Here's the deal: passkeys are going to replace passwords in the near future. But are you comfortable starting that transition yet or are you going to wait until things get a little easier to manage?

@debasishnayak8610

Жыл бұрын

Wait

@greenbeginner3353

Жыл бұрын

Based on your video, I don’t see how it’s any more secure than a well designed password.

@Venistro

Жыл бұрын

​@@greenbeginner3353 passkeys cannot be phished

@greenbeginner3353

Жыл бұрын

@@Venistro That’s all? That’s the entire value of a passkey? There’s got to be something more for such effort to be made to replace passwords.

@Venistro

Жыл бұрын

@@greenbeginner3353 No, that's not the only safety gain. Of course, the added value is significantly lower if you already handle passwords responsibly, but that is not the case for most people. Disastrously bad passwords are chosen and used for several or all services. This is also prevented. And protection against phishing is no small matter...

Interesting stuff! Meanwhile it's laughable that banks barely have strong password requirements, with only sms 2fa if you're lucky.... it's a total joke

@AllThingsSecured

Жыл бұрын

Preach

@zzrelaaxx8945

Жыл бұрын

Agree, thinking about switching my bank cause my bank don’t care about security seems like

@7m2sbwsfabrpocw6vvzetqgg6n0sgu

Жыл бұрын

@@zzrelaaxx8945 I'm curious what you and others pick because I can't find anything good

@momentomori1747

Жыл бұрын

It's worse than not having strong requirements. They actively prevent you from having strong passwords.

@Bushchannel

10 ай бұрын

My bank only allows a 16 character password and SMS for 2FA

Glad to hear you are trying to figure this out cause I/m still scratching my head. I agree with the yubikey method.

Good to know I'm not the only one confused. XD You did at least explain the core idea behind aka the user is no longer the weak link, ideally. I do wonder about how security will pan out over time and just hope like you that physical key support stays a thing, and ideally continues to spread.

At the end of the day, this is just an "online version of a YubiKey", meaning that the approach is the same as the one with YubiKey, but the challenge answer is shared not over USB channel, but online. If the private key used for signing the challenge sits securely in your phone HSM, you should be safe as long as your phone doesn't get hacked (which with offline YubiKeys would be much harder): indeed, if your phone is rooted, such private keys are not secure anymore, even if they reside in the HSM.

Question about password security. Do you know of anything that we can store passwords on, something like yubikey, that would do the same functions as 1password or bitwarden?

Thanks for the video. Still unsure if this is a better option than the physical keys. Any follow up videos to clarify our confusions will be highly appreciated!

@HalfwayHikes

Жыл бұрын

it's not a replacement for physical keys. It's a middle ground between passwords and security keys. However, passkeys can also be put onto a physical key like yubikey. But then backup and management is up to you.

I agree that Yubikeys are much preferred over phones. What would happen if your phone was compromised and you were not aware of it.

@AllThingsSecured

Жыл бұрын

My understanding is that they still wouldn’t have access to your passkey without your biometrics or knowledge of your Apple iCloud password.

@NonLogicalDev

Жыл бұрын

@@AllThingsSecured you can get by with just a passcode on iOS. No iCloud password necessary 😅

@user-yj8hd7td4g

2 ай бұрын

What do you do if you lose your phone? Yubikeys are better

Thanks Josh. I couldn't sleep last night, just thinking through options for Authenticator Apps 😂. (I use 2FA where possible, but they are SMS based). Passkeys sound like a natural progression and I like simplicity and the extra security. I'm however a bit concerned about whether Passkeys, being partially based on biometrics, might lock out immediate family members, should I pass away?

@mokiloke

10 ай бұрын

I agree, but i feel the same about current passwords being more inaccesible. At least they could slip my hand onto my phone if i have an open casket funeral.

@shadowminister4090

10 ай бұрын

@mokiloke Hi, I'm using Fingerprints, but if my phone's reader doesn't recognise my fingerprint at least there is the fall-back of a Password. My wife has assess to our Passwords. I'm just uncertain what happens with Passkeys? I have cancer and while I'm doing ok, I'm interested in fully understanding how Passkeys will work. I love the concept, just need more information. Kindest Regards.

