Do you find yourself using passkeys or strong 2FA to secure your accounts? Leave a comment with your experience and if you don't already have a good 2FA key, get $5 off your next Yubikey purchase: www.allthingssecured.com/yubikey5off

Oh boy, that shirt isn't good for youtube's bitrate ^^

Thank you for covering this! I bought keys like a year ago and I honestly couldn't figure out if I was using it incorrectly. Almost no sites allow the key to be anything more than a backup since you essentially still need to log in how you previously had. I was really wondering if it was something I set up incorrectly. So relieved it's just awkward to use them in many places

As someone who just implemented Passkeys on the server side, the username part as mentioned in 6:12 is not actually required. The passkey when you first sign into the server sends a sha256 hash of the public key along with it. Every time you use a passkey, that same hash is sent back along with the challenge response. The server can use the hash for the user lookup (so it doesn't have to check your challenge against n number of users to find out who it actually belongs to) and then check the challenge against the public key as stored in the database. I offer my users a simple button that allows them to sign in to their account with just their passkey. No username is required, just physical control of the passkey device (be that a phone, tablet, computer, or Yubi / Titan security key.)

Passkeys are probably intended for people who have so far been using simple passwords, memorising them and using them on multiple websites. Using passkeys will mean a big jump in security for them. Those who use password managers for creating and saving long, random, unique passwords for each website along with 2FA won't gain much by using passkeys. I have created passkeys on a couple of websites out of curiosity but I still use passwords on those sites.

Note that Amazon and Google both use password protected hardware tokens (like Yubikeys) as their method of authenticating to internal systems. It takes some additional infrastructure, but it is very robust and resistant to many types of attacks. But the human behind the keyboard will probably always be the weakest link.

Thanks , on searching KZbin for Passkeys , this was the best video among all . Great content . Thanks

If a website login (such as the Amazon example here) allows the user to choose either password or passkey, then the passkey seems to add zero security. An attacker in possession of the password would simply choose that option.

I totally agree. I love having my account secured and I do have a security key in place for as many accounts as I can, but yet still have not activated passkey on any of my accounts I feel the same way about passkey going to continue using what I’ve been using to me. I’m very happy with that.

So for security and safety, you should have two yubikeys, and a smart thing to do would be to have the second one stored off site, but since you have to have physical access to the spare key to be able to add it to your services, storing it off site becomes impossible.

Funny how a month after this video, a vulnerability in YubiKeys and other systems that use the Infineon library came to light.

Thanks for adding actual captions for the Deaf - and thanks for clear explaination

Thank you - very helpful. I was confused about the difference between physical and syncable passkeys and this is a good explanation.

I did a rant recently on Facebook , basically saying "what is a passkey and why should I trust Samsung to handle my authentication" I mistakenly assumed it was a string, similar to a session token or api key. Knowing it is asymmetric key is interesting and helpful. Thank you .

I have two yubico keys the issue i have is with banks, i can use the yubico key but they still allow for a code to be text to your phone as a second option. You can not disable that second option.

The title is very misleading. It seems that the message is: passkeys suck as a method in general, while in reality is the adoption and implementation that every company does that is up for debate. One example. The so much criticized Sony (Playstation), after many data breaches, is so far the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA.

EXCELLENT VIDEO!! Thank you.

you can use the yubikey as 2FA as well so you just use the key as a passkey then tap the key again to 2FA.

I wish banks took security seriously and gave us the option of hardware keys, banks 2FA are a joke, sad

also. These companies that have passkey support should also offer the user the ability to remove and delete the logging in with a username and PW. Defeats the purpose and security of passkeys if that old tech is still avail and could get hacked and stolen.

Thanks Josh, good to see someone discussing Passkeys in more depth. Here's what I'd like to know: 1. I note that I can turn off password and passkey sync'ing in my devices. In this case, I'd need to create a separate passkey for each device. Once that was done, wouldn't that be equivalent to having multiple yubikeys with separate passkeys? 2. Does the emergence of passkeys resident on devices threaten Yubico? Be interested to hear your thoughts.

This is an indictment of the websites that don’t know how to implement Passkeys well, not an indictment of Passkeys.

