Passkeys: The Future Of Authentication 

Diffie-Hellman key exchange paper was published in 1976. RSA came in 1977. PGP in the 90s. 2011-2013 Facebook SSL/TLS by default. 2012 HSTS RFC release. It has been a looooong and slow journey.

Indeed, essentially that's what PGP does. Problem is that now hackers will go after the keypass server, and with that they just got unlimited passkeys by pairing it with user's public key. There are always pros and cons with virtually everything.

​@@BillAntwth is keypass server

You cowards probably didn't even read PGP: Source Code and Internals (1995)

@@radomane Hehe and the exact same concept with Bitcoin keys being used to sign transactions.

Right, and now hackers will go after the passkey server, and with that they just got unlimited passkeys by pairing it with user's public key. There are always pros and cons with virtually everything.

I guess as long as there's a good open standard API which automates most of the auth steps, it could be a practically seamless experience.

​@@BillAnt what's a passkey server? There's no 3rd party server involved. This is password login but considerably more secure by default.

Same

@@Megaranator some password managers like 1password store passkeys in their servers. Device passkeys might also be stored somewhere else when it's not physical key and could also be stolen by malicious software. And if it's a physical key, then manufacturer could be storing origin keys without your knowledge. Buying a physical key from someone is like asking other company to create your password. In all, passkeys are worse than long good passwords since it's cryptographic keys are stored in digital media. Add simple 2FA TOTP and it's good enough.

If soneone has a good password, changing 2-3 chars doesn't make it easy to guess. If you have a key logger in your system you can have all the fancy protection and won't help.

​@@danielratiu4318we know that it'll go BobbyIsTheBestDog1 > BobbyIsTheBestDog12 > BobbyIsTheBestDog123 and so on.

This password changing bullshit is SO ANNOYING and really isn't needed. And yes people come up with the simplest password possible knowing they'll have to changebit soon anyways

Yeah, 90 day password rotations are insane when you already need like 8+ characters, special, number, capital, etc. Meanwhile my PHYSICAL access 4 digit combo (lmao) has been the same for 6 years.

It’s been NIST recommendations to not have frequent password changes for years now. The only reason it happens is because every other aspect of security is not even spared $10, so they assume the passwords get leaked frequently as well without even doing the most basic of security practices “becuz it costs too much”/“it’s too confuzing >:(“.

Basically you're sending a locked "container" for your secret data.

this is such a nice example, my teacher used this exact example back in school

Albeit not exact thisi s a very very VERY good analogy that I am going to steal real quick for when I have to explain this.

@@diablo.the.cheater a VERY good analogy indeed

Nice explanation. An asymmetric key pair has two keys, and both can be used to encrypt and decrypt a message. What makes the padlock "public" is that is sent over the network and should never be trusted, because someone might have seen its mechanism of encryption.

Awesome, that means there's a place for you to make a good in-depth video that explains the topic better! I'm subscribed, looking forward!

Theo confidently says a lot of misleading or wrong stuff, I always watch his videos with a grain of salt nowadays.

@@Melvin420x12 challenge accepted. luckily for me I made a full arbitrary bit length base rsa implementation in js in 2012 from the ground up, and a php rsa implementation using gmp for end to end encryption for my home brew rich chat server... all free for any use and open source- no integrated license. are we taking mechanics or a deep dive on the processes behind it, Or a discussion of the top level programs that use it that end users will be exposed to? or just a live rewatch of this video with tangent cut aways to fill in missing info? I'll always say that the best way to understand these things is to go code them yourself. let me know if you can solve the division issue. I gave up optimizing it over a decade ago.

@@Melvin420x12 apparently my reply got deleted. didn't say anything off... no links, no mention of any other site or self promo.... just a description of my previous efforts in rsa.

looks like I've been shadow banned. ha.

I'd say the risk is about the same if you lose the device, but significantly lower overall. I mean, even today, if you lose your device, and the thief could log in to your device, they'd likely have access to all of the accounts you check "keep me logged in" on, which likely includes email, which then includes nearly everything. Even still, if you lose your computer, it's a matter of invalidating the passkeys and you should be more or less safe. The point is: you'll know when you're breached, which is not the case with a password. Now, when you weigh that (worst-case) scenario with all the different ways passwords can be stolen/compromised/leaked/forgotten/etc., passkeys come out FAR on-top when it comes to security. The fact that with a passkey you can only sign in with the device (no way for remote account breaching), we're looking at a significantly smaller attack surface, with pretty much the only weakness being a thief with 1. physical access to your computer, and 2. knowledge of your computer password.

