I appreciate the presentation, Shannon. I do think that Passkeys become more ubiquitous, I will stick with a password manager, complex long passwords, 2FA wherever possible, and different passwords for every site.
Here's why I think passkeys could potentially be better. A smooth passkey experience could mean easier login. Then logging out at the end of each session instead of "remember me" would mean no valid auth token that can be stolen between sessions. Stolen auth tokens are the primary weakness of hardware MFA.
When I upgraded my iPhone last week I had a bunch of issues where the passkey was valid but it was using an old password in the Microsoft wallet instead of the Apple chain.
@jmr I appreciate the teasing, but also in many cases members don't get to choose their technology; their employer does. So I try to be agnostic and treat it like a tool in a toolbox. I don't get mad at my hammer because it's not a Stanley.😏
Great video! Something to consider: I recently had a crash during the holidays and had iCloud secured with hardware keys. I had the hardware key, but macOS (admittedly beta) crashed every time in recovery mode when checking the hardware key, so I eventually lost all the data on FileVault. So be better than me: consider all points of failure and don't use half-popular authentication methods.
Thanks for sharing the pros and cons. I just ordered 2 yubikeys and will try out passkeys. As head of our IT dept, it behooves me to be aware of all options to be able to enable end users to best protect themselves.
@arkvsi8142 As Andy mentioned, LOCAL is the key here, if you DON'T trust ONLINE password managers! I've been using local KeePass for over a decade (!!) and I found it REALLY secure, if you know what you are doing! And EVEN if 1Password, or Bitwarden, or other ONLINE password managers get hacked, your MASTER KEYS will never leave your local device (USB storage, laptop/desktop etc). HIGHLY recommended!
Ranked choice: 1. Passkey, 2. Strong Password + MFA, 3. Strongest Possible Password. Take steps to control your devices so multiple factors are needed to add a device (resulting in a passkey being added to a new device), and be sure to pay attention to notifications about new devices.
Question: since NFC has a lot of vulnerabilities, if I'm not mistaken, can you use a small iPhone Lightning or USB connector? Is that possible with a YubiKey?
This is about the third time I've looked at passkeys and you've done a great job. Thanks. For myself, at this point, I feel passwords generated by a password manager and stored by the same are the way to go. Passkeys are attractive but still too new, and I can see them being a slowdown as one site may use them but another may not. I'll keep your product in mind.
Great video, but I must admit, I spent much of it asking... "I suggest we form a..." form a what?... the suspense was killing me! For much of your video, I felt like Ralphie in A Christmas Story, anxious to decode the secret message from Little Orphan Annie but with no secret decoder pin and only my wits. 😜 Finally, I was able to see the word 'calming' and with the power of AI search, I found those shirts with the phrase "I suggest we form a calming circle." Mystery solved! ☺
If you lose a hardware authenticator, you need to have a backup one or to have recovery codes that you saved when creating it. If you lose a software one, most platforms are going to sync them in the cloud, so you will be able to recover them on a new device. Also, can you use the same passkey for multiple websites/applications? => No, a passkey is completely unique and bound to a relying party (= website) domain as a security measure, so if you happen to be tricked into going to a phishing website, no passkey will be shown to log in there as the domain will be unknown. And on multiple devices? => If you mean to use the passkey for the same website on multiple devices, yes, the passkeys will be synced by the platform. But if the website uses a resident key (bound to the device) on a YubiKey, then no, you would have to create a new one for the same account on each YubiKey.
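The domain binding the comment above describes is what makes passkeys phishing-resistant. The following is an added example, not part of the thread and not code from any product mentioned in it: a Python sketch of the checks a relying party (the website's server) runs on a WebAuthn login assertion. The origin and RP ID (example.com, with examp1e.com as the look-alike), the fixed challenge and the authenticator data are all constructed for illustration, and the public-key signature check that a real server also performs is left out so the binding logic stands alone.

```python
import base64
import hashlib
import json

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: a PIN or biometric was checked on the authenticator


def b64url_encode(data: bytes) -> str:
    """WebAuthn carries challenges as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Construct the 37-byte authenticator data prefix an assertion carries:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_binding(expected_rp_id: str, expected_origin: str, expected_challenge: bytes,
                   client_data_json: str, authenticator_data: bytes,
                   require_uv: bool = True):
    """Relying-party-side binding checks on one assertion. Returns (ok, reason).
    Signature verification with the stored public key is deliberately omitted:
    the point here is the domain binding, not the cryptography."""
    try:
        client_data = json.loads(client_data_json)
    except json.JSONDecodeError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser fills in the origin it actually talked to; a look-alike
    # domain shows up here even if the page itself looks identical.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # The challenge must be the one this server issued for this login attempt.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    # rpIdHash is computed by the authenticator from the RP ID the browser gave it.
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) not asserted"
    return True, "ok"


def demo():
    """Run the checks over constructed assertions (sample data, not captured traffic)."""
    rp_id, origin = "example.com", "https://example.com"
    challenge = b"\x01" * 32  # constructed; a real server draws this from os.urandom(32)
    good_cd = json.dumps({"type": "webauthn.get",
                          "challenge": b64url_encode(challenge), "origin": origin})
    good_ad = make_authenticator_data(rp_id, FLAG_UP | FLAG_UV, 7)
    # Look-alike site: the browser reports the real origin and RP ID it used.
    phish_cd = json.dumps({"type": "webauthn.get",
                           "challenge": b64url_encode(challenge),
                           "origin": "https://examp1e.com"})
    phish_ad = make_authenticator_data("examp1e.com", FLAG_UP | FLAG_UV, 1)
    return {
        "legit": verify_binding(rp_id, origin, challenge, good_cd, good_ad),
        "phish": verify_binding(rp_id, origin, challenge, phish_cd, phish_ad),
        # Right origin in clientDataJSON but authenticator data hashed for the wrong RP ID.
        "wrong_rp": verify_binding(rp_id, origin, challenge, good_cd, phish_ad),
        # Key touched but no PIN/biometric: UV flag absent.
        "no_pin": verify_binding(rp_id, origin, challenge, good_cd,
                                 make_authenticator_data(rp_id, FLAG_UP, 8)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

In practice the browser never even offers the example.com passkey on examp1e.com, because it looks credentials up by RP ID before any prompt; the server-side origin and rpIdHash checks above are the second layer that catches anything that slips past the client. The UV flag is what a PIN or fingerprint on the authenticator sets, so a relying party that requires it is insisting on a second factor on the key itself.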
Interesting video, but what is not clear is how passkeys on a phone are protected? I assume once a criminal gains access to your phone (e.g. by guessing a 4 digit PIN) then they can use all the passkeys stored on it, because those keys are automatically presented to any challenge? Using a complex unique password stored in a password manager plus a 2FA key generated by an authenticator app seems to me to be more secure, because then the criminal has to break into not only my phone, but my password protected password manager app AND my password protected 2FA key generating app. There's a saying in IT that the more convenient a security system is, the less secure it is.
I may be a minority here but this gets overwhelming. Trying to understand what a passkey is, vs a password manager and how to implement it all for my entire family. I just started learning to use Bitwarden but this makes me think that’s outdated and I should get a pass key. A lot to sift through, but I appreciate your site!
Online security will remain a topic for all of us, I would say. As you use Bitwarden, you probably will slowly go through all of your accounts to give them long new passwords; get a YubiKey or so as well to protect your Bitwarden account.
Bitwarden is definitely not yet outdated. It's still going to take a while for passkeys to go mainstream, and till then, your best bet is a good password manager AND an authenticator app (Aegis, Google Authenticator, etc.)
I definitely want to see passkeys becoming more accepted by more companies/applications, but using a password manager to make strong passwords is a good alternative till then for stuff that doesn't support passkeys. I still find some sites even limit passwords to less than 10-15 max characters; like, wow, that is crazy.
How about passkeys in password managers? I'm wondering if this makes them less secure than 2FA (with an OTP for instance). If someone gets access to my password manager, they can use the passkeys stored there without requiring any additional factor. This means having access to my password manager automatically gives them access to all passkey related accounts. If they get "only" my password for a given account by accessing my password manager, they still would need another factor that is not stored there, assuming that I have 2FA enabled for all accounts in question. That's also the reason I don't store 2FA tokens in my password manager. That all said, the question might be what is more likely: some attacker getting access to my password manager, or me getting phished while using 2FA.
Maybe, err, don't tell everyone on the internet that your passwords are weak. At least while no one knows that you have insecure passwords, you have some (minimal) protection from the herd (i.e., those of us who practice better password security). By drawing attention to yourself like this, you are actively making yourself a target. Best of luck and hope you do take on some of the suggestions in the vid!
I want to be on team passkey but there is another big con of Passkeys you didn't mention that breaks them for me. Remote access. If you utilize remote access tools like Teamviewer, Anydesk, or Parsec then passkeys are not for you. Passkeys currently only allow authentication on the local host so unless whatever machine I am accessing remotely is close enough to go and log in with the passkey then I am sunk. Then again if I am close enough to walk over and authenticate with my passkey why would I be using a remote access tool in the first place?
With integrated authenticators (with Windows Hello for example, you could type your computer's password instead of scanning your fingerprint to unlock the passkey) you will not have that issue. And with password managers (which are going to become passkey managers in the future), that gap is going to be filled as well, as they will allow you to have your passkeys on all your devices. 1Password is already doing it very well in its beta version. But with hardware or external authenticators (e.g. using an Android phone to log in on a website on a Windows computer), yes, you are currently screwed in that scenario, as they require proximity with the device (by being plugged in or via Bluetooth) as a security measure to avoid any possible remote attack or someone tricking the user into accepting a request.
@mmaxime Yeah, my use case is the one you reference in the last paragraph. I regularly log into a remote system and have it up on one of my monitors. Hardware tokens work great unless I want to sign into something on that remote system. When that happens it doesn't work, hence why I said it was an issue that wasn't mentioned.
Mstsc.exe (RDP client) will allow the YubiKey to get full passthrough to the remote device. Pair with Tailscale for VPN to the remote network. I have even gotten a YubiKey to work from the client, through a local network VM, and subsequently into a VM that is cloud hosted with VPN to access it.
I use my phone to check the weather, but I do use YubiKeys on both my computers. Don't leave home without it. Where did you find those stickers you put on your keys?
If your phone is the source of your passkey, doesn't that mean that your account access has been downgraded to the 4 digit PIN? Even with face/fingerprinting the PIN is still the fallback.
Totally confused about how a backup key can be kept current when it is located in a safe deposit box and I am using the main key to create passwords on new websites frequently. So if you need both keys onsite at all times in order to have them both current then you've lost the advantage of having a backup safely tucked away. What am I missing here?
So, if you use your phone to keep the passkeys, and you back up with Apple and you use a password for logging into your Apple ID... then all your passkeys are secured by a password! Am I missing something?
How about using a Cardano Hardware Wallet like the Keystone 3 Pro to act as the Passkey? It has a PIN/Fingerprint requirement to access it AND requires you to use your PIN/Fingerprint again on the device to confirm presence when Signing in. So, essentially, a Passkey with MFA built-in.
Why should customers trust Apple or Google, which are primarily advertising companies, with securing their login credentials? I can understand using a service from a company like Yubico, which is primarily a security solution company, but I don't get the idea of why we should use other cloud storage.
Thank you for the video. Is there a list of vendors that do and don't support open biometric auth? For example, I can use Windows Hello as a passkey for my Google account. However, I couldn't set up my Pixel6 Pro as a security key for my M365 account.
When I started playing with the YubiKey I got from your link, I thought that ideally I'd still use another authentication method. I'd love a world where more companies got on board with the biometric one; I saw that the one without had more compatibility across sites, so I went without it. I'd love to have a YubiKey with biometrics, and then still be asked for a PIN, Microsoft Hello, a notification push, or something (the push notification doesn't work when I'm in the office). I'm all on board for making passwords disappear.
How good is Microsoft Edge password Manager? Is it better than Google Password Manager? Every time Microsoft Edge asks to save the password in their browser.
Device based security (such as your phone or computer) adds another layer to software based authentication. Services are increasingly combining this in their authentication systems. The risk that quantum computing represents to authentication cryptography is also important to understand. Encrypted data is being stored now until quantum computing advances sufficiently to easily decrypt it.
First, thanks for the video. My big concern with passkeys is that they seem to belong to only one or two companies, and there is no open-source project (e.g., V-risc, etc.) which you can buy these devices from. I don't trust a commercial enterprise offering a "privacy and security measure". The more attractive they seem, the greater the odds that you're somehow the product. Seem paranoid? Just follow what most people "from the industry" have been saying for years. I think its benefits are great, but also that commercial interests are driving it, due to several factors: the costs of password breaches on the client side, as well as the ensuing costs of insurance, and the proliferation of 3rd party companies that produce MFA authenticators. So much so that NAS companies provide customers with their own proprietary authenticators (e.g., Synology). If in the future external fingerprint readers are standardized so they all can function as passkeys, I would trust it more, since there are a multitude of companies producing them, which serves as an obfuscating layer against a potential hacker.
Talk about a memory trigger... dl'ing music from Napster or Limewire over a 56K connection was an all nite thing for 10 trax. Then cable modems came into play, game changer. That same 10 trax now took 10 minutes or less.
Smelly cat, smelly cat. What are they feeding you? Sorry it’s stuck in my head now. Hope it’s stuck in your head now too. Awesome Video Snubs I forgot about Napster and Limewire, 90’s nostalgia
Excellent video. Thank you. I love the YubiKeys, but the 25 key limit on passkeys is/will be a huge limitation. Maybe storing the passkeys in the password manager might be an option while using the YubiKey to get to the password manager.
Hello! As of their newest firmware, the capacity has increased! Check out yubikeys website for more info. I'll also be referring to this updated information in future sponsored videos, as this news broke just this month. 😊
Hmmm, if your Apple ID or Google account is secured with a passkey, you wouldn't be able to log in without your previous device 🤔 So I suppose at its best it'll cost money, as you do have to have a spare passkey device to keep access.
I hope that too, but it will be more like 10 years. For example, some websites still have a limit of twelve characters and prevent you from using characters that could make a SQL injection... And many don't have 2FA yet. So all the major sites will get it pretty quickly, but the rest of them will take more time to implement it. The only thing that could make it quicker to adopt, if used, is the fact that there are already open-source solutions that implement it right out of the box.
Password+MFA is not a comparable same-level thing as Passkeys. Passkeys are phish-resistant while PW + MFA is not. This is a big deal that makes Passkeys win the evaluation every day.
No one talks about how it's easier for someone to be forced to use their finger or iris to unlock anything vs. a password that is in your head (and a physical key like a YubiKey). Extracting hidden info from someone's brain is more difficult than scanning someone's finger. Yes, alone at home in front of Amazon, it's all good. Then there is the real world. On top of that, we have to trust private entities not to store, share, or duplicate biometric data, something that is unique to everyone. Last thing: you can always have a different password/security key combo, combined with VPNs or else. With biometrics, you can't hide from anything. And if it's stolen, you can't change it.
I've mentioned LEO and constitutional rights MANY times on my channel. Look around and you'll find that I did a whole segment about it in one of my security videos in the last month.
@ShannonMorse It was a general statement for the readers of the comments, not directed at you or this particular video. I know the position of Hak5 and you on these subjects :) I've watched hundreds of your videos over the years. Don't forget that for some people, this video is the first one (and maybe the last one) they are going to watch. Comments are just another source of information (imo). I hope you didn't take it the wrong way. It wasn't my goal.
My passwords are PERFECT! I take the first password I ever used, and simply iterate by one digit at the end for every new account created since the 90's! Lol
@ShannonMorse I had one that PayPal issued way back in the mid 2000s. It had a button and an LCD. Pressing the button generated a code to use for logging into your account.
If services / browsers provided and shared a unique seed for every base url to hash usernames / passwords client side prior to submission and then hash again using a secondary algorithm server side to authenticate, passwords would never be a problem.
I ran into a 2FA issue that is not easily resolved. I was upgrading my phone from an iPhone 11 Pro to a 13 Pro. As part of the installation, Gmail was transferred over. Gmail uses 2FA. It wanted to send a 2FA code to my old iPhone 11, which had completed its transfer and been wiped. This left Google's 2FA with nowhere to send the 2FA code. I wanted it to send it to my tablet, but when I brought Gmail up on the tablet it wanted to send the 2FA to my phone (the old phone, because the new one had not validated yet). Needless to say, this left me in a chicken-and-egg scenario. Luckily Gmail was still open on my laptop and I was able to disable the 2FA long enough to bring up Gmail on the phone and rehome it to the new phone. The rep in the store claimed he had never heard of this issue. I am surprised and was wondering if this is an issue anyone else has come across. With passkeys I hope this issue will go away.
We encountered this issue when a coworker lost her phone. As you describe, the ability to turn off MFA, and back on is vital in these scenarios. Tho we've also had to set up new accounts when that has failed...
@PWingert1966 When a third party authenticator's account recovery fails and they won't set up another account using the same email address/phone number, it poses a problem. That's why it's vitally important to save those account recovery codes - and remember where they are!
MFA is a right pain; often it is tied to your phone, and this makes a big assumption: that the phone is always available and never fails. The other day I was at church, and I needed to read an email. No worries, I'll just log onto my provider via a church computer - except they wanted 2FA via my phone, which I didn't have because I was at church (if I did, then I'd just use the phone in the first place). This has kind of made my ISP's webmail all but useless; I used to use it as a backup should my primary access fail. Password managers are almost great, I use one. However, if I'm at a foreign computer trying to log in, manually transcribing a long and cryptic password into that computer is bordering on impossible at times. Now for passkeys, well, I better watch some more Shannon vids.
I thought yubikeys must be used every time log in.... that's why they have the nano keys that you can leave plugged in, say if you're working from home all day. No, am I wrong?
I think I'll just stick with my password manager. I changed all my passwords and emails to randomly generated stuff and I'm fine with 2-step authentication. I think chances are it'll be more secure, since I worry I'll lose my phone and maybe then lose access to my accounts. Not all sites that support passkeys support setting up a password at the same time, like PlayStation.
Lots of luck selling your latest device on solving our password problems. It costs more money and has many unfriendly features. I am locked out of over 1/2 of the apps on my devices because it is impossible to keep up and remember all the passwords.
The question is what happens when you die and relatives want, and have a legitimate right to, access your laptop for family recipes or important documents. You need to do a whole video on preparing your laptop and accounts for being inherited and legally transferred.
In the early days, I came across users whose password was 'password' literally.🤫🤭😉 But, now I personally feel that I'm in the same 'password' category and failed to understand Passkeys.
A physical passkey is the worst option since it assumes you never forget to have it with you and you don’t lose it. Password managers with strong passwords for each service provide convenience and security in one package. Some password managers even alert you if a password is used for multiple services.
You can just as well forget your 2FA device so I think that concern is overstated. Passkeys, when they are finally implemented everywhere, are much easier and force good security habits. For older people who are overwhelmed by even password managers that will be huge. My parents despite my best efforts cannot handle password managers and 2FA.
@pastramiking Password managers such as LastPass are always on your device (laptop, smartphone, tablet). Very rare not to have your smartphone with you. Granted, not everyone has a smart device. I'll also concede that even password managers can be a little challenging for some, even though they're well integrated to auto fill. I know multiple people that constantly can't remember where they placed their phone and keys. IMO the solution should be based on the individual, but in the end a password manager would be a lot better fit for the masses.
You are not correct. When setting up a passkey on a hardware key, e.g. a YubiKey, you are FORCED to set up a device PIN for the key. Therefore you still have 2FA, so to speak, and no one can use the hardware key without it.
When you’re trying to teach people new things, the background music is REALLY distracting and interferes with concentration when you’re trying to pay attention.
Couldn't you just write down your password in your notes in something only YOU would be able to understand? Like if you spoke Spanish and English and Pig Latin, make some gibberish that only you could comprehend? Keys can get lost and corrupted, data breaches like LastPass can happen frequently, and if your phone gets snapped while you're talking on it, they are past the first line of defence anyway. I don't know, maybe I'm old-school, but it seems like newfangled technology.
Sure! Use whatever is best for your specific scenario. In my case, it's easier and more convenient to use password managers + 2FA keys. I have 400+ passwords and all of them are different; I don't even know what they are because they're all randomly generated. I also live in a fire hazard part of the US, so I'm not gonna take the time to write them down in a notes app OR a physical binder where it could easily be destroyed, or in notes where I could mistype something. Notes apps aren't as secure as 2FA plus an encrypted vault either, so I trust a pw manager more than a notes app.
Thank you 😁 Yes, I've watched many hours of your videos! You're great! So my question is: I'm a world traveler and I need to protect my privacy, figure out a way to get back in if I'm locked out of my Google account, come to terms with someone stealing my backpack or phone, log in on an unknown device to get back into my accounts, AND my phone number from Verizon is now ported to Google Voice. (Plus I can't get a YubiKey in most countries, as I'm in the far reaches of Asia.) So.... since you're the most knowledgeable person here.... if you were me, what would you suggest? I do have a ton of data on my GOOGLE DRIVE, phone and laptop. I'm a designer so I need my gear, and if it gets stolen, access my files and start fresh 😮 *whew! It's a lot! Any advice would be MASSIVELY helpful and I'll definitely recommend you to my fellow world nomads❤
I want passkeys to be a thing already -- especially for banks! I also want other companies to compete against Yubico. Seriously, these things shouldn't be so overpriced. It needs competition.
Do hackers select a computer to hack randomly, or have specific targets? I think hackers target YouTube presenters first. So, you seem a good target for hackers.
I use both, but it took me a while to figure it out. Just like when I tried to buy my first cryptocurrency. Everyone said it was easy. But it seemed like it took me 2 days to figure it out.