Goodbye Passwords! Hello Passkeys
Vložit
- čas přidán 8. 10. 2023
- In this session we take a deep dive into the latest identity technology passkeys. For years hackers have been able to easily steal passwords through malicious links or phishing emails. In an attempt to solve this problem, Yubico created FIDO keys. Physical devices that truly offered the world a phishing resistant solution. With passkeys, we take things to a whole new level. The private/public key pair can now be stored on mobile devices and computers. So instead of using a password. The user could use an encrypted passkey along with a biometric, such as a fingerprint or facial scan. In this session I’ll take you through everything you need to know about passkeys and exactly how they work with lots of demos and explanations.
I’ll also be speaking at ESPC 2023 in Amsterdam. 27-30th Nov. Details below. Use Code: ESPCAndy and receive 10% off any ticket on top of Early Bird pricing. The code discounts 15% until September 30th and then it goes to 10%. www.sharepointeurope.com/
For more on me visit Andymalone.org
Visit my Patreon Site Patreon.com/AndyMaloneMVP
The main advantage for passkeys seems to be that a public key is stored instead of a password hash. That's a fantastic thing.
What I'm not super excited about is the idea of essentially removing passwords. Yes, there are weak passwords and passwords can be stolen, but at the same time, devices can be stolen, and biometry can be tricked, or compelled to unlock.
And if you compare the risk and probability to get hacked between these two options? Passkeys are invented for a reason! ;)
@@LivingInCloud1 Yah. Where a website actually supports passkeys, an attachment to passwords is a lot about comfort at this point. Passkeys aren't familiar, so it gets people thinking of scenarios that are less likely than the multitude of scenarios that are possible with preshared passwords. For example, a lot of the attacks @Lleanlleawrg mentioned require physical access. Passwords can be phished remotely.
I mean sure, it's possible for a Yubikey to be stolen, and for someone to guess the PIN before it locks itself out. And sure, someone who knows that your passkey is on a susceptible keystore can steal one, hack it, and log into your accounts, but a lot needs to happen _just to you_ before this happens. And it's likely that you'll notice you've been compromised and can start revoking the passkey since all that can be triggered when you can't find your key or learn about a vulnerability.
@@LivingInCloud1 So you lose your phone and stored biometrics. How are you going to log into anything? Relying on a passkey without a password as a backup login is a liability and if you need a password as a backup you might as well use it as the main login so you notice when it is compromised.
I've been using pass keys for a few years and love it, and I also agree with other users, saying they need to be easier to set up. They can be a pain in the ass to set up, and if it gets screwed up during setup it's a bigger pain in the ass to fix, I've done both.
Many Thanks Andy. Great information as always...!!!
Most excited for this. Looking forward to it.
As always, such a great video. Full of info, and no nonsense.
This was an awesome video. You look great by the way, Andy.
Thank you as always, mate!
Thanks Christopher 👍
This was the coolest intro that I have seen in a while
Nice one. I've passkeys set up for my google account now. This really could be the future.
Thanks for your sharing
Oh, You make me giggle, I wish you health!
Thank you :-)
Nice one❤❤❤
I am not so sure they will be readily adopted until the process is made far simpler for end users (and admins)
Andy how about a video for people managing multi tenants in 365 and best ways to access different customers from a single pane of glass and ways to swap credentials to login to the respective customers portal ?
But great video as always and thanks
Thanks so much. Hey have you taken a look at Microsoft Lighthouse? It's free and will help you do just that :-)
I like the introduction.
aww you made me think this is something real already. Wake me up when it's actually a thing. thanks for the description!
Or you could learn it now and be ahead of the game instead of catching up later.
@@AndyMaloneMVP looking forward to not have to pay for fido keys.
I use my ubikey as much as possible clearly the most secure option.
I believe that passkeys will be another option, but I do not believe that they will eliminate Fido Keys altogether. Having Fido keys would still be supported for a long time if not indefinitely.
So, how does Passkeys work when you boot up your Windows/Mac computer and get prompted with a Login screen? Do you type your username and there's a button that says "use this passkey?" Which means anyone could log in if they know your username?