Hey great video, yeah so like you said this is obviously new to all of us & lots to explore……now with Google there are a ton of apps like KZread that need to be signed in on Smart TVs/Apple TVs or the like & then there’s the security element once your account is signed in on another device which may be in your home or office…same goes with Google Maps; possibly signed in on an Android Music system in your car or the like…so considering we don’t use the same Google account everywhere then we don’t enjoy their premium services if one is a premium user…just some thoughts to consider 😊

@AllThingsSecured

Жыл бұрын

Yea, that’s interesting. Thanks for sharing, Sachin!

Now they can link accounts to your identity. No more burners. Klaus is happy with this.

Can you talk about Firefox add-ons? Especially the Firefox Relay add-on

I have only a laptop entertaining myself on KZread. For the time being there is no need for me to have a phone. Do I soon need a one to browse KZread on my laptop. Will I be I locked out if I don't have a phone?

Passkeys can techincally be stored on a Fido key. I have done so with mine. However I only have room for 12 keys.

Is it tested? Passkey work for Windows Hello Pin, but for automatically added android device, it prompts "sent notification to the device" but there is not reaction.

Hello just for your information every single time I've set up past keys so far on non-apple devices because I don't use Apple devices it asked me if I want to use a hardware key or if I want to use the device itself because this technology also works if you just use normal to a fake keys which addresses which concerns at the end of the video

Do you need a special device to set up google passkey for MacBook? If yes, can the same passkey device be used with multiple MacBooks (same Apple ID for all of them? )

@dinofareal

Жыл бұрын

I just set up the passkey on my iPhone 13 Pro Max; then I was about to set it up on my M1 MacBook Pro but didn't have to. When I went to log into my Google account (on my laptop), it asked me for my fingerprint and it worked! I did not have to put in a password, or use Google Authenticator or any of the methods before (and I did NOT set it up on my laptop...just my iPhone). So far, the Passkey is syncing through iCloud (as far as I can tell)

@AllThingsSecured

Жыл бұрын

No special device or software.

@dinofareal

Жыл бұрын

All I used was my iPhone

If my passkey is a pin code from an android phone, will the new device trying to login still have to use a QR code and will i get notified if there's a new sign in with passkey?????

You can now enroll FIDO2 capable keys at Passkey section in security tab of Google account settings. Tested with Windows 11. I need to dismiss Windows Hello twice to begin enrollment of Security key by Yubico.

@AllThingsSecured

Жыл бұрын

Thanks for sharing 🙏

@IncertusetNescio

11 ай бұрын

which was super handy since Google didn't seem able to take the key directly (except the Titan one I never use). Definitely have to dismiss the WH 2x as well, which is a minor nuisance also. Hopefully they solve both sooner than later. I am glad to see the new methods meanwhile.

I'm very sceptical about this (not least because it's Google). I'm happy using a strong unique password and 2FA and I'm yet to be convinced this is better. Also, Google accessing the passkey itself is not the real question here. Google is all about tracking you and making *you* the product, so I can see scenarios where Google doesn't know your passkey but it does know _where_ you are using passkeys.

@yochem9294

11 ай бұрын

You don't have to use Google for it, popular password managers like bitwarden and 1password will also support it: they save your passkeys, like they currently do with your passwords

@WilcoVerhoef

10 ай бұрын

Strong password & 2fa is still secure. However, no one is using it except when forced to. I see passkeys basically as a standard protocol between services and password/key managers, cutting out the middle man (which is you copying the password/key from one to the other). Where passkeys are more secure is that phishing for passwords or second factors gets basically eliminated. Humans have always been one of the weakest links. Of course, password managers have and will always be technically able to track what passwords/keys you are using. You should choose one that you trust. Most users are and will still be using the easiest/most forced one (built into Google Chrome)...

Thanks for the video. I get the potential benefits of passkeys, but nobody explains if I can get locked out of my accounts, or what if I set up a passkey on my computer but then I'm travelling and don't have access to the desktop, or if I set them up on the cell phone and lose it, etc etc. Can you possibly shed some light on this?

@rexhepramadani617

Жыл бұрын

u can click try another way and log in with a password or sms code ?

@Hasanbas-rv3vm

6 ай бұрын

It can be synchronized with icloud etc

Awesome overview

Can you no longer add another security key since they added this?

