
Passwords vs. Passkeys - FIDO Bites Back! 

IBM Technology

Check out IBM's access management solution → ibm.biz/ibm-security-verify
The FIDO (Fast IDentity Online) standard eliminates the need for passwords entirely and can provide resistance to phishing and replay attacks. In this video, Jeff Crume answers many questions that viewers asked after watching his first FIDO video, "FIDO Promises a Life Without Passwords". If you haven't seen that one, check it out in the link below!
VIDEO: FIDO Promises a Life Without Passwords → • FIDO Promises a Life W...
Get started for free on IBM Cloud → ibm.biz/ibm-cloud-sign-up
Subscribe to see more videos like this in the future → ibm.biz/subscribe-now

Published: 19 Dec 2023

Comments: 103
@maxquasar 5 months ago
Big FIDO2 fan and may I offer my favorite best practice with regards to "What if I lose my key?" You can register multiple keys with your servers. The key pair on the key is only used to protect the key pairs you make for each server. Once you're authenticated, your server will allow you to create another key pair for the additional FIDO key. Keep one in a safe and use the other for daily use. Love your videos! Keep up the great work.
@jeffcrume 5 months ago
Exactly right! I meant to include that in the video
@berndeckenfels 3 months ago
Not all sites allow multiple keys though. Would be good if the keys have some kind of backup tool to a paired key (although it increases risk for extraction)
@jorgenstenersen 20 days ago
Yubikeys with a good backup plan in case you should be so unlucky to lose one is the way to go. I love all my Yubi's with a dear heart after an incident 6 years ago where I was targeted by some skillful individuals. Not saying it's unhackable, but all the precautions I have implemented in my digital life will sure make it very hard for someone to hack'attack me at that scale that I was attacked. Keep up the great and important videos @jeffcrume and @IBMTecknology 👍
@jaidenrichard99 5 months ago
Good teaching. He explains very important concepts with easy examples. Thanks.
@pipjersey8303 5 months ago
4:35 This guy knew exactly what he had done when he did it
@BM-jy6cb 23 days ago
LOL😅
@daRich_X 5 months ago
Good info. Easy to understand and make sense of. Thanks.
@jeffcrume 5 months ago
Glad you liked it!
@toenytv7946 5 months ago
We've come a long way with passwords. Hindsight is 20/20. Just thinking back at how great a tech this is and its importance. Great job keeping it open and secure. Threats shouldn't be able to keep up. Just a thought, security sure is my number 1. Trust one of the keys to security. There sure is a lot of great tech in the process. Thanks for the points.
@toenytv7946 5 months ago
infrastructure on the shoulder of giants. Nice work folks.
@jeffcrume 5 months ago
Thanks for the kind words! I can take no credit for the standard but, as you said, a lot of "giants" contributed to this and thought through all the hard stuff for us
@ukranonymous 2 months ago
The best security is when you use all THREE: 1. something you KNOW, 2. something you HAVE and 3. something YOU ARE. For example a password + device + fingerprint. Passkey violates this. To get access to your online banking, a bad guy can catch you unconscious (or help you with that), grab your phone, unlock passkey with your finger and that's it. I know a real case. Although password managers also violate the first mean. Therefore for critical services I don't use password managers.
@jeffcrume 2 months ago
You’re describing multi-factor authentication and passkeys leverage it as well. Check out the previous video to see how it works
@ukranonymous 2 months ago
@@jeffcrume Thanks for your answer! You are right, I tried a few pages and 2FA is still in place in addition to Passkeys. Still, the idea behind passwords is to keep the secret in your brain and passkeys eliminate this. Of course, this factor is present (if configured) when a user has to unlock the vault holding passkeys (phone or password manager) with the pin or password. My best experience is one service where I have to enter a password in the app for second factor auth. Then I have all three factors in place: Passkeys is something I HAVE, for 2FA I unlock my phone with biometric auth (something YOU ARE) and then I type my password which I do not store in a password manager (something I KNOW). A bit annoying but security should not be simple. And thanks for the video - it's just great! Subscribed :)
@user-jv9wc8sv3u 2 months ago
I think you can use a cloud-based password manager for non-important accounts + FIDO2 security key for important accounts + most important accounts such as bank websites which do not rely on the password manager. Also you can lock your device through an applicable app, then biometrics won't work.
@samwang8054 5 months ago
IMHO, the first two questions are as important as what currently FIDO is trying to standardise. Without addressing or standardising those two, it just cannot be counted as a complete solution. And, "eliminating the needs for password entirely" sounds quite ambitious.
@jeffcrume 5 months ago
They don’t really have to be covered in the standard since existing solutions already exist. For instance, 1Password and iCloud Keychain are just two examples of tools that already have this covered. I’m sure there are many more
@alejandrodelavega9857 2 months ago
What do I use to sync the passkeys. A password manager like 1Password?
@dinesharunachalam 5 months ago
@Jeff, what is the cost involved? Both from new installation perspective and also migrating existing password based authentication
@jeffcrume 5 months ago
Great question - sorry if this sounds like a commercial but I'll use this to illustrate the point - IBM Security Verify Access is a tool that web sites can use to add FIDO/passkey support to their systems without having to recode everything. Without a tool like this, the web site will need to add support for FIDO on its own, and that can involve more cost. That said, the savings resulting from fewer security incidents and fewer help desk calls (no lost passwords) could easily offset the cost. The organization just has to be willing to make the initial investment and many are. IBM, Google, Amazon, Twitter/X, Meta, Microsoft, Apple, etc. all support it today
@gasovensforqcult 5 months ago
As a PKI engineer, this warms my heart
@jeffcrume 5 months ago
I love it!
@Strammeiche 4 months ago
I usually don't lose my passwords but phones break from time to time. I switched back from bitwarden to an encrypted keepass container in the cloud because of security concerns. This feels like going back to a single point of failure.
@jeffcrume 4 months ago
I know what you mean. I used to use a PW manager which could sync across a LAN to only my devices (no cloud needed), which I preferred, but everything has moved to the cloud now, it seems. That said, a good cloud provider lowers the risk and you encrypt the pws (or better yet, passkeys) in the pw manager client BEFORE it goes to the cloud. That way you can retrieve the info from anywhere and it isn’t exposed
@con-f-use 2 months ago
It's funny how he says he's addressed SSH and PGP, but has done all but.
@marcopetaccia88 5 months ago
I'm sorry this could sound like a silly question. But... if I'm able to create a new passkey for each device I own and trust, why would I need to sync them to the cloud? Am I missing something?
@jeffcrume 5 months ago
You could do it that way but the implementations I’ve seen seem not to. It could also be an approach of both/and rather than either/or, it seems to me
@AlessandroBottoni 5 months ago
This depends on the level of security you are looking for. I do use FIDO 2 USB tokens since the beginning BUT... I still pair them with passwords and passphrases. Just in case someone steals my devices...
@dinesharunachalam 5 months ago
Do the FIDO 2 USB tokens not authenticate based on any biometric? I have not used one, so asking. Here the FIDO private key is locked by biometric authentication of the device
@jeffcrume 5 months ago
@dinesharunachalam you really don't need to use passwords as a backup because you can have multiple private keys for each device on each account and those can be sync'd through a password manager, iCloud Keychain, etc. This provides a recovery mechanism. As for USB tokens, they can vary but typically they could leverage a fingerprint to unlock them. Or, in most cases, you can just use your phone, tablet or laptop as the FIDO device since they probably have biometric support and secure storage of the keys
@jpp62200 3 months ago
Fido2 hardware keys which don't have biometrics usually ask you for a PIN code to unlock the device (with auto erase after 3 attempts)
@dansanger5340 5 months ago
I'm excited about Passkeys, but a little leery about synchronizing them across devices using a password manager with Passkey support, especially after the LastPass breach. My concern is putting all my eggs in one basket. With passwords, I could at least keep the 2FA information for the accounts in a separate authenticator, so that even if the password vault was decrypted the bad guys still couldn't log in to my accounts. But, if I use the password manager to synchronize Passkeys, and the vault or the synchronization process is somehow compromised, then the bad guys have everything they need to log in to my accounts. Or, maybe I don't understand how Passkeys are synchronized and this isn't a potential vulnerability. But, until I know better I'll probably just use device-bound Passkeys for logging in and regular passwords in a password manager (plus separate 2FA) for the case of a lost or new device.
@jeffcrume 4 months ago
It’s a risk, for sure, but IMHO it’s far less of a risk than the one posed by passwords, which are a badly broken and outdated approach
@michaelcox174 4 months ago
Phishing question: why can't a phishing website act as a live man in the middle? A user sign in request goes to the phish site, who passes it on unchanged to the real site. When the challenge request comes back, the phish site sends it to the user unchanged. The user challenge response gets sent back to the phish site, which again passes it on to the website, which successfully decrypts the response. Both ends assume authentication is successful, except now the phish site prevents further communication to the user and continues in the user's place. No passkey encryption/decryption by the phish site was needed. I must be missing something. (I'm assuming the passkeys are only for authentication purposes, but, if not, this would still be a problem.)
@jeffcrume 4 months ago
Yes, passkeys are just for authentication, not confidentiality. TLS/SSL can help ensure that the site you are interacting with is authentic and not a MITM
@michaelcox174 2 months ago
Thanks. Now I have another scenario. One unknowingly goes to an invalid website to login using passkeys. The website provides a junk challenge to the user. The user decrypts and re-encrypts the challenge using its own private passkey and passes back the response to the challenge. The website accepts the challenge without decrypting and provides the user with a screen the user uses to provide valuable info back to the website. Thus a theft occurred. How does FIDO stop this? @jeffcrume
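The relay question in this thread (a phishing page forwarding the real site's challenge) is what origin binding in WebAuthn, the browser protocol FIDO2 passkeys use, is designed to defeat: the browser only offers credentials scoped to the requesting page's relying-party ID, and it writes that page's origin into the client data that gets signed, so the real site rejects an assertion produced for any other origin. The Go sketch below is an added example, not code from the video or the comments; bank.example and bank-login.example are constructed names, and authenticatorData is simplified to the RP ID hash plus a flag byte.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type clientData struct { // the CollectedClientData fields that matter here; the browser sets Origin itself
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct { // what the browser hands back to whichever page asked for a login
	AuthData       []byte // sha256(rpID) || flags (simplified authenticatorData)
	ClientDataJSON []byte
	Signature      []byte // ES256: ECDSA P-256 over authData || sha256(clientDataJSON)
}
type Authenticator map[string]*ecdsa.PrivateKey // RP ID -> key pair, like a passkey store

// Register creates a credential scoped to rpID and returns the public key the RP stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	a[rpID], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader fails
	return &a[rpID].PublicKey
}

func rpIDOf(origin string) string { return strings.TrimPrefix(origin, "https://") }

// Sign models navigator.credentials.get() from a page at origin: only a credential scoped to its RP ID is offered, and the origin itself is signed over.
func (a Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	rpID := rpIDOf(origin)
	key, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey scoped to %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // 0x01 = user-present flag
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...)) // ES256 input, pre-hashed
	sig, _ := ecdsa.SignASN1(rand.Reader, key, msg[:])                        // only fails if rand fails
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying party's side: its own challenge, its own origin, its RP ID hash, then the signature.
func Verify(pub *ecdsa.PublicKey, expectedOrigin string, challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch (stale or replayed)")
	}
	if cd.Origin != expectedOrigin { // a relayed assertion fails here, whatever key signed it
		return fmt.Errorf("origin mismatch: assertion was signed for %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpIDOf(expectedOrigin)))
	if len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, ch := Authenticator{}, []byte("constructed 32-byte challenge!!!")
	pub := auth.Register("bank.example") // constructed relying party
	legit, _ := auth.Sign("https://bank.example", ch)
	_, relayErr := auth.Sign("https://bank-login.example", ch) // a phishing page relays the bank's challenge
	fmt.Println("direct:", Verify(pub, "https://bank.example", ch, legit), "| relayed:", relayErr)
}
```

The browser never finds a credential for the phishing RP ID in the first place; even if the user had once registered one there, the assertion names the phishing origin and the bank's verifier refuses it.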
@user-bp3mw2lp3t 5 months ago
I would like to know if once a Passkey is setup, can I remove the 2FA for that site?
@jeffcrume 5 months ago
It depends on how the web site is setup and your tolerance for risk, but, in general, I would say that if your devices are FIDO compliant and you don’t use trivial passcodes on them, then, yes, passkeys should be sufficient because they would already include MFA (i.e., the device with the private key - something you have - and a biometric to unlock it - something you are)
@myrajarenga9432 5 months ago
Great content always following to learn more about security. Can I offer my services to put this content into an article for you?
@velo1337 5 months ago
congrats on the promotion to CTO
@jeffcrume 5 months ago
Thanks!
@vitormiguelsilva3025 3 months ago
The website should generate a random password / passphrase instead of asking us to create one.
@jeffcrume 2 months ago
That’s essentially what is happening in the generation of the public/private key pair. You don’t have to remember these
@nikhilav 4 months ago
Is Fido2 quantum safe?
@jeffcrume 4 months ago
Not yet, but that’s in the works
@gmailaaaa 4 months ago
What is the difference between TPM 2.0 and FIDO 2.0?
@jeffcrume 4 months ago
TPM deals with the hardware where the operations occur. FIDO is the protocol that could leverage that hardware for authentication
@gmailaaaa 4 months ago
@jeffcrume TPM 1.2 or 2.0 protocol?
@manta567 5 months ago
Malware? Vulnerabilities? Session Hijacking?
@jeffcrume 5 months ago
All far more likely to impact passwords than passkeys
@krishields2 5 months ago
The problem with passwords is NOT people. It's websites and software shifting the responsibility and accountability of security to their users. Again from the last video. Passwords are not inherently insecure. The ENTIRE process of logging in is just totally mismanaged by both software and website hosts.
@jeffcrume 5 months ago
I take your point but I would say that passwords are inherently less secure than passkeys because they have no time limit and can be discovered by hacking the web site. Passkeys are time bound and there's no secret stored in the web server so those are at least two aspects of risk reduction
@krishields2 5 months ago
You're still thinking about passwords statically. Think more dynamically along the lines of rolling encryption standards, but better. Every time the user logs in, the fully encrypted password that is stored there should be different. The server should never even know what the password is if everything is done right. In no way shape or form should a server remain static in regards to username and password entries. This was always the mistake and frankly it's shocking that it persists. Static stored logins will never be secure.
@jaibunnisamohammad9988 4 months ago
phone/tab option is not available in mac safari! phone/tab is not available in android chrome
@jeffcrume 4 months ago
Not sure what you mean. iCloud Keychain syncs these across MacBook, iPad and iPhone today
@npc73x 4 months ago
One data breach of my private key, I am screwed
@jeffcrume 4 months ago
Same for your password but your password would be far easier to guess in most cases and since it also resides on the server, it could be hacked from that side as well
@jeffcrume 4 months ago
Besides, you have a different key for each site so the impact would be limited
@npc73x 4 months ago
Is there any service available to say, my password wallet root password got exposed, so does anyone have my email@address stop accepting login from anywhere and provide me a password challenge to my email account
@teleroel 4 months ago
With secret questions (your Mother's name, your favorite pet, whatever) just give a bogus answer that can't be found in your social media feeds (better even: don't put all these details online, unless you like identity theft). And I'm not switching to Passkeys, but will keep using my Yubikeys.
@jeffcrume 4 months ago
Yubikeys support passkeys, BTW
@IvanMoscow-vx3jo 4 months ago
You are saying that I have to presume that the security is public knowledge if I am not in control of it. Like how, BY LAW, Google, Microsoft, Amazon, Facebook, and so on must implement backdoors and I have no control over their security? That is literally worse than a safe password in my head or offline password manager...
@jeffcrume 4 months ago
That’s not at all what I said. I said that the public key is public. Your private key is private. Only you know it. Therefore, only you can answer the challenge which is encrypted with your public key.
@StijnHommes 1 month ago
What you say about multiple devices is wrong. It's not something you can choose to use if you enable it. The system you're choosing to store your passkeys needs to support it too and right now, support for this is thin. Besides, putting your login details in the cloud makes the whole thing less secure. Just like putting your passwords in the cloud.
@jeffcrume 1 month ago
I’m doing it every day and the site you log into has no idea whether the keys were synced across devices or not. Granted, it would be best if you don’t put any of this in the cloud and you don’t have to if you want separate keys for each device but most people will opt for the sync and even if they do it’s far lower risk than what most do today in choosing their own passwords and setting them all to the same thing
@jessejames586 2 months ago
How can he write backwards so easily?
@jeffcrume 2 months ago
I can’t. Search this channel for “how we make them” and you’ll learn the secret
@EricS-uf9mv 3 days ago
I was wondering the same thing. I don't believe he is writing backwards. I think the recording system he's using is specifically built for see-through "whiteboard" teleconferencing presentations... it's inverting the video in realtime or doing it in post. The other option is he's using some type of high-tech, 2-layer/2-way, whiteboard that's doing the inversion.
@dav1dw 5 months ago
I think you need to find a different way to draw a pipe + server
@jeffcrume 5 months ago
Sometimes a cigar is just a cigar, Dr. Freud...
@RedStarSQD 4 months ago
I just modernized my desktop and created a PIN. Microsoft allows the PIN to be used as a passkey. My question is where is this information so that it can be manually backed up? I know OneDrive would back up settings. But, I don't trust OneDrive.
@jeffcrume 4 months ago
A PIN is not a passkey. It may let you use a PIN to unlock a passkey or a PIN instead of a password but in either case, the strength of the security would be only as strong as its weakest link and that would be the PIN
@RedStarSQD 4 months ago
@jeffcrume thanks. I should not have said used as a passkey. But rather created or generated using the MS PIN as one ingredient. The MS PIN is not the traditional random PIN you are thinking of. It is based on credentials and machine ID. This is why I want to know how to back this stuff up... Where is this security info stored? Ultimately, I know you can store passkeys in bitwarden.
@tommygrandefors9691 5 months ago
I am shocked to hear that a "Security Expert" says it's ok to put your private key in the cloud. There are no guarantees on how your keys are stored there. A private key must be private for real. It shall be stored in protected hardware (enclave on your mobile phone, USB token etcetera) and all crypto related functions must be executed by that specific hardware. This is true 2FA since you now are in possession of that hardware. Account recovery can be solved by using other solutions e.g. using a unique key pair for each device. There are unique key pairs for every site you login to anyway. Why decrease the level of security? To make it more user friendly? Well, here we go again. 😕
@toenytv7946 5 months ago
I think blockchain can do all those things. I believe IBM would have a solution for that. These folks know their stuff.
@sonjaisaacs52 5 months ago
After listening to him for a while I would give him the benefit of the doubt. He probably has some reasoning behind his answer, there always is.
@maulren 5 months ago
I'm shocked to hear that someone has another opinion than me
@sarahpixley 5 months ago
Both FIDO2 USB tokens and passkeys offer robust security, leveraging public key cryptography. The choice between them often depends on the user's specific needs, preferences, and the types of threats they are most concerned about. USB tokens offer strong security with the inconvenience of a physical device, while passkeys provide a more integrated and user-friendly experience with security that is largely dependent on the security of the user's device.

Passkeys are not the same as putting your private key in the cloud. They are a more secure and user-friendly form of authentication that replaces traditional passwords. Passkeys use public key cryptography. They generate a pair of keys: a private key that stays on your device and a public key that is shared with the service you're accessing. The private key in a passkey system never leaves your device, which makes it more secure. It is not stored in the cloud. This contrasts with storing a private key in the cloud, which would be less secure because it could potentially be accessed by others. When you authenticate with a passkey, the service you're logging into challenges your device. Your device responds by using the private key to sign the challenge, proving that you possess the corresponding private key without actually transmitting it.

- **FIDO2 Tokens**: Require the user to carry the token and plug it into a device. This can be less convenient, especially for mobile users or those using multiple devices.
- **Passkeys**: Generally offer a more seamless user experience, especially with features like cloud synchronization across devices.
- **FIDO2 Tokens**: Might not be supported by all services and can require users to purchase the token.
- **Passkeys**: Increasingly supported and often built into operating systems and browsers, making them more accessible.
- **FIDO2 Tokens**: If you lose the token without a backup, you could be locked out of your accounts.
- **Passkeys**: Typically have recovery methods associated with the user's account, like cloud synchronization or recovery codes.

Passkeys are designed to be more user-friendly than traditional password systems. They often work with biometric authentication (like a fingerprint or facial recognition) on your device, adding an extra layer of security without the need for complex passwords.
@jeffcrume 5 months ago
What you described is, indeed, better and is the way a lot of implementations of FIDO work. That said, iCloud Keychain, 1Password and plenty of other password managers have leveraged encrypted cloud storage/sync for many years
@ProfessorJayTee 4 months ago
TERRIBLE idea. Once they figure out how to "spoof" the passkeys? We're ALL fucked. Now, I have dozens of passwords, so if hackers manage to find one, they don't have ALL OF THEM. If they spoof my passkey, they have access to EVERYTHING I have access to... banks, investments, social media... everything.
@jeffcrume 4 months ago
Passkeys are unique for each site (just like passwords) and time limited (unlike passwords), making them even more secure
@EricS-uf9mv 3 days ago
You can't "spoof" a passkey. Passkeys are UNIQUELY generated (i.e. unique per website) "key PAIRS" created FROM a DEVICE BOUND "Master Key". The Master Key and the Private key half of the Public/Private key PAIRs it generates are LOCALLY stored. In fact the Master Key is hardware bound inside a hardware security module (HSM), a physical security chip inside your device, which cannot be divulged. Only the Public key half of the Public/Private Key PAIR is ever shared. Jeff isn't explaining the intricacies b/c frankly nobody on YT would understand the full crypto/authentication flow. The spec has been around for well over a decade and has been slowly evolving/expanding ever since. You can go read it for yourself, but you won't b/c there's VOLUMES and VOLUMES of documents composing the FIDO, FIDO2/WebAuthn (Passkeys) spec.... and simply reading the spec won't get you "there" b/c you 1st need a DEEP technical foundation in cryptography basics... Authenticated Encryption (secure message signing), knowing the difference between symmetric vs asymmetric ciphers and their strength/weakness use cases, integer factorization and the discrete log problem and how this relates to PKI implementations leveraging RSA, DSA, DH, and ECC vs a symmetric cipher like AES-256 in CCM mode which passkeys also utilize. The bottom line is you can't simply "spoof" a passkey. It's literally a UNIQUE 256-bit random number bound to a hardware device, bound to an AppID (a website domain or app), and linked to an EPHEMERAL challenge generated randomly & in REAL-TIME by the Relying Party (RP)/website.
@datastop400 3 months ago
Gadgets no. They get lost broken. Good luck with recovery. PW can work if you’re not just “people”. Massively complex PW. Done.
@jeffcrume 3 months ago
As I said in the video, these can be synced securely in the cloud so that you aren't dependent upon a single device
@oprrrah3498 2 months ago
Yeah, Google is so trustworthy....
@jeffcrume 2 months ago
That’s the value in the standard. You don’t have to trust the service provider. You trust the protocol