What Are Passkeys? - Are Passwords Going EOL?!
- Published Jul 7, 2023
- Get a Yubikey and protect your accounts! www.pjatr.com/t/SENKSk5PS05DS... * and:
Use code “SHANNONMORSE” for $5 off ANY YubiKey 5 Series or Security Key Series purchase!
LINKS:
Who is using passkeys? www.passkeys.com/whos-using-it
Passkeys FAQ: www.yubico.com/blog/a-yubico-...
www.yubico.com/blog/passkeys-...
Apple Passkey White Papers: developer.apple.com/documenta...
FIDO White Paper: media.fidoalliance.org/wp-con...
fidoalliance.org/passkeys/#faq
How Long Does It Take To Brute Force A Password in 2023? www.hivesystems.io/blog/are-y...
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/code-of-conduct - Science and Technology
I personally would appreciate a more detailed and easy understanding of the steps needed to use and make a yubikey successful for greater security so YES to your query!
Especially in a cloud-only enterprise!
yes tutorials please wizard lady
As someone who works in infosec I love the work you do in raising public awareness. Great video.
A tutorial would be great, perhaps a series of tutorials. I used to use Yubikeys when they first came out but found them too inconvenient for home use. Having a physical key is great but when you have 3 or more devices spread out over work and home...
I like the chart at the beginning showing the time it takes hackers in 2023 to brute force passwords.
Yes, I have been using YubiKeys for at least the past 2 years. Yes, I have two Yubikeys as recommended by Yubico.
Yes, I've "Smart Card" paired both keys to all my devices which means I have to use my YubiKey to log into my devices.
The fact that I have better 2FA on my social media accounts than my financial accounts because a lot of financial sites still don't offer 2FA options drives me nuts.....
Amen! At this time Bank of America is the ONLY major bank that allows hardware keys like Yubikeys to be used for 2FA. Vanguard is the only other major financial institution that allows Yubikeys for 2FA
Ditto. My banks only offer (now force) SMS and some emailed 2FA codes. (one is ONLY SMS codes). None of them allow me to use an authenticator app; forget about hardware keys. I am guessing the plan is to skip over all that until forced Digital IDs are implemented.
why you need security if you sell yourself for free?
For the last decade I have been advocating for Password managers to be the norm. Passkeys are the next evolution of this.
Yup they are!!
Mahalo for this passkey info. I JUST watched another video at "The New Oil" about a passkey called "Nitrokey", and that was fascinating, too. My threat model is very...mahjongg-playing old guy...but information security is a totally absorbing topic for me. Keep up the EXCELLENT work on this subject! Aloha!
Great content! Yes, passkeys are great, but available information about it is kind of sketchy. Please, do more detailed video explanation on it. Thank you Shannon!!!
Yes, more videos on this topic, please
Shannon as always amazing content thank you so much for all the time you put into researching this and sharing it. I would also love to see tutorials, I'm on android and Linux computers (desktop and laptop), and it's not clear to me how to implement this. Thanks again, awesome content.
Thanks. I wish more financial companies supported even things like Yubikeys. It really stinks that to stay secure and maintain some ease of use I’m going to have to go all in and be locked into either Apple or Google.
I love those hash browns as well, especially once air fryers came out!
Thanks for sharing: very informative. I look forward to future videos. Blessings on your day!
Considering most websites prevent continued login requests, the threat of having your accounts brute-forced nowadays isn't really a concern. Maybe more so it's a concern for companies that apply poor cryptographic security for their data storage, if they lose the data and then some hacker can spend a long time trying to brute force it.
When Apple "presented" Passkeys last year I was really hoping it would catch on. However, now over a year later only a couple of companies have adopted it. It does not seem to work in all browsers - and it is not clear which are actually supported. My biggest problem is that it is not clear to me how the process works technically.
In some videos people said in order to sign in on a foreign device - say you want to login to google on your office PC - you need BT on both devices but the devices do not need to be paired. I tried this and - we use edge - and the Google page did not give me the Passkeys login option. It just asked for a password. Why? This really needs to just work in any browser and when it does not there needs to be a clear error message why passkeys is not available so you can fix it.
