(first link) this.video=video;

Actual link to the correct video: kzbin.info/www/bejne/b5_VdmeqaZJ8jqM

could you tell me what app or web app are you using for your transparent board? thanks

1:23 ❤

​@@neverhood78592:04

Yes, but they are also trying to tie to your personal identity, biometrics, so yeah nah, I will keep using normal pgp keys and regular passwords

Yeah they tie it to an account - like your Google or Apple or Facebook or whatever but do PKI between these parties. Not so different from SSO, just with more trust for device level authentication

@@marcopeterson805 Would you have a problem it everything was tranparent and it would all be local on your device?

@@marcopeterson805 was gonna comment that lol ..wellssaid

@marco The moment he said "biometrics" I said nope, my password is fine

If you lose your phone, traditional account recovery mechanisms are still possible (answers to “secret” questions, etc.) to generate new passkeys after proving your identity or passkeys can be synced across devices, in some cases

Instead of storing private key on a single device it can be stored on an encrypted cloud and the cloud encryption key can be printed on paper and can be kept in a safe. or an application can be built which will allow access to the device key holder only under certain conditions, like contraction and dilation of pupil and retina movement to make sure the person is alive and phone is not being misused, or a fingerprint scanner with pulse sensor etc.

@@jeffcrume Having to have and remember answers to secret questions is worse than having to have and remember passwords - it just requires more sensitive data maintenance. If problem of "lost/destroyed device" won't have a convenient solution - FIDO would have only a limited use in the future.

@@anonymous_1122_ Are you saying that the imperfect solution to a complex problem is not perfect so we should keep things as they are? What is your proposal?

@@anonymous_1122_ Don't answer on security questions by random strings and it will be much easier to deal with it.

You will loose your passwords but not accounts in that case because of 2FA

Passkeys are bounded with device , in this case you have reregister the device. Every org they have their own process to reregister the device.

@@jeffcrume You mentioned browser support. Where would the private key be stored typically? LocalStorage? Cookies? Very curious to know this since I remember that storing sensitive info on the browser can be trickier than, say, storing it in a mobile app. Thanks for the great video!

​@jeffcrume how are they being kept secured on the cloud?

@@muraliavarmathe private key is stored in some kind of a special-purpose secure hardware element on the device that the browser is running on. This element can be baked into the CPU in what’s known as a “Trusted Execution Environment” (TEE), or use a discrete module known as a Trusted Platform Module or TPM. There are good wiki articles on these.

Unless you have fixed IP’s, that could be a little cumbersome

​@jeffcrume Not necessarily. The server only acts as a rendezvous point for you to share your current IP address with each other. You both send a request to the server and the server responds with the other person's IP at which point it can remove itself from the equation since it's work is complete

did you just invent "dynamic dns"?

@@ivok9846it’s common enough already, has been used in online games.

That sounds a lot like WebRTC in browsers. You have ICE, STUN, and TURN servers to publish IP addresses, negotiate connection details, and if necessary, host a tunnel around NAT.

Thanks so much for saying so!

Here challenge is generated by the server using public key which can be decrypted only by private key on the device. Here Asymmetric encryption is used to authenticate like initial handshake of TLS

No message-level encryption is used in FIDO standards. Instead *signatures* are used. Private keys sign challenges and relying parties (websites) validate signatures using the pre-registered public key.

the explanation is theoretically correct, message encrypted by private key do require public key to decrypt. Your concern might be that in most case the message to be encrypted is a unique value, or digital signature for proofing the identity of the key owner, and not for encrypting secret. But in the video it is to respond to the challenge from the server, and it does no harm for anyone to know who you are (decrypt with public key) since you proof it without revealing your private key, which is still a suitable use case.

The flow is right, but at that step the message is signed rather than "encrypted" . Only the correct sender with access to that private key could sign the message. Anyone with the public key can verify the message. However, the reason for the step is to verify that the message originated from the correct sender, so it is fine if anyone with the public key can verify that. Noe that the unencrypted challenge originally sent by the server is generally also required for this verification step to occur, and that is not available to third parties outside the client / server.

