I believe you would log on using another device you have like laptop, which assumes you have one.

​@@mokilokethen what should you do if you lose all your devices in the flood, fire or other emergency?

​@@hnv151so once you lose your iCloud account to an attacker. They have all your PassKeys as well??? Unless you use a passkey to sign in to your iCloud account. Therefore creating an infinite loop of lost passwords

This is what I want to know too: Right now it is intransparent where the private key actually is and where it is backed up. How can I ensure my personal privacy without to rely on Google or anyone else but myself.

Then the backup codes came into the picture.

This ^

So it seems like 2FA with TTOP seems more secure?

In a cybersecurity way, it's less secure. TOTP is susceptible to real-time phishing attacks. @@DroisKargva

Let's use a phone as an example. What about if you have sensitive photos inside it? Already connected accounts? If they have the device and the password, they can already get that information. The idea of passkeys, as I think, is to help with cyberattacks, as for right now it is the best secure way to connect to an account online, but of course, everything has ups and downs. If you just lost your phone, they can't get you passkeys, YOU would have to give it to them.

Passkeys require confirmation before using them, so the device will have to be unlocked twice. Same as with your 2FA scenario.

Passkeys are Device + Platform wise. e.g. each passkey is a combination for Browser + Website, BUT, depending on the platform and user settings, the same passkey can be used in a different device, like a phone, to grant access to the SAME platform in a different device ( around min 3 is explained )

By default, passkeys are device specific. Not OS-specific. Certainly not browser or application specific: DEVICE specific. So if you set up a passkey in (say) Chrome on your Windows laptop, you'll be able to use it immediately in Edge or Brave or Vivaldi ON THE SAME MACHINE. How's that work? Well, using a passkey in Windows basically ties into Windows Hello. But you will NOT be able to use that passkey on another Windows computer or any other computer: You'll have to recreate it there, too. Not a big deal. But that's the way it works - by default. I say "by default" because it's now possible to store passkeys in other places, including some password managers. NordPass, for example, can store your passkeys. Now the passkey's authentication process gets moved from Windows Hello on the specific device to NordPass's own method (which, just to keep you confused, might be Windows Hello on that specific device!). Advantage of using your password manager to store passkeys is that you don't have to create them on other devices. If you use a lot of different devices to access the same accounts, this MIGHT be a small help. But if you only use one computer and one phone, then storing passkeys in your password manager isn't really any easier. But seriously, after you create just a couple of passkeys, you'll realize that the process is quite easy. If the passkeys are created on your devices, then you're getting the benefit of hardware authentication. Give your password manager a really good (long, strong, unique) password and then DON'T USE IT unless you have to. That's why, although I work on a lot of different devices, I create the passkeys locally and I do NOT use NordPass (my main password manager) to store them. NOTE that sites with good support for passkeys (like Google) will allow you to rename your passkeys. When I log into my Google account on a new device, I create a local passkey for that device (again: doesn't matter which browser I do this in) and then I rename it immediately (e.g. I change "Windows Hello 3" to "Surface Pro 9"). That way I can tell, in the manage-your-account area in my Google account settings, which passwords are for which devices. If I sell a computer, I remove the passkey.

@m57-ux3ngCrickets

You would get a code from your phone that you copy into the browser

@@syawkcab I don't think it works that way. And you still need a connection between desktop and a phone to even initiate the authentication.

Pray lol

Recovery codes. It's the same as when you setup 2FA with an authenticator app. You get 10 or 20 codes that are one-time use for recovery. You simply write them down and store them somewhere save so when you do lose your phone or security key, you can simply enter one of those codes to get into your account again and setup a new method for login.

No as when you move to weird location or have different habit it will be detected and google you ask you one more "pass" sms or fingerprint, or to proof clicking in another device you have etc.

Yep I have some guy who logged into my alt account and I can't up my security bc google insists on pass key and everything I enter the key google says its wrong

Can't get the guy off my email

Synced Passkeys are an option, which can be synced to your devices using a Google/Apple account or (preferably imo) using a password/passkey manager like Bitwarden or 1Password

1. In practice, both Google and Apple have your private keys in the cloud, like they do your passwords now. 2. Impossible for now.

You can still make emergency calls without account access. There is no legit reason to gain access

@@portman8909 I don't think that was the question. Consider your mom had an accident and is in a hospital. You need to login to her email to retrieve some information for her while she can't. How could we get this legitimate access done?