Have a great weekend Sailor Moon Shannon 😊
Oh! This future tech is going to be big! As someone who often works with end users I know they mostly disregard password best practices. This may finally resolve that lingering issue.
CONGRATULATIONS, Shannon, 102,000 subscribers.
Of course! The three places, where I can use passkeys, will do.
I think a flowchart would be helpful.
Yes a tutorial in depth would be great. You cover a lot of details and unless I can transfer the information into a more visual form, it evaporates from my memory! Very useful update, thank you.
Great video, Shannon!
Good topic. I ordered a v5 Yubikey to replace my v4 (thanks for the code!). I look forward to your video on using it as a passkey (though I'll try to figure it out first. :) )
Threat modeling, good point! Please do a video on how a private individual can define their own threat model! 🙏
Hey Shannon, I’m a recent channel subscriber, and I am an IAM IT Pro. WOW! I’m so impressed with, and I am going to try borrowing some of, your methods of explaining complex technical material (e.g., passkeys (multi-device FIDO Credential, WebAuthn)). Lord knows it will come in handy trying to explain this stuff to C-Suite folk. Kudos to you! I’ve watched the show 2x and will recommend it to others. MM. Oh! By the way, I loved the clever "Salty hash browns" innuendo analogy! :)
I've been working on this in my homelab. It started out with exposing services, then I wanted LDAP, so I set up FreeIPA, then I wanted to put IDM in front of that, so I am setting up Authentik (Yes, I know I could use Keycloak), and looking into Webauthn.
My kids aren't impressed...yet.
That's great info! Thank you!
The problem is that the password problem still exists. If you lose your passkey you must reauthenticate to the service which generally requires your user name and password. The account reset process, if you don’t have those, can become the weak link, especially if the designers of that process (which is NOT standardized) didn’t give enough or proper consideration of all the security details.
Some websites don't recognize the newly created Passkeys (created using a hardware key instead of biometric) at all. So a test of the new Passkeys right after the creation is needed.
Thank you
Very clear explanation
Thanks for this informative video. As for another video on how to use Yubikeys, yes please.
Thank You. Good job as usual
Thank you!
Unless passkeys are implemented on *all* popular sites quickly, the passwords will remain the king for years.
Outstanding explanation and definitely something I will now think about implementing. As for further explanation videos, can we get one on your constant changing hair and nail colours lol Thanks for your videos, which at about 10 mins is perfect for doing bite size catch ups.
Very nicely done explanation. I could send this to my mom and she would get it.
You are such a beautiful asset to the technology world. Great video! Thank you for sharing!
Very informative thank you snubs
Had to use passkeys / keyfobs years ago at work. Was a pain in the arse...every time you logged in.
Mmmm Salty Hashbrowns! 🤤
I got a couple of Yubico keys back when they first came out. As I remember they were real complicated to set up and a pain in the butt to use. I didn't use it very long before I got tired of it.
uncle Roger meme clip was a top tier move
hahaha you can thank my editor for that one
Uncle Roger? Fuiyoh!
Cool video
Comment for engagement
salty hashbrowns don't get enough love 😍😍
OMG I’d love to know how to use a pass key
At this moment in time one has to ask if one is looking at creating new public key standards, how does this deal with the post-quantum public key risks that many believe to be on the horizon?
Fantastic explanation! But it’s hackable using Flipper Zero 😂 . still vulnerable even with the not new fancy usb stick
Thanks for your tutorial. V helpful. Passkeys will make things more secure and it is clear that I can use all my devices. Where I am unsure is how this would work on a public computer such as a library or coffee shop? How would I authenticate using my phone onto such a computer? Do I then revert to user name and password (even if 2FA), which sort of defeats the objective? Thanks again.
Good video
The main question I still have is "does a passkey replace username/password?"
I have username/password set for a lot of accounts. I have seen some websites prompt me to add a passkey. But if it doesn't remove the password it is only adding a new way to log in. To be more secure the password should be revoked when the passkey is set.