Hi Andy,
Good job on this video. I would like to see this technology used for anything and everything. What are the differences between a physical Yubico key and the digital version you show here? Is it just as secure? Some may argue that a physical key and a digital key both have their faults, but with a physical key, no one can gain access without it. I personally like having a physical key. Does the digital option have the potential to make the physical key makers change their business strategy?
Great questions. They are obviously based on the same tech so would have the same pro's and cons. It's pretty robust so far. As MS have not released their options for Entra ID it will be interesting to see how admins can manage this in Antra ID as well as device management in Intune. We shall see soon I guess.
quick question as I was missing this in the video
with fido2 keys, you could protect yourself by having two or more fido2 keys, which was the redundant vault in case one fails
how about the passkeys, when your mobile drown or your laptop drive say good bye...
what is the redundancy model here for the consumer sector, where you are not using Conditional access policies, but would like to make use of passkeys, is your backup method still a passwrod, though few times longer, as you will use it only in backup scenarios, as a last gate of resort ?
Great point. You are correct about Fido. However Passkeys can be backed up to let say your iCloud account or Azure Key Vault which can then aid in recovery / transfer to a new device :-)
Thanks for this great introduction. It seems that passkeys cannot be synced, because the private keys cannot leave the device, so will we need a separate set of passkeys for each of our devices?
Kind of. They can be synced between apple devices via keychain.
I am excited by the notion of passkeys. I suspect that having them backed up by the likes of Apple, Google & Microsoft is good, but are there guarantees that they will be secure? And not revealed to 3rd parties.
If you could show me something that’s 100% secure, I’ll give you $1 million. Unfortunately nothing comes with 100% guarantee.
some websites or apps do not support passkeys then what should we do.Where should we save password because remembering multiple accounts and passwords is a difficult task?
As time goes on it will increase
Thanks for the great to the point video. Q.1. Can you use the passkey on any device regardless of what device it was created for? E.g. passkey created for desktop but then somehow installed on a mobile device or vice versa? Q.2. Can an existing passkey be copied, shared or moved over to a new device?
No and No. Passkeys generate a unique fingerprint. You could always use a fido key which has a portable private key.
@@AndyMaloneMVP You sure about the second No? The passkey ends up on the iOS keyring that can be backed up and transferred to a new phone. In essence, you give up a little security with a software Passkey compared to a physical FIDO key, trading security for usability. This said, Passkeys are WAY better than any password there is. If you want truly private key handling, stay with physical FIDOs.
Good video on what. As an individual end user I still have no ideal of how to create and use one. I am very wary, for example I am locked out of Facebook because I clicked a link that asked if I “want to use two factor authentication”. What it really meant was “if you have set up two factor authentication, do you want to use it”. Now when I try to log in I am asked for a code which my Authenticator can’t generate because it was not set up before I clicked the button requiring use of two factor A.
How do you do when your smartphone is completely crashed and you have to setup a brand new smartphone for example ? if you do not have a password of course.
The key will follow you.
When will just passkey be used for login?And password should completely removed so that no one could log in using passwords?or if we setup passkey then no one could log in using password?
Rolling out from January 24
I would assume you would not want this to be the sole method of authentication for a given account. This would mean if you lost your authenticaton device, you are locked out. For a secure but recoverable account, would one just keep a physical fido key as a backup, or simply rely on other admins to change those methods on lockout?
Obviously that cannot work for personal accounts, so what would the suggestion be for that scenario? Securely stored MFA backup codes?
I agree and good suggestion
What happens if the device on which I created the passkey is lost, stolen, or damaged? How do I login on a new device without the original one? I've watched half a dozen videos on passkeys, and I'm just barely starting to understand them, but none of them have answered that question.
Pies are stored on your device, which are then backed up either to your azure key vault or your iTunes account. Also this is one of the reasons why you would have multiple keys on multiple devices to prevent such an issue.
I tried to go password less Ms account only to find out I can no longer log into RDP...
Is the passkey device Specific? - or if I have a computer and phone will it merge across devices? Also does the passkey eliminate or delete my PASSWORD? AND what if you have 2-3 Google accounts like I do? I have a job gmail, a Google gmail, and another Goog gmail?
