Was coming to say the same thing... would def be pretty sus lmao

Presumably the servers would also have to use the public key to encrypt a unique timecode in the data sent, and then verify the same timecode in the response, in order to prevent client playback attacks.

The "freest" country in the world 🤣🤣

@@pinky6863 So what if I'm required to give them 256-character password from my password manager? :) Passwords won't come cheap! :)

@@pinky6863 In germany both are protected under our "Grundgesetz"/ constitutional law, and also under the "Strafprozessordnung"/Code of Criminal Procedure. You don't have to give anything (information and things) to the government which *could* might incriminate yourself.

​@@pinky6863not sure your right as you are required to give prints and DNA samples if your arrested in the UK. And we have new laws effectively going to make it illegal to use these because of the lack of government back door

Exactly, but also people near you that can use your finger or Face ID to get access. Somehow, brains are protected 😅 i would not use Face or Touch ID to confirm.

To me the biggest limitation is losing control over my own Identity. PassKeys can be hacked just like LastPass, Comodo, Zero Ring, Golden Ticket, I mean... all this does is create a more valuable target... sure we might save the morons from being "hacked" but now even the geniuses will be forced into this ecosystem and they will now become less secure. Remember the old joke... if you are being chased by a bear... all you need to survive is be faster than the slowest person? It's the same concept. With "gimmicks" like this... it makes even the fast as slow as the slowest! Now... you have to rely on someone else's ability to to dictate your survival and you will not have any ability to understand this technology to fix it when it goes wrong... but the hackers will... they will know more about your own security than you ever will. You have a job to do and can't dedicate the attention necessary. But they have time... they have plenty of it since they get paid by their various governments to datamine your "identity" or just flat out NSL the data directly without any way for you to know or even challenge it. A day will come where an employee is fired because a government somewhere does something with their account and how is the poor sap going to be able to prove any of that? The entire ecosystem is completely outside of their ability to even "know" which means courts will throw out all of your challenges because you can't even prove harm... And just like that... the entire world is compromised. Especially as AI takes off. Nothing beats a personal password where your brain is the storage medium. These are only to fix the problems with the stupid and lazy.

Agreed. So far, even Amazon doesn't accept it (yet). However, because Google does, you can use it for any account you can access via Google including PayPal...which is pointless because PayPal accepts passkey.

I like the idea of passkeys, but yes it seems like the acceptance by apps & sites is woefully slow. 😎

@@freemagicfun It's just so complex. not many people even understand this, so even if the sites offer it, I imagine almost no one uses it.

All of the major email platforms and operating systems are supporting them (Apple, Google, MS, outlook, gmail). But true that most others services do not support them or hardware security keys. The banking industry is woefully behind on the security front.

Exactly! Nowadays a phone is an awfully weak link in a security chain, because it is both indispensable, as you mentioned, and extremely vulnerable to assault: if nicked while unlocked, and/or if your aggressors force your face or your finger on the phone, in a matter of seconds they own your Google or Apple account holding your private passkeys, and as far as I know, there is nothing you can do about it.

And their recent price increase 😡

I would highly recommend you don't buy security keys. If you enable googles highest level of security, and they detect a potential attempt to break into your account, google will immediately disable every way of logging into your account, and disable all of your security measures, including your password, then require you to reset your password via a link in your gmail, then only after reseting your password, will you be able to reset up your security keys. If google can't even trust a yubikey, a titan security key, 2fa via googles app, passkeys, and passwords, to verify who I am, you probably shouldn't trust them either.

Agreed. Also the "they need your PIN" - yeah cool... What I took from it is that the vector of compromising the secret holding service gets eliminated. So it's still no match for pw+(non sms)totp for corporate or self host scenarios. Big plus is that it is a convenient enough method to use for non tech people. About the amount of time to reset a password. Not a strong argument, this can be very streamlined.

I think he's talking about grabbing your account from some random website and cracking it with a rainbow table, not necessarily hacking the password manager's servers. A note about PIN codes, most modern devices have a secure element chip that is hard wired to prevent repeated attempts at brute forcing, so even if you have a 4 digit pin, while that's not great, a thief/spy/hacker would only get to try a couple dozen times before the timeout became days long. That would, in theory, give you time to mitigate the damage by updating your account information in the relevant places, unlink/remote erase the device, etc. Not all devices are equal though, so take it with a grain of salt. Might be worth looking up your device and how it handles that.

@@DFPercush True. The iPhone has the self destruct mode (erase the phone) after 10 failed attempts.

Also, have you seen how many dependencies FIDO2/WebAuthN has? It is so much work that most websites will probably never provide it, unless forced by their government...

Jones' Law: "Anything hit with a large enough hammer will break." All security mechanisms have limitations which should be considered when deciding whether or not to apply them in a particular environment. That said, Passkeys offer a balance of security and convenience that works for a broad range of applications and environments. As to "too much work," there are, or will be plug-n-play implementations for most environments. Compared to doing nothing, they are "work." Many, not to say most, managers of websites are reluctant to do any work until they get slammed. I never cease to be amazed at the number of managers who opt for cure over prevention. However, the environment is becoming increasingly hostile and password reuse is a favored method of attack. Perhaps, keeping one's resume up to date is the least work. However, being associated with the victim of an extortion attack may blot an otherwise spotless record.