You can verify someone knows a secret that is known by both parties. In this case the challenge is the shared knowledge. It is encrypted with the user’s private key. The server knows both the challenge and the public key, so it could verify the contents of the response.

If only it were true … 😂 kzbin.info/www/bejne/gpXRe6KKaq6Khq8

Are you sure the video wasn’t mirrored afterwards?

And he also wrote with his left hand being a righthanded person! Fantastic!!!

I wish … kzbin.info/www/bejne/gpXRe6KKaq6Khq8

Thanks for the kind complements but I have to admit I’m not that skilled kzbin.info/www/bejne/gpXRe6KKaq6Khq8

My thought is the video was reversed so he did not have to write backwards.

In fact, both of them already support it today, along with many other web sites

@@jeffcrume and it is called sign in with passkey right?

Yes, TLS/SSL will handle this

It really is much easier to use than passwords

@@jeffcrume agree sir, and thanks for this comprehensive explaination

Encryption and decryption can happen with either the public or private key in asymmetric cryptography

Something encrypted with the private key can only be decrypted with the public key. You *can* decrypt with the public key.

Yes, there are unique passkeys for each site, just as there should be with passwords (although, rarely is this the case since most people don’t even know what a password manager even is)

The passkey has an integrated private key and derivate a private/pub key based on the domain name.

Tell that to a guy that lost 25 Bitcoins because he was stupid and kept seed phrase protected by password manager. Password managers can be hacked,i never heard of,for example Yubikey to be hacked or bypassed in some way.

In practice probably little difference, but there is a technical difference with a challenge-response protocol and a password. Password manager + random passwords for each site seems plenty good.

@@gblargg What you're missing in that equation is the phishing resistance built into browsers with WebAuthn, that does not exist with password or password+OTP or push authentication systems.

Thank you for the kind words!

Both PUB and PVT keys can be used to encrypt or decrypt. Whatever you do with one can only be undone with the other and vice versa

@@jeffcrume Interesting, could you share a reference source that I can refer to?

@@toandv33What do you think "signing" is? Signing is encrypting, its just terminology. The entire point of public key crypto is that you can manipulate data with one key and only the other key can undo the manipulation. Call the manipulation whatever you want, a rose by any other name...

It depends on which public key algorithm is used: RSA (named after its inventors Rivest, Shavir and Adelman) has the feature described in the video. What is encrypted with the private key, can be decrypted with the public key, and this is used for electronic signatures or a challenge-response-authentication-scheme like that of FIDO. What's encrypted with the public key, can be decrypted with the private key, and that is used to send secret messages. But there is another family of public key algorithms called Diffie-Hellman-Key-Exchange and Digital Signature algorithm (DSA). Most often it is used with so called elliptic curve cryptography, the difference is way too much math to explain here, the technical advantage of EC-based algorithms is that the keys can be very much shorter and thus all calculations very much faster with the same level of security. The EC-variants of the algorithms mentioned above are ECDH (Elliptic Curve Diffie Hellman Key Agreement) and ECDSA, and although the same set of public and private keys is used for both, the math of both algorithms is anything else but symmetric like RSA is. E.g. in ECDH nothing gets encrypted, it is a scheme to generate a key for a symmetric encryption algorithm known at both ends of the communication, without the need to transmit this key or any other secret from one side to the other. With FIDO2, both algorithm types may be used. However, EC-cryptography has become very popular these days due to various advantages over RSA. So most likely a passkey implementation will use EC-keys and ECDSA to do passkeys.

Sorry but I don't get the idea either. If someone encrypts something with public key only I can decrypt it so this is understandable. On the other hand if I encrypt something with secret key and send it over to someone else and a third guy intercepts and he also has my public key right, becsue this is a public key what is the point of this kind of encryption.