Passwords are device specific but can be backed up. Goog also have there own passkeys for their sites. No they don't delete your password YET! Best to have multiple passkeys on multiple devices :-)
Hi,My question is that if we set up passkey then password option should be disabed,but password option is enabled so if someone knows your password then where is the secuirty of passkey?because password option is enabled even after setting up passkey so he can log in
There will be an option in conditional access for this coming in January👍
is there always a online connection required to check the public key or is there en "backup mode" for devices that are use online and also offline?
It's a client to service authentication method. For example device to website or app authentication, so a connection would be required.
Can somebody explain Please, so far it is not possible to add a Passkey for a M365 User, the only option is to use a security key right?
If i follow through the dialogue on the "my security info" site and add a new authentication method, only "security key" is available. Klicking on "security key" prompts the QR code and the passkey can be saved on my iphone, bit it wont let me finish the setup with an error message
This feature will be available soon. A Passkey will be associated with a users device.
Is apple itself password storing feature secure or not
Can we use lastpass for storing passwords?
Apple key vault is far superior at storing passwords and many commercial systems. It’s completely encrypted and passwords are shared across Apple devices.
Any idea if Windows 10 will be updated to support these (my PC is too ancient to run Windows 11).
I believe so yes.
I don't understand how this is better or safer than Two-Step Authentication that we already have in place. What benefit does this method offer which the 2SA can't?
There was some research done a few years back that showed that two-step verification features such as phone calls and texts could potentially be intercepted and thus these methods are not phishing resistant. Whereas authentication methods linked to hardware such as Fido keys are the Microsoft authenticator app are resistant.
When you've created passkeys for multiple devices and it presents a choice of which passkey you want to log in with - presumably the passkeys be renamed to easily associate with specific devices? What happens when you get a new phone? Lots of new passkeys to create, or some transfer of old ones to new phone? Or is this outside the spec, so each manufacturer does their own thing?
For an example, the passkey is associated with your keychain in Apple. So it’s irrelevant for the device. So if you lose your phone, it’s not a problem, passkey it’s for the user to identify themselves
does android offer keychain?
or Windows for that matter
@@aaronster to be honest, I don’t use android due to his poor security. So I don’t feel qualified to answer this question sorry.
How do you use a passkey on a windows desktop with no camera for face recognition?
Buy a camera first 😊👍
Not "ALL" have a smartphone or tablet. I certainly hope there is an opt out for this tech.
This is merely one form of authentication
I see one floor in this system, what if the tech fails and has to be replaced, are you then locked out of everything connected to it in this way?
I assume you me flaw? This is but one a number of methods. Your passkeys are backed up and could be transferred to a replacement device 👍
Does this type passkey support Fips 140-2 like you can get with some of the physical FIDO YubiKeys?
Yes it will
@@AndyMaloneMVPawesome do you have any documentation you can direct me at? Also will this work for both Windows, MacOS and IOS when available in Entra? Thanks for making great videos 💪
Can you please let me know where should we save passwords because remembered multiple accounts and passwords is a difficult task.please please please let me know
Thanks
If you really must! Use a password manager use an encrypted key store
Passkeys would have been great had they been developed BEFORE passwords came into use. Since they weren't, passwords seem to now be a permanent feature of the authentication landscape. Even though passkeys are superior to passwords, they don't seem to be doing much to eliminate them.
They are, believe me
@@AndyMaloneMVP What examples of existing, practical, mainstream web sites can you name where passwords have been eliminated as an option for new or existing accounts?
Apple key vault?
Please let me know is it icloud keychain or not?
Please briefly explain
support.apple.com/en-gb/HT204085
What is apple key vault.
Is it iCloud Keychain or its any other thing?
Please confirm me
Thanks
1 and the same
Question is, ultimately does MS still store the User account with a password hash? If yes, then all you need do is find a entry point on the perimeter that doesn't support Passkey and must fall back on password challenge.
