon as possible.
The quick fix is to use a password manager and much longer random passwords.
@Darkk6969 doing that since 2011 😉 at least 20 characters on sites that allow it. So many sites are still limiting to 12... It's for those ones that I'm afraid.
@Darkk6969 and I had to change almost 600 after the LastPass hack. I was not using it anymore but things were still stored there "to be deleted".
Cool video
Thank You. Good job as usual
Thank you!
Thank you
Very clear explanation
Confused! I thought a passkey was the physical key you could buy. It sounds like there is a online key of sorts.
There are two kinds of passkeys. Your phone can be a passkey or you can get an "offline" passkey, like a yubikey. Both are tied to a hardware device but one can be backed up to the cloud.
Hardware keys are just too expensive for most people. I wish companies like Yubico made more affordable keys. I wish I could buy 2-3 hardware keys for all authentication without completely handing over trust/locking into an ecosystem. Passkeys are a game changer especially since they're synced with all devices and it's free to have better security since we all have phones. If they were cheaper, I'd only trust government services and banking to hardware keys. If only a hardware key supported just U2F and FIDO2. Older standards that are more expensive aren't necessary for most individuals in the future.
$50.00 for a YubiKey is dirt cheap compared to otherwise possibly having my identity stolen. It's the absolutely cheapest form of insurance you can buy, anywhere.
@azclaimjumper it's expensive for most parts of the world as well as for the lower socioeconomic groups. It's a week or 2's food costs. I highly doubt the cost of production is more than $25. A 100% profit is outrageous if the same companies position their products as "essential" for security. Hopefully someone comes up with an open source hardware key so one can make it themselves or companies can adapt it to produce cheaply while software support is open source.
@kushalraj Apparently you can afford computers, cell phones, & internet services. The cost of a Yubikey is a mere $50.00 compared to the cost of all your equipment + the cost of your vehicle(s).
@azclaimjumper I can afford it but I know a lot of people in my life that can't. And I live in a rather high GDP country. Less than the US, but still high. People in developing countries can't afford worthy security because security key companies want to make more profits? For me personally, it's not hard to pay for but it's still significant amounts that I'd rather wait for them to be cheaper. The question isn't if I can afford it but if the average person can afford it around the world or even in US. Tell me it's so cheap that the average American can buy it without blinking an eye. Then imagine India or Brazil.
@kushalraj If a person can afford to "Smoke" or "Drink" or "Drive" or own a "Smart Phone" then they can afford a YubiKey, which is merely my opinion.
uncle Roger meme clip was a top tier move
hahaha you can thank my editor for that one
salty hashbrowns don't get enough love 😍😍
So your phone is lost, stolen or broken so you can't even open/login to it. Then what? I don't lose my head and in there is the "master-password" to a password manager that I can download and setup on any new phone, device, computer at any time.
How much safer is it when someone can use your biometrics, what if you're drunk or unconscious. They can't ask my "master-password" and gain access that way can they. It just feels like it has some glaring risks and drawbacks. It wasn't long ago I dropped my phone and it cracked and couldn't gain entry into it. That is your "passkey authenticator". So are you SOL?
Uncle Roger? Fuiyoh!
Mmmm Salty Hashbrowns! 🤤
But the websites I've seen that use passkeys still have my password, so how does this help? If there's a password leak someone can still get in.
That screen fills in so slow, I'd hate to have something mission critical going on
I've been very leery about biometric authentication because I'm sure your biometrics can get hacked as well. If it does, you can't change that.
That's fair. Keep in mind biometrics aren't transmitted when you use them for authentication. They're stored locally and sandboxed, so they aren't even shared with other apps.