In amazon the passkey is just replacing the password but in Google and Microsoft they are replacing the 2nd auth 2FA as well.

Using a physical device for 2fa codes feels so cumbersome for logging in from mobile devices!

every criticism in this video is aimed at the implementation of passkeys, instead of passkeys as such. i think its a great technology and since i have implemented it in my identity provider my life has become so much easier, i can log in into all my services with a single PIN or fingerprint

This Was a really informative video thank you for sharing and education for the public

Passkeys are ZERO good as someone I know has died and the spouse wants to access the email as he was the only person set it up and knew of the passwords. No good asking him for a fingerprint or eye or anything really. Totally losing my mind over it, plus like everything else in life the older you get the less you can cope with technology and as we all know all big major companies are now putting bills online and I defy anyone who is old to try and teach an older person about what our generation has built up growing up with tech. I hope that makes sense.

I am quite in tune with security as I work on adjunct technologies. Passkeys are glorified randomly generated passwords for now. It require a few things that rooted in having password anyways. Passkeys need to be stored on major ecosystem platforms, or in password manager software. Current implementation and regulation on biometrics mean none of those are stored in the cloud, so if you ever try to provision a new device (that is the gate keeper for your passkeys), you will need to enter an account and password anyways. Those ecosystems or password manager serve as point of failure or attack point. Passkeys don't really solve most of these issues. The best and most flexible solution is to use a hardware device but not your phone or tablet.

One problem with the big providers is that they don't have tiered permissions. Let's take Google as an example. A username, a password and 2FA. It doesn't matter whether someone just wants to read emails or whether they want to change the password or delete the account. Of course it's unpleasant if someone reads my emails without authorization. But it's of vital interest whether I lose access to my emails - because they are often 2FA for another service. Separate permissions and different access restrictions would be very helpful here. If you lose your Android phone or it gets stolen and they know your pattern, you're lost.

glad i`m not stupid. i started to use passkeys and thought i might do something wrong. or i needed to change some settings, because all my accounts act just like the passkey is password ...

You didnˋt mention the most important thing and the reason why Iˋm not using passkeys at all. At least on my device, an S22 ultra, the passkeys asks for my fingerprint OR MY SMARTPHONE PIN. Thats completly absurd. Why would I swap a long and random password for an 8 digit pin? AND MORE, I live in a country (Brazil) thats possibile that someone would point a gun at me and ask for my pin, so sure, letˋs give the thief my device AND the password for all my passkeys. (!!!) Another possibility is someone being able to see me unlocking my device with the pin for some reason, something that also happens in the US. Until itˋs only possible to unlock with biometrics and not the deviceˋs pin, Iˋm out. Very unsafe.

Finally i understand....thank you so much! 😅 Greeetings from Austria. 🇦🇹

How were you able to autofill two-factor codes like that, that's super neat!

In my experience some financial service providers have already doing passkey with device binding.

I agree hardware tokens are the better concept. I use a bunch of yubikeys too. I don‘t use passkey at all because that concept does not really increase security, but could brings a lot more trouble in the game for users as you also mentioned in the video. And storing passkeys in a password manager is a bad idea, except you use one only for that purpose.

Concerning the point of some websites requiring you to enter email then use passkey instead of password only then require 2fa(amazon), this differes accross different services. So Some services actually have on the login page a button to click to sign in with passkey directly without requiring entering the email and if you have setup 2fa this first passkey will bypass the 2fa (Microsoft for example). Some other like Proton let you decide if you want to use passkey as a replacement to password only while still requiring the 2FA method (or vice versa according to your settings). So to summarize, the implementation of passkeys is different accross websites.

When you add a physical passkey to the sequence of other layers of password managers, 2FA authentication, etc, you are already complicating the log in process all over again. Which brings us back to Square One 😂, the good old password. Your secured access is only as good as the sentry you put at the gate, which is you and your memory or, the methodology in creating /maintaining a password. Every additional steps only add more vulnerable points to outside exploits.

Right on target sir. I looked into what services allow the use of passkeys and found that very few of my important and most important accounts have adopted passkeys. I’m staying with username/passwords, password manager with very random mixed (letters, numbers, special characters) greater that 15 character passwords, and two factor authentication where ever it’s offered. What you have described says that passkeys are a bigger pain in the but than what I use now. Not very encouraging.