I’m glad you liked it. Yes, there is no such thing as absolute security but this is a dramatic improvement IMHO. We will never eliminate all risk, but if we can lower the risk while making the system more usable, that’s a double win

Excellent point. And concisely boils down the main concept

> What if you want to log into a service from somebody else' device? That's a limitation of FIDO, If you want to access your account from a different device, you would need to register each device separately. >The only difference between a password and a private key is that of characters in the string. A private key is huge, a password is typically small. Thats it! You're mixing up passwords and pass-keys. They're conceptually different. I'll list down two main points on how they are different #1. passwords are transmitted over a network, while the private key never leaves your device. #2. passwords are usually single-factor authentication (unless you're using Authy.. etc), the private key (something you have) is often protected by an additional layer like a PIN or biometric data (something you know or are).

The passkey changes with each login. That’s a big difference over passwords

Assertions in this statement are not true. Cross-device authentication (aka hybrid) can be used to bootstrap a new device from a mobile phone that acts as an authenticator. That was not described in this video. Also WebAuthn offers phishing protection, which is completely unrelated to the entropy of the secrets involved.

Last I checked, Google, Apple, Microsoft and Meta/Facebook are just a few examples and those are huge

That’s pretty much my target demographic with these videos 😂

@@jeffcrume I'm not sure if it's a joke or an insult. But both are funny. :)

So glad you liked it!

I have the same question!

Exactly similar query

yes but what if I have not any other device, or lost access to them... my digital identity de facto becoming phisical again, but nt me as a person... another device... from a digital twin to a physical twin... ie back to a physical key? philosophising... but net net: I need to enter in my bank account from my brother PC because I have no other way to do that... my pw or passkey is known only by a system which I can't access anymore, or better it cannot recognise me anymore @@jeffcrume thanks anyway for you videos... the best ever seen in 30 years. If you stop by Rome please pay us a visit in our cyber academy

You’re focusing on a confidentiality use case. This is about authentication. The only thing that needs to be secret is the private key

It isn't he opposite, the hardware key has a private key that is derivated with the domain name. You can register a hardware key with a unlimited amount of website, no need for more memory on the hardware key.

HTTPS isn't covered here, and would have happened first. That's where the server proves who they are by sending their own public key, etc. etc. to get a symmetric session key. Then we need to let the user prove to the server over an already encrypted connection who they are. So... That's why it seems a bit loose -- there's an implied wrapper that he didn't talk about. (edit -- the reason we need to encrypt inside an encrypted connection is in case of my VPN provider or ISP being hacked, they might have set up a secure tunnel already, then set up a different secure tunnel with the user. The FIDO layer breaks this and is covered briefly as "resistant to replay attacks")

Similar but SSH secures the entire session - FIDO is just focused on authentication

You need a your phone or physical key (like a yubico key) to authenticate

Or losing the phone.

@@jeffcrume I respect your answer. Is that something a grandmother can do? What about a shared device?

​@@CreachterZif you share your phone that's your problem

Please see the pinned comment at the top

Thanks for saying so!

that's where the MFA like Fingerprint and Face recognition comes into picture

Exactly! A biometric (something you are) combined with something you have (the phone) is likely to be stronger than a user-selected password

There's another question. If your device gets stolen, MFA solves the problem of the thief impersonating you. How do you handle the fact that without your device (which the thief has) you're now locked out of everything?

​@@hardlygamaliel455when you register, you are asked to register at least 2 key. So you can login with the other key, unenroll the lost one and enroll new key to replace the lost one.

Most platforms sync your passkeys. So if you have access to another device of the same platform then it should sync there. If you lose all your devices, you’ll need to fall back to offline recovery methods if the platform supports it.

Then you would have separate passkeys for each, just like with passwords

You’re probably in the small percentage of the population who actually does this. Most just use the same guessable password on everything

Some password managers like Bitwarden also support storing passkey.

Except those managers get hacked rather frequently. And there's still a boatload of not terribly secure passwords floating around. The best password autogenerated by Safari or Google is still weak sauce compared to actual cryptographic keys.

@@jeffcrume did that really ever cause you a problem? Obviously, I'm not everyone, but since I came up with a simple password when I was a kid in 2012, I've always used it everywhere. I never understood this security craze, like everyone is a millionaire or something. what really pissed me off was the constant emails to the mail because "we didn't recognize your device" As if I gave permission for this kind of security. And in general this FIDO looks like we still have 2 passwords, only they are generated by the server. And if we're talking about a single device, then you could always just save the passwords.

there are also methods you can use to know all of your passwords my only remembering a master password, that you dont need any external assistance with and it can all be stored inside your head.