Hopefully this will be removed
@@AndyMaloneMVP My understanding is that, in the consumer space, the challenge will always be regaining access to an account if you loose your phone for example. The fall back would be to standard username and password and maybe another MFA mechanism. It's not an easily solved problem. I think the point is that such cases would be outside of normal behavior and make phishing attacks considerably harder.
The enterprise space is a little easier. With federated SSO there are fewer credentials to manage so getting your help desk to let you back in should be easier. Not that that pathway won't be abused by attackers..... ☹️
@@AndyMaloneMVP We said that back in 2000 when we started using RSA fobs... still waiting ;-)
It won't be too much longer before the hackers learn how to get through passkeys
Without access to a physical device that will be tough.
The private Key „NEVER“ leaves the device? But how does it sync between your devices?
And where will it be backuped?
Apple and Google require cloudsnyc or else you cant use Passkey!
Whats with Microsoft? Do they „allow“ Passkey without an account?
A user account can have passkeys on multiple devices. In terms of how MS will deploy .. watch this space for more details 😊
As I understand there is no standard for passkeys so management between browsers and for example Bitwarden have yet to be resolved.
You are incorrect, I’m afraid. Fido is a standard
Looks pretty easy to set up, but what happens if you lose your phone or your passkey set up info becomes corrupt somehow? Will you lose your life?
It’s backed up to either your Azure key vault or your iCloud, or equivalent. No, you won’t lose your life 😊
I think passkeys will remain in the consumer space for a while before being adopted by business. MS already has a FIDO2 compliant solution for Windows devices, Windows Hello for Business. (Note: this is not the same as the consumer Windows Hello. They are different technologies.) That said MS don't have a device trust solution for Android and iOS. An MS Authenticator managed passkey would extend this paradigm to mobile devices too. Time will tell but business adoption will be slow.
For enterprise, passkeys will be implemented in enter ID very shortly.
@@AndyMaloneMVP I'll be watching, and waiting for, the mobile support with interest.
Can you break down the difference between using MFA against this?
A passkey is for of authentication. When you add a fingerprint or face that’s a second. Plus the device itself is the third. Hence the term multi factor/
One thing that people don't realize past keys.
Past keys actually have batteries in them and when those batteries run out. You're not going to be able to access your equipment.
You’re talking about physical Fido2.0 keys. You’re right. Another reason to use passkeys stored on devices and backed up into Keychain or similar system
@@AndyMaloneMVP an alternative is to enroll multiple passkeys on devices including ones that don't have a battery. The ones w/o a battery or that are in a less durable phone can be backed up by passkeys on physical security keys that you keep in a safe. Behind all of these, most websites have recovery methods that you can use if you lose all other authentication methods, but it's important to confirm these before you get locked out lmfao. In a corporate environment, your IT department will always be able to recover your accounts. BUT if they encourage you to have backup keys, they'll need to do this less often and may even allow you to self serve rotating your backup key if it goes missing.
What if i want to login to my email on someone elses laptop for example, how would that work with passkeys?
You would setup a passkey on each of your devices
What happens if passkeys are only on a cellphone and the phone is lost, stolen, or broken? How would a person still access accounts?
It's backed up to your iCloud
@@AndyMaloneMVP So one would not be able to access any accounts until the device was replaced? But after replacing the device, at least one would not have to regenerate the passkeys.
Most people, including myself, will be lost watching this video and I'm fairly computer savy.
My phone and computers remember all of my passwords so I rarely have to put them in. Will it same work the same way with passkeys?
Exactly! But a million times more secure and are phishing resistant
@@AndyMaloneMVP No one has ever figured out my passwords nor will they. This fixes a problem where there is none and just looks like a pain in ass.
@@jamestemple8970 a very real problem with password auth is that you could be fooled into providing account info to a phishing site if that website asks you to login. So someone who has never touched, or installed malware on your computer could convince you to give them your username and password and perhaps even log in for one or many sessions on your behalf. If an attacker with similar access (none to your physical computer, but with the ability to fool you) tried to convince you to do a passkey login to a phishing site, your browser would divulge nothing about your account to this site: It wouldn't know how to divulge your account information.
It's still not perfect, but it's significantly harder for people to get scammed in the same ways when they're conditioned to always use passkey login.