Passwords are still there. The presentation doesn't say that, but you'll still have a password to your account if you can't get in using a passkey.

Same with the Google password manager, or indeed any password manager

⁠​⁠@@tommylehomme8695that’s not true at all. Bitwarden has zero knowledge architecture. Anything sent to them has already been hashed. They dont store private keys.

This is "largely due to the way ChromeOS encrypts data at rest residing on the Chromebook itself, specifically the decryption key being tied to the password" (from an Ars Technica article) I agree that it's quite a nuisance, but ChromeOS simply wasn't built with passkeys in mind, and so their introduction will require more time as, from what I understand, a low-level fix needs to be implemented, which could require restructuring the OS' entire encryption system. It'll take time.

Real

Fingerprints get hacked unless you use mark of the beast

bitwarden also will start using passkeys to logg in into master password (most likely at the end of this month). I still think 2FA seems the safest choise tho.

@@DroisKargva I read about that but how to use it was still never explained so I'm probably not going to use pass keys.

The reason why it's safer than a password manager is because there are no passwords at all. You can have the safest password manager, but if you stumble on a phishing site or a website gets breached, an attacker has that strong password. Passkeys use either your devices' internal TPM security chip or a USB security key with such chip to store a private key, the private key never leaves the chip and isn't stored in the normal filesystem. If you do get onto a phishing site and try to use your passkey, the information that an attacker gets is useless.

@@fabiandrinksmilk6205 hi. Thanks for explaining this. You seem like you know what passkeys are. So does that mean I physically need my device to log in to websites using a passkey? What if I lose my device or it is broken? Will I be locked out? Will I only be able to log in from THAT device? If someone takes my device will they be able to log in to websites since "they have my keys?" If there are no usable USB ports on the device I want to log into how would I log in if my passkey is on a USB? Since watching this video only two websites have asked if I want to use passkey but I declined because I didn't understand and the websites still never really explained what they were going to be doing and I don't want to accidentally lock myself out of my accounts the way my grandma accidentally locks herself out of her iPhone. For now I'm relying on 2 factor authorization, which I understand how that works and know how to get around if I lose a device.

You're right, every biometric scan will produce a different output so they can't be used to generate keys. It's used more like an authentication rather than a seed for key generation.

No. This is just single factor authentication, but this single factor requires a physical device so online hackers are out of the way.

It's not that 2FA is bad, it's just that it's too inconvenient for many people. Passkeys is a hardware-backed alternative to passwords, which prevents phishing attacks and like the video said, saves a lot of money for companies with costumer service that needs to reset people's password or for anyone with damages from getting hacked.

The new thing is the open source standard and the widespread use of security chips or TPM chips. The private keys are stored in that chip securely instead of your normal filesystem.

There's a white paper by the fido alliance that you can read.

It's an oversimplifcation, not 100% sure but I understand when you try to login it will prompt you to recognize some code, like a QR on a device you own. And authenticate with an existing (possibly local) method, like fingerprint. Yes, the keys *are* generated per device and are easily revokable if the account manager allows it. The way its setup it's 2 factor by default. Phone, fingerprint, account QR code to scan. It's kind of a lot and rather inconvenient if you don't carry around a device constantly. The second way of logging in is already covered by Google and they still allow you use passwords but this doesn't apply to other companies, it also may change in the future. The thing that concerns me is I'm not sure how they plan to impliment the "use this code to authenticate with passkeys" thing and passkeys management. It's a bit inconvenient to use a QR code the way its setup right now, not super reliable. and a bit liable to abuse if its implented too naively. Also transfering passkeys to other devices looks like an early problem. Same with 2FA

I'll stick with passwords. Why fix what ain't broken?

​@@jamestemple8970 I think this thingy is geared towards businesses and organizations, where there certainly are issues with passwords. In orgs a huge security issue is reusing passwords - it's de facto impossible to check if someone is reusing their workstation password at an online casino or their self-hosted wordpress blog or such. People also forget passwords all the time, and in a corporate or educational setting resetting passwords is often not trivial :/ A third issue with passwords is sometimes users have to be stopped from having access to resources, such as a compromised account or when a user leaves an org. If just username/password access is used, that can be an organizational challenge. I bet I still would have access to things like internal file sharing, bug tracking and web servers and such if I chose to remember the passwords of them.