You’re very welcome!

Please see the pinned comment

Yep, they keep trying to change something that is perfect .. atleast it's the best we can get.

What if you died on the street and you have bitcoin wallet locked with a password? This way I can have your bitcoins and they are not lost forever

Not being able to remember a hundred or more unique 20-character random strings, is a ME problem???

Good luck with staying safe from phishing then... passwords offer zero protection for that, and its both the most common, and most expensive initial attack vector for breaches.

​@@nullx2368"perfect" yea definitely.

You’re right in saying the technology to do this isn’t new but it’s only recently that this is being rolled out in a significant way across web sites that lots of people use so most aren’t aware of it yet

There’s not a need for something you know if what you are and have can provide equal (or better) proof

@jeffcrume the problem is that what you are isn't safe from being cloned. E.g. fingerprints, face recognition, iris scanning, etc. There are lots of examples of partners, kids, etc holding an iPhone up to the owner's face to unlock it. That's essentially saying all these other individuals are authorized to their accounts.

FIDO has what is called a UV (user verification) requirement. Authenticators are supposed to require users to authenticate to use them. This is only between the human and the authenticator. Some authenticators (like phones and certain models of hardware security keys) offer local biometric authentication, others use a PIN.

@@sbweeden so they are punting and moving the point of trust. I don't necessarily agree with this security model.

Take a look at the follow up video I did on this (search the channel since I can’t add the link here, unfortunately). The short answer is that these can be synced with a password manager

I wish I could … kzbin.info/www/bejne/gpXRe6KKaq6Khq8

quite nice how they do such videos, write on a glass pane and then during editing flip the video

RSA is the most common asymmetric algorithm but it’s just that - an algorithm. You need a protocol to fill in the blanks on how it will be used such as TLS/SSL, FIDO, etc. for a specific use case. There is no issue with revealing public keys. That’s why they are called “public”

Actually, I would highly advise against this scenario. If you don’t control the system you’re using, you should assume that that everything you type of the keyboard is public information since keystroke logging malware could be installed

You use your device that has Bluetooth and a camera on it to scan a QR code that the internet cafe computer shows to you when you want to use a passkey to log in. In some cases, you might not need a camera. Or you can use a physical security key like a Yubikey or Titan Security Key, as long as they have your passkeys on them. No password is required when you use those things. You're only required to have your device that has the passkeys stored on it and unlock the device. Or have a device that has a password manager installed that stores the passkeys you need to use to log in, and unlock your password manager. Online password managers like Bitwarden and 1Password can sync passkeys across your devices. Offline password managers like KeePass are safer, but less convenient than their online counterparts.

If you absolutely have to, passkeys support hybrid which means that you can scan a QR code on the computer that doesn’t have a passkey with a phone that does have a passkey. That establishes a Bluetooth connection between the two and allows you to use your phone passkey to log in. But yeah don’t sign into an Internet cafe in general

With your phone authorization 🤡

Please see my response to this same question previously in the comments

I’m really glad you liked the video! Good questions: 1) FIDO2, the newest version, adds some capabilities that I think have gotten many off the fence but the bottom line is that vendors, web site operators, etc., typically need a business justification for such changes and it has taken a while for them to realize just how messed up the password-based system was - inertia is a tough thing to overcome. 2) We will never get rid of all social engineering attacks but this technology certainly helps with the ones that are focused on stealing passwords (which won’t exist to be stolen), but attackers will more on to other forms or social engineering. 3) FIDO is for end user authentication, as far as I know. 4) It’s really not a good idea to logon from a device you don’t control in the first place. There could be a keystroke logger installed that would capture sensitive information

Hey, I think you can login through a system with which you might not have registered by possessing the device you registered with. For eg. You want to log in to your computer and you have setup your passkey on phone, you can absolutely do that! You just have to have your phone around when doing so.