I see no more asking for passwords. I continued to test it and then Google asked me one more time to activate the passkey. Now it’s just entering my email and then clicking on continue. An explanatory step later and one more click and it’s done, I’m logged in. I assume this explanatory step with time will disappear. Cheers from a happy surfer from Sweden. 👋🇸🇪

This ‘you still have to fill in your password thing’ they fixed that. On my iPhone I created a passkey for my Google account. It worked on my iPad right away and on my windows laptop with scanning of the QR code. On windows it asked to create a new passkey for my windows laptop which is stored in windows hello. About the security keys. It’s the same protocol and yes a security key is a little more secure than a passkey for a number of reasons. So I don’t think the keys will disappear anytime soon.

Its still early days for passkeys. I think, I will wait till things get more clear. Nevertheless, Great video Josh

@AllThingsSecured

Жыл бұрын

Thanks so much!

@IkaikaArnado

Жыл бұрын

It's not early days. This has been used for years. This is just a streamline and rebranding of existing technology that you've already been using in some iteration.

Hey there, how can I turn this off I don't want my lockscreen code to be the password to my google account I have authenticator already setup Dont want this on my phone Thanks

Nice content... I have a question that probably is another persons question also... So If I create a passkey on my mobile device and then i set a lock screen password to use that passkey (if I understood correctly) then someone that steals my mobile device and that saw me putting that screen lock password for the passkey will have direct access to my account? I hope I'm missing something here... Thanks

@AllThingsSecured

Жыл бұрын

I’m not 100% sure. I don’t think your passcode will unlock the passkey. It would require your biometrics or your Apple password, I think?

@mmaxton

Жыл бұрын

Even if it requires biometrics, the next question is: how does it respond after I add a new biometric (for example, a new fingerprint on an iPad)? This is a huge gaping whole for Apple’s standard passwords / keychain. I tested this recently. If I’m a bad actor who shoulder surfed someone’s iPhone/ iPad unlock passcode, and then go into settings and add another fingerprint, I can then use that to view all passwords stored in the built-in Apple password system. On the other hand, 1Password is smart enough to detect that the biometrics have changed since the last time I unlocked the app, and will then require me to use the full 1Password password to log in for that next time. This is the smart, safe use of the biometric login. I would be curious to know which of these protections passkeys will use going forward. I like the idea of the separate hardware security key (like my Yubikeys), but I can see that most people just aren’t going to give that level of commitment to their online security. For most users, the device-stored passkey is probably ideal. But I, too, hope that websites will support the use of Yubikeys.

@mecampbell30

Жыл бұрын

I would say this situation is no different than using a password manager. If your phone credential is compromised, a person with physical access to your phone could use your password manager to log into all kinds of sites. Passkeys are stored on your device much like how a password manager handles ordinary passwords.

@mmaxton

Жыл бұрын

@@mecampbell30 it really depends on the particular password manager app. As in my post above, 1Password will not let you use the iPhone’s unlock code to get into it (unless one is silly enough to go out of their way, set up a PIN code for 1Password that matches the phone’s code). And if you add a new biometric, it’s aware of that, and requires the full password for access, any time the biometric has changed.

I really like the idea of passkeys and changed my password into a very complicated one, expecting, that I would only need it as a backup, if ever. But it is a annoying, that login to a chromebook (not unlocking screen) still requires a password. And in my opinion this contradicts the whole idea. I mean, I have my smartphone next to me and I can use it to log in to my google account on a chrome browser on any windows system. Why not on a chromebook, googles own system?

Will this system still be susceptible of account hacking (ie. on KZread channels) since they store cookies and those can be stolen by virus software?

It is a much more secure method of logging in than just passwords, although it is not really a step up on security if you already use a long complex password which was generated by a passowrd manager + a 2FA method (exluding sms). It is just more convenient. Because of that, you are still vulnerable to session hijacking, an increasingly popular method of hacking, especially for youtubers.

@mecampbell30

Жыл бұрын

Thankfully many web services are getting wise and requiring you to reauthenticate for certain sensitive actions even with a session token.

@stratvar

Жыл бұрын

@@mecampbell30 Yes, i sure do hope so.

@AllThingsSecured

Жыл бұрын

I’m hoping this session hijacking problem is addressed quickly!

@matthewcarr6708

Жыл бұрын

It is more secure since the passkey is never actually sent to the service that you're authenticating against. Compared to a username/password which regardless of complexity is always sent over the network. The convenience also helps prevent phishing attacks since you never have to type anything in.