Because they are broken @@jamestemple8970

Yes

If you have multiple ways to login, the weakest option ultimately determines the security. You should simply think about what works for you and how you would recover your account in case you lose or forget a method. Ideally, you should delete the other methods and write down the recovery codes to store somewhere save. That way you use your passkey for your daily login, but in the event of you losing a passkey device, you can use a recovery code.

Passkey is just a new term for different ways to login other than passwords. This video focused on a new form of passkey, which is the security chip (TPM) already inside your device, but USB security keys like the Yubikey do the same, but as a pluggable device that you can take with you and use on different devices. When it comes to backup, you actually don't need to buy 2 USB security keys. Instead, the website you setup 2 factor authentication or passkeys gives you one-time recovery codes. When you lose your security key, you go to the website and try to login and when it tells you to use your security key, you select recovery code instead so you can get into your account to block that security key and setup a new one.

@@fabiandrinksmilk6205 yes i got that also not the yubico key . now there is another key but not a object more to study .

I think this is going to be problematic unless people use a password manager with passkey support for cross platform support?

Just register another key for the same account on the Android. Done. Use either device to log on.

@@LivingInCloud1 but the thing is, how do you register that? I mean, what if for example my phone is lost and now I have bought a replacement phone. How can i log in to add another key? You would still need to use a password in this case I assume?

@@frituurvlieg In that case you need another way to auth. Always keep a spare FIDO key around as a fallback, that way you can get back in and also in a phishproof way.

@@LivingInCloud1 seems like a headacke. just stick with 2FA with TTOP and that solves all the problems

This. While my Macbook had a fingerprint scanner, I use it 98% in clamshell mode with external keyboard/mouse/display. No biometric scanner available.

I believe they mentioned, that device PINs, Patterns or Passcode would work as well. From 2:00 to 2:10 Also, a person should be able to scan a QR code and use their mobile device to scan and verify using biometrics using the hybrid method (as mentioned in the video)

@@daniel.s8126 user 1234

@@daniel.s8126 It's not brain surgery.

Google, Apple and third-party password managers will take care of that

It actually isn't 100% secure in that aspect. But this is the same for passwords. If you choose to use a service that stored your passwords/passkeys on a server, there is always a chance of it getting breached. But two things to keep in mind. You could choose to keep your passkey only on your device, or buy a security key to store the passkeys on. Another thing to keep in mind is that passkeys are still more secure in other aspect, like being phishing resistant.

You’d probably get a recovery code in case you lose the phone

iCloud chain already supports passkeys so you can generate one for that. Also, 1Password is coming up with passkeys support you you can use something like that for cross platform.

They will eventually, there is no need for the username in the traditional sense now

Pin.

same way you unlock your desktop.

@@jayantrohila But I don't ever unlock my desktop. Why would I? I also don't lock my phone.

@@nicolasparada What is the difference between a pin and a password?

@@jamestemple8970 that the pin is local to the device.

No 😅. Passkeys are a replacement for passwords. Once created you can use them by unlocking your device (that's where the face id/fingerprint comes into play). Also don't think of them as a master password, each account to each website could have it's own passkey.

it's like SSH public/private key authentication.

You OKAY there? I will add then more complications. Also, what happens if you break your fingers and burn off the face? How do you validate your identity then? And if police will believe your relatives, what if you kill all your relatives and friends? How can you validate then? If you still have workplace, what if it burns down and everybody will burn along the building? How can you verify then?

(the sending my documents part would be a long process considering that as I mentioned I would have lost everything in that situation, so it would take quite a while even just to get those documents printed and delivered back)

@@DarkH4X0 All you need is a new device, an ability to sign in to your Google account, then the PIN of your previous device to resurrect the passkeys.

Account recovery isn't going away, phone carriers can help you recovery your mobile number and backups can help you get access to your passkeys. The passkeys should be unlockable with biometric data so importing directly from a backup should be possible in future. Google aren't removing password logins *for now*

Advertising ID

Phishing protection. And it's easier to push normies using passkeys than a password manager.

@@_Hespro_ password managers aren't super strong because they don't strictly prevent phising attacks, just make it slightly more resistant if it has a safe autofill. Worse password managesr are liable to database breaches where as passkeys are very *very* strongly compromise resistant since the authentication credentials are local only. and *encoraged* to use biometric backing

Fingerprints get hacked unless you use mark of the beast

@@Comments_From_All_Channels having a fingerprint is useless in passwordless because its tied to an authenticator with 1 device. only maybe being at risk if you break both a cloud backup of the pairing, and phish a fingerprint, and restore the backup without it being flagged, and don't get kicked out for using a new device

How would they unlock the stolen phone?

