Passwordless Authentication: Weighing the Options

Another concise and engaging video that all IT/cyber folks would benefit from watching and considering the authentication options that are now available- passwords are SO insecure. Thank you Jeff!

Jeff-S-Grimes

Great Video!
One argument I do have against "have" and "are" options is the availability/reliability of the devices required to authenticate them. If I need my phone and its stolen/broken, then its inconvenient. If the biometric fingerprint reader malfunctions, then i am locked out. These are not easy to replace quickly. So while I agree these combinations are the most secure, I do believe these can be the most inconvenient when things go wrong.

taimurqureshi

You can never underestimate how important these videos from you, but for me some small things are so frustrating(as already mentioned here in comments), if on your android smartphone, if you failed to pass bio for some reason(wet fingers, bad angle, low light or sunglasses, whatever) after couple fail attempts you either should input pin code or pattern, which you have to hide in public area(can be catched by camera or pair of eyes) which make it a little bit inconvenient. On the other hand I still shocked how many high level organization's websites asking some ridiculous questions (usually set of them) like mother's maiden name, fav pets or first teachers and keeping them as the ultimate and only option. I guess many of this info bad acts can fish from media platforms, not mentioning that it's hard to remember what you put there couple years ago, overthinking to not make it obvious but more secure 🤯 But as always, Thank You for comprehensively clear and straightforward video

BoNaha

FIDO eliminates the reliance on passwords, which are the primary target for credential harvesting there by reducing the attack surface but getting end users to always use mfa is no easy feat

tahirbalarabe

Jeff, old friend. Very well described.

diamatomtundra

FIDO is definitely by design the solution

lxn

Another issue is that not everyone is using mobile phones (think of many older folks or visually challenged). I never use a phone for any banking or other serious work, instead I'm always using a laptop which may or may not have bio-metric features built in. Again, every method has its pros and cons, there's no perfect solution.

BillAnt

Just I worried about most of factors are rely on USIM and telephone system. When attacker steal your SIM card and If you not did SIM hardware-lock in case. It is very dangerous issue until you try to register your new SIM. (even the bio-key does not resist of this attack. it is similar with changing the phone. Bio auth is only authentication in hardware, not qualified by network or server or etc. ) Stealing SIM is not often occur in real world, but be aware of take care of your phone. And sometimes... SIM break down in naturally.
I recommend backup system of telephone. May be use 2 or more phone number, email, recovery key which can use offline-based system.

NOTE: recovery key same as password. don't take picture of this don't save any digital thing if it is important. Just write on your book and lock of it. recovery key is not used in most of case. Don't use it normal case.

choi

I saw some new security beta programs for post quantum and something similar to fido but although they have two different origins i think as in the video they could in the near future especially be used with a mobile device that contains a much better build of security kit into it... Also i am just this year starting to hear or read about the potential of adapting the already researched bio computer stuff like the new buo computing or photonic computing languages built for ai driven purposes. I'm really interested🤔 to hear about it more. Thanks.

izbr

Hi. I have a question.i love the MFA initiatives. And great videos on security. I agree the passwordless is a blessing in disguise. On a device I also have a passcode. This system is faulty as the something I am is left open to something I know. On my device my passcode can get all my password and my cybersecurity team(‘just me myself and I) are left open to an attack of my bank account and access to personal information etc. I wonder if their may be suggestions of how to keep our devices more secure and yet accessible in case of a os problem camera problem/ fingerprint?my 4 or 6 digit passcode is the concern and I want security for my own device. The external it has done a great job but at home could have bad actors also. Any wise words would help. Thanks. And no keep your passcode hidden answers 🙏. Should have watched till the end thanks Jeff. See hope in the fact Siri may only listen to my voice not a child’s voice?

toenytv

Really like your videos. Insane good.
But now I would disagree. Costs of the HW Token is xx but fido is more expensive, even for the needed backup. For me FIDO is xxx at the costs.

NikNukem

Thank you for the video. But I would disagree with the fact that passkeys are more secure than strong passwords in all situations. Mobile phones, mobile tablets and - to a less degree - laptops which you often take with you are a big question in this case.

We know that the "Security is Only As Good As Your Weakest Link". If one of the above-mentioned devices is lost or stolen that it is only required to guess your PIN to get the access to ALL your personal and financial data. Yes, you can change your private keys for all the services, but it takes time. And sometime a lot of time depending on where you lost your device or when you realized that.

Yes, IF you phone of laptop is powered off, and IF they have the entire data partition encrypted, than it will save your data (provided that your password is strong). Yes, IF you use face ID or Fingerprint unlock option, than it may protect your data to a certain degree (provided that you do not have your phone rooted), Such "protection" is not very strong as we know, it may give you more time to change your passkeys, but not much usually. And you still have your headache coming from the urgent passkeys cancellation or recall. Yes, IF you use a strong passphrase (I do not know if it is possible with online services though), than your data is protected, but what is the point in passkeys in this case?

I would prefer to stick to using strong passwords at least on this type of devices. I also would use Keepass2Android/Keepass2 or my PGP keyring (but for encrypting the list with the passwords locally only) + a good open source 2FA app like aegis (Android) or WinAuth (Windows) which can also be protected with a password. 2FA can solve the issue with hash stealing. 2FA together with a properly configured antivirus and browser minimizes the risk of fishing even for beginners. In addition you can make your browsers to delete the session cookies so that session stealing is not possible. You can do it with passkeys to, but will you have too make it all over again (the process of setting your login with a passkey)?

You can use passkeys on your home PC. But would it be convenient to you to have different modes of authorization to one particular service? And would this service allow this? These are the questions.

P.S. But, of course, if a user has big risks of getting fished and does not want to take basic precations (at least not to open links from e-mails), than passkeys maybe the solution.

pavelsergeev

Is it possible to create a FaceID on one phone from a picture displayed on another phone without the actual physical face?

williamcanton

Can you affiliate link to a secure password manager program/app?

JennaHasm

The problem with any bio-metric method is that if a person passes away either young in an accident or of old age, then usually bio is not available for their loved ones to access bank and other accounts. Every method has pros and cons, there's no perfect solution.

BillAnt

push-bio vs FIDO-bio/pki.. that's a bit confusing to compare

patrickchan

Must have phone. Must have internet connection. Almost forgot, must have credit card.

joelmamedov