Would really like to know the rollout for Passkeys. With most of us having numerous websites made up of stores, banks, forums, airlines and multiple streaming sites, when will they be onboard? How will we know?
I don't use a mobile device out in public. I only carry a HT. I use yubikey in my own home and my cell phones don't leave the area. Make sure all recovery are all backed up securely.
I bought a Yubikey and tried to set it up with my Google account. Almost all YouTubers (this channel included) show how to set up the Yubikey with Google by adding it as a security key. But when I try that I get an error. Instead, Google sets up a passkey (without even letting me know) and I was finally able to use my Yubikey with my Google account after discovering this. It sure would be nice if it weren't so difficult and confusing and if things were just clear. Especially since Yubico is sponsoring this video, they should also be more clear about how setting up a Yubikey works with Google and that it is now via passkey instead of security key.
Great video. Tutorials please.
Thank you for the video, Shannon! As I commented on your new video, the risk of losing or damaging the device is a concern holding me back from getting something like Yubico. Could you make a video explaining: What should you do when you lost the Passkey device? Can a Passkey device be backed up to another Passkey device? If so, do you need to back up (duplicate) only once (maybe if it only contains the private key?) or do you have to back up after registering onto new websites on a regular basis?
More security is great. however, the more you overtake the plumbing, the easier to stop up the drain. The Enigma machine was broken, so I am sure the pass key can be cracked by someone just like encryption is breakable. The only way to win is not to play, (War Games) UBI keys can work in the moment.
Great intro! I'm curious myself about local login with passkeys; do you know the state/possibility of this across Win/Mac/*nix systems?
Question for you Shannon… existing asymmetric public/private key algorithms are known not to be Quantum resistant. Do the existing passkey algorithms also suffer from a lack of Quantum resistance?
On higher security systems, registering the account / passkey should probably require MFA with an App or hardware key. You would only need that App / hardware key initially to setup the passkey authentication or when making other changes to your account. Some MFA methods now have a 2 digit code presented that you must type into the MFA App to complete the approval and biometrics could also be required.
Chia crypto currency uses Public and private keys to do mining. It's awesome. You're able to give your public to someone that if you want allow them to plot(what you mine) with their hardware. So instead of using my hardware someone else can, and then send me the HDDs to me to host wherever I want. Loving seeing more and more ways to stay safe on the internet everywhere.
I have no idea how to use these and am always wondering as it comes up everywhere and since I have been watching your videos especially
Yes please how get started 101 would be so appreciated 🙏
I was frustrated that the first appearance of a passkey definition didn't appear until 3:30 into the video. I'm happy to hear the background and context, but please, answer the question first, then you can provide the info required to understand the definition.
If your idea of using computers/internet is your phone, then this makes sense. But having to have your phone up and ready just to get into your laptop or desktop is bogus.
Would love to see a video where you actually go through doing the account setup and then an account login and so on.
Triple Factor for the win!
I wish Yubico's new Yubikey Bio provided the full support that their 5 series does. I'd have upgraded all my Yubikeys to it.
What if you lose your phone or your phone is damaged beyond repairs, what then? Would love to see a tutorial on creating a passkey account and using one as well.
95% of the time I am using my desktop and not my phone for going into websites. How do passkeys work for that? I assume the site has to have passkeys enabled for it to work? Not sure on how to set this up.
Great content & very well explained. Can I opt out of using passkeys and return to username, password, and my YubiKey?
Yes, at least right now you can. 👍
That screen fills in so slow, I'd hate to have something mission critical going on
Me too!!!!
Google selling technology that has existed for 30 years (biometry, public key) as something new
There is a fairly recent problem with Apple / Google mobile devices where if someone swipes your phone and runs off while it is unlocked. They could change the passcode and even your Apple / Google account password and hijack your account. This is because both Apple and Google trust the device because it was unlocked with biometrics. I don't know if this oversight has been fixed or not. During pandemic people used passcodes to unlock mobile device because of masks being an issue initially with biometrics. Thieves would observe you entering the passcode so they could unlock the device then hijack your Apple / Google account.