Better than 2fa where the secret is stored on the server side, yikes.

I think there's a relatively simple solution. Use a single password on the client side, use passkeys on the server-side. Passwords on the client side are used to decrypt the passkey into memory, use it, then immediately drop the memory. The server then can see the certificate is valid while never seeing your password. One might recognize a similarity to using an encrypted password manager that is accessed via your password. It's essentially the same thing, but now not even the server knows your real password, *nor* the passkey. Just the public key it corresponds to. This is simply far, far safer than what we have right now. And it comes with the added benefit of uniformity between large passkeys, meaning vulnerabilities like rainbow tables become utterly impractical. Now the only risk is you losing your password or writing it down somewhere. Rather than sending your password off to a server which is run by incompetents who end up leaking your password out, as we did in the old days. And still do, haha.

That's why you need to set a PIN or fingerprint for your passkey authenticator. Stealing a physical device is still way more effort than phishing, which is something that's effectively mitigated by using passkeys.

Agreed

Hopefully it also leads to better user experience and a good best-practice on how to secure all of it.

yeah. auth apps which do not let the keys out again. Posibility of having a second key for the site, login data is also something. Only e.g. passkey or another solution, in one yubikey etc. How to 'back up' this? I do not have a working solution for this/for me. Or it's not practicall for things that are on the highest level of importants. Or how is the fall back? Often you can do a 2fa with yubikey etc, but when the fall back is still email or a phone number... I do see the benefits against phishing with passkey but I also feel not good with it when it's in a phone. e.G. Google/android. When you use googles auth app, your phone breaks or get's stollen and you have no other google account/phone which is active, you really have a tough time getting that account back, even when you have the password.

Don't use Auth Google. Please. Use any other service.

​@@nopenope1for yubikey you should have two, one to carry with you and a another for backup in a secure place (or three, if you wish)

@@Waine2000 MS auth ;)

@@Waine2000do you mind elaborating

@@myspace_forever You still need credentials to create an account in the first place, so it's not "just using passkeys", innit?

Yeah, that's completely fine and equaly safe as passkeys. No need to change. Maybe MFA is a point, but most password managers support it today either.

I do the same as you. Except for clearing the clipboard. Thanks for that recommendation. I usually enter the password first so that the last thing I copy is the username. But your idea is better for sure as different systems sometimes store the last N clipboard items. I believe this method is perfectly safe so long as your PW database is appropriately protected. No one is guessing those strong passwords. The entire reason people say "passwords suck" is actually because users suck. Only ONE member of my family uses a password manager. Everyone else does the same nonsense of reusing the same passwords and making them combos of words and numbers that have significance to them (i.e pet_name+birthday). And of course they STILL forget them all the time.

@@turc1656 Yeah, clearing the clipboard is something not that obvious, but it's yet another way one might accidentally leak passwords. Many (most?) password managers have support for setting a timeout for that, like e.g. KeePass and its forks and variants and bitwarden.

Yeah, exactly this. The only online password I truly have to remember is my Google account's password because all my passwords are stored in the password manager included with it. I just have a ludicrously difficult password for that Google account that is impossible to guess and have had it memorized for years now. It's better than having multiple passwords to remember, or passkeys for that matter. Also, I kind of hate how the trend in authentication is going towards mobile phone dependence. Like, for me, a phone is pretty much disposable, and in a place like Karachi, Pakistan, can easily get snatched. Some forms of 2fa legitimately leave you locked out in those cases.

Sounds like the amount spent on both employees interacting: the service desk and the employee that needs the reset.

@@mosescosme8629 Yeah and out of that $15 go to mr Yacht

I don't think Theo or the writers care about real security protocols. Neither mention integration of auth chips to biometrics and passwords as a holistic system. They just want to talk about magical logins without the "effort" of passwords etc.

Agreed! I've stopped watching this video after seven minutes, because Theo is getting a lot of things wrong here (his drawing on how public/private key cryptography works, stating that you can only encrypt with the public key (which is wrong, because you can encrypt with a private key and then decrypt that with the public key), confusing Diffie-Hellman with RSA)

You are right, I did the same. After 7 minutes it was too much for me, even I am not specialist in this matter. Dear Theo, please make something to keep it "legit" - we can help with some proof-reading or suggest some articles, but you need to make something with this - what you told was just bit too far from true and with your fanbase it will hurt the public if someone will not rectify it imho

Lock in? How?