Is it my computer or is there a weird framerate in some parts of the video?

Educational as always. Thank you!

It’s still to be proven whether there are any vulnerabilities to using passkeys stored in iCloud for instance. That is if your iCloud account is encrypted. I can’t see any way for your login credentials to be compromised.

Passkeys are new IPv6

If I have set up multiple YubiKeys for an account, should I then disable the use of SMS 2FA?

I do use Yubikeys, as a passkey and 2FA where I can, but also like the convenience of using my phone or laptop as the device sometimes instead of my Yubikey (not saving in iCloud Keychain or Google Password Manager). Where would you place the security of using your phone or laptop as the device vs. a Yubikey in the scheme of things?

Good quality content. I agree with your view on passkeys. The quality of your video is not that great. Very often it looks like it's missing frames. Maybe it a result of how the overlay graphics are rendered!?

If one of the principal motives for introducing passkeys is to eliminate the ability of wrongdoers to obtain our passwords by breaking into websites we use and/or buy stolen passwords on the dark web, then what is the point of websites not giving us the option to remove our user name and password after creating a working passkey into the site? It seems like an exercise in futility the way it is presently set up. This paradox substantially contributes to the slow adoption rate of passkeys by users, in my opinion. As things now stand, taking the time to set up passkeys wherever available, as I have done, feels more like a parlor game than a successful step to beef up our security. Or perhaps a sales argument for hardware keys instead of passkeys? Or simply, the biometrics option already available on most computers and phones?

I am trying to change my Google Passkey to a Yubikey. It looks like Google will not let me. What do you suggest?

here in Italy there are no BANK accepting authentication via ubkey or other similar producs... wondering why

Getting password manager and a couple of hardware keys has completely changed my life. I never need to remember a username or password ever again (except for work stuff)

Passkeys are great, but the way they are adopted is…horrible. I tried to use passkeys at Discord and ended up with passkeys used as a…well…third factor of authentication. This is definitely not the way how this should be implemented.

What is teh difference between Yubikey 5c and Yubikey 5c NFC ?

I believe Syncable passkeys, stored in a centralized password manager as a secure modern day replacement to the „sign in with google“ button. I just don’t like how some platforms have weird implementations that appear to try to use them for lock-in to their own password managers. Looking at you Apple.

2:05 im not a fan of security keys or any other physical device that gives permissions. only secure place for a private key or its seed is your mind, with an external signing device

Thanks, I am trying to change my Google Passkey to a Yubikey. Google has made it difficult and still not able to change my Google Passkey to a Yubikey. Any suggestions.

Nice Lego Globe my guy!

The biggest issue is those accounts that people think are not important and have weak security on. The hackers get into these accounts easily still your identity get the answers to all your security questions and then use this information to get into all your other accounts and reset your passwords and get past your past keys.

Tracking passkeys is an interesting thought experiment.

Until there is a standard and easier portability I'm only using my hardware keys as a 2FA method. Once all places allow me to store my passkeys in Bitwarden and use that as my Passkey everywhere and not just select sites then I'm not interested in Passkey. The other thing I don't like is not being able to turn off account recovery for Passkeys or Hardware keys because then it just lowers the security if someone gains access to your email or SIM-jack's your phone.

So, if I create a passkey in 1Password, then isn’t my passkey behind the same master password/2FA as the rest of my passwords?

What if you lose it?

If you are in the United States ALWAYS use a password as an obligatory factor in a logon process, no matter how many other factors you use. The government can compel you unlock a device with a fingerprint or a face but they can’t make you utter a password. My opinion says that you have a Fourth Amendment right to be secure in your person and a Fifth Amendment right to refrain from incriminating yourself but every court says otherwise.

a yubikey is a passkey, right? im not sure if i understand this correctly.

Passkey Does replace 2FA. As for whether it replaces typing in a Username or not.. I would say the End User should have control over whether the website will be registered on their FIDO2 token as a RESIDENT key. If it's a Resident key, then the website should be able to Prompt the user to PICK from a list which account they want to use. There is no requirement to prompt for a Username, but it's a design decision by the website operator. I don't understand why Amazon still prompt for it after a Passkey is supplied either. They should at LEAST make it an option to skip 2-step Login only when a Passkey is used.

