@sparklephoenix9743 5 months ago
Hello Leo, I liked your video explaining passkeys. You explained it very clearly. I have some questions concerning passkeys left, e.g. 1. Google may know that it's definitely me, but how do I know that it's Google asking? This is even worse with you saying passkeys might work in the background without me even knowing. Let's assume someone breaks into Google and steals my public key. Computers are able to ask my number thousands of times in seconds. With enough returned numbers they might be able to "assemble" my private key. 2. If a passkey is stored in my device: What happens if I change hardware or have a major operating system update or change my operating system on this device? After a major OS update my husband was in trouble. To what part of my device is this passkey linked? Hardware or software or both? 3. I use a password management tool and they do a lot of advertising for passkeys. I think it is a good idea concerning websites, but I won't change my master password to a passkey. If someone breaks into one of my devices, he will have access to my password management. My master password is only in my head. 4. I have a friend who is a mathematician. He told me, encryption is all based on large prime numbers. Of course there are infinite prime numbers, but the larger the more difficult to identify they are. So there might be "doubles" in the known and frequently used range of prime numbers. This is another gateway, a back entrance non-mathematicians never know and think about. What do you think about these questions, especially No 1? Kind Regards Sparkle_phoenix
@CRan-ei6co 4 months ago
1. For phishing and fake websites passkeys are such an improvement over passwords. For one they would need access to the public keys assuming these aren't even protected in another layer of encryption on the server's end but even with that it wouldn't work as passkeys are tied to the origin (website) so a fake website wouldn't be able to authorise this request. (I'm not sure to the extent at which this can be worked around, possibly a passkey API vulnerability for a browser allowing you to fake the origin but this may also be tied to specific secrets on that end such as public site certificate, etc). Keys stored on separate platforms like Apple, Android, etc. also use Bluetooth when signing in from let's say Windows which is another form of protection against phishing as the device needs to be physically in range for the authentication to be successful while also behind the extra layers of security your device offers like biometrics. 2. Passkeys can either be device bound or synced. For example, device bound passkeys can't be exported such as with Windows storing them in the TPM but can be lost by design, what you're probably looking for is synced passkeys like with Apple, passkeys are stored in iCloud Keychain which is synced between your devices as well as many password managers supporting synced passkeys. For most services, you can also set up multiple passkeys for other devices. 3. Some people like to store their passkeys and passwords in the same password manager together which can be good and bad but ideally if you have a master password and two factor for your password manager then you should be good especially if stored locally (which I believe all password managers that you use should be) just making sure you follow the 3-2-1 backup strategy so you don't lose access keeping encrypted backups of your databases, keys and 2FA backup codes. Furthermore, most password managers offer extensions so you can automatically sign in with the passkey (if they support it).
Adding onto the security, since the authentication with your private key is done locally and never leaves your device, it can't be intercepted because it's never transmitted and no third party will have access to it. 4. Some services so far have adopted the passkey standard greatly while others are still a bit of a hassle such as Google. Since passkeys are cryptographically signed and verified, these can be used to identify you so you don't even need to provide something for identification like a username or an email, you can just straight up use the passkey. Mathematically, yes a hash collision can happen where two inputs can produce the same output but statistically it's functionally "impossible" that the chances of it happening are pretty much zero.
@jeannehallock951 4 months ago
As your normal stupid users, I just went through this with my son. He factory reset his phone which wiped his passkeys making it impossible to get into his Google account (which he used for all of his college communication). Until learning about this technology about 2 days ago, I had no clue this is what happened. Safe maybe, but not "fool" proof if you have no idea that a passkey is automatically being set on your phone or that you are even setting up a passkey or what a passkey is. Nor would I call it less frustrating.
@VerticalBlank 3 months ago
Yeah I would only ever use passkeys with a password vault for this exact reason. Think of them like SSH keypairs.
@Henry-sv3wv 3 months ago
passkey is foobar
@pierres_blog 2 months ago
Even with passkeys, we should be noticing what the passkey reset procedure is for any given account. Usually it's by an email - which is simultaneously handy and horribly insecure.
@newlynsteve 9 months ago
I always learn something from your videos Leo. Your full explanations and gentle pacing really help in communicating your knowledge. Thank you. Steve (in UK)
@KarlBeeThree 8 months ago
Wow Leo, you've just opened a new door for me to check out and see what's in there for me. This sounds very intriguing. Thanks Leo!
@BrotherMichaeloftheCross 9 months ago
You make really good points, but Microsoft's system glitches now and again and they prompt you to sign in. It happens too often for me and I don't know why. It is possible for Microsoft themselves to fail and you might have to work a little to get signed in. If the time arrived when their system didn't work, I would be unable to sign in. The breakdown of systems you described is not very likely, but Microsoft itself is subject to frequent glitches that leave you stuck until they are satisfied you are who you say you are.
@Ultrajamz 6 months ago
If I understand, the real advantage I see, is just that passkeys are device specific. Is that always the case by definition? Also can they really replace passwords? Doesn’t the account need it anyways for the scenario of not having the original device anymore? Can’t malware get device info to allow it to be spoofed?
@askleonotenboom 6 months ago
Passwords are not needed, as long as there's a different way to authenticate -- like an email sent to the account of record, or a message sent to a phone.
@Ultrajamz 6 months ago
@@askleonotenboom I guess I am thinking of very critical items and odd situations. In another country, phone stolen, need to get into my email… can’t if it’s a passkey only. With a memorized password I have a chance. (Ignoring the hail mary of “question based password reset”)
@Ultrajamz 6 months ago
To add to that, it seems from what I see… we can’t export passkeys… meaning if I built up all this history of passkeys with Windows Hello (or whoever)… I’m pretty dang locked in… if they change policies or I don’t want Windows apps installed on my Linux box, or move to macOS… issues!
@askleonotenboom 6 months ago
I don't see how you're locked in at all. Basically you set up a passkey on a new device, or you can invalidate the passkey on the current device and set it up anew.
@Ultrajamz 6 months ago
@@askleonotenboom So say I have 30 passkeys for 30 websites with Windows Hello. I decide I don’t want Windows Hello anymore I want to use Bitwarden instead. I now need to 1 by 1 set this up all anew for each of the 30 sites because there is no “export/import” standard for the passkey… that friction is so high it may as well be lock-in, no?
@chrisluke2264 7 months ago
Question. First, nice job explaining things. You provide a lot of helpful information. Don’t you need/have a username and password to create an account on a website? So, even if you have a passkey, couldn’t someone use your username and password to sign in? Even if you set the default sign in to be a passkey? Or, if you don’t have your phone handy and want to sign in on a friend’s computer to check your email. What happens in that case? I think passkeys are a great idea but before I start using them I want to know the “what if” scenarios. And what do you do when you get a new phone? Thanks.
@askleonotenboom 7 months ago
Not necessarily. Services are moving to being passwordless. When you attempt to sign in the first time they authenticate you some other way, like an email to an alternate email address, or a text message, or a notification on an app.
@chrisluke2264 7 months ago
@@askleonotenboom Thanks for the info.
@C69hJc4 2 months ago
An absolutely killer video!!!! Great content as always. You break stuff down so simply and clearly. Thanks for the great content. Keep it coming!
@protectyourbusiness 5 months ago
Great video. I like how you talk about different attack vectors to have different levels of relevance and mitigations. It's crucial for people to understand the efficacy of security features like passkey.
@StijnHommes 8 months ago
16:00 Sending an email to an account and expecting someone to hit a link to login ignores that you should never click on links in an email. (and those emails often take not just a little while but more than 24 hours, or they simply never show up) 20:00 If I can't even use my password vault on a computer that doesn't have it installed, using it to store passkeys is not going to help me sign in, since you can't even practically type them. I still need to type in my password after opening my vault and keep my password storage offline.
@marcusaureliusf 5 months ago
What I'm worried about is this: now the same PIN that unlocks my device can unlock my accounts. So if you give your PIN to a family member to play some games or in case you're driving and you want somebody else to look something up on Google Maps (or, worst case scenario, if you need to give your PIN to a robber) they'll have access to everything. I think I'd miss the option to have at least two access levels to my stuff.
@CRan-ei6co 4 months ago
Yeah that seems to be one of the main concerns (especially revolving around biometric laws pertaining to breach of a person's device) however you can use third party solutions like password managers and store passkeys there behind a master password and forms of MFA, these aren't device bound and can be synced as well allowing you to share certain passkeys if needed or easily backup. These apps can also be installed on your mobile device however I prefer not to sync things in the cloud and keep everything local and backed up.
@skeletala 2 months ago
How about YubiKeys as a DB for your password manager? Every OS should have a PM and the passwords should be stored in a YubiKey or a normal USB key. 1. Password managers generate secure passwords 2. The passwords DB (YubiKey/USB stick) is the 2nd factor.
@GaryV-p3h 9 months ago
I would like to see sensitive data such as banking apps & websites protected by 2 factor biometrics, face ID plus fingerprint, making sure that it can only be me accessing these accounts.
@askleonotenboom 9 months ago
That's in a sense what Passkeys provide. If you have biometrics support on your device, that's how you unlock it so a passkey can be used.
@Ck87JF 7 months ago
I think maybe they're suggesting that banks and other such places that store highly sensitive info often use SMS or email based 2FA which are far less secure than TOTP or Passkeys.
@Mattias1995 2 months ago
If I store my Passkey in a password manager, and that password manager is leaked (either through malware or hacking of the password manager vendor itself), doesn’t that mean the hacker has access to everything? Previously you would have passwords in the manager, and then say a 2FA code in another app or location, and that would require the hacker to hack both services, which is a lot less likely? Or am I missing something here?
@silvieb2024 3 days ago
Absolutely 💯%.
@steelpanther88 8 days ago
One thing that you always see in the CSI type TV shows: just lift your greasy fingerprint off from a jar of glass and input that to unlock fingerprint ID. So, if it really is that simple to bypass fingerprint ID (and fingerprints are not private secrets - unlike secret knowledge like passwords) then what's the real benefit? So the real scenario is that if you are using fingerprint ID and passkey and you are in an online cafe and Windows is locked, then if someone has "stolen" your fingerprint, they can just unlock everything?
@askleonotenboom 8 days ago
I'm not one to believe everything is as easy as they show on TV. Besides, you would have to be an EXPLICIT target for that scenario to even play out. Most of us just aren't that interesting.
@pbrigham 9 months ago
You forgot that also with passkeys, no more Phishing as the key will not work on a fake website.
@StijnHommes 8 months ago
Who cares. Hackers will find a way to use them on the real website that is the target anyway. You can spoof an IP, you can spoof your GPS location. It might take slightly more effort, but you can also spoof my identity.
@pbrigham 8 months ago
@@StijnHommes No, with a hardware key like Yubico the login is only possible with the key itself, no key, no login, it's that simple. But even more important than that, is that there is nothing to hack because the only thing stored is a public key that is completely useless, the private key is always in the hardware key itself in your possession.
@aerialdude 8 months ago
@@StijnHommes You are mistaken. With a passkey, a phishing site will only get your public key (not your private key). With only the public key, there is virtually no possibility that an attacker could reverse engineer your private key (which is what they would need to do in order to sign in to the real website).
@freescape08 8 months ago
I would have to better understand how the handshake works before changing to passkeys. Is the private key only ever on your device? Does your device do the comparison with the public key? (If so, couldn't the confirmation be spoofed to the server? And if not, couldn't someone pretend to be the server and request your private key?) Could someone spoof the public key after a data breach? I'm still not hearing the details.
@pbrigham 8 months ago
@@freescape08 You can have only the key on the device, but I don't use that, I use hardware YubiKeys (there are other brands but the principle is the same), my keys can NOT be copied or replicated in any shape or form, no YubiKey no login as simple as that, obviously I have several so I don't get locked out in case I lose one, I have configured them with a PIN also, wrong PIN 3 times and that YubiKey is blocked, security wise at the moment it is the best method on the market, period.
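Editor's added example (not from the video or from any commenter): a simplified model of the passkey sign-in exchange asked about in the thread above, showing why a stolen public key, a replayed response, or a look-alike site does not produce a valid login. It follows the WebAuthn assertion layout (signature over authenticator data plus the hash of the client data) but leaves out registration attestation and CBOR encoding; the host names and the suffix-based rpId check are constructed simplifications.

```javascript
// Added illustration. Host names are constructed; helper names are hypothetical.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator (phone, TPM, security key): keeps one private key per site (rpId).
function createAuthenticator() {
  const credentials = new Map(); // rpId -> { privateKey, signCount }
  return {
    register(rpId) {
      const { publicKey, privateKey } =
        nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      credentials.set(rpId, { privateKey, signCount: 0 });
      return publicKey; // the only key material the website ever receives
    },
    sign(rpId, clientDataJSON) {
      const cred = credentials.get(rpId);
      if (!cred) return null; // no passkey stored for this site
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++cred.signCount);
      // authData = SHA-256(rpId) (32 bytes) || flags (0x05: present + verified) || counter
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      const signature = nodeCrypto.sign('sha256', signed, cred.privateKey);
      return { authData, clientDataJSON, signature };
    },
  };
}

// Browser: writes the page's real origin into the signed data; the page cannot choose it.
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  // Simplified scoping rule: a page may only request a passkey for its own domain.
  if (host !== rpId && !host.endsWith('.' + rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  return authenticator.sign(rpId, clientDataJSON);
}

// Website: stores only the public key and does all of the checking.
function createServer(origin, rpId, publicKey) {
  const pending = new Set(); // challenges issued and not yet used
  let lastCount = 0;
  return {
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32);
      pending.add(challenge.toString('base64url'));
      return challenge;
    },
    verify(assertion) {
      if (!assertion) return 'no assertion';
      const client = JSON.parse(assertion.clientDataJSON.toString());
      if (client.type !== 'webauthn.get') return 'wrong type';
      if (!pending.delete(client.challenge)) return 'unknown or reused challenge';
      if (client.origin !== origin) return 'origin mismatch';
      if (!assertion.authData.subarray(0, 32).equals(sha256(rpId))) return 'rpId mismatch';
      if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
      const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
      if (!nodeCrypto.verify('sha256', signed, publicKey, assertion.signature)) {
        return 'bad signature';
      }
      const count = assertion.authData.readUInt32BE(33);
      if (count <= lastCount) return 'counter did not advance';
      lastCount = count;
      return 'ok';
    },
  };
}

function runScenarios() {
  const rpId = 'bank.example';
  const origin = 'https://login.bank.example';
  const phone = createAuthenticator();
  const server = createServer(origin, rpId, phone.register(rpId));

  // Normal sign-in, then the same response presented a second time.
  const good = browserGetAssertion(phone, origin, rpId, server.newChallenge());
  const login = server.verify(good);
  const replay = server.verify(good);

  // Look-alike page relays a genuine challenge; the browser will not release the passkey.
  const lookalike = 'https://login.bank-example.test';
  const phish = server.verify(browserGetAssertion(phone, lookalike, rpId, server.newChallenge()));

  // A party holding only the public key has to sign with some other private key.
  const other = createAuthenticator();
  other.register(rpId);
  const forged = server.verify(browserGetAssertion(other, origin, rpId, server.newChallenge()));

  return { login, replay, phish, forged };
}

console.log(runScenarios());
```

The private key is used only inside `sign`; the server's comparison is a signature verification against the stored public key, so nothing the server holds can be replayed as a login.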
@cmsathe666 8 months ago
Leo Sir, Scenario 3: Mobile owner created passkeys on the mobile, then if somebody creates his fingerprint clone or duplicate fingerprints then in that case, websites can be logged in with fake fingerprints with passkeys on it. Is it possible? Thanks 🙏
@askleonotenboom 8 months ago
Pretty extreme scenario that I don't worry about, but sure. Once you realize your phone is missing you can disable all the passkeys stored on it, though.
@Ck87JF 7 months ago
@@askleonotenboom To be fair, that may present a challenge. For example, if you're traveling with only your phone and your computer is hundreds of miles away, how do you access your Passkeys, passwords, or email? Sure, it's an edge case, but one I think about sometimes. I've run into cases where my phone dies while I'm away from other tech, then I inevitably need some kind of access for some reason, and I feel paralyzed.
@ma3xiu1 7 months ago
@@Ck87JF You can carry a physical security key (e.g. like a YubiKey) as a backup. They are small and light, and don't have any battery inside.
@Ck87JF 7 months ago
@@ma3xiu1 that's a good point. I have one! My cloud password manager's password is something I don't know, as it's stored in a local password manager on my laptop, but I just had an idea of using the yubikey to store its password.
@dav1dw 9 months ago
Can't the malware steal the cookies and get into the account even with passkeys?
@johnhpalmer6098 9 months ago
Cookies I don't think do anything with passwords. Cookies are what is used to track your movement inside the site and that data is aggregated and sold off to other marketers who then can try to get you to buy something that is similar to what you just browsed for. That's it as far as I know.
@Samy-ck8oo 9 months ago
Unfortunately if your session cookies are stolen, they can get access to your account specifically if you don't log out of the account after using it !!
@STONE69_ 8 months ago
@@Samy-ck8oo Exactly, keeping the account open at all times is how they are doing it nowadays.
@RC-1290 4 months ago
What I don't understand is why discussions about Passkeys never seem to compare them with Password + second factor authentication. It seems to me that passkeys mainly remove one factor: the password. How is that safer?
@MarshallLevin 9 months ago
Isn't your Windows Hello PIN now a single point of failure?
@askleonotenboom 9 months ago
Assuming you use the same PIN everywhere, it can be, yes. Hence biometrics is preferred. But the PIN can be different for every device/computer. (And Windows PINs can also be as complex as you like, much like a password, if you're concerned.)
@dannyjennings9656 2 months ago
Leo, how can my next of kin access my online accounts if they have access keys to login? As I understand, they have the option to use a password. But, how do they login if they have passkeys only? How will accounts be accessed after I am deceased? I have been organizing my files, accounts, login information for my wife and family after I pass. This is a serious concern of mine. Thanks.
@askleonotenboom 2 months ago
How 'bout this: askleo.com/passkeys-and-disaster-planning/
@mrscig2639 6 months ago
Hi Leo, My concern is when someone hits you over the head. You're now lying on the floor, and the thief holds your phone up to your face, and unlocks it. Now they have access to everything that you set up to allow Face ID to unlock.
@askleonotenboom 6 months ago
Do you hear of that happening often? I mean, other than in (fictional) television shows? It's not something I worry about.
@tablettablete186 5 months ago
@@askleonotenboom That actually happens in my country 😢
@somebodyoncetoldme2664 5 months ago
@@tablettablete186 You should probably be more concerned about your physical safety than securing your PH account LMAO
@JJ_in_Raleigh 4 months ago
I'm not sure the facial expression you would have while knocked out (e.g. eyes closed) would satisfy face ID.
@mikey4016 2 months ago
@@askleonotenboom The more these things become commonplace, the more those type of crimes will happen. And yes it's already happening all over the world.
@BigFarm_ah365 2 months ago
I've set up a bunch of Passkeys and as far as I know they have never worked between my desktop which has no biometrics and my phone which has a fingerprint scanner that takes up to 20 tries, but opens up dozens of apps when it's riding around in my pocket and says "no face detected" when I'm looking right at it. And how is my PIN more secure than a password, it's shorter with less entropy than a traditional password? And how are any password manager or vault safe against a Trojan. I've had all my passwords breached straight out of my 2FA password protected password manager. I went passwordless on Windows 10 immediately and every time I had a problem it would ask for a password. My managers all have multiple passwords saved even though I use autofill and tell the browser to update my password
@Romahotmetytky 6 months ago
How about the scenario when someone goes to an internet cafe and uses their PC to log in to a server? The private passkey is stored on that PC, right? Then if another person logs in they potentially can be authenticated to the same server?
@askleonotenboom 6 months ago
I don't see how, no.
@Romahotmetytky 6 months ago
@@askleonotenboom If your device, e.g. PC, has been bootstrapped already and you are logged in to Gmail. Then when you log out of Gmail and try to log back in how does it work? If you don't need a password etc. you just browse for Gmail and it logs you in automatically?
@Henry-sv3wv 3 months ago
I don't know how passkeys can be safe but big tech just want to protect us. We should use their cloud and let them send our PRIVATE keys around, they all have our best interest in mind!
@pierres_blog 2 months ago
Now that we have options to upgrade from passwords, it's password resetting that makes me nervous.
@itsmisterchris 6 months ago
What I don't understand is why systems don't have the ability to only be allowed from a device you authorized and added. Even if password got stolen then nobody else can log in.
@askleonotenboom 6 months ago
That's exactly what passkeys do.
@jvoldby 3 months ago
What is the difference between a password vault and a password manager? And if conceptually the same thing, would it not be easier to understand only mentioning a password manager?
@askleonotenboom 3 months ago
Same thing. Unfortunately both terms are used interchangeably throughout the industry.
@johnbaker2810 8 months ago
Am I right: once set up, passkeys switch the default task of identifying you to a local device, instead of piping your payload of info requesting authentication over the cloud. So if I set up a passkey PIN of 12345 on a Windows machine, by default that PIN works for me only on that device.
@askleonotenboom 8 months ago
That's my understanding, yes.
@johnbaker2810 8 months ago
@@askleonotenboom Thanks! Also, it seems my user account / password will still exist, so the benefit of passkeys is mostly the reduced incidence of keying and transmitting account names/pwds, because when keyed, they can be intercepted either on-device or in transit and used anywhere. But an intercepted passkey is useless beyond the device it was created on. Right?
@askleonotenboom 8 months ago
@@johnbaker2810 Yes, and even better, it's EXTREMELY difficult to intercept a passkey. (For one thing, that would require malware on your machine.)
@johnbaker2810 8 months ago
@@askleonotenboom Very good! Last question (for now): if my account name/password still exist, with all their foibles, what's to stop someone from logging in and removing my created passkeys, or even creating their own on my account? I guess I'm starting to think the userID/password remains the threat it always was...minus a reduced exposure surface.
@askleonotenboom 8 months ago
@@johnbaker2810 I expect this to be step one to a password-less future. No password, no password based threat. One thing you can do that gets you close is to make your password ridiculously long (since you'd never use it). Save it in your password vault, of course, but simply never use it. The huge thing Passkeys prevent is falling for many types of phishing attacks. No password to type means phishing has nothing to capture.
@jx5189 4 months ago
I think pure passwordless will not happen for the foreseeable future. Admins will always use passwords as a backup. What happens when the user loses the passkey or access to the passkey?
@libbyd1001 9 months ago
One of your best, thank you.
@albatross7 7 months ago
Passkeys should also be portable between different password managers. I don’t want to be held hostage by a service.
@Flexin010 6 months ago
They are. Bitwarden started using passkeys 😊
@albatross7 6 months ago
@@Flexin010 Can it be exported to other password managers like we do for passwords and notes?
@Flexin010 6 months ago
@@albatross7 Yes. I've tested LastPass and KeePassXC. They both can import/export vaults
@David.M. 9 months ago
Great information, thanks Leo.
@williamwilliams7706 9 months ago
If your phone is your passkey, is it vulnerable to SIM swapping?
@steves1749 9 months ago
Had my SIM swapped last week. And I’m diligent. Came out of nowhere.
@MaxPower-11 9 months ago
No. Passkeys are safe from SIM swapping as they are tied to the device, not the SIM.
@RohitKumar-qt1hr 6 months ago
Great explanation, Leo!
@verdedoodleduck 9 months ago
Thank you. The role of passkeys in the security ecosystem had never been really clear to me.
@chriscodrington5464 7 months ago
So should someone manage to crack Windows Hello, access to a myriad of passkeys would be accessible?
@Ck87JF 7 months ago
Windows Hello face recognition has been cracked insofar as someone with a very specific intent to access your computer can take a picture of you, convert it into a special type of image, and use some specialized hardware to trick your computer that a new webcam has been plugged in and that you're sitting in front of the computer. But this is a very targeted attack vs one that can be launched across the world automatically, so it's less likely to occur. But yes, with this attack, whatever Passkeys that Hello is securing would be made available. You could instead secure Windows Hello with a security key like a Yubikey (and secure that with a strong PIN you've not used anywhere else).
@TomCarrollJr 8 months ago
According to Chat GPT / Gemini answers, Passkeys are designed with security in mind, and by default, there currently isn't a way for a surviving spouse/partner to access your data directly if you pass away. This is because passkeys rely on biometric authentication (like fingerprint or facial recognition) or a physical security key for verification. Any thoughts on that?
@askleonotenboom 8 months ago
Or a PIN, on Windows machines. Not sure what thought you'd want me to have? Disaster planning is important, and I have videos/articles on the topic. Passkeys don't alter that.
@Ck87JF 7 months ago
As Leo suggested, you want to plan these things with your partner. You can set up a password manager with shared access in which you store very long & complicated passwords for certain systems like email and banking. And then if you store Passkeys in them, that should get you in without needing biometrics. Windows Hello and other systems that do the back end authentication can usually take multiple fingerprints, so you could store prints from both of you. The backup Windows pin could be a long phrase like "apple zebra sander ketchup beach horse 385326$" that you store in the shared password manager so even if biometrics don't work, you can still access the computer.
@markd.9538 7 months ago
What happens when you drop your phone (with passkey) into a toilet and lose its contents completely?
@justinlloyd-jones1658 3 months ago
Great video Leo. Explaining the situation really well. I like that you also welcome challenges and it made it perfectly clear that there is no perfect system. Like risk in general, you can't get rid of it completely but you can try to reduce it.
@nigelogilvie9450 9 months ago
OK, Leo, I'm convinced. But how can I initiate this?
@johnhpalmer6098 9 months ago
One way, do a little research on how.
@askleonotenboom 9 months ago
Just check to see which of your services have it as an option. Google does, for example.
@mikepanchaud1 9 months ago
Eg Google log out and in, and it will offer pass key as an option. Or should be in account settings.
@nigelogilvie9450 9 months ago
@@johnhpalmer6098 Such as asking an expert who has just posted a YouTube video, you mean?
@nigelogilvie9450 9 months ago
@@mikepanchaud1 Thanks
@IsabelleIsabelle01 9 months ago
Is automatic password on Chrome considered pass vault? Can I use a key pass for it?
@CraigLong 8 months ago
Chrome can create a passkey for you that is only on your device.
@mitchellsmith4601 4 months ago
I think public key cryptography using your face or fingerprint for the private key is pretty close to perfection, Leo.
@mikey4016 2 months ago
Until you get injured and lose all access.
@thecatlady-n3n 7 months ago
Thank you for this Leo. You have a new sub here ❤ I so far have 2 passkey protected accounts. I was prompted to activate the passing so I think the platform you're using has to implement it. Maybe Meta should think about introducing a passkey log on for users.
@luckymapache 8 months ago
Thank you for your explanation. Now I'm confident enough to use a passkey.
@roobscoob47 6 months ago
Thanks, Leo!
@VanNguyen-bs5kw 4 months ago
Thanks for your explanation, Sir. 💟💟🎀🎀
@Flexin010 6 months ago
I like Bitwarden. If my device is stolen, I can log in from another computer and revoke and log out all devices.
@davidblack1923 8 months ago
Nice and how to administrate Passkeys for a company with 2000 People, so I don't have to configure each one of those manually?
@franciscohorna5542 9 months ago
Question: can a passkey be hacked?
@Samy-ck8oo 9 months ago
Bypassed by session cookies theft
@franciscohorna5542 9 months ago
@@Samy-ck8oo really
@MaxPower-11 9 months ago
@@Samy-ck8oo True. However, it’s important to note session cookie theft is a vulnerability that applies to just about every other form of secure authentication including password coupled with MFA using SMS-based or authentication app login.
@MaxPower-11 9 months ago
@@Samy-ck8oo yes, but so can practically any other form of secure authentication.
@askleonotenboom 9 months ago
Passkey itself cannot, no. (Well, yes, but it would take thousands of years of cryptographic analysis / brute force.)
@rustyrob 8 months ago
Do we still need 2FA with passkeys or can we turn it off?
@askleonotenboom 8 months ago
You still want it on.
@markallen8226 7 months ago
excellent, thank you.
@frankduxfan 8 months ago
I love passkey just not a lot of apps and sites don't use it yet
@DavidPereiraLima123 9 months ago
If you use password/passphrase vault (be it an extension for browser or desktop), it makes password less of a headache and can combo easily with passkeys. Setting it to clear clipboard after pasting where needed and combining with passkeys makes for solid security. Passkeys alone with traditional password usage (typing it) is very strong already.
@wmbriggz 2 months ago
I don’t understand this-- I have Windows laptop, Android phone, Chromebook, Kindle, Roku TV, iPad. During my day, I log into a couple of video apps…email accounts multiple times…. All… using no password-- or fingerprint….they are just on…..will I have to use a passkey each and every time I access one of these? That’s dozens of times a day…
@DaveYostCom 5 months ago
“Extremely unlikely” does not apply for a person who is a high value target.
@askleonotenboom 5 months ago
Which is generally not my viewers or readers.
@DaveYostCom 5 months ago
@@askleonotenboom How can you know? Most high value targets are not techies. And I think HVT is a very important concept that people need to know about. Some people who are not a HVT know one or more.
@benpennington7532 5 months ago
I don’t think one’s own passkey is sent to the service as you say. That’s the major feature that gives the improved security. I think you are misinformed and spreading that misinformation.
@askleonotenboom 5 months ago
Then I wasn't clear, because you are correct, passkeys are not sent. They are USED, cryptographically.
@johnwagoner2279 8 months ago
How can pass keys be made on Android devices?
@askleonotenboom 8 months ago
Depends on the service you want to use Passkeys with. Check with them.
@janem3575 4 months ago
Could you make a video on malware / anti virus protection?
@askleonotenboom 4 months ago
Like this? kzbin.info/www/bejne/m5S1gZmEbNBjsNk
@GaryV-p3h 9 months ago
Would there be a way of using them to authenticate emails, meaning they couldn't be faked/spoofed? I really hate spam emails & would really like to see a time when not only could they not be faked but also traceable back to whoever sent them, so I only receive them from genuine, identifiable sources. IMPO everyone using the internet should be 100% accountable for everything they say or do on it.
@askleonotenboom 9 months ago
There's already technology in place for email verification. No one's using it because it's too cumbersome. (Passkeys are related only in that they use cryptography as well, but they don't apply to email.)
@toby9999 4 months ago
Very interesting but it sadly went right over my head. This is an area of IT that I struggle to understand. This and pretty much everything related to how the web works... IPs, ports, end points, URLs, TCP, etc.
@stevenbliss989 7 months ago
I will NEVER sign to any service on my phone, NO BIG BROTHER FOR ME!!!!!!!!!!!!!!!!!!!!!!
@salmonsteve 2 months ago
How is that any different to signing in on your laptop?
@silvieb2024 3 days ago
Trust companies like Google with your passkeys???
@Meowski_2 8 months ago
I swear, if a combination lock had a voice it would sound like Leo 😂
@askleonotenboom 8 months ago
"Access Denied"
@Meowski_2 8 months ago
🤨 .... Better Ask Leo, to figure out why
@ninakim7282 6 months ago
GREAT.
@bme7491 5 months ago
I couldn't care less about Google or Microsoft. The real disaster is that almost every banking/financial institution website in the US doesn't offer passkey 2FA.
@askleonotenboom 5 months ago
Agreed. They should offer 2FA options beyond SMS ... and yet, here we are.
@mikey4016 2 months ago
More ways to get hacked. If you want your banking to be secure, don't use online banking and tell your bank that any attempts to set up online banking are fraudulent.
@StijnHommes 8 months ago
Passkeys can't be safe, but more importantly, they increase the risk of the account owner not being able to get in and that is a serious problem.
@askleonotenboom 8 months ago
This is incorrect. You will not lose access to your account if you lose your passkeys. See "Passkeys are never the only way in" in askleo.com/passkeys-and-disaster-planning/
@StijnHommes 8 months ago
@@askleonotenboom So the other ways in can get leaked as well. As long as there are recovery options, they will be abused, so effectively, it's no safer than using a PIN number on the account itself. And if the device carrying your passkey is ever lost, broken or stolen, you have to reauthenticate to all your accounts with the new device to get new passkeys. And that is skipping another important point, logging into Windows with a PIN is much, MUCH less secure than a well-chosen long and unique password, because a PIN has a much more limited character set that can easily be brute-forced. [and no, not every device has a camera or fingerprint scanner, and even if they do, those things can also break -- and we should have to leak biometrics to get into our accounts.]
@StijnHommes 8 months ago
@@askleonotenboom Let me be clear: if someone knows your Windows Hello PIN number and is thus able to unlock your PC, a passkey offers no additional protection because it opens with the EXACT same credentials. The passkey itself might be entirely unique, but it is sent based on the exact same code you enter. Using a password means they need to know your Windows Hello PIN AND the password to the account they want to sign into. Two [different] steps is automatically more secure than one.
@CraigLong 8 months ago
@@askleonotenboom Can we keep the hacker from using those other methods of getting in? To use a less secure method it would be nice to use some authentication.
@Ck87JF 7 months ago
@@CraigLong Some sites allow you to disable some methods of authentication, but other sites are much less configurable.
@monza8844 9 months ago
It's not a good system when it takes 22 min to explain.
@mikepanchaud1 9 months ago
Not true. I set up my Google account with my finger print in a minute before I saw this video. I now feel secure and educated, having watched it!
@Kenionatus 3 months ago
Ideally, end users don't need to know how it works behind the scenes. It's already that way with session cookies and similar tokens.