Big FIDO2 fan and may I offer my favorite best practice with regards to "What if I lose my key?" You can register multiple keys with your servers. The key pair on the key is only used to protect the key pairs you make for each server. Once you're authenticated, your server will allow you to create another key pair for the additional FIDO key. Keep one in a safe and use the other for daily use. Love your videos! Keep up the great work.
@jeffcrume 1 year ago
Exactly right! I meant to include that in the video
@berndeckenfels 11 months ago
Not all sites allow multiple keys though. Would be good if the keys have some kind of backup tool to a paired key (although it increases risk for extraction)
@JorgenAndreStenersen 8 months ago
Yubikeys with a good backup plan in case you should be so unlucky to lose one is the way to go. I love all my Yubi's with a dear heart after an incident 6 years ago where I was targeted by some skillful individuals. Not saying it's unhackable, but all the precautions I have implemented in my digital life will sure make it very hard for someone to hack/attack me at the scale that I was attacked. Keep up the great and important videos @jeffcrume and @IBMTecknology 👍
@PeterRowe-k1o 5 months ago
Totally agree! With a Yubikey the private key never leaves the device, unlike multi-device passkeys from the likes of 1Password and Apple which store your private key in the cloud waiting for hackers to exploit it. A Yubikey is much less hackable than a phone or laptop/desktop, and you can air-gap it when not needed, and it is cheaper to have a backup. I have my own Yubikey, and my wife has another so we replicate each account with both. Hardware keys are not that well supported yet though
@BarryOGrady 3 months ago
Great video, thanks, Jeff. I have been wondering about passkeys, have watched vids on KZbin, and this is the best concise video that explains it in human language. Well done, IBM! I am lucky enough to have worked there, so it is gratifying to see they're still doing a great job.
@jeffcrume 1 month ago
Thanks so much for saying so! Glad you liked it!
@NK-iw6rq 4 months ago
Thank you Professor Jeff! Your videos on cyber security have helped me ace some interview questions I've been asked recently.
@jeffcrume 4 months ago
Awesome! I love hearing that!
@jaidenrichard99 1 year ago
Good teaching. He explains very important concepts with easy examples. Thanks.
@alejandrodelavega9857 9 months ago
What do I use to sync the passkeys? A password manager like 1Password?
@kevinmcfarlane2752 7 months ago
If you don't trust something like iCloud then yes. If you don't trust a password manager then don't sync, and use your Yubikey everywhere.
@Norm7264 3 months ago
FIDO addresses the sync problem by making some suggestions, but leaving the actual implementation up to the actual device or OS manufacturer: fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf
@lucas.n 3 months ago
@@kevinmcfarlane2752 I think YubiKeys can store a maximum of 25 passkeys, though
@herewearewayoutwest 3 months ago
Excellent best describes this presentation. I could listen all day.
@jeffcrume 1 month ago
I’m glad you liked it!
@gasovensforqcult 1 year ago
As a PKI engineer, this warms my heart
@jeffcrume 1 year ago
I love it!
@zetectic7968 3 months ago
Problem 1: only 4 accounts I have use passkeys.
Problem 2: websites still asking for an email address or even a password when using a passkey.
Problem 3: it takes longer to logon using a passkey.
Problem 4: websites still want to use another method of 2FA rather than a Yubikey etc. where the passkey is stored, i.e. email code, text code or authenticator app code.
Problem 5: many will not use passkeys as they have been poorly implemented and are less convenient than a password.
@jeffcrume 1 month ago
Most of the issues you are referring to here sound like issues with poor implementations of the standard rather than an issue with passkeys themselves. When properly implemented, they are easier, faster and more secure than passwords.
@toenytv7946 1 year ago
We’ve come a long way with passwords. Hindsight is 20/20. Just thinking back at how great a tech this is and its importance. Great job keeping it open and secure. Threats shouldn’t be able to keep up. Just a thought: security sure is my number 1. Trust one of the keys to security. There sure is a lot of great tech in the process. Thanks for the points.
@toenytv7946 1 year ago
Infrastructure on the shoulders of giants. Nice work folks.
@jeffcrume 1 year ago
Thanks for the kind words! I can take no credit for the standard but, as you said, a lot of “giants” contributed to this and thought through all the hard stuff for us
@eduardobuitrago 4 months ago
If you do not control the security, assume everything you send to that system is available to third parties allowed by that system. Keep your private keys private! Period!
@jeffcrume 1 month ago
With FIDO you can keep your private key on your system and avoid the risk you’re referring to. You can’t do that with passwords since the server needs to have it as well
@phillipp1399 1 month ago
Or, understand modern encryption and vaulting technologies so you can take advantage of secure, modern conveniences. It hasn’t been 1998 for an awfully long time.
@Education-yk5ug 21 days ago
So all security comes down to one barrier which is my device. How do you secure it to avoid a break-in? By password, Yubikey, etc.? And how do you secure those? Where does it end and make me feel I'm protected? Seems like not much better than just using very complex passwords.
@jeffcrume 15 days ago
The alternative is a password. How is that better? Most people write them down and reuse them. At least with a passkey that is stored on the device, it can be secured with multifactor authentication (you must HAVE the device and BE the person whose face matches, for example)
@Education-yk5ug 15 days ago
@@jeffcrume Passwords stored in your encrypted and protected password repository on your device; there are many commercial products. It seems much better to me. Using good password management, this approach seems more secure than one entry point for all access. Also, regarding face recognition or fingerprints: how do you address situations when an owner is seriously hurt, or even deceased, and their heirs need quick access? So far I haven't seen any reliable solution.
@con-f-use 10 months ago
It's funny how he says he's addressed SSH and PGP, but has done all but.
@samwang8054 1 year ago
IMHO, the first two questions are as important as what currently FIDO is trying to standardise. Without addressing or standardising those two, it just cannot be counted as a complete solution. And, "eliminating the needs for password entirely" sounds quite ambitious.
@jeffcrume 1 year ago
They don’t really have to be covered in the standard since existing solutions already exist. For instance, 1Password and iCloud Keychain are just two examples of tools that already have this covered. I’m sure there are many more
@DeepDiveGames 2 months ago
I really like your content and I appreciate the advantages of PKI and FIDO2, but I believe this video doesn't present a complete picture of modern password managers (PMs) that actually generate and store unique, high-entropy passwords for each site automatically. With that in mind I'd like to clarify the two points:
1. In the phishing scenario (7:56): With properly configured PMs generating unique passwords per site, a compromised password from a phishing site doesn't put other sites at risk.
2. Regarding the offline attack (8:34): Cracking a properly generated password with 180+ bits of entropy is practically infeasible, and even if successful, would only compromise one site's credentials.
While Passkeys may offer better protection for the average person, the video would benefit from a more balanced discussion of their limitations. Also worth noting that the current Passkey implementations are still in their infancy - most sites simply replace passwords with Passkeys while still requiring email verification and 2FA, rather than fully utilising the technology's potential. A thorough comparison should consider the pros and cons of both approaches, as each has its place depending on user needs and circumstances.
@jeffcrume 1 month ago
The password still has to be stored (even if in hashed format) on the server. Passkeys don’t require this. Only the public key is at the server and, by definition, it contains public information
@phillipp1399 1 month ago
Take some time to learn the new technology. There’s no need for a video about passkeys to go over long established and now outdated technology. Unfortunately, as you point out, even sites employing the modern tech haven’t taken the time to understand it and continue to blend it with outdated tech. Like comcast being greedy with ipv6 addresses, it doesn’t make sense. Learn more and you’ll understand.
@kenp4124 5 months ago
Account recovery is always going to be the Achilles' heel. Even among the few sites that support passkeys, most force the user to enable a weak recovery method before they'll enable passkeys.
@jeffcrume 4 months ago
Very true. I think there are better methods based upon the way that credit bureaus authenticate users based on historical info they have
@luffirton 4 months ago
@@jeffcrume Exactly, nothing is safer than the weakest link in the chain. I thought that when FIDO started on this project they would also address a secure standard for recovery of passkeys, but now it's basically everyone can implement their own way to recover passkeys and no technological enforcement that prevents a service from using passkeys without implementing the secure passkey recovery method. One example could have been done in a way like you have to scan a QR recovery code and the new device would prompt you to authenticate. You then follow a set of steps and it takes a picture of you. Using the NFC antenna in your phone you are asked to place your phone on your electronically readable passport; the device gets the information and compares your information from the passport, including the picture, to the information you entered in the previous steps and does a face analysis of the pictures, compares them and if they are matching then lets you create a new passkey and store it in the same place or another place that supports storing passkeys. You could also have an option two after scanning the QR recovery code to instead send an SMS or email to your number or account with a security number/PIN that expires in 30 minutes which you enter to authenticate; you then get the option to save a new passkey.
@phillipp1399 1 month ago
Once passkeys are well established and well supported by better informed services, account recovery will be a tiny percentage of what it is today. Like people with an upgraded phone and no contacts is a minuscule problem today.
@michaelcharl 1 year ago
Phishing question: why can't a phishing website act as a live man in the middle? A user sign-in request goes to the phish site, who passes it on unchanged to the real site. When the challenge request comes back, the phish site sends it to the user unchanged. The user challenge response gets sent back to the phish site, which again passes it on to the website, which successfully decrypts the response. Both ends assume authentication is successful, except now the phish site prevents further communication to the user and continues in the user's place. No passkey encryption/decryption by the phish site was needed. I must be missing something. (I'm assuming the passkeys are only for authentication purposes, but, if not, this would still be a problem.)
@jeffcrume 1 year ago
Yes, passkeys are just for authentication, not confidentiality. TLS/SSL can help ensure that the site you are interacting with is authentic and not a MITM
@michaelcharl 10 months ago
Thanks. Now I have another scenario. One unknowingly goes to an invalid website to login using passkeys. The website provides a junk challenge to the user. The user decrypts and re-encrypts the challenge using its own private passkey and passes back the response to the challenge. The website accepts the challenge without decrypting and provides the user with a screen the user uses to provide valuable info back to the website. Thus a theft occurred. How does FIDO stop this? @@jeffcrume
@minnced 5 months ago
Passkeys are usually bound to the origin as a relying party (RP ID), which prevents any phishing domain from being capable of doing this challenge-response process.
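The origin binding minnced describes is what defeats the live relay that michaelcharl asked about, and it can be shown end to end. The Go program below is an added example (not from the video, IBM, or any commenter): the browser side stamps the page's real origin into clientDataJSON and the SHA-256 of the rpId into authenticatorData, the authenticator signs over both, and the relying party checks origin, rpIdHash, challenge and signature together. A look-alike page that forwards the genuine challenge unchanged still gets an assertion the relying party rejects. Domain names and the challenge are constructed, and the authenticator-data layout is reduced to its fixed fields.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields the relying party
// checks. The browser, not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives after the authenticator signs.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// authData lays out SHA-256(rpId) || flags || signCount as WebAuthn does
// (flags 0x01 = user present; signCount fixed at 1 for this example).
func authData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01, 0, 0, 0, 1)
}

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(ad, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return d[:]
}

// Sign plays the browser plus a device-bound authenticator. The browser records
// the origin the page was really loaded from and only permits an rpId that is a
// registrable suffix of that origin, so a look-alike page cannot claim the real one.
func Sign(priv *ecdsa.PrivateKey, origin, rpID string, challenge []byte) (Assertion, error) {
	cd, _ := json.Marshal(clientData{ // marshalling this fixed struct cannot fail
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	ad := authData(rpID)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return Assertion{ClientDataJSON: cd, AuthData: ad, Signature: sig}, err
}

// Verify is the relying-party side; every check must pass before the user is in.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	case err != nil || !bytes.Equal(got, challenge):
		return errors.New("challenge mismatch (stale or replayed)")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not the relying party's origin", cd.Origin)
	case len(a.AuthData) < 37:
		return errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// RunScenarios returns the outcome for a genuine login and for a relayed
// challenge: the user's browser is on a look-alike page that forwarded the real
// site's challenge unchanged. Domain names and the challenge are constructed.
func RunScenarios() (genuine, relayed error) {
	const rpID, origin = "bank.example", "https://bank.example"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	challenge := []byte("constructed-32-byte-challenge!!!") // a real RP draws this randomly
	ok, _ := Sign(priv, origin, rpID, challenge)
	genuine = Verify(&priv.PublicKey, rpID, origin, challenge, ok)
	// Same key, same challenge, valid signature, but the browser stamped the
	// page's true origin and derived rpId from it, so the relying party refuses.
	bad, _ := Sign(priv, "https://bank-example.test", "bank-example.test", challenge)
	relayed = Verify(&priv.PublicKey, rpID, origin, challenge, bad)
	return genuine, relayed
}
```

Because the signature covers the origin and rpIdHash, the relay cannot rewrite those fields to look legitimate without invalidating the signature, which is why a valid TLS certificate on the look-alike domain does not help it either.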
@karlking4980 4 months ago
The major concern I have regarding the password-to-passkey transition period, is that the site (e.g., Amazon) I am accessing will actually have both the new public key for specific device(s) AND my original password. I mention this because I have created a few passkeys but have not seen an option to have the site permanently delete my password once the passkey was created; therefore, even if I create or share passkeys for all my devices to a particular site, a data breach of that site will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key. What am I missing? Thanks for the excellent video! Karl
@jeffcrume 4 months ago
Unfortunately, that will be true until they retire the password option for your account and that’s up to each web site to do that as they see fit. Hopefully, they will clean this up over time
@phillipp1399 1 month ago
You’re not missing anything. Account recovery will always be a challenge and passwords are currently it. But, you’ll need a password manager for the foreseeable future anyway since this tech will take some time to be ubiquitous. Meanwhile, you can set those passwords to whatever that account’s max size is so you can be comfortable that as long as they’re encrypting them, your account won’t be compromised via that route. As the standard is released for vault portability I’d guess there’ll be some outside-the-cloud or alternate-cloud archiving options to facilitate recovery.
@dinesharunachalam 1 year ago
@Jeff, what is the cost involved? Both from new installation perspective and also migrating existing password based authentication
@jeffcrume 1 year ago
Great question - sorry if this sounds like a commercial but I’ll use this to illustrate the point - IBM Security Verify Access is a tool that web sites can use to add FIDO/passkey support to their systems without having to recode everything. Without a tool like this, the web site will need to add support for FIDO on its own, and that can involve more cost. That said, the savings resulting from fewer security incidents and fewer help desk calls (no lost passwords) could easily offset the cost. The organization just has to be willing to make the initial investment and many are. IBM, Google, Amazon, Twitter/X, Meta, Microsoft, Apple, etc. all support it today
@MartynStarkey 1 year ago
I would like to know if once a Passkey is setup, can I remove the 2FA for that site?
@jeffcrume 1 year ago
It depends on how the web site is set up and your tolerance for risk, but, in general, I would say that if your devices are FIDO compliant and you don’t use trivial passcodes on them, then, yes, passkeys should be sufficient because they would already include MFA (i.e., the device with the private key - something you have - and a biometric to unlock it - something you are)
@rytadz8786 4 months ago
@@jeffcrume was wondering if you can pair the passkey with a FIDO2 security key for sensitive websites like for your finances/banking?
@Education-yk5ug 21 days ago
If keys can be copied to multiple devices, what stops malware on my computer from copying my key and sending it somewhere else?
@jeffcrume 15 days ago
This is the same risk with a password
@Education-yk5ug 15 days ago
@@jeffcrume But aren't we looking for better security with passkeys? If the risk is the same, how is it better? And if the only advantage is that my password on a server can be stolen, the hacker will have to break it first which is not that easy with very complex passwords. But if the passkey is stolen, then he has the access right away. So again if the risk is the same then no point in switching.
@dansanger5340 1 year ago
I'm excited about Passkeys, but a little leery about synchronizing them across devices using a password manager with Passkey support, especially after the LastPass breach. My concern is putting all my eggs in one basket. With passwords, I could at least keep the 2FA information for the accounts in a separate authenticator, so that even if the password vault was decrypted the bad guys still couldn't log in to my accounts. But, if I use the password manager to synchronize Passkeys, and the vault or the synchronization process is somehow compromised, then the bad guys have everything they need to log in to my accounts. Or, maybe I don't understand how Passkeys are synchronized and this isn't a potential vulnerability. But, until I know better I'll probably just use device-bound Passkeys for logging in and regular passwords in a password manager (plus separate 2FA) for the case of a lost or new device.
@jeffcrume 1 year ago
It’s a risk, for sure, but IMHO it’s far less of a risk than the one posed by passwords, which are a badly broken and outdated approach
@marcopetaccia88 1 year ago
I'm sorry this could sound like a silly question. But... if I'm able to create a new passkey for each device I own and trust, why would I need to sync them to the cloud? Am I missing something?
@jeffcrume 1 year ago
You could do it that way but the implementations I’ve seen seem not to. It could also be an approach of both/and rather than either/or, it seems to me
@kevinmcfarlane2752 7 months ago
I recommend watching this video - kzbin.info/www/bejne/iYjSlKlqd812hMk (FIDO Alliance - Passkeys in Action). It shows cases for both re-using passkeys and creating new ones afresh.
@Strammeiche 1 year ago
I usually don't lose my passwords but phones break from time to time. I switched back from Bitwarden to an encrypted KeePass container in the cloud because of security concerns. This feels like going back to a single point of failure.
@jeffcrume 11 months ago
I know what you mean. I used to use a PW manager which could sync across a LAN to only my devices (no cloud needed), which I preferred, but everything has moved to the cloud now, it seems. That said, a good cloud provider lowers the risk and you encrypt the pws (or better yet, passkeys) in the pw manager client BEFORE it goes to the cloud. That way you can retrieve the info from anywhere and it isn’t exposed
@derekarmstrong1408 2 months ago
What is the dog logo on your shirt?
@jeffcrume 1 month ago
The guy that used to film, edit and do artwork for my videos came up with that on my very first video on Zero Trust where I needed “an angry dog” on the screen. He later had the shirt made for me and I wear it as a thanks to him for all his great work!
@Romahotmetytky 7 months ago
OK, so the private key on the device is used to decrypt the message sent by the server and send that message back for identification, right? What if this decrypted message is intercepted by a bad guy? Now they have the public key and the decrypted message. Is this enough to cause trouble? Or to even figure out the private key?
@jeffcrume 6 months ago
You just said the key phrase, “they have the PUBLIC key” - which is PUBLIC in the first place. In other words, the public key reveals nothing about the private key other than the fact that the message was encrypted with it
@luffirton 4 months ago
@@jeffcrume I want to add that the message/challenge sent by the server/website to the device is encrypted, then the device decrypts the challenge, verifies it comes from the public key it is expecting and then signs the challenge/message, encrypts the message/challenge again and sends it back to the website/server to be verified.
@pipjersey8303 1 year ago
4:35 This guy knew exactly what he had done when he did it
@BM-jy6cb 8 months ago
LOL😅
@manta567 1 year ago
Malware? Vulnerabilities? Session Hijacking?
@jeffcrume 1 year ago
All far more likely to impact passwords than passkeys
@AlessandroBottoni 1 year ago
This depends on the level of security you are looking for. I do use FIDO 2 USB tokens since the beginning BUT... I still pair them with passwords and passphrases. Just in case someone steals my devices...
@dinesharunachalam 1 year ago
Do the FIDO 2 USB tokens not authenticate based on any biometric? I have not used one, so asking. Here the FIDO private key is locked by biometric authentication of the device
@jeffcrume 1 year ago
@@dinesharunachalam you really don’t need to use passwords as a backup because you can have multiple private keys for each device on each account and those can be sync’d through a password manager, iCloud Keychain, etc. This provides a recovery mechanism. As for USB tokens, they can vary but typically they could leverage a fingerprint to unlock them. Or, in most cases, you can just use your phone, tablet or laptop as the FIDO device since they probably have biometric support and secure storage of the keys
@jpp_vh 10 months ago
A Fido2 hardware key which doesn't have biometrics usually asks you for a PIN code to unlock the device (with auto erase after 3 attempts)
@minnced 5 months ago
Using a passkey without username (known as a resident key or discoverable credential) usually requires user verification using either a biometric or pin entry (pin length depends on the key).
@aaronrobinson4446 5 months ago
Will employing the use of a Passkey AND a Password offer even more security?
@jeffcrume 4 months ago
I suppose it could but I think it would add more complexity than it’s worth
@ukranonymous 10 months ago
The best security is when you use all THREE: 1. something you KNOW, 2. something you HAVE and 3. something YOU ARE. For example a password + device + fingerprint. Passkey violates this. To get access to your online banking, a bad guy can catch you unconscious (or help you with that), grab your phone, unlock the passkey with your finger and that's it. I know a real case. Although password managers also violate the first mean. Therefore for critical services I don't use password managers.
@jeffcrume 10 months ago
You’re describing multi-factor authentication and passkeys leverage it as well. Check out the previous video to see how it works
@ukranonymous 9 months ago
@@jeffcrume Thanks for your answer! You are right, I tried a few pages and 2FA is still in place in addition to Passkeys. Still, the idea behind passwords is to keep the secret in your brain and passkeys eliminate this. Of course, this factor is present (if configured) when a user has to unlock the vault holding passkeys (phone or password manager) with the pin or password. My best experience is one service where I have to enter a password in the app for second factor auth. Then I have all three factors in place: Passkeys is something I HAVE, for 2FA I unlock my phone with biometric auth (something YOU ARE) and then I type my password which I do not store in a password manager (something I KNOW). A bit annoying but security should not be simple. And thanks for the video - it's just great! Subscribed :)
@리오-j4i 9 months ago
I think you can use a cloud-based password manager for non-important accounts + FIDO2 security key for important accounts + most important accounts such as bank websites which do not rely on a password manager. Also you can lock your device through an applicable app, then biometrics won't work.
@phillipp1399 1 month ago
What’s best today isn’t always what was best yesterday. New can be hard.
@jaibunnisamohammad9988 1 year ago
The phone/tab option is not available in Mac Safari! Phone/tab is not available in Android Chrome
@jeffcrume 1 year ago
Not sure what you mean. iCloud Keychain syncs these across MacBook, iPad and iPhone today
@velo1337 1 year ago
Congrats on the promotion to CTO
@jeffcrume 1 year ago
Thanks!
@Redbackss 1 month ago
There is one weakness I see, and it's the "syncing to a cloud service", seriously! Now who owns your passkeys in the cloud service? Since the user is leaving the passkeys in the cloud it becomes vulnerable to hackers. I don't use cloud services for anything, it is only a matter of time before hackers figure it out.
@jeffcrume 1 month ago
Syncing is optional. You don’t have to do it. If you do, then it is secured through iCloud or the password manager of your choice so it’s encrypted BEFORE it goes into the cloud. FIDO is working on a sync standard, BTW
@nvsv_wintersport 1 year ago
With secret questions (your Mother's name, your favorite pet, whatever) just give a bogus answer that can't be found in your social media feeds (better even: don't put all these details online, unless you like identity theft). And I'm not switching to Passkeys, but will keep using my Yubikeys.
@jeffcrume 1 year ago
Yubikeys support passkeys, BTW
@fastrobreetus 3 months ago
TY!
@nikhilav 1 year ago
Is Fido2 quantum safe?
@jeffcrume 11 months ago
Not yet, but that’s in the works
@cyberJali1234 1 year ago
Great content always following to learn more about security. Can I offer my services to put this content into an article for you?
@npc73x 11 months ago
One data breach of my private key, I am screwed
@jeffcrume 11 months ago
Same for your password but your password would be far easier to guess in most cases and since it also resides on the server, it could be hacked from that side as well
@jeffcrume 11 months ago
Besides, you have a different key for each site so the impact would be limited
@npc73x 11 months ago
Is there any service available to say, my password wallet root password got exposed, so does anyone have my email@address stop accepting login from anywhere and provide me a password challenge to my email account
@kevinmcfarlane2752 7 months ago
The key (pun) to all this is to note that passkeys do not provide absolute security. Nothing does. But they provide much better security than the existing paradigm. Also, it's going to be a gradual process. In the transition you'll use both "legacy" passwords with or without 2FA and passkeys. In fact, I inadvertently tested that the other day when I set up my first passkey in the browser and password manager. But it couldn't find it on my phone, so I had to use password + 2FA. Though the passkey did work on my iPad. I discovered later that this was because Google was the default passkey provider for Android. I've since changed that to my password manager, but haven't retested. I've spent a fair bit of time reading and watching stuff in the past couple of weeks or so and I've only now just tried a passkey on a relatively minor site, in that it's public for reading anyway. The best thing to do is to keep watching and reading and then proceed gingerly. I only started exploring this stuff when a few of my websites started popping up "would you like to use a passkey?" I answered No but then later started Googling about them. There are also a few interactive test sites you can try them out on. I did that too.
@hskimny 4 months ago
@jeffcrume is this correct though? The passkey in this case is derived from my biometric data, no? Which is unique to me and can't be recreated in a new way. So once I lose that, I would be vulnerable to all passkey enabled sites, like my bank accounts?
@jessejames586 10 months ago
How can he write backwards so easily?
@jeffcrume 10 months ago
I can’t. Search this channel for “how we make them” and you’ll learn the secret
@EricS-uf9mv 7 months ago
I was wondering the same thing. I don't believe he is writing backwards. I think the recording system he's using is specifically built for see-through "whiteboard" teleconferencing presentations... it's inverting the video in realtime or doing it in post. The other option is he's using some type of high-tech, 2-layer/2-way, whiteboard that's doing the inversion.
@chawlagrv 7 months ago
It's called a lightboard. Creator's website: lightboard[.]info
@lyettetybursky492 1 month ago
Can you share your passkey with your children?
@kevincooper3850 1 month ago
Passkeys are per account per device
@StijnHommes 9 months ago
What you say about multiple devices is wrong. It's not something you can choose to use if you enable it. The system you're choosing to store your passkeys needs to support it too and right now, support for this is thin. Besides, putting your login details in the cloud makes the whole thing less secure. Just like putting your passwords in the cloud.
@jeffcrume 9 months ago
I’m doing it every day and the site you log into has no idea whether the keys were synced across devices or not. Granted, it would be best if you don’t put any of this in the cloud and you don’t have to if you want separate keys for each device but most people will opt for the sync and even if they do it’s far lower risk than what most do today in choosing their own passwords and setting them all to the same thing
@StijnHommes 5 months ago
@@jeffcrume If people decide to use the same password for every single site instead of using proper password hygiene, they deserve to get hacked.
@minnced 5 months ago
@@StijnHommes security isn't only about protecting one user. One user being hacked can have drastic consequences for the entire system and every user on it.
@tommygrandefors9691 1 year ago
I am shocked to hear that a ”Security Expert” says it’s ok to put your private key in the cloud. There are no guarantees on how your keys are stored there. A private key must be private for real. It shall be stored in protected hardware (enclave on your mobile phone, USB token etcetera) and all crypto related functions must be executed by that specific hardware. This is true 2FA since you now are in possession of that hardware. Account recovery can be solved by using other solutions e.g using a unique key pair for each device. There are unique key pairs for every site you login to anyway. Why decrease the level of security? To make it more user friendly? Well, here we go again. 😕
@toenytv7946 1 year ago
I think blockchain can do all those things. I believe IBM would have a solution for that. These folks know their stuff.
@sonjaisaacs52 1 year ago
After listening to him for a while I would give him the benefit of the doubt. He probably has some reasoning behind his answer, there always is.
@maulren 1 year ago
I'm shocked to hear that someone has another opinion than me
@sarahpixley 1 year ago
Both FIDO2 USB tokens and passkeys offer robust security, leveraging public key cryptography. The choice between them often depends on the user's specific needs, preferences, and the types of threats they are most concerned about. USB tokens offer strong security with the inconvenience of a physical device, while passkeys provide a more integrated and user-friendly experience with security that is largely dependent on the security of the user's device. Passkeys are not the same as putting your private key in the cloud. They are a more secure and user-friendly form of authentication that replaces traditional passwords. Passkeys use public key cryptography. They generate a pair of keys: a private key that stays on your device and a public key that is shared with the service you're accessing. The private key in a passkey system never leaves your device, which makes it more secure. It is not stored in the cloud. This contrasts with storing a private key in the cloud, which would be less secure because it could potentially be accessed by others. When you authenticate with a passkey, the service you're logging into challenges your device. Your device responds by using the private key to sign the challenge, proving that you possess the corresponding private key without actually transmitting it.
- **FIDO2 Tokens**: Require the user to carry the token and plug it into a device. This can be less convenient, especially for mobile users or those using multiple devices.
- **Passkeys**: Generally offer a more seamless user experience, especially with features like cloud synchronization across devices.
- **FIDO2 Tokens**: Might not be supported by all services and can require users to purchase the token.
- **Passkeys**: Increasingly supported and often built into operating systems and browsers, making them more accessible.
- **FIDO2 Tokens**: If you lose the token without a backup, you could be locked out of your accounts.
- **Passkeys**: Typically have recovery methods associated with the user's account, like cloud synchronization or recovery codes.
Passkeys are designed to be more user-friendly than traditional password systems. They often work with biometric authentication (like a fingerprint or facial recognition) on your device, adding an extra layer of security without the need for complex passwords.
@jeffcrume 1 year ago
What you described is, indeed, better and is the way a lot of implementations of FIDO work. That said, iCloud Keychain, 1Password and plenty of other password managers have leveraged encrypted cloud storage/sync for many years.
@dav1dw 1 year ago
I think you need to find a different way to draw a pipe + server.
@jeffcrume 1 year ago
Sometimes a cigar is just a cigar, Dr. Freud...
@RedStarSQD 11 months ago
I just modernized my desktop and created a PIN. Microsoft allows the PIN to be used as a passkey. My question is: where is this information, so that it can be manually backed up? I know OneDrive would back up settings. But I don't trust OneDrive.
@jeffcrume 11 months ago
A PIN is not a passkey. It may let you use a PIN to unlock a passkey or a PIN instead of a password, but in either case the strength of the security would be only as strong as its weakest link, and that would be the PIN.
@RedStarSQD 11 months ago
@jeffcrume Thanks. I should not have said "used as a passkey", but rather "created or generated using the MS PIN as one ingredient". The MS PIN is not the traditional random PIN you are thinking of. It is based on credentials and machine ID. This is why I want to know how to back this stuff up... Where is this security info stored? Ultimately, I know you can store passkeys in Bitwarden.
@datastop400 11 months ago
Gadgets, no. They get lost or broken. Good luck with recovery. PW can work if you’re not just “people”. Massively complex PW. Done.
@jeffcrume 11 months ago
As I said in the video, these can be synced securely in the cloud so that you aren’t dependent upon a single device.
@Adventures_of_Marshmallow 1 year ago
The problem with passwords is NOT people. It's websites and software shifting the responsibility and accountability of security to their users. Again from the last video. Passwords are not inherently insecure. The ENTIRE process of logging in is just totally mismanaged by both software and website hosts.
@jeffcrume 1 year ago
I take your point, but I would say that passwords are inherently less secure than passkeys because they have no time limit and can be discovered by hacking the web site. Passkeys are time bound and there’s no secret stored in the web server, so those are at least two aspects of risk reduction.
@Adventures_of_Marshmallow 1 year ago
You're still thinking about passwords statically. Think more dynamically along the lines of rolling encryption standards, but better. Every time the user logs in, the fully encrypted password that is stored there should be different. The server should never even know what the password is if everything is done right. In no way shape or form should a server remain static in regards to username and password entries. This was always the mistake and frankly it's shocking that it persists. Static stored logins will never be secure.
@IvanMoscow-vx3jo 1 year ago
You are saying that I have to presume that the security is public knowledge if I am not in control of it. Like how, BY LAW, Google, Microsoft, Amazon, Facebook, and so on must implement backdoors and I have no control over their security? That is literally worse than a safe password in my head or offline password manager...
@jeffcrume 1 year ago
That’s not at all what I said. I said that the public key is public. Your private key is private. Only you know it. Therefore, only you can answer the challenge which is encrypted with your public key.
@vitormiguelsilva3025 10 months ago
The website should generate a random password / passphrase instead of asking us to create one.
@jeffcrume 10 months ago
That’s essentially what is happening in the generation of the public/private key pair. You don’t have to remember these.
@oprrrah3498 10 months ago
Yeah, Google is so trustworthy....
@jeffcrume 9 months ago
That’s the value in the standard. You don’t have to trust the service provider. You trust the protocol.
@ProfessorJayTee 1 year ago
TERRIBLE idea. Once they figure out how to "spoof" the passkeys? We're ALL fucked. Now, I have dozens of passwords, so if hackers manage to find one, they don't have ALL OF THEM. If they spoof my passkey, they have access to EVERYTHING I have access to... banks, investments, social media... everything.
@jeffcrume 1 year ago
Passkeys are unique for each site (just like passwords) and time limited (unlike passwords), making them even more secure.
@EricS-uf9mv 7 months ago
You can't "spoof" a passkey. Passkeys are UNIQUELY generated (i.e. unique per website) "key PAIRS" created FROM a DEVICE-BOUND "Master Key". The Master Key and the private key half of the public/private key PAIRs it generates are LOCALLY stored. In fact the Master Key is hardware bound inside a hardware security module (HSM), a physical security chip inside your device, which cannot be divulged. Only the public key half of the public/private key PAIR is ever shared. Jeff isn't explaining the intricacies b/c frankly nobody on YT would understand the full crypto/authentication flow. The spec has been around for well over a decade and has been slowly evolving/expanding ever since. You can go read it for yourself, but you won't b/c there are VOLUMES and VOLUMES of documents composing the FIDO, FIDO2/WebAuthn (Passkeys) spec.... and simply reading the spec won't get you "there" b/c you 1st need a DEEP technical foundation in cryptography basics... Authenticated Encryption (secure message signing), knowing the difference between symmetric vs asymmetric ciphers and their strength/weakness use cases, integer factorization and the discrete log problem and how this relates to PKI implementations leveraging RSA, DSA, DH, and ECC vs a symmetric cipher like AES-256 in CCM mode, which passkeys also utilize. The bottom line is you can't simply "spoof" a passkey. It's literally a UNIQUE 256-bit random number bound to a hardware device, bound to an AppID (a website domain or app), and linked to an EPHEMERAL challenge generated randomly & in REAL-TIME by the Relying Party (RP)/website.
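The challenge-response flow that @sarahpixley and @EricS describe above, and the two risk-reduction points @jeffcrume makes (a per-site key pair with no secret stored on the web server, and a challenge that is only good for one login), as an added Go example that is not part of this thread and not the code of any FIDO implementation. It models the authenticator (the user's device or token) and the relying party (the web site) in one process. The site names `bank.example` and `bank-example.com` and the user `alice` are constructed; the data being signed is a simplification of WebAuthn's authenticatorData plus client-data hash; and the rpID the authenticator signs over is assumed to come from the browser's view of the page origin, as in WebAuthn, rather than from the page itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device or token: one private key per site, none ever exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // rpID -> private key

// Register creates a fresh P-256 key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the site's challenge with the key bound to rpID; a look-alike domain has no key here.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData binds a signature to site identity and challenge (simplified WebAuthn signed data).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the web site: it stores public keys only, so a breach yields no secrets.
type RelyingParty struct {
	ID         string
	PubKeys    map[string]*ecdsa.PublicKey // user -> enrolled public key
	challenges map[string]string           // user -> hex(challenge) awaiting its one use
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, PubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// NewChallenge issues 32 fresh random bytes valid for exactly one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = hex.EncodeToString(c)
	return c, nil
}

// Verify checks the signature with the enrolled public key and consumes the challenge (no replay).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	if c, ok := rp.challenges[user]; !ok || c != hex.EncodeToString(challenge) {
		return false // unknown, expired or already-used challenge
	}
	delete(rp.challenges, user)
	pub, ok := rp.PubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

type DemoResult struct{ LoginOK, ReplayRejected, PhishRejected, LeakedDBUseless bool } // Demo outcomes

// Demo: registration, a genuine login, a replay, a phishing attempt, and a forgery from a leaked public key.
func Demo() DemoResult {
	var r DemoResult
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := NewRelyingParty("bank.example") // constructed sample site
	pub, _ := auth.Register(bank.ID)
	bank.PubKeys["alice"] = pub        // enrolment: the site keeps the public key only
	c, _ := bank.NewChallenge("alice") // 1. genuine login with a fresh challenge
	sig, _ := auth.Assert(bank.ID, c)
	r.LoginOK = bank.Verify("alice", c, sig)
	r.ReplayRejected = !bank.Verify("alice", c, sig) // 2. same pair again: challenge already consumed
	phish := NewRelyingParty("bank-example.com")    // 3. constructed look-alike domain
	c2, _ := phish.NewChallenge("alice")
	_, err := auth.Assert(phish.ID, c2)
	r.PhishRejected = err != nil
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // 4. attacker knows only alice's public key
	c3, _ := bank.NewChallenge("alice")
	forged, _ := ecdsa.SignASN1(rand.Reader, attacker, signedData(bank.ID, c3))
	r.LeakedDBUseless = !bank.Verify("alice", c3, forged)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it with `go run` prints the four outcomes, all of which should be `true`: the genuine login verifies, the replayed (challenge, signature) pair is refused because the challenge was consumed, the look-alike domain gets no assertion because no key was ever registered for it, and a signature made with any key other than the enrolled one fails verification, which is what "no secret stored in the web server" buys a defender.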
@xXx-lfg 13 days ago
So do things like MetaMask or crypto wallets use FIDO?