I fear what happens when my phone is broken or stolen 🤔

@@PavitraGolchha depends on what manager you use for passkeys. This won’t be an issue for example if you use the native passwords app which is on all Apple devices.

​@@PavitraGolchha Pretty sure Apple devices back up to iCloud and Google & Microsoft back up to their password managers as well. It's no different to if you lost your phone that you used to generate TOTP codes before, or a physical FIDO2/U2F security key.

How do you lock in someone to a services with passkeys?????

🤦‍♂

Depending on your password manager, they can change it for you with a random generation

ok I'm wrong. In above approach, servers will see user's device-specific password. Meaning if user signed into one malicious server, the server can then use this password to login other websites. While using digital signature, servers cannot see any secret of the user.

Yeah, that's basically what we're doing. The asynchronous cryptography stuff is just to add a bunch of extra security, better prevent pfhishing, and all that juicy stuff. Your system covers the main bases though. But once you have that system, it seems silly to not use public key cryptography on top since it's effectively free. Of course, this assumes you're properly salting, peppering, and hashing your passwords.

No, since Passkeys have phishing prevention. If you copy/paste the password into the wrong website, it’s compromised. But the passkey system ensures a hostile website can’t use the challenge response to log into your account.

@@Skyb0rg The password manager can have pishing prevention as well by just checking the URL's for you, this is not a counter-argument.

@@diadetediotedio6918 That isn’t always possible, ex. desktop apps which use web login windows. And it doesn’t rely on the security of an SSL certificate matching the domain name to the server, since password managers can only do text matching (though I’d agree it’s very hard to have that happen).

​@@Skyb0rg But it is possible, my point was not about "the lowest safer password manager", it was about password managers in general and their best capabilities. A steelman of this argument would follow this lines: "A good password manager with pishing protections (for example by having an extension in the browser that checks the certificates and stores them when creating accounts) and good password protections (for example, that never shows the user their passwords, that generates strong and safer passwords, that keeps them encrypted all the time but on the act of login, that never repeats passwords, that associates passwords created with the sites they were created, etc) equates in security level a passkey".

Passkeys are waaaay more secure than passwords for several reasons: 1. They are phishing resistant. Yes, password managers can help mitigate this risk, but only to a limited degree. The average user would probably think their PM is bugging out and mindlessly type in the password manually. 2. Passwords can be stolen even if you have good security practices. Data breaches happen all the time. With passkeys, even if a data breach occurs your authentication secret is not exposed. 3. Passkeys have cloning detection. Each time a passkey gets used, the auth response will contain a counter that monotonically increases. If the value ever decreases, that indicates someone cloned your passkey, and the web service can detect that to prevent unauthorized access. Lastly your password manager can also be protected using a passkey stored by a hardware key like a Yubikey. That provides the ultimate protection since you no longer have a master password which can be exposed.

That's where phone-based passkey auth comes into play. Most modern devices (Macs, Windows 11 [but not 10], Android, and IDK about iOS but Apple's pretty good about this so maybe) support using your phone to scan a QR code, the phone signs the request, and sends it back done and dusted. Lets you use your phone just like a FIDO2 security key. Does not create lasting credentials on the device; only one auth session.

Don't worry, clever hackers will figure out a way around this too. heh

Technically it's on the service to allow you to create multiple passkeys somehow. I was already working on implementing primarily-WebAuthn authentication for a bit now when this video came out and my scheme for multi-device auth is simple. You use an authenticated device (one that used a passkey to log in) to accept a request for a new passkey. New passkey requests themselves must be made with a password. This scheme is inherently less suceptable to social engineering since, with a decent UI, it's made clear to the user that they're authorizing a new device to use their account-not simply logging in. Even if the request password gets leaked somehow (password should be treated with normal levels of password security; salt, pepper, and hashing please), say through a phfishing site, the most they can do is do auth spam. The nice part, though? They can just reset their passkey request password and the auth spam goes away.

​@@BellCube - That's exactly what this video's sponsor does, it's a master password repository for creating duplicates in case a device is lost or stolen. Basically entrusting your passkey's master password to some cloud service.... what could possibly go wrong?! lol

@@BillAnt Yeah... that's not the point of the comment. The point is that there are solutions for the key duplication problem that don't rely on passwords to keep themselves secure. The scheme I mentioned only uses passwords as a form of required MFA and everything possible is stored on the user's devices. No third-party providers in sight.