I had set up passkeys wherever I could. But, long story short, I've backed off on that. When the dust settled, I'm back to using Yubikey's OTP, and Bitwarden's TOTP for 2fa. For me, Passkeys are too wonkie right now. Maybe one day when they gain more uniformity in implementation and scale?

What’s the 2FA app that you use? I’d like to move away from Authy.

What happens if you lose the Yubikey?

Yubikey looks cool but I like the idea of the onlykey for storing soecial passwords. Can anyone tell me if the onlykey has problems I should be aware of?

How is a pin different from or more secure than a password? I don’t get it.

1:10 Nope! Passwords hash are stored by server and not plain password. This has been a practice by most companies for over a decade.

Amazing video Josh - thank you for your work 🙌🏽

just to be curious, what be your daily work?

All fun and games until you lose your passkey XD I have one old MMO game I played that eventually required a mobile app to sell items in the in-game shop. It's tied to the physical phone you set it up with. Essentially a single device 2FA. I no longer have that phone, so there's no way I'll ever be able to use the player shops in that game again. It took MONTHS for the game's support team to respond to my ticket. By then I was long gone. Sometimes being 'too' secure just locks the end user out all together. It's fine to replace old methods with new ones, but companies better make DAMNED sure the new methods are as easy to use and RECOVER as the old methods.

Who wants to carry around a usb passkey all the time? This is not practical.

This was actually a really good presentation. Unfortunately I saw what looked like a click-bait title so almost didn't watch it. Indeed it took it a couple more times popping up on my suggestions before I was tempted in. I'm glad I was, and am not following you 🙂

How do you use those physical keys when accessing websites from a phone or tablet without a USB port?

2:32…*this is a very simplified way to explain passkeys. The actual authentication process is much more complicated.

Do Yubikeys work across different devices? I would want one key I can use on my PC laptop, google phone and tablet. Good video, thanks

How would I use a key like Yubikey to log onto sites on my mobile devices?

They’ve managed to make this as complicated and confusing and convoluted as using PGP, which went absolutely nowhere in the consumer space.

This is oriented towards human users. The challenge is in using APIs and connecting devices that operate on our behalf. The worry is that this rolls us back to the days before people could write their own apps.

Funny how a guy in the 1960’s thought multiple people may want to use 1 device; but in 2024 Apple still doesn’t allow more than one user on IOS or IPadOS devices.

I use the passkey as the second factor to the password which I let the browser store.

Our (very large software) company forced all employees to "switch" to using passkeys. I got it set up, and if anything it's Less convenient than before. Now there are More steps for me to log in - and I generally need to use username/password anyway because either a)I have my laptop closed so no access to the power button on the Mac for thumbprint; or b)when I do try to use my thumbprint it doesn't work more than half the time and I have to revert to using username password anyway. - It's all just More headache than before, not less.

No. Apple has implemented this correctly. Using my Touch ID enabled MacBook, when I connect to an Apple site it pulls my passkey userid from my passwords keychain (which does NOT have to be an email or phone number), applies that and initiates the Passkey flow all in one step so the only thing I have to do to login is put my finger on the Touch ID button or present my face if logging in on my iPhone. The number of items I have to type-in drops from 3 (email, password, 2FA code) to zero!

Passkeys don't suck, it's the implementation that sucks (see passwordless SSH for how this should work). And whether it's in a password manager or a yubikey, if you can't disable other login methods, it's pointless to a threat actor. I've given up on passkeys, I just stick with a good password manager, strong passwords and 2FA. PSA: backup your 2FA codes!

Great video. But how is the "public key" aka "padlock" not private? Unlike a real padlock that can be seen by anyone in front of it, it has to be matched with the private key encrypted message - that seems pretty private to me. I think the terminalogy somewhat sucks. Its would be better called "key paddlock pair" authentication. Also no one seems to explain how a message is matched to its corresponding key or padlock? Are all keys or padlocks searched until one matches? This would be like me walking into an area of a 1,000 padlocked gargages and trying my key on each padlock until the key fits the padlock. I assume there is some kind of index, like a garage number, that helps speed up the matching process?