I'm a (yet another) IT professional. I work in education. Shared computers are a common device deployment method for cost savings, so hardware-tied private keys would not work in this environment. There's also the problem of personal devices. 2FA implementation is always a controversial topic as for one, smartphone use tends to be discouraged, and two, staff are always against using their personal devices for work purposes, and schools do not have the budgets for hardware tokens.

@@HarmonicaMustang Admittedly, Passkeys are neither as convenient or secure on multi-user systems. On the other hand, the majority of modern computer users have never used a shared computer, not even a PC. Most have only used a mobile computer, a single user system. Many of our security risks today are relicts of shared systems. As the cost and scale of computers continue to shrink, solutions like Passkeys will become increasingly convenient and secure.

@@williamhughmurraycissp8405 This misses the knowledge that there are lots of situations both in work and at home where shared devices make lots and lots of sense. I'm thinking a shared public PC in a living area where random visitors might well need to check their e-mail, but don't carry a laptop (and find a full desktop a lot easier than their phone), a roku TV where a visitor would like to load their Netflix profile for one movie, etc. In the work environment I'm thinking all sorts of kiosks where you have manufacturing, scientific experiments, library style public access systems, projection control computers - anything needing walk up access that might require authentication as different users for cloud services, work processes, etc. And in work locations this is going to be even harder because you'll want to give access via many to many matrix for users - both if their laptop dies you want to hand a new one they can start using immediately, but also access to the corporate cloud e-mail, cloud storage, local services, plenty of shared systems you remote into for various reasons like terminal servers and more. And from a work location there's the reverse issue of many of these hardware things just not being available to all OSs - if you use Linux you can't (as far as I can tell) use a TPM to unlock FDE, and worse, the management is completely different between MacOS, Windows and Linux. Passwords have converged to it working the same across all platforms. Not to say passkeys won't potentially get there, but we have these special proprietary "secure enclaves" that often aren't as secure as we are told. So Apple doesn't use TPM from what I can tell, neither does Android. So we already have more Windows only, or Mac only, or Android only implementations.

You should be able to create a new passkey and the old passkey will no longer work.

How do you keep your car and house keys secure? Where do you store them to keep them safe? Or do you carry them with you at all times like on your keychain with your hardware passkeys? Seems like a personal decision based on threat assessment is my point.

Yubikeys are going nowhere. They exist to control concurrent usage of software programs and mostly replaced by storing the keys on an in-house server. They fail often from use and going through the washer and dryer. The software vendor overnights you a new one and deletes the old so even if it is found or starts working it won't work. The only reason this 2009 passkey technology has become usable is because the cell phone has become almost ubiquitous and is the only device that has the intelligence for now and the future. Even your car and house keys are going away. It's already your wallet, passport, visa, credit card, immigration form holder when you travel, map, calendar, secure and insecure communicator, airline tickets, where the gate is for your next flight, flight schedules, your seat, adjust your house environment when you are home and when you are not, guides you around the traffic tie-ups to and from work, lets you scan into the gym, your note taker, language translator, it will soon be carry your ID/driver's license, gets backed up encrypted to the cloud, and is becoming the only thing you need to take with you.

Google doesn't even trust the passkeys. They detected a potential attempt to break into my account, and completely disabled every security measure I have to verify my identity, logged me out of my email on all of my devices except my phone, refused to let me login even though I had every single method of verifying my identity, and required I change my password, through a link in my email, then after I reset my password, which didn't require any form of authentication beyond being logged in, I was able to reset up my many authentication methods. What is even the point of any of it if google won't even trust a single method of authentication, and won't even trust you to verify your identity if you have all of them at once. And then doesn't even bother to verify my identity, while it bypassas all of that authentication I have, and lets me reset my password, without verifying who I am.

They're technically more vulnerable than a website with just a password, as it's an additional attack vector..

I think this is an example of not yet perfect, but way better. Part of the benefit of passkeys (even as an alternative to still-active password auth) is that it makes certain attacks way harder to pull off. For example, if someone pointed you to a simple mis-spelling of a website, your browser will not reveal any details about your account to the imposter. It'll just tell you that no passkeys are available for the service without revealing anything. This should clue you in that this your being attacked. This benefit alone can help improve your security posture. Granted, ur right that it would be cool if more sites allowed those who are comfy to just go 100% passkey, eliminating the possibility of a compromise of those passwords on the server side altogether.

Apple support security and recovery key, eight character passcode

Biometric fingerprint scanners can easily be beaten.

@@MegaLokopo Yes it is, especially while gobble down a popcorn watching Mission Impossible.

Sorry, there is no remedy for stupid. "The dummies have it, hands down, now and forever."

@@williamhughmurraycissp8405 sure, but a password is easy to reset with these people, unlike a hardware key besides I wouldn't even call them stupid, it's just that given enough people, you will always have at least one person per day and it's always going to be somebody else

I agree that we should support free (libre) hardware, but Yubico sponsored this video. That’s why he mentions Yubikeys.