Yep, unless your private key is being synced across devices

Yep, either server has two keys or you share the private key using an app like 1Password. By default it’s the prior

@@SharlosRevenkai Cross Device Authentication is also an option -- effectively sending the authentication request to another device without really syncing the keys. With persistent linking, the other device just becomes another option among others from which you can choose when authenticating. This isn't cloud syncing since I'm not even signed into my Chrome browser on my laptop. It basically communicates via bluetooth somehow. That's the one complaint I have about passkeys though that is making it difficult for us to really adopt it more at work. The UX is great if you are all-in on either the Google ecosystem or the Apple ecosystem, but less so if you have a more heterogeneous setup, like a Windows laptop and an iPhone. You can either use the OS level platform authenticator and bind the passkey to that single machine (which probably isn't going to sync anywhere) or use your phone, but since Chrome and iPhones don't support persistent linking between each other, you have to scan a QR code on chrome every time. That was a pretty common scenario that failed our UAT process. Things like Bitwarden (and 1password, I'm sure) kind of side step that issue at least on desktop. I'm not sure how/if password managers can be used as a passkey source for mobile yet. I sure haven't had much luck with it, although my primary testing ground has primarily been an Android phone running GrapheneOS rather than the standard Goolge suite.

or you can have the hardware device also store the origin so it authenticates the site before releasing the credential information back to the site. This is in fact how it works as this is all basically FIDO2 being rebranded.

Good hackers will find a way around it, either by directly stealing the algo from the keypass servers, or by social engineering. If there's a will, there's a way, and when million$ or billion$ are at stake, they'll do anything to get it.

​@@BillAntpasskey server?

​@@quinnherden - Yes initial key-exchange and time synchronization servers. Guess who sponsored this video?

​ @BillAnt If we look at the WebAuthn standard (what everyone considering passkeys should be using and, frankly, is probably talking about), here's why neither of those is a viable option. 1. Nabbing the Algorithm The algorithms used are all open-source and usable by anyone. A proprietary alrogithm is, in my opinion, an insecure one. The whole system works on zero-knowledge proofs, as one of the comments before noted. You have to prove you know something without ever telling me what it is. 2. Social Engineering We'll start with the fact that it's outright impossible to get the private key out of a device without root-level remote code execution with and, on 90% of devices (with the number increasing as newer devices are used), impossible without outright physical hardware access and a lot of reverse-engineering work. Realistically, you're not getting that private key. So let's try getting the user's browser to sign a request for us. First instinct might be a MITM attack. WebAuthn is only available in secure contexts (file URIs, localhost, and HTTPS). Well crap. OK, let's try using a phishing site. The WebAuthn standard requires you to sign a request for a particular server identified by hostname (like something like "auth.bellcube.dev"). OK, let's try spoofing it. Well, darn, the user's browser won't sign a request with a hostname other than the one in the browser window. Let's use our own hostname and try to pass that on to the real server anyway. User has no passkeys for this hostname. Shoot. But let's say they're using a badly-coded device that doesn't store keys with hostnames. You get them to sign your malicious request with a valid. So let's pass that on to the real server. Shoot, they denied it because it had the wrong hostname.

That's where phone-based passkey auth comes into play. Most modern devices (Macs, Windows 11 [but not 10], Android, and IDK about iOS but Apple's pretty good about this so maybe) support using your phone to scan a QR code, the phone signs the request, and sends it back done and dusted. Lets you use your phone just like a FIDO2 security key. Does not create lasting credentials on the device; only one auth session.

@@BellCube Thanks for the info. Now that you say it, it does sound very obvious. Just use whatever authenticator app is already on your phone. It still rubs me the wrong way that my private key is stored on an easily losable/stealable device. But with most of my concerns addressed now so I'll just trust that devs that are smarter than me or have more experience than me have figured this out (or will very soon).

@@borerofhope Better than an app-this is part of your phone's OS already!

The reason we haven't tried biometrics is because of the pfhishing potential. You've only got 11 reasonable sources of biometric data-10 fingers, one face. Most people only use 1-2 fingers or one face; they don't mix and match. Once your fingerprint is pfhished once, every single service you used that with is now compramised. Again, you only have one face. Can't change it if it gets compramised, either. Other problem with biometrics is that you can't use the to sign data without just being a private key with extra steps. With biometrics, you have to use fuzzy matching because the sensors aren't perfect. "Is it close enough" is all we're looking for. Which means you have to have some data to match against already. If you try to sign something using the raw sensor data as a key, you basically get a pseudorandom string back. Now, you could try using biometrics locally to initiate a signing process using an on-device private key... oh wait, that's what we're doing already with WebAuthn!

