Hi Leo, back in the day, when CLI was a the only thing out there, PGP for email had caught on. I used to use a product called Eudora and similar email implementations. It seems like it took a while for this to come back in a different form. Better late than never.

@@debtfordwharf It never really went away. There was always a plugin for Thunderbird, and assorted others. The problem is it's still too complex for normal people to use.

If someone adopts Passkeys, should they delete all other methods of authentication they used previously? For instance, Google Prompts? Could someone exploit/intercept Google Prompts if used at some point despite the fact that we set up Passkey?

Exactly my thought to!

super clear

😮hjbfftttrr 0:33

Mk NM😅

Yes, wonderful job!

Sounds like an AI response! Have seen this same response on other videos.

This is a naive point of view. Passkeys will be stored in raw form 100% it's impossible to guarantee biometrics on everything and syncable is a core requirement for an everyday user. Because of that you open the opportunity to steal the passkeys from a device guaranteeing that a successful attacker will have access to every. single. account. ever. forever. As you have correctly stated, you have moved away from authenticating people to authenticating just the device. This is an inherent risk introduction.

Thanks. You explained a key point. The passkey is tied to/on the device, so if the device is unlocked, anyone who holds the device can access the account the passkey is associated with. It seems like an off-device password manager would be more secure, even though less convenient, a long as the account password is strong.

Super job Leo! Look forward to making it work...not instant.

1) your IT folks are misguided. :-) 2) We're moving to a passwordless future. In some cases you can choose that right now, in others you can simulate. So, no it does not defeat the purpose. 3) Passkeys will never be created without asking you first. 4) No. They'd still have to pass biometric or Windows Hello authentication when they attempt to use a passkey.

I guess there is no golden bullet in cryptography. Each solution has it's strengths and weaknesses, but what is considered a strength (or weakness) by one user might be the opposite for another user. Even though the passkey in it's current form is perhaps less elegant and definitely more cumbersome than the method you describe, I would still prefer the current solution. If I understand you correctly, I personally wouldn't like to have solution like SQRL that is based on a single private secret used to authenticate/unlock all (!) my accounts/logins. Sounds like the likelihood somebody would be able to crack my private secret in the future would increase with the number of accounts/logins and of course advances in technology with time.

It’s nifty but doesn’t scale the same. Passkeys are portable (once the standard is agreed upon) without exposing other logins/identities. Not only to other passkey safes, but to other individuals. The private key shared/transferred/stolen even if cracked, exposes nothing else.

Thank you!

If your operating system drive goes down, yeah. Or if for some other reason you can't access the computer with the private keys on it.

Good question on a passkey only set up, but if you use 2 hardware passkeys (1 set as backup) do you think that solves that problem?

@@Fregmazors Nice answer! Here is the end of "passkey magic". Who want to lose their google "only passkey" account along with a stolen smartphone?

Older person it's all word salad for a non technical person

Agreed, & same here

I think because all other explanations contain the "and then magic happens" part, this is the first one that explains that passkeys are just ssh-like authentication with a better UI.

thank you!

When you set up a passkey on a new device, yes, you login some other way. It could be password, but it need not be. It's more often something more secure like a confirmation email sent to the email address of record, or a text message to the phone number of record, or similar. Once you've confirmed your identity that way, the passkey is created. Losing your device has nothing to do with any of that. ANY new device on which you want to set up a passkey goes through that process. If you lose your device, however, once you've signed in to the account elsewhere you can remotely disable the passkey associated with that account.

Each time you set up a passkey on a new machine a different form of authentication is used. For example a code to your phone, or a message to your email. Once set up it becomes your authentication mechanism. But you're always able to set it up from scratch somehow.

This is an excellent question and one that bothered me for a while. You can’t make the argument that you are in a better security position with passkeys if the use of passkeys is in addition to an authentication method that was already present. Therefore, you have only improved your security posture if you remove the old auth method and only use passkeys. However, if you do this, you run into the issue you are asking about. I think for this scenario is exactly why having a 3rd party password manager (PM) in general, and 1Password in particular, makes sense. The PM collects and manages all the passkey private keys so no matter what happens to the device that actually created them, it doesn’t matter. You get your new phone, authenticate to the PM, and you are back in business. But now isn’t the PM vulnerable? Not with 1Password’s security architecture. There are two necessary pieces of information to access the 1P vault that are never stored in the cloud or even transmitted: your password AND a locally generated random security key. You pair those things with a hardware security key, stored in multiple secure locations, and I think you have a setup that’s nearly impossible to breach, but is also convenient

Well, I think passkeys are just a convenience mechanism in that you have to authenticate only once either in the key manager of your OS or in your password manager and then use the per device generated and stored passkeys to log in to the websites. No need to manage different passwords, and it also increases security as you are not exposing your password in your daily login routine. No chance of some man in the middle or some other malicious browser extension stealing your password. Now your concern about a data breach happening on the website on which you use the password to login, most of the companies don't store raw passwords in their databases. They store salted one way encrypted password. As soon as you supply the password and try to log in, it is immediately encrypted in the client side and transported to the server in an SSL tunnel ("s" in HTTPS indicates that the site uses SSL, which means all traffic is encrypted)

@@overtomanu123 The supplied password is "immediately encrypted" on the server side. The client does not know how to encrypt the password.

@@markanderson2904 yes I am telling that password along with all other traffic is encrypted by the SSL mechanism, so that MITM attack does not happen

Using whatever accout recover techniques or alternative sign-in techniques are available. PassKey is NEVER the ONLY way to sign it.