Also think of like ssh keys

So like the part where I talked about the cons of passkeys you mean?

Although some types of attack remain possible as long as your account allows password login, the point of passkeys is to give you the option of choosing when to use a password. Whether it's *never* is up to you. If you choose to still login with a password, this is what makes your enrollment of passkeys useless :) When you do login with ur passkey, instead of typing your password into a website and submitting it, your browser (after verifying that the website is...the website) will simply ask you which passkey to use, then prove that you have the passkey in a way that cannot easily be man-in-the-middle'ed unless your device is compromised. The idea is your browser will never attempt to log into an imposter website, and if one of your devices is compromised, depending on how, you may be able to un-enroll it from the service from an uncompromised device. This makes it significantly harder for someone to convince you to log into a website that proxies any part of your login attempt, and also allows you to reduce the blast radius of a device compromise to maybe that device (depending on the compromise). Stepping back, the whole idea is to give you a more secure way to login. Eventually, it'll also allow websites to just stop storing (even salted/hashed) passwords altogether. But baby steps.

Insert [doubt] meme here...

Hah! To be fair...that was 3 years ago.

You’re not even required to have a cell phone at all.

@@CrosstalkSolutions I'm just a bit nervous about large companies driving this. Making things "easy" comes at a cost. Apple is especially bad at forcing users to do things "their way".

Lol😂😂😂😂

Enroll multiple passkeys. When you no longer think you have one of them, unenroll it. Until you do, it must have had a layer of security on it before it could generate the passkey (a strong pin or a pin and a biometric lock) that whoever stole it needs to crack. TLDR: You can lose it but you can also prevent that particular key from ever being used to log you into stuff without affecting anything else that isn't lost/stolen from logging you in.

double dutch@@seetentees

You're right - there is always a risk of someone shoulder surfing your PIN and then stealing your phone. But that's not the point here - the point is that your example is extremely rare compared to the amount of phishing and hacking attempts that hit people from far far away. If we eliminated ALL but your specific concern, it would be a HUGE win for security world-wide. And a singular edge case of "well...it can still be compromised in this very specific way..." is not an excuse for rejecting this technology.

@@CrosstalkSolutions I agree with you but just thought it's important to understand all the risks before entertaining any new endeavor

Exactly my same question. My take is that passkeys (plus other authentication factor) should become the primary login method and username + password the fallback option. Probably in the future we won't even set up a new account like we do today (username + password).

Did you check his site? I seem to remember he's demonstrated how to use Yubikeys before.

We should support open source alternatives, not Yubico

You are thinking of Yubikeys or hardware authentication tokens. Passkeys don't require USB or hardware token.

Agreed. It was a bit confusing and I came out of the video still not certain about what it is and what it does. Simplicity is the passkey for many of us.

I watched this video and al it did was convince me to not use passkeys until I have to. What happens if you lose you smart phone or don't even have one?

@@jamestemple8970 it's not a great answer, but the idea is that any passkeys on your smartphone are synced with the mobile ecosystem owners cloud password sync provider. So if you happen to have multiple e.g. Google or Apple devices already enrolled with Google or Apple's cloud password syncing service, they'll all magically have all of the passkeys either device has every created. If one device breaks, you can use another device to enroll a new device into ur ecosystem account, and it'll magically get all the passkeys synced up. This has obvious implications which are kinda concerning (mobile ecosystem vendor lock-in), but it is what it is. If a passkey is only on one of the devices from an ecosystem (e.g. if you made an account somewhere, provisioned a passkey on your solitary Android phone, and never enrolled a passkey elsewhere for that site) if you lose that device, you have two options: Option 1: Start the recovery process for the mobile ecosystem account tied to the device: So continuing the example, if you lost your solitary Android phone, buy a new Android phone, and use the recovery options for your Google account to sign back into into it. Then it'll magically have all the passkeys previously provisioned. Option 2: Buy a new other device (iPhone or Windows device with Microsoft Hello, or any device plus compatible hardware security keys), then go down your list of actual passkey protected accounts and invoke each one's recovery process to enroll new passkeys. At least for now, it's a great idea to enroll your convenient to use (but breakable/stealable) mobile device *and also* additional hardware security keys that you can lock up somewhere. Passkey auth requires some different factor (mobile device pin or biometric lock, or hardware key PIN) so the idea is that even if someone stole your backup, they won't be able to log into anything. BUT if they destroyed all ur backups and your main device, you're in trouble. The same trouble you'd be in if you lost your password pre-Passkeys. The crap thing is that you cannot simply remember ur passkey, and you can't practically write it down. Practically, each passkey's private key will be hidden (even in some cases totally inaccessible) on a physical device, so you just need to make backups in the form of ... enrolled devices upfront.

@@jamestemple8970 One thing he highlighted is that password managers now allowing management of passkeys. I think a password manager secured with a hardware key is more secure for managing you passkeys, vice a device or Apple keyring.

I could not agree more, clear as mud. You expect the millennials to have even considered that scenario?@@jamestemple8970