Yep, while watching it I was like wait a minute.... a rhombus is basically a parallelogram like a diamond. heh

Pedantic, but wrong. A square is by definition a special sort of rhombus. The same way a cat is a special sort of animal.

Square extends Rombus {

does it make u happy correcting minuscule mistakes in other's speech xd

I used to read Better Explained a lot because I was taught to remember math formula without understanding anything. Now I usually appreciates math a bit, a lot when it’s explained. The difficult part for me is that my foundation is so weak, I have to look up every concept that most explanation refers to.

​@@RobGThaiImo the fact that you need to look up every concept math related is not only due to your lack of foundation, but also due to the way math works. Every definition, if not based on the axioms themselves is based on another definition. From those objects we derive properties and theorems (aka the truth). To understand any concept in math, you take a definition and start digging. You become good at math when you've digged enough and enough times that you don't need to look that many concepts anymore, because you know them. It's similar to learning a language, except instead of a dictionary of what a word means you need a degree-level experience to start to get it.

In theory the advantage can be of passkey is that the key is stored in hardware where it can't be exported.

​@@autohmaeBut why couldn't it be? It's just information right?

@@crancpiti look up what a ARM secure element/trustzone and TPM (trusted platform module) and Apple Secure Enclave

Max password length is dumb, but you also shouldn't be resusing passwords on different sites.

Same thing with passkeys. They're protected in your systems keychain just like an ssh key

In an ideal setup (which is 90% of devices in 2024), the private key is generated on a separate hardware device like a TMP module or a FIDO2-compliant security key (like a Yubikey). The key never leaves the device, either-all you get are the signatures and encrypted data you ask for. The device can implement their own forms of user verification; for example, when using my Yubikey with Cloudflare, they require me to use a PIN with the key. There's a bunch of security measures in place that make it effectively impossible to pfhish even a single signature out of a device without direct software access, too. And on mobile, it's locked down by app.

Most services are older than the tech's adoption into browsers, frankly. Hard to switch to passkey-based auth when all of your users use passwords. When this video came out, I was already working on a service that used WebAuthn as the primary mode of authentication. With my auth scheme, you have to request a new passkey from an authenticated device. You get no notification on your devices so you have to go to settings to approve the new device for yourself. Additionally, requesting a new passkey requires you to enter a password that only exists for this purpose.

@@BellCube I’m not expecting anyone to make passkeys the only method of auth for all their users. But they should allow any individual user to do so.

Passkeys will thrive in enterprise. For regular users? Most of them don't use password manager so I wouldn't expect them to use Passkeys

Because passwords are just better.

@@Aerroon one time use? sure... long term and for critical accounts? don't joke, unless you are _jiatan_ type agent

At least on all Apple devices, with the apple passwords app, it natively therefore supports passkeys. Most of my passwords have therefore become passkeys

@@game_time1633 And what happens if something happens to your apple devices and you have to use an Android phone or a Windows PC for a bit?

To clarify, WebAuthN wasn't renamed to passkeys. Passkeys are a technology built on the FIDO2 spec, which in turn is composed of two protocols, WebAuthN and CTAP2. Passkeys are actually just a rebranding of FIDO2 resident credentials.

They don’t require a password. If you use them as a passkey, all you need is the yubikey (and possibly a short PIN). Of course, you can also just use them as a 2nd factor for logins that still require a password, too, but that’s not what this is about. Passkeys go a step further and get rid of the password. If you are concerned about breaking or loosing the yubikey (or any other hardware key that supports Fido2, for that matter), just get a second one as backup and set up all accounts on both, but only use one for regular usage and have the other one in a safe place.

@@johannesloher2817 I use it at work, and we have to enter in a password every time we use them for authenticating in an application. Maybe my situation is different. Also, setting them up on the computer was a pain in the ass.

​@@johannesloher2817 Some services do request that the authenticating device do something called "user verification"; for a standalone FIDO2 security key, this typically means entering a PIN. Not all services request this.

@@johannesloher2817 Getting rid of all additional factors so that only the passkey is necessary will be a monumental blunder of predictable mayhem.

