How can passkeys possibly be safe?

Hi, everyone. Leo Notenboom here for askleo.com. There's still a fair amount of discomfort and uncertainty around the concept of passkeys. I get a lot of questions from time to time about, "Well, what about this scenario? How does this affect the security of passkeys?" I still hold that passkeys are an increase, a net increase, in your security. Obviously, there's no such thing as perfection, but there certainly is better, and passkeys can, in fact, make things better.

First, what are passkeys? Well, passkeys are essentially digital keys, just blobs of data encrypted in a certain way that are assigned to each specific device on which you might use a service, at the time you first sign into that service. For example, if I have two machines and I'm using passkeys, then when I sign into a service on the one machine, we'll go through some steps to set up the passkey. But then when I go to the other machine and sign into that same account, we'll also go through those steps to set up the passkey. Thereafter, the passkey is available for use on each of those two machines, and the passkey can be remotely disabled. When you sign into your account, you'll have the opportunity to say, "Well, I don't have machine number 2 anymore. Disable the passkey for that machine."

What are those other steps? Well, those are the other steps
that you probably already have. The first time you sign in to a service using passkeys, you will be asked to authenticate yourself some other way. That could be using a password if your account is still using passwords. But it could also be things like codes sent to your email or texted to your phone. It could be one-time codes from an authenticator app. It could be confirmation from another device that is already securely signed into that service. There are lots of ways to prove you are who you are in order to set up the passkey. Those ways are typically more cumbersome. Sending a code to an email takes some time, and you have to read your email and so forth.

Once they're set up, they are stored securely by the operating system. I'll talk about password managers in a minute, but for this, passkeys are by default stored securely by the operating system. When you use a passkey, so for example, if I want to sign in to Google using a passkey, what I'll have to do is authenticate myself with my machine, which typically takes the form of Windows Hello. Windows Hello is that system of using either a PIN or a fingerprint or facial recognition or something else to confirm that you are who you are to the operating system. It's the same every time. Once you've quickly authenticated with your machine, your passkey is available and you're automatically signed in to whatever service it is you're trying to sign into. There's this level of abstraction. Passkeys are created securely because you'll have authenticated some other way first. Thereafter, passkeys are stored securely by Windows, and when you want to use them, you have to authenticate yourself with Windows.

Now, let's compare the different things we are concerned
about when we're using passkeys, when we're not using passkeys, when we're using password vaults; you get the idea.

Signing in. If you're signing in with just a password, a username and a password, well, that's all you do. You enter your username, you enter your password, and you're signed in. Of course, anybody that has your username and password then can sign in as you as well. Signing in using a password from a password vault is similar, except that rather than typing in your password yourself, your password vault types it in for you. You'll have unlocked your password vault, typically with its master password or Windows Hello again. But the bottom line is that by having the password vault type in your password for you, you can have long, strong, confusing passwords that you'd have no hope of remembering, and you can have a completely different password for every site. Password vaults make this easy. However, you're still stuck with username and password. If the password itself, username and password, is ever leaked, regardless of how strong it is, then somebody else could sign into your account.

Now, if you sign in using only a passkey, that's the scenario I talked about earlier. You've got it set up. What happens is the service you're signing into says, "Okay, let's use a passkey." The operating system, Windows, says, "Okay, I've been requested to use a passkey. Let me authenticate with the user first. I will confirm that they are who they say they are." The device confirms you are who you say you are using, in the case of Windows, Windows Hello: a PIN, fingerprint, facial rec, or whatever Hello gets expanded to someday. Same thing on a mobile device. It'll be the phone that authenticates you as being you by virtue of its security measures, typically PIN, fingerprint, facial recognition. Once the operating system says, "Okay, this really is the person they say they are," then they provide the passkey that you set up earlier to the service you're signing into, and you're signed in. What it looks like is you go to the service, it says, "Okay, let's use a passkey," Windows Hello pops up, you type in a PIN, and you're signed in. It's that simple.

Now, password vaults can also,
in many cases, store passkeys. I'll talk about that in a minute a little bit more. But the bottom line here is that your password vault can act instead of your operating system as the repository for securely storing passkeys. If you're signing in with a passkey that's stored in a password vault, then same scenario: the service asks you to authenticate, your password vault then says, "Oh, this is a passkey. Let's make sure the user is who they say they are." That password vault will then either prompt you for your master password for that password vault, perhaps it has its own PIN instead, or it can use Windows Hello. Again, we're back to using Windows to authenticate you, PIN or facial rec or fingerprint. Once your password vault has authenticated that you are who you say you are, then it provides the passkey to the service you're signing into, and boom, you're signed in.

Okay, now that we have a sense for what it looks like when they're working, what are the scenarios that people are concerned about? They tend to boil down to one of two scenarios. In fact, it's generally boiled down to only the first one. And honestly, it's the second one that scares me more. However, let's walk through it.

Scenario number one,
somebody walks up to your computer. Okay, is this a likely scenario? This is something that I think everybody needs to think about. What needs to happen for us to even begin to be concerned is that somebody needs physical access to your computer, and indeed, walking up to it could also include stealing it. They need to be able to sign into your computer, or your computer was already signed in when they walked up to it. Potentially, they need to be able to unlock your computer. Hopefully, you have an autolock on your machine if this is a scenario you're concerned about. Already, there are a number of barriers in place that would prevent this from being a scenario of concern at all. In my case, yeah, nobody's going to walk up to my computers here at home. When I travel, my laptop, yes, it's either turned off when I'm traveling or it has a screen lock on it. It locks in a couple of minutes if I stop using it, which is perfect because that way people can't get into it. Like I said, step one is to really understand whether this is a concern at all.

Now, if it is, let's walk through those scenarios again, this time with the computer in somebody else's hands. If you use only passwords, then the person who has the computer, and who apparently has access to your machine somehow, maybe you didn't leave it locked, all they need is your username and password, and they can get into whatever services you have available. If you're using a password vault, then it also comes down to, is the vault locked or not? If the vault is not locked, then, yes, the person who walked up to your computer can use all of the entries in your vault. They could also export your vault. More likely and recommended, if this is a scenario you are truly concerned about, is that, like your machine, you set up a timeout on your vault. In my case, my 1Password vault automatically locks after 4 hours of idle time. Again, I'm at home. It's not a big concern to me. If it were, I would have it set to a much, much shorter time. 1Password will let you make that timeout be as little as a minute. When you unlock it, it's either going to be your master password or Windows Hello, which the person looking at your machine shouldn't know.

If you use only passkeys, well, like I said earlier, the scenario is that when you try to use
a passkey, you are authenticated by Windows with Windows Hello, either a PIN, a fingerprint, or a face. As long as your PIN is secure, the person at your computer can't get in, and presumably, they don't have your face or your finger. If you use passkeys stored in a password vault, then it's the same thing. If your vault is unlocked, and only if your vault is unlocked, or that person can unlock your vault, again, with either your master password or your Windows Hello authentication, only then can they do anything with it. And if you don't use passwords on an account, if it's a truly passwordless account, then there's nothing for them to steal. Yet they may be able to log in with the passkey that's stored in the vault, but they can't do anything other than on that machine at that time. If there's nothing to steal, there's nothing to export, there's nothing they can take with them. The only thing they could do potentially is get into your account and make some changes.

That's the scenario that I think concerns a lot of people. What if my machine is stolen? What if somebody walks up to my machine? As I said, for most of us, it is simply not an issue. The basic security we have on our machines at home is plenty. Let's face it, we don't let strangers walk into our home and access our computers. If you're traveling, or if this is of concern to you, then it's solved as simply as having shorter timeouts on things like your master password, your Windows access, and so forth. That way, once again, unless they know your master password or unless they know your PIN, they can't get in.

The scenario that concerns me more, and I wish people would actually think
about this a little bit more, is malware. If you let malware onto your machine, that malware can do, quote unquote, everything or anything. However, in this case, this is where passkeys really shine. Let me explain. Let's go through our scenario again. If you're using only passwords, username, password, you type it in. If there's malware, then all of a sudden, say, a keylogger could capture that information and send it to a hacker. Same thing if you're using passwords from a password vault. It's something that gets entered into a form that could be slurped up by malware. It doesn't necessarily have to be a keylogger, but it could operate like a keylogger and log a lot more than just keystrokes, ultimately getting your username and your password, and possibly even the master password that you'll have typed into your vault.

If you use only passkeys, nothing happens. There's nothing to steal. The passkey itself is stored, securely encrypted, in Windows credential storage. The hacker cannot get into it. Malware cannot get into it. That means that if there's malware on your machine and you're using passwordless accounts, and I'll talk about that in a minute, then there's literally nothing for the hacker to steal. Your account is secure. The same thing is true if you're using password vaults to store your passkeys, with the additional layer of, okay, even if you unlock your password vault, then there's still nothing for them to steal because the passkey is not only stored securely, but it is handed over securely for use. It is not a scenario that really, really is worth worrying about. Passkeys in particular significantly increase your protection from malware.

I've talked a couple of times here about going passwordless. Some of the scenarios that I've talked about, if you never have to enter a password, then a keylogger doesn't see anything to log. You're using some other technique like passkeys. But even better, there are systems that are now allowing you to not have a password at all. Microsoft actually is moving to that. What it boils down to is then that even if there's a data breach at these services, once again, there's nothing to steal. Going passwordless, coupled with a reasonable alternative form of authentication, is actually a very, very safe and secure approach. Now, one of the reasons that it hasn't really caught on is because those other techniques of authenticating you are a little bit more cumbersome. They take a little bit more time.
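Here, as an added illustration that is not from Leo's video, is the sign-in exchange described earlier and the malware and breach point above, written in Go and simplified from the FIDO/WebAuthn design that passkeys are built on: the private key is created inside the device's credential store and never leaves it, what actually goes to the service at sign-in is a signature over a one-time challenge (made only after the local PIN or biometric check), the service keeps nothing but a public key, so a stolen database or a keylogger has nothing usable to take, and disabling a lost machine is a single delete. The Authenticator and Service types and the userVerified flag are this example's own simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the OS credential store (or vault) on one device; no method ever returns priv.
type Authenticator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub}, nil
}

// PublicKey is all the service receives when the passkey is set up.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// Assert signs the service's challenge only after the local user check (PIN, fingerprint, face) passed.
func (a *Authenticator) Assert(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Service keeps one public key per device; stealing this map cannot produce a valid signature.
type Service struct{ keys map[string]ed25519.PublicKey }

func NewService() *Service { return &Service{keys: map[string]ed25519.PublicKey{}} }
func (s *Service) Register(device string, pub ed25519.PublicKey) { s.keys[device] = pub }
func (s *Service) Revoke(device string) { delete(s.keys, device) } // "I don't have machine 2 anymore"

// NewChallenge gives fresh random bytes per sign-in, so a captured old signature does not replay.
func (s *Service) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts a sign-in only from a still-registered device signing this exact challenge.
func (s *Service) Verify(device string, challenge, sig []byte) bool {
	pub, ok := s.keys[device]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```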
Medium.com is a great example. They don't have passwords. So when I sign in to my Medium.com account, I enter my email address, and they send a link to that email address. My ability to actually act on that link proves that I am who I am. Clicking on that link then logs me in. The annoying part is that it takes a little while. When I sign in to Medium, I want to sign in now. Instead, I have to wait for that email to show up in my inbox. Passkeys solve that problem. If you can sign in with passkeys, then your passwordless account can be signed into by nothing more than your typing in your Windows Hello PIN or swiping your finger or looking at your camera. It's very convenient that way. Passwordless accounts are something that I personally am moving towards for my important accounts. I've recently taken one of my Microsoft accounts, the test account, and turned it into a passwordless account just to get a feel for what it's going to look like. Eventually, I'm going to take my real Microsoft account and turn that passwordless as well.

Now, we have to talk about what I refer to as imperfect security. One of the things that happens whenever I talk about security solutions, be it passwords or vaults or anything related to how you authenticate to an online service, I get a lot of, "Yeah, but Leo, what about this scenario? Or what about that scenario? Or what about this? Or what about that issue?" There's a lot of whatabouts, and they tend to fall into two buckets. Sometimes I honestly learn something, and I really appreciate that. I end up learning either about something that the authentication approach isn't covering. It doesn't happen very often, but it happens. The other scenario is that the scenario presented to me, the what about presented to me, is something that just isn't going to happen. It is so incredibly unlikely to happen that, yeah, okay, fine. Whatever. I'm not concerned. My bigger concern is when one of these whatabouts comes along, and it turns out that the real problem is that I simply haven't explained some of the core concepts correctly. I get it. With passkeys in particular, that's really easy to mess up. So hopefully, this has been a little bit of clarity on the topic.

But I do want to mention that it's incredibly important to understand that there is no such thing as perfect security. You are not secure. I am not secure. There are things we can do to be more secure or to be less secure, but there is no such thing as perfection when it comes to security. The goal is not to be secure. The goal is to be as secure as
pragmatically possible for your situation. Passkeys, I think, enable a lot of that. They make a lot of things a lot easier. Now, I'm not suggesting you run out and you turn all your passkey-possible accounts into passkey-using accounts, and you suddenly get rid of all your passwords. That's not what I want you to do. What I want you to do is slowly think about it. Take one of your less important accounts that offers passkeys. Turn it on. See how it works for you. See literally how it works step by step. Gain some comfort with it. Then consider going passwordless on that account if it's an option. The other thing to do, of course, is to change your password to something that you can't possibly remember and don't save it. That's the equivalent of going passwordless as long as you have other ways to sign in, like a passkey. The final step, of course, is, hey, if you're using a password vault that supports storing your passkeys, great, do that. Because that way, the scenario that I started with, where you set up a passkey on one machine and then you separately set up the passkey on the second machine, that scenario changes. The first time you set up a passkey and you store it in your password vault, that passkey is then just available in all the other places you use your password vault. Like I said, this is something that I've been doing with 1Password, and it's working really well for me.

Then a final, completely unrelated recommendation authentication, regardless of how you feel about passwords. Like I said, I encourage you to investigate them. I encourage you to start using them because they are going to become more and more prevalent in the coming years, and it will take years. More important than that, I want you to turn on two-factor authentication. That, more than anything I've ever talked about, is the best way to secure your accounts.

For updates, for the inevitable comments, for related links and more, visit askleo.com/168902. I'm Leo Notenboom. This is askleo.com. Thanks for watching.