What are Passkeys? | Are Passwords Dead? | A Security Expert Explains

Passkeys are set to make passwords obsolete. They rely on a basic and widely used technology that is also super secure. Passkeys allow you to log in faster and have security baked in.

In this video, we'll explain how passkeys work and the underlying public-key cryptography that makes them work.


Table of Contents
00:00 - Intro
00:36 - What is a passkey?
01:15 - Public-key cryptography
02:12 - How passkeys work
03:45 - Passkeys demo
05:52 - Benefits of passkeys
06:50 - Disadvantages of passkeys
07:30 - Which websites support passkeys?

Comments

Passkey is a totally useless thing.
1) When the phone is lost or broken, you still have to log in with a password to access the account, so how can you say Passkey will replace password and you don't need to remember the password?
2) When a bad guy gets your phone, they can't unlock it with fingerprint or face recognition, but they can unlock it with a PIN number. A PIN number is usually 4 or 6 digits. This is easier to figure out than a password, so how can it be called more secure than a password?
3) In the case where the bad guy doesn't have your phone, they will pretend that the phone is lost or broken to be able to enter the password. So why is passkey called more secure?
4) The password is in my head. In the event of being threatened, I may not provide the password even if I am killed. The passkey is on the outside. If threatened, the bad guy will use my finger or face to unlock the phone easily. So how can Passkey be called more secure?

nghia

Don't get what's so revolutionary about that.

Used digital signature and ssl for years. I get what private key is.

But instead of storing password + 2FA, you just store passkey + 2FA. Not that different from password manager. Not that faster either.

And it can be lost as well, so the process of "I don't have passkey, please let me in" will still be there.

ipohertroyanov

Just finished watching your portion of the recent InfoSecurity conference and saw your mentioning passkeys as being your low hanging fruit piece. I have been hearing about them for a while now but hadn't really delved into the mechanics of it, so thank you for explaining since they are starting to make some headway in the market.

AngriestPanda

Cool, meanwhile my bank just recently updated their site login to finally include 2FA, just the only issue is that it doesn't allow a third-party authenticator app to be the 2FA. Instead it's SMS, call, or email. They had 2FA on their phone app for a while now, via SMS. So not only does it do it via the most insecure way, but sends that info to the same phone it's trying to log in from. And for a good chunk of time they implemented 2FA in the MOST insecure way possible.

ketsuekikumori

My biggest concern with this type of authentication (I have used it on linux / git / ssh ...) is how to secure the private key. It would be disastrous if some malware broke into your PC and sent the private key to someone without your knowledge. Yes I know you can password protect the private key but then it does not remove the password.

drescherjm

Thanks for the hard work to vulgarize all these features!
Question: if I store my passwords + my passkeys in Bitwarden, is there any risk if my Bitwarden account is hacked?
Shouldn't I use another app to store my passkeys?

flowfo

Perhaps I misunderstand, but this sounds to me like another version of SSO, and with the same weakness: If my Google account is compromised, so is my passkey. Plus, this requires me to activate Chrome's password manager, and most technology bloggers say to avoid using your browser's password manager. And I don't want Google to bug me to use their password manager. I like the idea of public key cryptology, but I don't think this is the winning implementation.

BulldogXXX

Passkeys, meaning public and private key pairs, are created by the device? I.e., the OS (Microsoft/Android/iOS) or the browsers create key pairs?

sanjanarao

Do you just have one private key for all sites or is there a private key for each one?

carlowe

So do you have a separate private key for each site that supports it? What happens if your device gets trashed, do you just create a new passkey on your new device? All of this sounds like SSH.

jonrend

What if all of my devices get stolen from the hotel while traveling, how do I authenticate with the replacements when I am starting from scratch? Wouldn't a password manager be better in this situation?

DaveG-qdug

If your computer needs to be replaced because of theft or broken how do you get your passkeys on your new computer?

Jimfundercover

What if it’s not your device? I sometimes want to log into online accounts on my work PC 🤔

mchammer

Well made and informative video, and very well explained.
Just a small video tip: sit a bit farther from the camera to allow a more natural headroom.

valorien

I have a lot of questions. If I have a password with Google, can I also use the Passkey as an option? Or does it delete my password?

Chicago

Brother, how can I save passkeys on my mobile using 1Password?

usmanzubair

I still don't get the point of passkeys being the most secure when the websites allow other weaker methods to sign in at the same time.

Correct me if I'm wrong, but doesn't Microsoft keep its SMS and email codes alongside passkeys?! 🙈

Nanai-hfns

As long as you have your phone with you and it's charged all is good trying to get into your desktop or laptop. Phone missing or dead, you are out of luck.

bab

How does this protect your identity when your device is lost or stolen? Cellphone theft is on the rise.

asinheaven

I didn't get one thing. Many sites don't have yet but those which have they won't have or will have regular registration form but it will have passkey too?

Gorky