My work requires a min 12+ alphanumeric special character password + yubikey. I actually want to stab out my eyes by the time I get into every application required just to start work. The yubikey is wire chained to the actual PC too so hopefully it's in a port you don't mind sacrificing forever cause it's not moving 😂🫠

There's nothing stopping web services from setting up their own proprietary login system today. The reason FIDO2/WebAuthN supports restricting certain authenticators is to help mitigate risks from untrustworthy authenticator manufacturers, and even that functionality would really only be used in corp scenarios. For example, your company probably wouldn't want to allow authentication using a hardware key manufactured in Russia.

Real, data collection in disguise.

Ok but it's actually good info, which isn't a clerk specific feature. Passkeys are awesome for UX and security.

To be fair this is a really big issue ATM and we're even talking about this in my work right now. So, it's helpful.

What's the problem 💀

Tbh really liked the video

you store the passkey inside of 1password. 1password gets installed on all your devices. Even if they get your phone, they have to know the passwordto y0ur 1password

@@alastairtheduke i store ma password in passkey the same way now its a 32 random utf8 symbolic password. Basically nothing changes

A better way would be to use fingerprint instead of the password. All u need is a scanner and your hand. Kinda more continent that either passwords or passkey imo

Physical access to your device is pretty much always doom if the attacker knows their stuff. Steal session tokens, nab saved passwords, etc. It is on the service to allow you to create multiple passkeys somehow. I was already working on implementing primarily-WebAuthn authentication for a bit now when this video came out and my scheme for multi-device auth is simple. You use an authenticated device (one that used a passkey to log in) to accept a request for a new passkey. New passkey requests themselves must be made with a password. This scheme is inherently less suceptable to social engineering since, with a decent UI, it's made clear to the user that they're authorizing a new device to use their account-not simply logging in. Even if the request password gets leaked somehow (password should be treated with normal levels of password security; salt, pepper, and hashing please), say through a phfishing site, the most they can do is do auth spam. The nice part, though? They can just reset their passkey request password and the auth spam goes away.

@@MrJloa Problem with using biometrics for non-local authentication is pfhishing. Bluntly put, you've only got 11 sources of biometric data-your fingies and your face. Most people only use 1 or 2 fingers or a face. Mixing and matching is rare. If your password gets compramised, you can reset it. If your device gets stolen, another authenticated device could be used to revoke access. You can't change your fingers. Once your biometrics are compramised, they're compramised.

That's the real tradeoff, now isn't it. Even if you have a hundred passkey'd devices, you can lose all hundred of those and lose access. There's a distinction I heard once between different authentication factors. "What you know" would be something like a password or your mother's maiden name. "What you are" would be biometrics (fingerprint or Face ID). "What you have" would be something like, say, a private key stored deep in the depths of your machine's TPM or similar kind of hardware authentication chip. The problem with "are" authenticators is that you only have one set of fingers and one face. Password reuse ensues. Someone pfhishes your biometrics and you're done for. Can't use those. I think we've all seen the problems with "know" factors by now. You forget, it gets leaked, the database gets hacked and it turns out the service only encrypted the password with an encryption key that's RIGHT THERE and now they have the password you used for 100 different sites because password reuse is very common, etc. "Have" factors are the last remaining bastion. But, of course, these are suceptable to losing access. But so are your glasses. So are your car and house keys. So is your phone. So the next best option is to do what you do with your car and house keys. You make copies. So, the tradeoffs tl;dr: "know" (passwords, mother's maiden name) is suceptable to leakage, forgetting, and very much so to cracking "are" (biometrics; fingerprints, FaceID) is so pfhishable it should only ever be used locally "have" (keys, devices) can be lost relatively easily

12 in one keyboard? Wouldn't that make it easier to predict?

@@quinnherden Guess it depends on the AI. If it just predicts the volume of each keystroke, it will not work. But let it know and hear a few sentences I have written and I am out of luck.

It's even worse for small business who might need additional software or hardware to just use a more secured device/ system... most probably just don't.

If the service lets you use "resident" credentials (a passkey that can only be used for one device), your phone's passkey (a"roaming" credential) would serve more as a backup than the primary authenticator. Using a resident credential on Windows, for example, all you do is type your Windows account password into the prompt that appears and you're off to the races.

​@@PrograError At least for newer businesses and businesses who keep their software up to date, you usually aren't on software/hardware so old it doesn't support WebAuthn or other implementations of this system. Windows 10 and Chrome; decently-recent versions of Android or iOS; those are the only things you need.

If a hacker compromised a service, that usually means they have access to the service, yes.