Passwords vs. Passkeys - FIDO Bites Back!


The FIDO (Fast IDentity Online) standard eliminates the need for passwords entirely and can provide resistance to phishing and replay attacks. In this video, Jeff Crume answers many questions that viewers asked after watching his first FIDO video, "FIDO Promises a Life Without Passwords". If you haven't seen that one, check it out in the link below!

Comments

Big FIDO2 fan, and may I offer my favorite best practice with regards to "What if I lose my key?" You can register multiple keys with your servers. The key pair on the key is only used to protect the key pairs you make for each server. Once you're authenticated, your server will allow you to create another key pair for the additional FIDO key. Keep one in a safe and use the other for daily use. Love your videos! Keep up the great work.

maxquasar

Great video, thanks, Jeff. I have been wondering about passkeys, have watched vids on YouTube, and this is the best concise video that explains it in human language. Well done, IBM! I am lucky enough to have worked there, so it is gratifying to see they're still doing a great job.

BarryOGrady

Thank you, Professor Jeff! Your videos on cybersecurity have helped me ace some interview questions I've been asked recently.

NK-iwrq

As a PKI engineer, this warms my heart

gasovensforqcult

We've come a long way with passwords. Hindsight is 20/20. Just thinking back at how great a tech this is and its importance. Great job keeping it open and secure. Threats shouldn't be able to keep up. Just a thought: security sure is my number 1. Trust one of the keys to security. There sure is a lot of great tech in the process. Thanks for the points.

toenytv

What do I use to sync the passkeys. A password manager like 1Password?

alejandrodelavega

Good teaching. He explains very important concepts with easy examples. Thanks.

jaidenrichard

Excellent best describes this presentation. I could listen all day.

herewearewayoutwest

Account recovery is always going to be the Achilles' heel. Even among the few sites that support passkeys, most force the user to enable a weak recovery method before they'll enable passkeys.

kenp

It's funny how he says he's addressed SSH and PGP, but has done all but.

con-f-use

IMHO, the first two questions are as important as what FIDO is currently trying to standardise. Without addressing or standardising those two, it just cannot be counted as a complete solution. And "eliminating the need for passwords entirely" sounds quite ambitious.

samwang

I really like your content and I appreciate the advantages of PKI and FIDO2, but I believe this video doesn't present a complete picture of modern password managers (PMs) that actually generate and store unique, high-entropy passwords for each site automatically. With that in mind, I'd like to clarify two points:
1. In the phishing scenario (7:56): With properly configured PMs generating unique passwords per site, a compromised password from a phishing site doesn't put other sites at risk.
2. Regarding the offline attack (8:34): Cracking a properly generated password with 180+ bits of entropy is practically infeasible, and even if successful, would only compromise one site's credentials.

While Passkeys may offer better protection for the average person, the video would benefit from a more balanced discussion of their limitations. Also worth noting that the current Passkey implementations are still in their infancy - most sites simply replace passwords with Passkeys while still requiring email verification and 2FA, rather than fully utilising the technology's potential. A thorough comparison should consider the pros and cons of both approaches, as each has its place depending on user needs and circumstances.

DeepDiveGames

Phishing question: why can't a phishing website act as a live man-in-the-middle? A user sign-in request goes to the phish site, which passes it on unchanged to the real site. When the challenge request comes back, the phish site sends it to the user unchanged. The user's challenge response gets sent back to the phish site, which again passes it on to the website, which successfully decrypts the response. Both ends assume authentication is successful, except now the phish site prevents further communication to the user and continues in the user's place. No passkey encryption/decryption by the phish site was needed. I must be missing something. (I'm assuming the passkeys are only for authentication purposes, but, if not, this would still be a problem.)

michaelcharl

Problem 1: only 4 accounts I have use passkeys.
Problem 2: websites still ask for an email address or even a password when using a passkey.
Problem 3: it takes longer to log on using a passkey.
Problem 4: websites still want to use another method of 2FA rather than a YubiKey etc. where the passkey is stored, i.e. email code, text code or authenticator app code.
Problem 5: many will not use passkeys as they have been poorly implemented & are less convenient than a password.

zetectic

The best security is when you use all THREE: 1. something you KNOW, 2. something you HAVE and 3. something YOU ARE. For example, a password + device + fingerprint. Passkey violates this. To get access to your online banking, a bad guy can catch you unconscious (or help you with that), grab your phone, unlock the passkey with your finger and that's it. I know a real case. Although password managers also violate the first means. Therefore, for critical services I don't use password managers.

ukranonymous

This depends on the level of security you are looking for. I do use FIDO 2 USB tokens since the beginning BUT... I still pair them with passwords and passphrases. Just in case someone steals my devices...

AlessandroBottoni

The major concern I have regarding the password-to-passkey transition period is that the site (e.g., Amazon) I am accessing will actually have both the new public key for specific device(s) AND my original password. I mention this because I have created a few passkeys but have not seen an option to have the site permanently delete my password once the passkey was created; therefore, even if I create or share passkeys for all my devices to a particular site, a data breach of that site will cause the same pain it does with or without passkeys because my passwords are stored in the same old way "alongside" my public key.

What am I missing?

Thanks for the excellent video!

Karl

karlking

If you do not control the security, assume everything you send to that system is available to third parties allowed by that system. Keep your private keys private! Period!

eduardobuitrago

I would like to know: once a Passkey is set up, can I remove the 2FA for that site?

MartynStarkey

@Jeff, what is the cost involved? Both from a new-installation perspective and also for migrating existing password-based authentication.

dinesharunachalam