Don't worry. Cybercrime will evolve, for example, to the implantation of nanobots to steal neural information or to control a person's nervous system. Strange times are coming.

It also isn't much help agaisnt MITM, mind you neither are passwords

FIDO wasn’t popular because the users controlled the keys. Now that the capitalists can store & sync your keys behind their servers via passkeys, they will start pushing it to appease law enforcement with the backdoor to your accounts by handing over your keys when asked.

"clear window technology" aka glass and pen 🎉

Thanks so much for the kind complements! kzbin.info/www/bejne/gpXRe6KKaq6Khq8

Please see the pinned comment at the top

@@jeffcrume already read it man, im just listing the possible risks from it 😞

As long as a password exists, it can be phished, cracked or stolen. FIDO reduces all those risks substantially and reduces the size of the attack surface by removing the need to keep a secret on the server side

Not necessarily … even if your phone is stolen, if you’ve chosen a strong password and/or biometric, they won’t be able to unlock your private key

Please see the pinned comment

A SIM swap wouldn’t help the attacker in this case because the private key is still stored on the authorized user’s device

@@jeffcrume From what I understand, the attacker had access to the client's email address. But, the attacker didn't have access to the private key, which was on the smartphone. The SIM swap allowed the attacker to spoof the identity of the client. The attacker called customer service, claiming that they no longer had access to the private key. Instructions were sent to make a new private key.

Yep. Either this system leaves you out of luck if your hardware device with the key fails, or it provides a recovery method, which uses traditional passwords or recovery questions and an email address, and thus can be hacked using the usual methods. The phishing site just presents an error when they try to use their hardware device, and ask the user to recover the key using their secret questions.

​@@posthocpriorTHANK YOU! I'd assumed it was again down to faking it past a human trying to be helpful.

This is why FIDO isn't the default login method to your bank. Phones are not good candidates for storing private keys in any way shape or form. We don't have a good answer for balancing security against the desire of people to carry their entire net worth around in a shiny device with an Apple on the back.

You can’t. The user’s device would need to do this. Fortunately, the user doesn’t have to deal with this as it’s done by the FIDO supported device. But this is really no different from a service provider perspective than with passwords. In both cases you are dependent on the user side to do its job correctly

😂 I only wish I was that capable … kzbin.info/www/bejne/gpXRe6KKaq6Khq8

You wouldn't really need to. You can write as normal then in post production apply a filter to reverse the direction.

I would argue that this is far easier because there is no password to remember

System has been around for decades. Issue is not public adoption, but lack of cohesive browser API for developers. Also for loosing the device, you can store encrypted private keys on a cloud/ private server if you are comfortable.then you would still need a password, albeit just one

The difference is that with public key cryptography you can use just one key for every website without trusting the server to store your credentials securely. Sure if every website I use has good security practices they will never store my password in plain text. But if any of them ever screw up, that password is exposed, so I'm forced to use a unique password everywhere if I don't want a vulnerability on one server affecting other accounts. That's just not an issue with public key cryptography, because the private key never gets shared at all. That's why new credit cards use chips with public key cryptography, which is more secure than swiping the magnetic strip.

I don't think you understood what it was I was saying. You can use the same key and the same username and password at every website. The browser takes, for example, the URL of the website and utilizes that as a source of entropy to mix the key for that specific site. Every site will see a unique set of credentials and never even know what the plaintext username and password actually are. Even if it's plaintext stored by mistake or otherwise at the server, it's already an encrypted version of your password and username before it even gets there so it just doesn't matter.

Weakest password with strongest hashing algorith still can be guessed with brute force😂

​@@telaferrum on the other side of that, its easy to mishandle a private key and lose access permanently. Especially if you are an individual that doesn't have organizational key management. the middle ground would be a key extension protocol that can generate a keypair from a large but memorable password. The generated key is possibly less secure than a high entropy random key but it does not have the downside of being weak to forgetfulness and physical theft. Yes, you can create backups. But now you have to manage the security of those backups too, and the majority of users would be back in the situation that is effectively 'passwords on a sticky note on my monitor'. A little security and idiot-proof access is often the perfect compromise.

