And if you compare the risk and probability to get hacked between these two options? Passkeys are invented for a reason! ;)

​@@LivingInCloud1 Yah. Where a website actually supports passkeys, an attachment to passwords is a lot about comfort at this point. Passkeys aren't familiar, so it gets people thinking of scenarios that are less likely than the multitude of scenarios that are possible with preshared passwords. For example, a lot of the attacks @Lleanlleawrg mentioned require physical access. Passwords can be phished remotely. I mean sure, it's possible for a Yubikey to be stolen, and for someone to guess the PIN before it locks itself out. And sure, someone who knows that your passkey is on a susceptible keystore can steal one, hack it, and log into your accounts, but a lot needs to happen _just to you_ before this happens. And it's likely that you'll notice you've been compromised and can start revoking the passkey since all that can be triggered when you can't find your key or learn about a vulnerability.

@@LivingInCloud1 So you lose your phone and stored biometrics. How are you going to log into anything? Relying on a passkey without a password as a backup login is a liability and if you need a password as a backup you might as well use it as the main login so you notice when it is compromised.

Thanks so much. Hey have you taken a look at Microsoft Lighthouse? It's free and will help you do just that :-)

Thanks Christopher 👍

Or you could learn it now and be ahead of the game instead of catching up later.

@@AndyMaloneMVP looking forward to not have to pay for fido keys.

Thank you :-)

There was some research done a few years back that showed that two-step verification features such as phone calls and texts could potentially be intercepted and thus these methods are not phishing resistant. Whereas authentication methods linked to hardware such as Fido keys are the Microsoft authenticator app are resistant.

As time goes on it will increase

If you could show me something that’s 100% secure, I’ll give you $1 million. Unfortunately nothing comes with 100% guarantee.

The key will follow you.

Exactly! But a million times more secure and are phishing resistant

@@AndyMaloneMVP No one has ever figured out my passwords nor will they. This fixes a problem where there is none and just looks like a pain in ass.

@@jamestemple8970 a very real problem with password auth is that you could be fooled into providing account info to a phishing site if that website asks you to login. So someone who has never touched, or installed malware on your computer could convince you to give them your username and password and perhaps even log in for one or many sessions on your behalf. If an attacker with similar access (none to your physical computer, but with the ability to fool you) tried to convince you to do a passkey login to a phishing site, your browser would divulge nothing about your account to this site: It wouldn't know how to divulge your account information. It's still not perfect, but it's significantly harder for people to get scammed in the same ways when they're conditioned to always use passkey login. Another real problem is session hijacking. After you've logged into a website, it's possible for someone to move your login session to another computer. If a website provides a more convenient, more secure way to login (like passkeys) it can reduce the max duration of sessions, reducing the impact of a session hijack.

I assume you me flaw? This is but one a number of methods. Your passkeys are backed up and could be transferred to a replacement device 👍

Great questions. They are obviously based on the same tech so would have the same pro's and cons. It's pretty robust so far. As MS have not released their options for Entra ID it will be interesting to see how admins can manage this in Antra ID as well as device management in Intune. We shall see soon I guess.

No and No. Passkeys generate a unique fingerprint. You could always use a fido key which has a portable private key.

@@AndyMaloneMVP You sure about the second No? The passkey ends up on the iOS keyring that can be backed up and transferred to a new phone. In essence, you give up a little security with a software Passkey compared to a physical FIDO key, trading security for usability. This said, Passkeys are WAY better than any password there is. If you want truly private key handling, stay with physical FIDOs.

This is merely one form of authentication

You are incorrect, I’m afraid. Fido is a standard

Pies are stored on your device, which are then backed up either to your azure key vault or your iTunes account. Also this is one of the reasons why you would have multiple keys on multiple devices to prevent such an issue.

You’re talking about physical Fido2.0 keys. You’re right. Another reason to use passkeys stored on devices and backed up into Keychain or similar system

@@AndyMaloneMVP an alternative is to enroll multiple passkeys on devices including ones that don't have a battery. The ones w/o a battery or that are in a less durable phone can be backed up by passkeys on physical security keys that you keep in a safe. Behind all of these, most websites have recovery methods that you can use if you lose all other authentication methods, but it's important to confirm these before you get locked out lmfao. In a corporate environment, your IT department will always be able to recover your accounts. BUT if they encourage you to have backup keys, they'll need to do this less often and may even allow you to self serve rotating your backup key if it goes missing.

I believe so yes.

Rolling out from January 24

The whole point of this video was to move away from passwords

@@AndyMaloneMVPsome websites or apps do not support passkeys then what should we do.Where should we save password because remembering multiple accounts and passwords is a difficult task?

@@sheikhhasnainiqbal3715 It’s new tech. It’ll come

It’s backed up to either your Azure key vault or your iCloud, or equivalent. No, you won’t lose your life 😊

Passwords are device specific but can be backed up. Goog also have there own passkeys for their sites. No they don't delete your password YET! Best to have multiple passkeys on multiple devices :-)

Without access to a physical device that will be tough.

Buy a camera first 😊👍

Yes it will

@@AndyMaloneMVPawesome do you have any documentation you can direct me at? Also will this work for both Windows, MacOS and IOS when available in Entra? Thanks for making great videos 💪

A passkey is for of authentication. When you add a fingerprint or face that’s a second. Plus the device itself is the third. Hence the term multi factor/

If you really must! Use a password manager use an encrypted key store

It's a client to service authentication method. For example device to website or app authentication, so a connection would be required.

1 and the same

Great point. You are correct about Fido. However Passkeys can be backed up to let say your iCloud account or Azure Key Vault which can then aid in recovery / transfer to a new device :-)

support.apple.com/en-gb/HT204085

Make sure that you run in the very latest version of Windows 11 as anything earlier does not support passkeys

I agree and good suggestion

Apple key vault is far superior at storing passwords and many commercial systems. It’s completely encrypted and passwords are shared across Apple devices.

