Faster Logins with Passkeys | Bitwarden Passkey Tutorial

Science & Technology

Bitwarden finally supports passkeys! It's available for all Bitwarden accounts, including their free version. Bitwarden's synchronized passkey feature allows you to use passkeys across multiple devices.
Take action now to set up your FIDO2 WebAuthn passkeys today!
📝 Sign up for my free weekly security newsletter: weekendbyte.teachmecyber.com/
Links
Bitwarden: bitwarden.com/
Bitwarden Tutorial: kzread.info/dash/bejne/gZ-NrcRpg9uTiKQ.html
Passkeys Overview: kzread.info/dash/bejne/c5yEktNxk5aegbg.html
Supported devices and websites: github.com/bitwarden/passkeys-index/blob/main/passkey-index.md
Table of Contents
00:00 - Intro
00:40 - Passkey overview
02:31 - How to set up passkeys
04:55 - How to use multiple passkeys for the same site
06:41 - Future passkey features
07:13 - Device and website support
07:55 - Closing
🚀 Connect with me on LinkedIn
www.linkedin.com/in/jrebholz

Comments: 87

  • @AlanTheBeast100 (4 months ago)

    It's ironic that you're doing this on a Mac and using Bitwarden. With Mac/iPhone/iPad : Don't need no stinkin bitwarden. Or 1Password. The password "locker" is built into Apple products via the Keychain and Passkeys will work from all Apple devices and browsers on the same AppleID.

  • @teachmecyber (3 months ago)

    Infostealers are targeting keychain, so it's not as safe as you may think.

  • @AlanTheBeast100 (3 months ago)

    @teachmecyber Then please do a deep dive on that in a video. Here are the rules: Only FACTS and EVIDENCE and NO MENTION of Bitdefender.

  • @teachmecyber (3 months ago)

    Here's a good blog post that covers one of the infostealers: www.sentinelone.com/blog/apple-crimeware-massive-rust-infostealer-campaign-aiming-for-macos-sonoma-ahead-of-public-release/

  • @AlanTheBeast100 (3 months ago)

    @teachmecyber Depends on foolish users + social engineering. Edge case non-issue.

  • @teachmecyber (3 months ago)

    Infostealers are infecting hundreds of thousands of systems. People slip up all the time.

  • @rwg1811 (2 months ago)

    My wife is a non-computer person and she was watching this with me and was asking how passkeys work. After a few minutes of her listening to me and not understanding what I was talking about, she finally came up with an analogy that I think actually describes passkeys very well. She said it's kind of like a lock and a key. And I think that's a very good analogy. In this case Bitwarden creates both the lock and key, which is unique in the whole universe, and it gives the lock to the website. Bitwarden keeps the only key available to that lock.

  • @teachmecyber (2 months ago)

    Great analogy!

  • @MindBlower18 (5 months ago)

    This is great information 👍 Thx from Munich 😉

  • @teachmecyber (4 months ago)

    Thanks for watching!

  • @ricardovargas678 (5 months ago)

    I really hope that, over time, more webpages use Passkey as a sign-in method and not as an MFA.

  • @teachmecyber (5 months ago)

    You and me both! There are some already but still a very long way to go.

  • @John-fj3qw (5 months ago)

    Another excellent tutorial, thanks for staying on top of this tech, I have learned a great deal from your videos. Could you make a Bitwarden tutorial for mobile use?

  • @teachmecyber (5 months ago)

    I'll look into it! I had some challenges on a prior video with recording due to privacy features (which is great) on some password managers. Let me see what I can do!

  • @John-fj3qw (5 months ago)

    Thanks Jason that would be awesome 👍

  • @redblitz (4 months ago)

    Thanks for the video - very useful! On a sidenote - what is your Chrome theme called? Love that dark blue gradient!

  • @teachmecyber (4 months ago)

    I'm not sure what the theme is. It's one of the default ones that is available.

  • @joeyc666 (3 months ago)

    Thank you for this explanation, Jason. Is this something you can do only for new accounts? For example, if I wanted to use passkeys on an existing social media account, is it a similar process? Sorry if I missed something in the video :)

  • @teachmecyber (2 months ago)

    Yes, you can do this for existing accounts as long as they support it. You should see it under security settings in the particular app.

  • @TonyDL (2 months ago)

    Great video, thank you! I've decided to give passkeys a try after being nagged a few times and now seeing your video... So I've done 2 of them and it seems seamless as you show. BUT how do I list my user accounts in Bitwarden where I've enabled a passkey? I don't want to lose track of which ones I've enabled it on. Also, if a website allows BOTH passwords and passkeys, isn't that less secure? Thanks!

  • @teachmecyber (2 months ago)

    This is the one downside with Bitwarden right now, it requires a separate entry. Given your username would be stored with the password entry, it's not a big issue. Every website now will have both. You just want to default to passkeys as it is phishing resistant.

  • @TonyDL (2 months ago)

    @teachmecyber Hi, I don't really understand your answer as I see the passkey in the same entry. Still I don't know how to search for entries where a passkey was set. Also, I don't understand how passkeys as you describe are 'phishing resistant' if passwords are also allowed. Maybe another video? 🙂

  • @robtihanyi1155 (5 months ago)

    Nice work Jason. I wish somebody who knows about computer stuff will at some point design an app to get a non computer user to be able to set up and use passkeys and indeed password managers. Nobody seems to understand that what seems like a "simple setup" to a computer user makes no sense at all to a non computer user. Until somebody designs a system to get this done the people who stand to gain the most from passkeys/password managers are the people who will continue to be the ones that are unable to access the service...just saying.

  • @teachmecyber (5 months ago)

    I've been thinking about doing a written tutorial to help in situations like this. While not perfect (e.g. I can't make the program easier), it may help with learning the new tool. Would that be useful?

  • @puduville1 (2 months ago)

    Great video. Remember one thing: till we get rid of less secure pwd recovery processes like email recovery etc., or we eliminate the pwd on the site (options that sites need to start providing), this will not be more secure.

  • @teachmecyber (1 month ago)

    Yes, it will still be a fallback. But the more you use passkeys and stay consistent the better off you will be.

  • @Marco-ce8kr (5 months ago)

    Q: So if I have a password previously set on a website and later I set a passkey, will I be able to use both or just the passkey? And don't forget the Nordpass tutorial for future videos.

  • @sevenelven (5 months ago)

    Websites usually let you choose your preferred way of signing in

  • @bigjoegamer (5 months ago)

    It depends on the website. Some websites will let you sign in with a password or a passkey, which means you can lose your passkey but still sign in with your password, or lose your password and still sign in with your passkey. Others will use your passkey as a form of 2-factor authentication, meaning you'll need your password and your passkey to log in. Others will replace your password with the new passkey, meaning you can only sign in with your passkey. I don't know if I've covered every scenario, but I hope passkeys become the thing that replaces passwords.

  • @teachmecyber (5 months ago)

    @bigjoegamer covered most of the scenarios you'll run into! The website may autodetect it (e.g. Gmail does this), others may ask you which method you want to sign in with (passwordless or password).

  • @WE-vd8ux (3 months ago)

    When I create a passkey like you in your video, the public key will be saved in Bitwarden. What about the private key, which usually is saved on the local authenticator? What does sync of passkey mean? Sync the private key from one device to another? How will they be stored there? Does this happen automatically?

  • @teachmecyber (3 months ago)

    When you create a passkey with Bitwarden, the private key is saved into your Bitwarden vault. The websites you configure passkeys with will get a copy of your public key. With Bitwarden's passkey implementation, the passkey stays in your vault which you can access from different devices.

  • @Juan-sq9hb (5 months ago)

    Will passkeys replace hardware authentication like Yubikey? What are the advantages of each?

  • @teachmecyber (5 months ago)

    Passkeys are the same technology as Yubikey. The main difference is that instead of the private key being stored on the Yubikey, it's securely stored on your laptop or mobile device. This implementation with Bitwarden (synchronized passkeys) allows for more flexibility to log in from different devices. Yubikey is a device-bound passkey where you can only log in with the Yubikey, so you have to have it with you. It's more secure but less flexible.

  • @Juan-sq9hb (5 months ago)

    @teachmecyber Thanks a lot for your answer! :)

  • @Chicago48 (2 months ago)

    Is the passkey device-specific? Or if I have a computer and phone, will it merge across devices? Also, does the passkey eliminate or delete my PASSWORD? AND what if you have 2-3 Google accounts like I do? I have a job gmail, a Google gmail, and another Goog gmail?

  • @teachmecyber (2 months ago)

    You can set it up for multiple accounts, no issues there! You can have both the password and the passkey at the same time. You can set it up just for a specific device or use a password manager like 1Password and it will work across devices.

  • @luigi3418 (2 months ago)

    Sorry but saving the passkeys on Bitwarden in my opinion is less secure than saving them on your device, this is because correct me if I'm wrong, by saving them on Bitwarden if they ever enter my vault, with the passkeys they could access the sites they want, whereas if they are saved on the device (like a phone) to then use a passkey you also need biometric authentication, so it's an additional security check in addition, don't you think?

  • @teachmecyber (2 months ago)

    Yes, you're correct. It's the trade-off between security and convenience, but it's the same risk of using a password manager with just passwords. You can still take steps to secure access to the vault to minimize the likelihood of someone gaining access.

  • @GrouseHiker (5 months ago)

    Does the private passkey have to be remembered, or is it encrypted on the device? Does anything have to be remembered? It seems that if it's stored on the device, the weak link is the device login... not the website login.

  • @teachmecyber (5 months ago)

    You don't have to remember anything new! The passkey is stored encrypted in the vault. The only thing you need to do is unlock Bitwarden to securely access the private key. You should set up Bitwarden to require strong MFA (you can also set this up with passkeys to your local device).

  • @petearmstrong2778 (5 months ago)

    Here is the scenario - passwords no longer used and a person now has 200 device-bound passkeys on a Windows laptop or Android (Apple may vary I don't know). You now get a new laptop - how do all these passkeys get reset on the new laptop? Cannot be manually. I guess the same question applies to a password manager - how to link a new device to use existing passkeys.

  • @teachmecyber (5 months ago)

    This is the key difference between device-bound and synced passkeys. Device-bound passkeys are stuck to that device. With Bitwarden's synced passkey solution (similar to what 1Password does), you can access it from any device as long as you have Bitwarden installed.

  • @jessejames586 (2 months ago)

    But sites that also allow user/password authentication negate the security that passkeys offer unless you can delete these credentials once you have a passkey set up for the site.

  • @teachmecyber (2 months ago)

    Potentially. But if you don't use them after setting them up and only use passkeys it is still more secure, especially against phishing attacks as long as you default to using passkeys
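
The replies in this thread state that the vault keeps the private key, the website holds only the public key, and that passkeys resist phishing. A simplified Node.js sketch of that login exchange, added here as an illustration (not code from the video, Bitwarden, or any commenter); the domains `example.test` and `example-login.test` and all function names are constructed, and real WebAuthn authenticator data also carries flags and a counter.

```javascript
// Added example: simplified WebAuthn-style passkey login (constructed names and domains).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the vault keeps the private key, the website gets the public key.
function registerPasskey(rpId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    vaultEntry: { rpId, privateKey },   // stays with the user
    serverRecord: { rpId, publicKey },  // stored by the website
  };
}

// Authenticator side. The browser, not the user, supplies the origin of the
// page that is asking, so a look-alike domain cannot borrow the passkey.
function signAssertion(vaultEntry, challenge, origin) {
  const host = new URL(origin).hostname;
  const inScope = host === vaultEntry.rpId || host.endsWith('.' + vaultEntry.rpId);
  if (!inScope) return null; // no credential is offered for this site
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  const authData = sha256(vaultEntry.rpId); // simplified: rpIdHash only
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, vaultEntry.privateKey);
  return { clientDataJSON, authData, signature };
}

// Website side: check the challenge it issued, its own origin, then the signature.
function verifyAssertion(serverRecord, issuedChallenge, ownOrigin, assertion) {
  if (!assertion) return false;
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return false;
  if (clientData.challenge !== issuedChallenge.toString('base64url')) return false;
  if (clientData.origin !== ownOrigin) return false;
  if (!assertion.authData.equals(sha256(serverRecord.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature);
}

function demo() {
  const site = 'https://example.test';
  const { vaultEntry, serverRecord } = registerPasskey('example.test');
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(vaultEntry, challenge, site);
  const lookAlike = signAssertion(vaultEntry, challenge, 'https://example-login.test');
  return {
    genuine: verifyAssertion(serverRecord, challenge, site, good),
    lookAlike: verifyAssertion(serverRecord, challenge, site, lookAlike),
    // The same assertion presented against a fresh challenge is a replay.
    replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), site, good),
  };
}

console.log(demo());
```

Nothing the website stores can be used to log in elsewhere, and a password that remains enabled on the account is outside this exchange entirely.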

  • @Rednunzio (4 months ago)

    What does Bitwarden save to manage the passkey? The private key or what?

  • @teachmecyber (4 months ago)

    That's right, Bitwarden is saving and securely storing the private key.

  • @vimalramachandran (5 months ago)

    So, if I had to log in on a computer where Bitwarden isn't installed, the passkey stored in Bitwarden cannot be used, right?

  • @teachmecyber (5 months ago)

    Correct, in the current implementation. Future iterations with mobile support may change this if it allows you to point to your mobile app.

  • @breadone_ (3 months ago)

    @teachmecyber Wow. This, and the frankly amateurish UI for desktop was enough to make me switch to 1P

  • @bigjoegamer (5 months ago)

    Thanks for the info. Good video. I'm looking forward to device-bound passkey management on Linux, and the ability to use passkeys to sign in to Linux apps and websites without downloading a password manager or using a browser's built-in password manager. Also, the ability to import and export passkeys across all of my devices and password managers would be awesome. For example, exporting my Bitwarden passkeys to a file (encrypted or unencrypted) and then importing them into an Android phone or iPhone or Linux/Windows/macOS computer or another password manager. Or just skipping the "file" part and letting me choose from a menu which device or password manager I want to send my exported passkeys to.

  • @teachmecyber (5 months ago)

    The export feature scares me a bit because it will get abused by attackers, so I'm keen to see how they do that securely. Google is lagging behind on support in Android, but is working on APIs that will unlock the ability for Bitwarden to use passkeys on Android. It's slow but progress is being made!

  • @Richie.65-rn7vv (4 months ago)

    Wouldn't you want the username to be stored if you've got multiple accounts on a site? How are you going to login to a site if you can't remember what username you used when you registered?

  • @teachmecyber (4 months ago)

    For passkeys in Bitwarden, you will need a new entry for each unique account on a website. The passkey stores the username in it, so you'll just have to manage the item in Bitwarden accordingly (e.g. just put it in the name of the item).

  • @gabsriel (2 months ago)

    I'm a newbie. It seems that Firefox does not support passkey except the hardware ones....what a shame

  • @teachmecyber (2 months ago)

    Yeah, hopefully they get an update to support it soon!

  • @debnathmriganka2010 (2 months ago)

    Sir, I am completely new to Bitwarden. Today I am trying to log in to Bitwarden using a password key on my mobile phone, but it only shows the PIN option, and after that, when I try to log in, it always shows wrong key. Please help me use it properly on a mobile phone.

  • @teachmecyber (2 months ago)

    Can you provide more information on what's happening?

  • @CapAlzheimers (5 months ago)

    125% faster, what does that even mean? If I normally log in in 100 seconds, using Bitwarden makes me log in in negative 25 seconds?

  • @teachmecyber (5 months ago)

    Okta's analysis showed that logins with a password on average took ~13 seconds. With passkeys, 3 seconds.

  • @CapAlzheimers (5 months ago)

    @teachmecyber Ok, so faster, but the number 125% makes no sense.

  • @teachmecyber (5 months ago)

    Just me getting my math wrong lol

  • @StijnHommes (5 months ago)

    You cite Okta, but you fail to mention that they're a biased party... I can only be thankful that passkeys are still not working on my copy of Bitwarden. It appears that is by design. Passkeys only work with the online vault, which is a million times less secure than my locally installed vault. No thanks. Got any alternative password managers I can try that didn't dilute their product security with passkey implementation?

  • @teachmecyber (5 months ago)

    Passkeys are the future. They are more secure than traditional passwords. I imagine most password managers are going to expand support for them as more websites adopt the technology. If you're an offline password vault person, KeePass, Bitwarden's offline version, or Passbolt are good options.

  • @StijnHommes (2 days ago)

    @teachmecyber "They are more secure than traditional passwords." How so? When biometrics fail, the fallback is a simple PIN. Anyone close to you with bad intentions who has seen you unlock your phone can get access to your accounts as well when passkeys are enabled. Passkeys are basically 1FA when the bad actor has access to the device.

  • @blaaxz (5 months ago)

    No Firefox support?

  • @teachmecyber (5 months ago)

    I've heard mixed results with Firefox. Are you having issues with it?

  • @therevanchistv (4 months ago)

    @teachmecyber I am. Works on Chromium-based browsers only, it seems.

  • @jbinfa7k (5 months ago)

    It is so quick that I lack the confidence I did it right...🙄

  • @teachmecyber (5 months ago)

    Did you try to log in with the passkey after you set it up?

  • @fumo7887 (2 months ago)

    "Can log in 125% faster" - math does not work out. Negative time?

  • @teachmecyber (2 months ago)

    Heh yeah, I think I got my math wrong. Regardless, it's much faster and more secure!

  • @cam_934 (4 months ago)

    Real short list of supported browsers and sites, sounds like wait a year then have another look.

  • @teachmecyber (4 months ago)

    There's no reason not to start now. Protect the accounts you can and then revisit it from time to time to see what you can add.

  • @zoenagy9458 (2 months ago)

    Takes 6 seconds to load the addon on i7+SSD+16GB RAM, unacceptable

  • @teachmecyber (2 months ago)

    That's odd, what OS are you using?

  • @Zaros1337 (3 months ago)

    I'm even more confused about passkeys now than I was before watching.

  • @teachmecyber (3 months ago)

    What can I help clear up? Have you seen the full video I posted on what passkeys are and how they work?