@stratvar

Жыл бұрын

@@matthewcarr6708 Well, isn't prevention of unauthorised access our end goal though? Ok, let's assume that someone finds out our password. It doesn't really matter if you also have a 2 factor authentication activated though, does it? I guess you do have a point when it comes to phising attacks though, since you probably would also type in the temporary 2fa code, unless of course you have a Yubikey (as i do) as your 2FA, then it would be impossible.

Great Video!!

hey josh i'm waiting you to talk about it and my question is i set up a passkey for my samsung phone S9+ use IRIS scanner it is extremely biometric secure and the Question is why when sign in my laptop i notice that account log out Automatically every single day i need to log in and my laptop dosent support any kind of biometrics?!

@AllThingsSecured

Жыл бұрын

I’m not sure I understand the question. Biometrics is entirely dependent upon the hardware, so the kind of laptop you have matters.

They aren't working for me, I create them, but it doesn't give me the option to use them when signing in...

Before May 1st my android ph and Windows PC both worked fine with Google Account & email. Then my PC died. Now my new PC which is using Kaspersky Password Manager just like the one that died can't login to any Google account. Ph is just fine. How do I get my New PC to work with Google?

I could imagine, for example if it turns out that the phone number is way too old to to pass the verification challange. A pattern lock can be offered for android or face id for apple. Interesting

When I tried to set up a Yubikey on my Win 10 PC for Google, it said, "Passkey cannot be set up on this device". I installed Windows Hello and then it worked.

I created the passkey and I am still asked to go to KZread first. Afterwards I enter the passkey. This is annoying. One more layer to slay.

I have a laptop in every room of the house and sometimes two or more laptops near the different chairs I sit in. I use different distro's of Ubuntu and linux on all the laptop and some I have dual and triple booted hard drives with three operating systems, I even have one laptop I rarely use with windows 10 on it, that's just what I do and enjoy. This sounds like a freaking nightmare to me, is this going to be ( forced ) on to us with no choice what so ever ???

I can not create a passkey on my Linux box and despite my S20 claims to have one being made already, it doesn't work either. So I stick with my Yubikey and KeepassXC.

When it asks for your password you have to click on the words that say try another way for it to use ur passkey

How to disable them?

how do i remove it?

Is it safe to save the passkey in the browser? My gut tells me not, what am I missing?

@WilcoVerhoef

10 ай бұрын

If you trust your browser; yes. If you don't; stop using your browser to log into your accounts. You can also store passkeys in a password manager instead of your browser. Many have plugins.

Yubikeys still the GOAT in my opinion

@AllThingsSecured

Жыл бұрын

😂👍🏻

It would be so much easier if we all could use our thumb print.

How do passkeys protect your embedded identity when your device is stolen? Mobile phone theft is on the rise. What do you do when you upgrade to the next smartphone and trade in, donate or recycle your old phone?

Sounds like passkeys will be useful for 90% of sites, but downright dangerous for the other 10% of sites. Im hoping for a Passkey+Yubikey solution.

Passkeys are resistant to online attacks like phishing

@flashlightfreek

Жыл бұрын

Is that a question or statement?

set up a passkey for my accounts

What about mobileless users like me? Passwords are easy for me passkeys are really complicated this is insanity. What if I also login to an older Google account of mine where I had never set a passkey? Will it just disappear because of some stupid new "tech upgrade"? Ugh.

@WilcoVerhoef

10 ай бұрын

Passwords aren't going away anytime soon, don't worry. Your old Google account might disappear just because you haven't logged into it for a long time, but until that point you can use your password

ty

Don't we still have to remember our userid's?

@bigjoegamer

7 ай бұрын

As far as I know, passkeys store your usernames. In other words: you don't have to remember your user ID. I could be wrong, though. I'm not an expert on passkeys.

A long time ago I put in my password and had it saved so I never have to type my password again. How is this easier ?

@Hasanbas-rv3vm

6 ай бұрын

Not easier but safer

This would not be Ideal to a secretary or personal assistant who is manages several devices for two bosses. I log into their many devices so I'm constantly entering in passwords.

@marcradermacher6244

11 ай бұрын

As I understand it your bosses should be able to enter your device as well to unlock their devices. I have four phones and one fingerprint scanner set up to unlock on my PC ;)

Saving your passkey to the Apple cloud is NOT end to end encrypted.

I think Google broke something. I was able to sign in from my phone, but now when I try to sign in on a computer I have to put in my password.