Another real problem is session hijacking. After you've logged into a website, it's possible for someone to move your login session to another computer. If a website provides a more convenient, more secure way to login (like passkeys) it can reduce the max duration of sessions, reducing the impact of a session hijack.
Can anyone tell me how best to handle these things for a sysadmin of a small company. I tend to remote control machines out of hours when the machines are free and texting the machine owner to say can you hit accept in an app or to get a verification number or.... Is a pain. I love the old method of they give you the password and you are logged in with no interaction with the user needed. I understand that's not secure but how can this situation be handled in a new age, can the system admin be granted a user / login that can bypass the user two factor
As I said, at the end of the video Microsoft will be introducing passkeys into Microsoft 365 admin centre and Entra ID. Watch out for more details to come.
How do you revoke a passkey if you lose a device?
Delete it.
Hello. How do I access my Coinbase without the Passkey? I was able to get in a month ago, but now it's requesting a passkey, which I never created. I can't even access the account to create the passkey. HEEEELLLLP
No idea, sorry
It’s difficult to remember passwords of multiple accounts
Please suggest me the best way to store passwords or best password manager?
The whole point of this video was to move away from passwords
@@AndyMaloneMVPsome websites or apps do not support passkeys then what should we do.Where should we save password because remembering multiple accounts and passwords is a difficult task?
@@sheikhhasnainiqbal3715 It’s new tech. It’ll come
I don't know this sounds like a terrible idea. If someone steals your device or biometric data what recourse do you have? Once your biometric data is stolen that's it there's no changing it unlike a password. Also what happens if you need to reinstall your OS or move to a new phone?
Unlikley
Unlikely? That doesn't address the concern or offer any comfort-- it makes it more concerning!
It's pretty common to replace OSs and hardware.
Your biometrics is not what is passed to the online service. So stealing your fingerprint is useless. Unless they also steal the physical device with the passkey that is locked with your biometric. But even in that case you can use another device to revoke the passkey in the stolen device.
Although I haven't tried it I think you can reinstall OS and not lose passkey because it is handled by hardware TPM chip. If you need to move to a new mobile device you can just link up new device and it creates a new linked passkey. You can also create backup keys in printed form...and they can be revoked if you lose them. Anytime a new device is linked you'd be alerted.
It's all well thought out. There are multiple things in action that are not obvious. It's both complex in security while being simple to use.
My Windows laptop is crippled by the passkey virus from Google. What malware or antivirus do I buy to remove it? It has locked down my password manager. I have no idea what did to install the passkey virus. I am very careful.
Passkeys is not a virus. It’s an authentication mechanism. I’m not using Google sorry.
@@AndyMaloneMVP I solved the problem by editing my passwords in Edge and then syncing Autofill and then syncing on Chrome. You call it a feature. I call it a virus.
Do passkeys need an internet connection? Does that mean I can't log into my mobile without a signal? There is no such thing as total security? For the average user good enough is all they need. The more complicated the system the more likelihood that the legitimate user is the victim of the security system
Generally no, however, you would typically use a Paske to authenticate to a server or website via an app
The problem is passkeys cost a lot of money, and when you are an SMB you don't want to spend the money to buy them. If the price comes down on passkeys were you can buy them at your local dollar store then I can see it being thing, but until then passwords will remain king.
I agree with what you say about physical passkeys, but not the ones attached to mobile devices or computers. These will be free.
@@AndyMaloneMVP the ones that are attached to computer are they physical? Because I know a lot companies in Canada that still do a part-time WFH model and also have floors of desks and computers for users who need to come in and work, no one user has their own machine.
@@andrewenglish3810 yup. You can use a physical (removable) key as part a FIDO2 2FA or Passkey auth attempt. You can also have multiple physical keys attached to an account, and do whatever you need to do to prevent someone from grabbing and PIN-unlocking them.
Question is for backup method there shouldn’t be password
Passkey and just passkey
Because if someone knows password he can login using password instead of passkey
Then where is the security?
And other thing if someonee knows passcode of iphone he can log in any account using paaskey by giving passcode
What’s the solution for that?