My question is what happens if you lose the phone or it is stolen or malfunctions? I also wonder what happens if the passkey gets compromised. Nothing is totally secure. Is it possible to change it to a new one? I am looking at getting a yubikey as i trust that further than passkeys. As far as passkey go, until I get a satisfactory answer to those questions, I will keep using my offline password manager and not jump on the passkey bandwagon.

Hey, thanks for sharing! I am wondering why a physical device like Yubikey is safer than the authenticator app on the smartphone. All in all, an authenticator app can also be protected by biometrics and developed so that it only keeps the passkey or secrets stored on the smartphone without any sharing across the network. Is it about the fact that smartphones can get malware or viruses and the security of individual apps (the authenticator in this case) gets compromised? If so, if we can't trust the authenticator app just because it's an app, then in principle we should not be using any app for critical / sensitive data access like e-banking on smartphones at all. Thanks for any hint or link to videos that explain it!

How secure would syncable passkeys be if they were stored on a self hosted password manager like Bitwarden / Vaultwarden without any external access? Thanks!

Websites/services are slow to adopt passkeys, so I don't expect 2FA to go away anytime soon

I use deviceless Passkeys and it's fine. Sole problem is not enough providers use it. So my devices are my passport.

Amazon’s wrong implementation of passkeys isn’t the fault of the technology. They have much broken with MFA, especially if you had an MFA protected AWS account with the same account. You do know that the private keys stored and synced by google, Apple, or proton, etc are encrypted, right? So someone who compromises say Apple or google would also need to get you to use your biometrics (or their backup) to decrypt them before they can be used to access your data. Same as your master password for a synced password database. Also, look into how those private keys are encrypted on your yubikey. Is it with the tiny PIN you must set prior to using it for passkeys? I’d say so since on mine I never have to enter anything longer. So, if you have your yubikey stolen or leave it where someone knowledgeable finds it, how long before that PIN is compromised? Less time than my biometrics or well-chosen alphanumeric phone passphrase. Trust what’s new, just be smart about it and be patient while the paradigm shifts. Passkeys are the passwordless future.

Sorry, I refuse to use a security device that plugs into the computer. Years ago, to log into my employer's company network from home, I was required to use a credit-card sized device with a small screen that displayed a rolling code that I had to manually enter. These days, that credit-card sized device could have biometrics or some other form of authentication to provide some additional security if the device is lost or stolen before I have a chance to disable it.

Thank you. I am still confused and I am very very computer literate but I’m still lost when it comes to pass keys. I rather have a text message sent to me with a code whenever I sign on.

Thanks for this updated video, but the bottom line still escapes me: How can we remove our long password and our SMS and our email as 2FA from the websites of our online bank accounts and credit cards (VERY FEW take passkeys) so as to defeat a wrongdoer from using Forgot my Password to intercept the link given to change our password? Can we do that with a Yubikey? Or set it up with our biometrics? If not, with what?

Hatdware keys are great until you travel out the area of your backup keys. Imagine being on a cruise ship and you lose your yubikey and need to sign in somewhere that requires that key. You are scrod!

Don't most of the websites support Google sign-in? Wouldn't adding two keys on Google account be as good as using keys on each website?

Nice channel I think I'll subscribe. Years ago I trolled some stock forum for a company that sold one of those dongles that randomly changes numbers every 30 seconds to generate one-time passcodes. I said it would go nowhere, and more or less I was right. Today's "something that you have" (Ubikey) key is related and my opinion is still low. Not that I don't like the idea, but rather it reminds me of the adage "necessity becomes virtue". When enough people are doing something one particular way, like now with no such "Ubikey", then it becomes the virtuous "norm". If and when enough people adopt the "Ubikey" then and only then will it become the virtuous norm. Chicken and egg thing.

Even if you someone manages to steal a syncable passkey, wouldn't it be useless to them, since they need biometrics to actually activate it?

In my opinion currently passkeys are 1fa. I personally think use a password or something else afterwards to create 2fa