So what happens when you cross an international border and they force you to unlock your device so they can search it or even just copy it outright. Surely they can then access everything because they now have your passkeys. With a password manager those authorities would still require your master password which if strong would I expect stop them or significantly slow them down. I suppose I'll need to properly research passkeys and inform myself how it all works as a security ecosystem.
Luckily this isn't a threat vector that I have to deal with in my day to day life, get yo'self a burner phone, my friend.
So how long will it take, until you can buy a bunch of biometric data in the dw?
Imagine the power you can gain over somebody if you can identity steal their biometrics and every provider like banking or courts will go with it?
What pass key is best for iPhone 14???
man her hair. 😮. ❤
So if I hear you right I would need two yubikeys. One that I carry and one that I store in a secure place in the event of device failure. Do these keys ever fail? Or is it better to have multiple devices? One day passkeys too will be breached, especially if you don't have a device updated all the time. Even with updates Zero days can happen. It's all about the risks and how to lower them. Example a chrome device over a windows device. Especially if all we do is online. Thanks for the video, there was a lot of great info.
Please, create a detailed, step-by-step for "Smart Card pairing" of a Yubikey to a Mac & a PC. The steps are different between Macs & PCs.
Yes, I've successfully, "Smart Card Paired" both of my YubiKeys to each of my Macs.
Warm Regards from Reno, Nevada
When adding a passkey to google, do you first have to disable all existing 2fa within the account?
Very informative but I think some of my friends would have been a bit lost when you use a lot of acronyms.
The approval procedure can be forged, because the response is transmitted, not the hash.
@ShannonMorse If I use a hardware-based passkey like a Yubikey, is there a way for me to have my Spouse have a key synced or duplicated for her use?
Absolutely. If a platform allows for multiple keys, you'd just need to add a second one. Adding secondary keys totally depends on each platform and what protocols they accept
So how would you use a passkey to login at an internet cafe ?
Question I have is how everyone is saying passkeys will replace passwords, but how would I set up a passkey to begin with if not with a password? For example say I set it up on my phone, with a password, get rid of the password, and then lose my phone. Am I screwed?
Is the new weak spot when using passkeys losing or having the device stolen when the passkey is on the device?
If I have to sign into a device why do I need a password, or passkey for every web address. once I'm signed in there should be NO NEED for this headache
Interesting. We will all need to get with users and promote this..I see there is an amateur radio callsign in your background, but it is not fully displayed. What is your callsign? De KB1PA
What is the difference between 2fa and passkeys?
deff need this
So what happens to the key if you have to factory reset
what happens if we change or remove windows login password for example ?
I didn't understand this very well. When listening to an explanation, I think about, "How would this work for my situation?," and I don't know. Most of my "devices" are desktop computers with Ubuntu Linux. What would the process be to transfer passkeys to another Linux installation?
Yes need more information please :) from a Yubikey owner for a few years. Always learning how to be a few steps ahead.
Why not cover yubikey security key as it is a cheaper choice. There are few if almost none that talk about the key being different.
passkey with biometric and physical 2FA one time password generator
I'm also very enthusiastic since I tried WebAuthn back in 2018 and passkeys in the past year. It's even more urgent to switch to them since the most recent revelations that a quantum computer can do in just a few seconds what would take 47 years to a normal computer. So our passwords will really be in danger within the next few years. And I'm trying to convince the most people I can to use them as soon as possible
For quick fix is use a password manager and much longer random passwords.
@Darkk6969 doing that since 2011 😉 at least 20 characters on sites that allow it. So many sites are still limiting to 12... It's for those ones that I'm afraid
@Darkk6969 and I had to change almost 600 after the lastpass hack. I was not using it anymore but things were still stored there "to be deleted"
I'm aging, and wondering if the whole bloody thing is worth it.
I can't use a passkey created on an iPhone to log into a site when I'm using my PC, whereas a password can be used on both devices. Is that correct or am I barking up the wrong tree? Anyway, keep up the good work :)
So it's basically PGP in hardware.