@@LivingInCloud1 I mean you wouldn't be able to login anywhere.

@@chadsexinton Create another key on a FIDO and also in Windows Hello. Done. 🍺🍺

@@chadsexinton Also, you would have an iPhone keychain backup?

That was one of the many questions I had.

Yeah I mostly agree. Passwords will never be truly gone. But they should be rare, you should only have a handful of password to very important accounts/devices. I looked in my password manager, I have 500 passwords. 490 of them could easily be replaces by a passkey.

You are questioning that passwords breaches are useless because the passwords could be hashed? 😂 You can brute force them, you can run a huge list of known passwords and their hash. You can use dictionary attacks, you can use credential stuffing. There are so many ways of breaking into an account protected by a password. With passkeys these attacks don't really exists.

Its not. Its agnostic to how it is being secured itself. But biometrics are a common way to secure the Passkeys.

usar la contraseña o pin almacenada para iniciar en tu dispositivo, además debes adaptarla al cambio en caso de que decidas cambiar la contraseña

You can create passkeys within your browser, i imagine you have to be logged it for them to be saved

Windows Hello, FIDO Keys...

Excelente sistema de protección

Only public key is stored at google, and is useless when compromised. They could only sign in to google with it. To compromise passkey, you would have to have your private key compromised which is on your device

@@lorkano I thought "passkeys synchronise across devices" using Google Password manager? If so, that would imply that Private Keys are also synced across devices = stored in the cloud?

they could already do that when you use Google Password Manager with passwords. I'd put more trust in 1Password or another password manager

So? How would they get into it? You do secure your devices already today we hope?

multiple ways, you can share access to the same passkey with a password manager like 1Password or iCloud Keychain. But most websites that implement passkeys will allow multiple passkeys, so you could add them for each family member or friend.

Register multiple fingers. If Hello, use also PIN and face recognition.

real

because earlier we do not have quantum computers. we are in a different ERA now. your password can be cracked easily if you don't make one that is 20 alphanumeric password with special characters.

I use KZbin that’s basically all…

It's actually not much different. If you forget your password you also need a recovery via email or something else. It's the same with passkeys. Also, passkeys are usually backed up in some cloud, like with iCloud Keychain, Google Password Manager, or 1Password. Also, why would it be "Good for corps" when you loose your passkey? they just want you to sign in quickly to use their website/app.

passkey is not the same as a fingerprint or any other biometric. why not: passkeys are stored on your device, and you can only access them once you unlocked your device. It is not a device token, it doesn't even indicate what device it was used from. It is a public/private keypair, yes. If someone steals your fingerprint, then yeah they could sign in using your passkeys. This argument comes up a lot, but how common do you think that is? Believe me, you would have so many more problems if someone is specifically recreating your fingerprint 😜

this is good approach. what if robber comes and grabs your phone and forces you to give him your phone pin. then he can use passkey to access any resource from your phone.

​@@DroisKargvawhat is the same robber just demands for your bank password instead then? it's the same deal really almost ALL account hacking is done through phishing attacks and data breaches, which passkeys are MUCH more resistant to

If you do allow them to. Passkeys require you to have a biometric way of logging in, so a password can't be used to use a passkey.

Fingerprints get hacked unless you use mark of the beast

@@xE92vD finger print are easy to get when you are drunk or asleep. password don't. unless elon musk find a way to find your password using his neurolink 😂😂😂😂😂😂

@@Comments_From_All_Channels Was locked out of my own phone once cos the phone didn't recognize my own fingerprint. Had to do a factory reset to get back in.

You can still use 2factor, go to your security settings

Agreed, this whole thing is convenient, but must be corporations wet dream, knowing you location, phone number, etc, all through one convenient tracker.

Why? Google will always watch your back.

@@Carlito_El_Gooner They actually had a breach a while back... I'd use 1Password...

Google said in a blog that your pass keys are send to end encrypted so Google can't access your login credentials

​@@camoelmaobut google knows what encryption is used. And they most likely have the resources to break the encryption.

@@camoelmao i believe these would be stored locally on the device the only thing google would have access to is the public key

If you say password sharing, do you mean having access to another person's password so that you can log into their online accounts?