Of course! And it's so easy to remember! 😀

Passkey is more a replacement for a password, and not directly related to 2FA.

Each machine has it's own passkey. So you'd be starting over as outlined in the video/article by signing in some other way.

@@askleonotenboom But if it's possible to sign in some other way doesn't that lower the level of security? I apologize for seeming dense but considering the skills of those with less than honorable intentions and the amount of information stored in the cloud this system may be an improvement on the current model but it still isn't perfect. I suppose anyone with these concerns could just have two machines with access then if one died you wouldn't be stuck. It will be interesting to see how it will all work out in the end. Thanks for your prompt reply.

So, it should be strongly recommended to generate passkeys from more than one device for each account, inmediately after creation or activation of passkeys.

@@mfr2 Not necessarily. It depends on the service, but like I said, you probably signed up with an email address so an email to that address could also confirm you're you.

@@frederickclause2694 Of course it's not perfect. There's no such thing. But it is significantly more secure than password based authentication. AND it's easier to use. 🙂

I haven't seen hardware passkeys. Please don't confuse Yubikey devices with this. They are two-factor keys.

Actually if the yubikey can provide user verification via a pin, fingerprint, or something like that, it’s considered a passkey! Most people use them for 2SV, but they’re very much usable for passkeys (given they can perform user verification)

@@askleonotenboom Yubikey 5 series can be used for passkey (FIDO2/Webauthn) authentication. Actually, that seems to be the only (simple) way currently to use passkey authentication on Linux (not Android) devices.

3rd party password apps aren't necessary. The key pairs are known only to your computer (the private key) and the site you're accessing (the public key). No password for 3rd party password apps to manage.

@@HarshColby Some online 3rd party password managers can store your private key. That's how they sync your passkey between all devices where the password manager works. Some of those online apps include 1Password and Bitwarden. KeepassXC is an offline password manager that will soon support passkeys, too.

Depends on the system you're signing into. Worst case you start over, but in general it could be as simple as a one-time additional hoop to jump through (a text message to confirm, and email to respond to, or another device on which to approve the sign in).

I don't believe so. It's stored and used only on the device.

Pretty sure I mentioned that in the video, or at least the companion article. :-)

Exactly. The OS will ask for that.

@@askleonotenboom Is this 2FA? Exactly how?

@@viktorpaulsen627 Not really, no. It's closer to a plain old password replacement that's more secure. Kinda. Some think of it as 2FA because your device will prompt you for your PIN/fingerprint/face before providing a passkey, but that's still only one factor that you had to provide in the moment.

@Jack_Callcott_AU: Always log off or, at least, lock your screen.

www.passkeys.com/whos-using-it

"Does it leave you open" yes. Choose trustworthy repair people. (Or take extra steps to secure sensitive data while still leaving the machine operable.) Not understanding the emergency scenario you're describing, though.

Make sure you always make backups of your devices and authenticate with multiple devices if you use something like passkey

@@askleonotenboom Or remove the hard drive and install a new one, then do a clean install of the OS before taking to the repair shop.

There is ALWAYS another way to sign in. That other way may involve more steps and be less convenient (say, emailing you a code), but think about how you establish a passkey to begin with: you have to login somehow. Once you're logged in you can then revoke the passkey assigned to your phone.

Related encryption technology, but used for a different purpose.

Your passkey is never the only way authenticate. Remember, in order to set up the passkey on each device you had to authenticate some way that didn't involve a passkey. So that continues to work when you move to a new device. A common password-free example is a link sent to your email account.

Recover access: of course. There's ALWAYS a way to login without a passkey -- that's how you set up a passkey in the first place. (That "way" is usually more convoluted, like responding to an email sent elsewhere, but secure.)

"Require" no. Tedium, not really. It's basically one click when offered. But yes, it's a new passkey for each combo. (UNLESS you're using a password manager like 1Password, which allows you to save one for all.)

A passkey requires that you be able to authenticate some other way in order to be set up. A devices passkey can be individually revoked remotely.

The same way you got into the account when you first setup a passkey on that machine. Usually a different, more cumbersome, authentication process, like an email to your email address with a code or something similar.

It depends entirely on the system asking you for a password.

Whatever technique the service uses for you to set up a passkey on a new machine should be made available to your heirs.

@louisesmith575: "do they have to have my device to do so?" No, they can just use the passwords in the password file that gave them.

Yes, but that's a MUCH MUCH MUCH lower risk than a password being compromised in a breach, or by phishing.

Some password managers like 1Password will store your passkey for use elsewhere. Otherwise, passkeys are per-device, so you'd set one up on each device the first time you sign in to the account on each device.

No. It replaces passwords.

Microsoft allows you to remove passwords. In leiu of that, set the password to something ridiculously long and complex, and then don't save it anywhere. Nothing for hackers to steal, you'd never use it yourself, so it's as close to password-free as you can get.

@@askleonotenboom Thanks Leo. (I am in the Apple ecosystem.) Unless I misunderstood, which is entirely likely, the service still has my valid user ID and/or email and my long/complex password. Many companies use very poor data security practices and leave files exposed on cloud servers like it is a hobby, so I still believe the danger is being unable to have passwords removed from a service when you have switched entirely to passkeys. BTW, although companies frequently use poor data security practices, they are expert at apologizing after they have been breached. I currently have three different "free" identity theft services due to breaches. Being breached does not seem to cause the same reputation damage it used to. Keep up the good work! Karl