Passkeys SUCK (here’s why + how I use them)



If you care about your personal security and privacy online, download my free security checklist here:

🔹🔹🔹What You Should Watch Next🔹🔹🔹

We've got a lot of great privacy- and security-related content here on the All Things Secured YouTube channel (although we admit we're a bit biased). If you're wanting to increase your online cybersecurity, here's what's next:

🔹Support All Things Secured (Recommendations)🔹
If you enjoy this kind of practical security and privacy content, one of the best ways you can help support this channel is by using these affiliate links to our favorite products and services. When purchasing through these links, you not only get the best available deal, the companies will also pay us a small commission. Thank you for your support!

*********************
Video Timestamps
*********************
0:00 - Introduction to Passkeys
0:33 - The History of Password Security
2:12 - What is a Passkey?
3:52 - Understanding a Syncable Passkey
4:46 - Understanding a Single Device Passkey
5:59 - Logging in with a Passkey
7:34 - Should You Use Passkeys?
8:53 - My Passkey Security Strategy
10:05 - Passkeys will NOT replace Passwords...yet
*********************

You've probably been hearing about passkeys as a replacement for the traditional username and password security for your accounts. In this video, Josh walks through a clear explanation of how this new standard of security works and whether or not it's useful in our everyday lives.

#onlinesecurity #passkey #passkeys
Comments
Author

Oh boy, that shirt isn't good for YouTube's bitrate ^^

talle
Author

Thank you for covering this! I bought keys like a year ago and I honestly couldn't figure out if I was using it incorrectly. Almost no sites allow the key to be anything more than a backup since you essentially still need to log in how you previously had. I was really wondering if it was something I set up incorrectly. So relieved it's just awkward to use them in many places

ThatonedudeCR
Author

Passkeys are probably intended for people who have so far been using simple passwords, memorising them and using them on multiple websites. Using passkeys will mean a big jump in security for them. Those who use password managers for creating and saving long, random, unique passwords for each website along with 2FA won't gain much by using passkeys. I have created passkeys on a couple of websites out of curiosity but I still use passwords on those sites.

hoopoe_
Author

Note that Amazon and Google both use password protected hardware tokens (like Yubikeys) as their method of authenticating to internal systems. It takes some additional infrastructure, but it is very robust and resistant to many types of attacks. But the human behind the keyboard will probably always be the weakest link.

shubinternet
Author

If a website login (such as the Amazon example here) allows the user to choose either password or passkey, then the passkey seems to add zero security. An attacker in possession of the password would simply choose that option.

Tux.Penguin
Author

I wish banks took security seriously and gave us the option of hardware keys; banks' 2FA is a joke, sad

westbccoast
Author

Thanks for adding actual captions for the Deaf - and thanks for the clear explanation

jwillisbarrie
Author

Funny how a month after this video, a vulnerability in YubiKeys and other systems that use the Infineon library came to light.

GlassDeviant
Author

As someone who just implemented Passkeys on the server side, the username part as mentioned in 6:12 is not actually required. The passkey when you first sign into the server sends a sha256 hash of the public key along with it. Every time you use a passkey, that same hash is sent back along with the challenge response. The server can use the hash for the user lookup (so it doesn't have to check your challenge against n number of users to find out who it actually belongs to) and then check the challenge against the public key as stored in the database. I offer my users a simple button that allows them to sign in to their account with just their passkey. No username is required, just physical control of the passkey device (be that a phone, tablet, computer, or Yubi / Titan security key.)

Dygear
Author

Also, these companies that have passkey support should also offer the user the ability to remove and delete logging in with a username and PW. It defeats the purpose and security of passkeys if that old tech is still available and could get hacked and stolen.

cobrabtc
Author

I totally agree. I love having my account secured, and I do have a security key in place for as many accounts as I can, but I still have not activated a passkey on any of my accounts. I feel the same way about passkeys; I'm going to continue using what I've been using. I'm very happy with that.

NomadOutdoorAdventures
Author

You didn't mention the most important thing and the reason why I'm not using passkeys at all.

At least on my device, an S22 Ultra, the passkey asks for my fingerprint OR MY SMARTPHONE PIN. That's completely absurd. Why would I swap a long and random password for an 8-digit PIN? AND MORE, I live in a country (Brazil) where it's possible that someone would point a gun at me and ask for my PIN, so sure, let's give the thief my device AND the password for all my passkeys. (!!!) Another possibility is someone being able to see me unlocking my device with the PIN for some reason, something that also happens in the US.

Until it's only possible to unlock with biometrics and not the device's PIN, I'm out. Very unsafe.

gabrielgon
Author

It's only good if you only want to verify already logged-in users before doing certain actions.
It's faster than typing a password, but you can argue it's faster for a password manager to fill the password.

nomadshiba
Author

Thanks Josh, good to see someone discussing Passkeys in more depth.

Here's what I'd like to know:
1. I note that I can turn off password and passkey syncing on my devices. In this case, I'd need to create a separate passkey for each device. Once that was done, wouldn't that be equivalent to having multiple YubiKeys with separate passkeys?
2. Does the emergence of passkeys resident on devices threaten Yubico?

I'd be interested to hear your thoughts.

MichaelJessen
Author

I did a rant recently on Facebook, basically saying "what is a passkey and why should I trust Samsung to handle my authentication?"
I mistakenly assumed it was a string, similar to a session token or API key. Knowing it is an asymmetric key is interesting and helpful. Thank you.

LucTaylor
Author

If you are in the United States, ALWAYS use a password as an obligatory factor in a logon process, no matter how many other factors you use. The government can compel you to unlock a device with a fingerprint or a face, but they can't make you utter a password.

My opinion says that you have a Fourth Amendment right to be secure in your person and a Fifth Amendment right to refrain from incriminating yourself, but every court says otherwise.

joev
Author

I am quite in tune with security as I work on adjunct technologies. Passkeys are glorified randomly generated passwords for now. They require a few things that are rooted in having a password anyway. Passkeys need to be stored on major ecosystem platforms, or in password manager software. Current implementation and regulation on biometrics mean none of those are stored in the cloud, so if you ever try to provision a new device (that is the gatekeeper for your passkeys), you will need to enter an account and password anyway. Those ecosystems or password managers serve as a point of failure or attack point. Passkeys don't really solve most of these issues. The best and most flexible solution is to use a hardware device, but not your phone or tablet.

_w_w_
Author

Thank you - very helpful. I was confused about the difference between physical and syncable passkeys and this is a good explanation.

larkc
Author

Using a physical device for 2FA codes feels so cumbersome for logging in from mobile devices!

Ldysith
Author

On Amazon the passkey is just replacing the password, but on Google and Microsoft they are replacing the 2nd auth factor, 2FA, as well.

opesach