@ra6160 A password that has been encrypted is not even remotely the same as a password that is hashed. A weak hashed password can be brute forced and often cracked with a look-up table. A weak password that is encrypted cannot, unless you're using encryption from 1978 lol.

Similar but without the securing the entire session - just authentication

Good luck 😂

I like it too!😊

It's typically called a lightboard. You need to use the specialized hardware and to mirror the video before publishing.

Indeed, see ibm.biz/write-backwards for more.

If you lose your phone, traditional account recovery mechanisms are still possible (answers to “secret” questions, etc.) to generate new passkeys after proving your identity or passkeys can be synced across devices, in some cases

kzbin.info/www/bejne/gpXRe6KKaq6Khq8 😊

I unlock my mobile phone without a password all the time - face recognition

The real difference though is that shared secret is between the human and the device, NOT the human and the server, which in turn means that attacks against it are not remotely scalable.

@@jeffcrume I'm guessing your mobile phone also has a PIN you can type in to unlock it as well. Just in case face recognition fails. Or if it's been awhile since you last typed it in.

Similar but a password can be reused. A passkey is one time only so less vulnerable over time

Glad you liked it! Sort of, but the device is secured with a biometric so there is still authentication and at a level that far surpasses what most self-chosen passwords would be. Please take a look at the pinned comment at the top regarding your other points

The keys are “randomly” generated (to the extent you can do anything random on a deterministic finite state machine) on the user’s device and are accessed through strong authentication of the user to the device

Hardware keys must have to possibility to create clones. If the key is damaged or lost I want to be able to just continue using a clone instead of losing everything.

If you take care of your grandma's online things. And she should also have access to these services. As an example, access to your bank account, the easiest way would be to use a hardware key for your access (FIDO2 Security Key) and her iPad, smartphone, laptop or computer for your grandma's access. Just like you do with the apartment key. And if you want to do it for many protégés, then either have one hardware key for everyone or, better yet, a separate key for each one that you attach to the key ring.

I would say that passwords are far more crackable

A cybersecurity breach wouldn’t matter in this case since all the attacker gets access to are public keys and those are public so it doesn’t matter if the attacker can see them. The main benefit here is unphishability.

@actisenergy Tell me you didn't understand it, without telling me you didn't understand it.

just get your bar code tattoo already @@jeffcrume

With the user’s PUBLIC key

@@jeffcrume so anyone with the public key can decrypt the response? If yes then won't that be an easy way for replay attacks?

Please see the pinned comment

Depends on how the compromise occurs. Typically these passkeys are stored in a secure computing chip so that access is not easy. That said, if someone gets complete control (including possession) of your unlocked device, then this would be the same risk as we have today with password managers or (worse) password filled flat files or spreadsheets

Signatures are used in FIDO for message level validation, not encryption. I believe Jeff may have been using poetic license to simplify crypto-stuff for not-so-technical viewers into just encryption paradigms, but signatures are what it's really all about.

You missed the part where the device/client uses the private key to decrypt the challenge from the server (which the server encrypted with the corresponding public key), reads the unencrypted challenge then re-encrypts the challenge (or something proving the client read the unencrypted challenge) using the private key and sends that as a response to the server, which the server can use (decrypt with public key) to confirm that the client was able to decrypt/read the challenge. In particular, you missed the first part of step 3, where the device/client encrypts the challenge response, using the private key.

That’s not what’s happening. Passwords are replaced by much stronger passkeys which are then protected far better than just putting them in a file

First they are not passwords 🤡 Second they are stored in TPM chip of your device

Similar but not exactly the same. A variation that only deals with authentication and not confidentiality of the entire session

@@jeffcrume thank you for your prompt response. At least the concepts are pretty similar, so we can think of it like an analogy.

@IBMTechnology

Public keys should be signed by a trusted third party. Verifying the digital signature would expose that the MITM is not who you intend to be communicating with. kzbin.info/www/bejne/ZpTXkqdsh6elfNEsi=ld38U222TeXe5VIX

I had the same concern...