It says that my device does not support passkeys. This is bullshit. Ill stick to my passwords.

Yubikey > Passkey

What if my phone breaks, or I lose it, or someone steals it from me?

@AllThingsSecured

Жыл бұрын

For now, you can still fall back on your password, but in the future I’m pretty sure they will force backup 2FA, such as from a 2FA key.

@paul-erikhansen5769

Жыл бұрын

If you more than one device you can access it from there, same goes for Youbikey, if you loose it and dont have a spare, you can not access any more....

@mecampbell30

Жыл бұрын

Store more than one passkey.

The future is now!!!

it doesn't work on my Pixel 7 Pro

@AllThingsSecured

Жыл бұрын

Hmm…I don’t know why that would be.

I'll need to watch the video here in a bit, but my immediate reaction to this from Google is "meh". They need to copy Microsoft's passwordless sign-in & stop this pantomiming with their phones. 🙄I enabled this on my account the other day and it solidly feels like a marketing gimmick by deliberately over engineering around their phones, rather than doing the sensible thing and going truly passwordless with FIDO keys. I still had to use my password to sign into google accounts on both my desktop and my phone. It was only after closing the browser and reloading the site that it finally acted as though the passkey was necessary. I'll need to use a browser in a Sandbox to verify that the service is working as one would assume, but for now, until I do, I actually wouldn't trust this to secure my account.

@WilcoVerhoef

10 ай бұрын

"Passkeys" are what Google and Apple call FIDO keys

@FrazzleCat

10 ай бұрын

@@WilcoVerhoef I know. However it's the common name for it now, so I'm simply using the newer name for it. :) The implementation via mobile phones is also quite user friendly.

Hello!

@AllThingsSecured

Жыл бұрын

Hi

honestly reluctant to use this. not rolled out by Google well. I am a tech person and I don't really understand this.. :)

4 minutes of nothing. Show us an example video of the creation of one passkey, so we can actually use this feature TODAY.

hard to follow video

👍🏻

@AllThingsSecured

Жыл бұрын

🙏

I would have expected better from a channel called "All Things Secured". Either properly mark your Google advert with the necessary text in the corner at the start of your video or stop spamming. We don't need your stinking passkey spam.

@AllThingsSecured

6 ай бұрын

😂🤣 You think Google PAID me?! 🤣

I hate this feature

@AllThingsSecured

8 ай бұрын

Sorry

Nope. Never going to happen. I frequently am on my computer with my phone nowhere in site. Not to mention,. I am not going to lock my fucking phone just to sign into Google.

That stain on your blue background is annoying as hell.

Sounds more confusing and uncertain than passwords at the moment.

I'm losing brain power a little more each year. And I just lost more watching this. I'm retired so that's my deal.

I wouldn’t trust google with my dirty socks 😂

@AllThingsSecured

Жыл бұрын

I don’t think you understand…a passkey is not “trusting Google” any more than creating a password is trusting Google.

NEVER EVER WILL I TRUST GOOGLE PRODUCTS

@AllThingsSecured

Жыл бұрын

But it’s not a Google product. So…??

I've had the opportunity to test it a bit more and the results are, well, a bit disappointing. Windows' sandbox, unfortunately, wouldn't read my Yubikey for whatever reason, so I purged *ALL* cookies from one of my browsers and then ran it with all add-ons disabled. Result: Google still prompts for a password, so this is simply not a passwordless account setup. Specifically, the login flow is now: Username (email address), password, Yubikey, then passkey. Once you're signed in, Google then "fakes" a passwordless account by no longer presenting the password prompt when you sign in next time, but this is just left over from a previous cookie (strangely, incognito was not enough to avoid this, but purging ALL cookies did the trick). Note that I'm using "advanced account protection", but the password entry requirement still exists before either the yubikey or passkey is requested by the login flow. I may be misunderstanding something but as it is, the "passwordless" claim seems to be kind of smoke and mirrors. Terrible? Not really, but honestly it's just more weight on my opinion that they're stubbornly refusing to go truly passwordless like Microsoft in favor of making their phones the big focus, rather than security. In my opinion? People should keep using Advanced Account Protection and maybe skip this passkey thing, especially considering how damaging the passkey could potentially be if your phone is stolen. 🤔 But that's, like, just my opinion. (Big Lebowski)