I think so

Woow. From a security standpoint, that is quite inappropriate. If letting other users access your online account(some controls) is the goal then a delegate access will be the best way to go where they will also have separate credentials to log in. However, if existing password managers allow for password sharing, then allowing for passkeys sharing with others should be possible now or in the future based on user requests.

@@mickeymond Yes like with Netflix and other paid services where sharing is caring, and brings down the cost by division, that corporates absolutely hate and go through hoops to have you stop.

@@nagarajansubramani 🤣🤣🤣 Then let's pray hard that Netflix and the likes do not migrate to Passkeys soon. And even worse, make it a mandatory login technique. Profiles in Netflix could be sub accounts that also log in to Netflix but enjoy their parent account's subscription but I guess it isn't a win for Netflix so they won't do that. Passkeys can actually be a frustration for Netflix account sharers a whole lot.

Bro, don't mention fingerprints again. Once my phone did not recognize my fingerprint no matter how much i tried. I was locked out of my phone and had to do a factory reset to get back in. Lost everything.

Depends where you store your passkey, the private key can be kept on your device or security key if you want. But by default they will most likely be stored in a password manager in the cloud, like 1Password or iCloud Keychain, which have both never had a breach...

As long as you have ANY way to get in, you are fine. I have registered Passkeys on my FIDO key, in Windows Hello and on the iPhone for the same account so pretty much whatever happens I will get back in unless there is a fire and all devices are lost. Place a key on a cheap USB FIDO and store it at your parents house. :)

Also, you can not view Passkeys as a kind of passwords. They are based on the FIDO spec and are not phishable. They are FAR from passwords in a technichal sense.

​@@LivingInCloud1 Clearly, no one is complaining about the scenario where you still have access to an already whitelisted device. What happens when you run out of ways to authenticate yourself? How do you prove that you are who you say you are? (Yes, let's assume worst-case scenario.) The only thing I can think of is an account recovery system that necessarily hangs on one-factor authentication. But to take one step backwards defeats the whole point of 2FA. You wouldn't be able to rely on the device having the same phone number, for that is insecure and naive. The whole notion of passkeys and 2FA appears to be self-refuting. On the one hand it asserts that passwords are the problem, while on the other hand it makes heavier use of passwords to solve the password problem. Sure, passkeys are a step above passwords in the sense that they are cryptographically strong and use a public-private key combo, but, lo and behold, a password in the form of either biometrics, face scan or PIN are still part of the picture. As far as I can tell, 2FA is not about protecting the user from other users. As it stands, it benefits companies more than it does users. It is no surprise why no one claims it is a perfect solution, and simply resort to it being a "better solution." Not even FIDO attempts to offer up a solution for cases where the user has lost all possible forms of authentication. Instead, FIDO places that burden on companies to come up with a solution for that. But I have yet to hear of anyone proposing a solution. Granted, it is not straight-forward to solve, but forcing people to have 2FA before a solution is implemented is absurd.

@@YourComputer In a company setting, its a no-brainer to use Passkeys as there will be an admin available to let the user back in. Private accounts may turn into a problem, so again make sure you have multiple ways to authenticate. Like an extra FIDO at your parents house. ;) The added security is easily worth the small cost of a FIDO. PINs are involved for sure, but only on the device itself. That PIN is not possible to abuse/guess over the Internet, like a password is, for an attacker. There is a reason Passkeys are invented and the fact that you have to go to extremes to find a "weakness" is telling. What if you forget your password, lose access to the recovery e-mail address and your phone breaks down, all at the same time? What do you do now? :)

@@LivingInCloud1 Yeah, in a company setting, replacing passkeys is not difficult. But the issue with passkeys would still apply, in that losing the key and the key falling into the wrong hands, anyone with that key can enter. It would be no different than someone gaining access to your phone which has all the passkeys stored on it, therefore gaining access to all accounts that make use of passkeys. Like Google said, "anyone who can unlock the device can sign back into your Google Account with the passkey." The fact that something like SIM swapping exists is what makes worst-case scenarios difficult to impossible to account for. In the worst-case scenario where you lose all possible ways to authenticate yourself, how do you prove that you are who you say you are? You can't rely on the phone number, you can't rely on your home address, you can't rely on your full name, you can't rely on even social security number, etc, etc. If you can verify yourself by means other than 2FA, then 2FA is rendered useless. So long as I can pretend to be you, it wouldn't matter how many passkeys or secondary devices you have. For as long as this issue exists, 2FA will offer nothing but a false sense of security.

❤