I think the interpretation here is that the public key is the user identity. No public key infrastructure or verification that your name is actually Alice, if your real name is Bob. They correlate your key to your real identity via fingerprinting or third-party channels.

The TLS channel is standard web https connection. Midm is almost impossible because you need a certificate of your domain name registered with a CA . It follow also the registered dns CA authorities or pinned CA... To impersonate you would need to hack the user's DNS server/connection and be able to register the impersonate domain name with a rogue CA authorities (very unlikely those days)

What do you mean by brute forcing the server? The public key, uname, and resp are perfectly okay to be known by anyone. The purpose of the challenge and response is for the server to verify that the user *actually* has the private key. I guess the MitM can also verify that the user is correct, but how does that help them at all? That's not useful information to an attacker. The point is, nothing that an attacker could ever use maliciously is sent anywhere.

Similar but not identical. SSH supports passwords, certificates, etc.

marketing ;D

Please see the pinned comment

The PUBLIC key is PUBLIC. No one has to steal it. It’s PUBLIC

​@@jeffcrumeyea i know it's public, it's like saying your telephone number is public so no one have to steal it 😂. It's still personal data. What he meant is how the hacker can acquire the public key man😅 because everyone won't give public key voluntarily to some random guy. They have to "steal" it from the original website.

Thanks!

FIDO doesn’t use SMS (which can be intercepted). However, the passkey can be protected with a biometric (e.g., fingerprint). Not sure if they will be using FIDO or not, though, but since it’s an industry standard being used by most of the largest web site in the world, it would make sense for them to

In this case there is no password to steal and the passcode is never sent

Please see the pinned comment

I think the private exponent is used for both decryption, and signature generation, and the public exponent is used for both encryption and signature verification. The private key consists ot a modulus, private exponent, and public exponent, and the public key consists of a modulus and public exponent.

It depends on what you’re trying to accomplish. Encrypting with my private key proves it came from me. Encrypting with your public key proves only you can read it.

The challenge response is encrypted with the private key to prove that it came from the authorized user (who is the only one that has the private key)

Or he just mirrored the video

@@dmytrokovtun3561 seeesh you are right :D damn i'm stupid

​@@dmytrokovtun3561 Damn, you are right! His Watch on the right and pen in left! ( I'm left handed, and also using watch on a right wrist ). But I've got one more evidence - logo on t-shirt is on the right, usually it's on the left (99.9%).

Please see the pinned comment at the top

Remember that the private key is never sent out so the attacker never sees it

You wouldn't even be able to see your private key, and it would be some really long string of characters, not a short thing to reasonably paste into a website.

@@jeffcrumeyes, but for the system to work during authentication, a website would request the key wouldn't it?

​@@theelmagooNothing ever requests your private key. A server would request that you _sign_ something (e.g. a random challenge message) with your private key, which it can verify using your public key. The request is also signed with the server’s private key so your device can verify who’s asking for authentication, and the response is _encrypted_ using the server’s public key so only the originating server can verify your signature.

I was also intrigued by the board technique. I assume the video was shot from the other side then mirrored, and he’s not that proficient at writing backwards. The right hand watch would also be a clue that’s the case.

I’m glad you liked it. I actually don’t know where we got the board but there are many out there. Here’s how we make the videos … kzbin.info/www/bejne/gpXRe6KKaq6Khq8

@@Firethorne You're saying that is actually his _left_ hand/arm?! 😮😂

100% correct. I felt like I was the only person here thinking you're making it even worse. Put all eggs into one basket, and you crack them all at once.

The thief would still need to unlock the device and if you’ve done a good job of choosing a device password and have a good biometric, then you are still safe

FIDO is designed to mitigate the major remotely scalable attacks against todays current authentication systems, which are phishing (both credential phishing and session phishing from MITM), and credential stuffing (due to the problem with re-used passwords). User verification required to unlock the phone helps mitigate device theft (which is not remotely scalable) and synchronized passkeys help mitigate lost device scenarios.

yeeaa😂 the russian attacker will fly over to my country, break into my house and then steal my Mac. what a f*** great business model!