You can customise MFA n Authentication strengths 👍
If I’m understanding this correctly, once set up you have to carry the pass key with you like your regular keys. Armed robbers when demanding your phone will also be demanding your pass key as well. Kind of like getting the key to your kingdom.
I because it’s protected by your biometrics
@@AndyMaloneMVP Biometrics on your phone can be circumvented by entering a password instead which an armed robber will ask for. I see a pass key as more of a convenience device so you don’t have to keep entering passwords. It appears secure until the biometrics are circumvented.
This is not a passkey. This is called a “security token”.
What about recovery
This is an updated video that answers all these questions Phishing Resistant MFA How it Works!
czcams.com/video/Z0C_dpwCOcY/video.html
I dont trust anything from windows ... how can one test if the keys idea is watertight even in windows ...
Please don’t be paranoid. 🙂
Remember the little time out batteries that the watches have.
You're watching your hand talking about? That's a kind of battery the past key for your password carries inside of it or maybe even a smaller than that.
If that drop stood you're done cannot access your account.
This all sounds terribly complicated.
Not at all trust me. It’s as easy as paying for goods with Apple Pay
2:24
3:30
@@AndyMaloneMVP😮 0:37
1:04
Sorry to be pedantic, but the plural of passkey is "passkeys". In the vast majority of grammatic situations, the apostrophe followed by s is reserved for indicating possession or concatenating "is" onto the end of the word...
Oh, and yes, passwords are bullsh!t passkeys are awesome
🤪
Second problem is so long niet 99,99% all websites, and shops banks ect whit this No inlogname and pasword so long is it useless
This will change
Give me a break - I now need to carry a gizmo around.
What a stupid idea.
Biometrics - retina scans, fingerprints, or something I carry in the shower...
Exactly
So who owns these keys? Can you export public and private?
You own the private key which stays on the device that it’s installed on. You can install multiple keys on multiple devices. Public keys are shared with relating to party servers, for example, a vendor. But only you have access to the private key.
In addition, private keys are backed up to either your iCloud, Keychain, and, or your Azure key vault
Little over my head . NO THANK YOU
Not really,,
No, we don't all carry smartphones - I don't have a smartphone and I don't want one. No, I'm not a technophobe - I was a computer programmer/administrator for 46 years.
Well my friend times are a changin😊
Carry a Secure Token instead 😮😅😊
Google did it first
You are correct, google was one of the founding bodies of Fido
Aaaah the push for Chinese credit score checking is like... mRNA.....sprinkled into all facets of life ...who knows...maybe the government will pay for grandma's smartphone data plan so she can go do her groceries....oh wait.... what's that ding dong....oh ...my ...gotta first get my booster!!!!!!
I think you’re letting your imagination run away with you 😊
Major downside is now having to carry a smartphone everywhere you go instead of a small key. Lots of people do NOT carry a phone everywhere everyday. Techo-folks don't even fathom that...
In that case, you can use a hardware, token
I'm missing the mark in the corner that CZcams requires on adverts...
You're not getting my passwords and I'm not going to fall for this passkey scam no matter how many people start advertising this nonsense.
It's coming. One way or another. Passwords are on there way out!
@@AndyMaloneMVP Well, I guess I'll prepare for an offline life then.
We're screwed anyway when Microsoft ends support for Windows 10 anyway.
I'll just have to figure out how to do my banking without a computer or phone.
@@StijnHommes
When you find an answer, make sure you let me know please 😊
@@AndyMaloneMVPWhy? You'll be using passkeys, won't you?
Passkeys or biometric authentication means permanent online identification in browser and on the internet so no personal freedom and privacy online at all.
Corporation will record, evaluate and score everything about you.
Are you sure that's what you want?
but i all ways use 16 random passwords
All hackable and soon to be obsolete
Well I wont be using them & I hate the very idea. We already have too much security imposed on us and its a drag. If you want it, use it but I have a feeling people like MS wont leave the decision to the user AND its our damn machine. I take the view that nothing on a computer is secure and just dont put stuff on them that I feel I cant afford criminals to hack. I certainly dont think Windows and Apple are secure. Tiptoes back to my linux machines.