They are, believe me

@@AndyMaloneMVP What examples of existing, practical, mainstream web sites can you name where passwords have been eliminated as an option for new or existing accounts?

@@Larry821What I’ve gathered from other articles and videos is that there will be a transition, quite a long one, in which both passwords and passkeys will be used. Plus right now, only a handful of sites and services support them. It will take ages for the whole world to implement them!

It's backed up to your iCloud

@@AndyMaloneMVP So one would not be able to access any accounts until the device was replaced? But after replacing the device, at least one would not have to regenerate the passkeys.

There will be an option in conditional access for this coming in January👍

Delete it.

Unlikley

Unlikely? That doesn't address the concern or offer any comfort-- it makes it more concerning!

It's pretty common to replace OSs and hardware.

Your biometrics is not what is passed to the online service. So stealing your fingerprint is useless. Unless they also steal the physical device with the passkey that is locked with your biometric. But even in that case you can use another device to revoke the passkey in the stolen device.

Although I haven't tried it I think you can reinstall OS and not lose passkey because it is handled by hardware TPM chip. If you need to move to a new mobile device you can just link up new device and it creates a new linked passkey. You can also create backup keys in printed form...and they can be revoked if you lose them. Anytime a new device is linked you'd be alerted. It's all well thought out. There are multiple things in action that are not obvious. It's both complex in security while being simple to use.

No idea, sorry

A user account can have passkeys on multiple devices. In terms of how MS will deploy .. watch this space for more details 😊

For an example, the passkey is associated with your keychain in Apple. So it’s irrelevant for the device. So if you lose your phone, it’s not a problem, passkey it’s for the user to identify themselves

does android offer keychain?

or Windows for that matter

@@aaronster to be honest, I don’t use android due to his poor security. So I don’t feel qualified to answer this question sorry.

This feature will be available soon. A Passkey will be associated with a users device.

You would setup a passkey on each of your devices

Passkeys is not a virus. It’s an authentication mechanism. I’m not using Google sorry.

@@AndyMaloneMVP I solved the problem by editing my passwords in Edge and then syncing Autofill and then syncing on Chrome. You call it a feature. I call it a virus.

Hopefully this will be removed

@@AndyMaloneMVP My understanding is that, in the consumer space, the challenge will always be regaining access to an account if you loose your phone for example. The fall back would be to standard username and password and maybe another MFA mechanism. It's not an easily solved problem. I think the point is that such cases would be outside of normal behavior and make phishing attacks considerably harder. The enterprise space is a little easier. With federated SSO there are fewer credentials to manage so getting your help desk to let you back in should be easier. Not that that pathway won't be abused by attackers..... ☹️

@@AndyMaloneMVP We said that back in 2000 when we started using RSA fobs... still waiting ;-)

Generally no, however, you would typically use a Paske to authenticate to a server or website via an app

Oh, and yes, passwords are bullsh!t passkeys are awesome

🤪

You can customise MFA n Authentication strengths 👍

As I said, at the end of the video Microsoft will be introducing passkeys into Microsoft 365 admin centre and Entra ID. Watch out for more details to come.

For enterprise, passkeys will be implemented in enter ID very shortly.

@@AndyMaloneMVP I'll be watching, and waiting for, the mobile support with interest.

I agree with what you say about physical passkeys, but not the ones attached to mobile devices or computers. These will be free.

@@AndyMaloneMVP the ones that are attached to computer are they physical? Because I know a lot companies in Canada that still do a part-time WFH model and also have floors of desks and computers for users who need to come in and work, no one user has their own machine.

@@andrewenglish3810 yup. You can use a physical (removable) key as part a FIDO2 2FA or Passkey auth attempt. You can also have multiple physical keys attached to an account, and do whatever you need to do to prevent someone from grabbing and PIN-unlocking them.

Not at all trust me. It’s as easy as paying for goods with Apple Pay

2:24

3:30

​@@AndyMaloneMVP😮 0:37

1:04

I because it’s protected by your biometrics

@@AndyMaloneMVP Biometrics on your phone can be circumvented by entering a password instead which an armed robber will ask for. I see a pass key as more of a convenience device so you don’t have to keep entering passwords. It appears secure until the biometrics are circumvented.

Exactly

This is an updated video that answers all these questions Phishing Resistant MFA How it Works! kzbin.info/www/bejne/kGGmkJemrKiCmbs

You own the private key which stays on the device that it’s installed on. You can install multiple keys on multiple devices. Public keys are shared with relating to party servers, for example, a vendor. But only you have access to the private key.

In addition, private keys are backed up to either your iCloud, Keychain, and, or your Azure key vault

Please don’t be paranoid. 🙂

Password managers are supporting passkeys, so they are an alternative if you don’t want to trust Microsoft, Google or Apple. I’m currently using a password manager for the two or three I’ve set up so far. Otoh if you don’t trust the password manager. Well, at the end of the day something has to be trusted somewhere! 😊

Well my friend times are a changin😊

Carry a Secure Token instead 😮😅😊

This will change

You are correct, google was one of the founding bodies of Fido

In that case, you can use a hardware, token

I think you’re letting your imagination run away with you 😊

It's coming. One way or another. Passwords are on there way out!

@@AndyMaloneMVP Well, I guess I'll prepare for an offline life then. We're screwed anyway when Microsoft ends support for Windows 10 anyway. I'll just have to figure out how to do my banking without a computer or phone.

@@StijnHommes When you find an answer, make sure you let me know please 😊

​@@AndyMaloneMVPWhy? You'll be using passkeys, won't you?

All hackable and soon to be obsolete