What are Passkeys? | Are Passwords Dead? | A Security Expert Explains

Captions
What if you never had to enter a password into a website again? And let's get greedy here: what if you never had to enter a second-factor authentication as well, all while keeping it even more secure than it has been before? Well, I have good news, because you can do that today using a technology known as passkeys. It's a technology gaining adoption by Microsoft, by Google and by Apple. So what is it? In this video I'll break down what passkeys are and how they work and why you should be running to them as soon as possible. And stick around to the end, because I'll give you a cheat code on how you can find which websites support this amazing technology.

A passkey is a digital credential that ties your identity with a website or an application. It's a bit like a super secure hall pass that you can use to log into different websites. That means you don't have to remember passwords, you don't have to type anything in; with a few clicks you are in that website and on with your day. And my personal favorite: you're safe from phishing attacks that are trying to target your credentials.

Now, to create this super secure hall pass, it relies on a technology known as public key cryptography. Stay with me here, because we're gonna get nerdy for a second, but I promise we'll bring it back up and show you how this works in practice. There are two core components of public key cryptography. The first is a private key. This is something that you have; it sits nice and cozy inside of your device and you are keeping that secret. Nobody else has access to that. This is what ties it to your identity. This gets us to the second part: a public key. A public key is derived from your private key and it's meant to be sent to others to allow for secure communication. That's why it's called a public key: it's not meant to be a secret, it's meant to be public. Now, these two keys are mathematically related. This is the secret ingredient into what makes this work. That public key is useless without the corresponding private key, and together it's what allows you to verify who you are. This is secure stuff. It's the same technology that's used for end-to-end encryption in things like iMessage and Signal and other secure communication apps.

Okay, so now that we have a primer on public key cryptography, let's see how that's used with passkeys. Passkeys are built on something known as FIDO2. This is an open authentication standard that's supported by the FIDO Alliance. FIDO, which stands for Fast Identity Online, is essentially a bunch of nerds that are really just focused on how they can make your life easier with a passwordless future. FIDO2 uses two key standards: Client to Authenticator Protocol, or CTAP for short, and Web Authentication, or WebAuthn for short.

Client to Authenticator Protocol, or CTAP, defines how browsers or operating systems communicate with your authenticator. An authenticator is something that you have that verifies your identity. This can be something like your phone, a tablet, your computer, or even a hardware toggle like a YubiKey. Most importantly, this is where your private key is stored. This is how it's able to verify your identity, because it's something that you have and you secure.

The next piece, Web Authentication or WebAuthn, is the protocol that communicates between the application you want to log into and your browser. WebAuthn does all the heavy lifting with the coordination between the browser and the application that you're trying to log into with a passkey. This is going to include first registering that passkey with the website as well as controlling all of the authentication after you get that registered. Essentially, this is controlling all of the setup of that public key cryptography that we talked about before.

Let's put all of these pieces together to understand how passkeys work, and there's no better way to show you than with a demo. So in this demo we have a basic website that stood up that supports WebAuthn authentication with our passkeys. So the first thing we're going to do is just put in any old username; it doesn't really matter. From there that'll prompt us to set up a password. Again, it doesn't matter; we're going passwordless here. We get a basic login screen, and now I want to create the passkey, so I'm going to go ahead and create a passkey. This is where we get prompted by Google to create and store a passkey. You can see that Google is saying this is only going to be stored on this device. Now, that's a little bit different, because Google is actually going to be storing it in the cloud, which allows us for that cross-platform mobility. So I'm going to go ahead and click continue, and this is where we get prompted for a password login with my second-factor authentication. I have my Touch ID set up on my system, so I'm going to go ahead and click through that, and now you can see I have a registered passkey.

Now, because Google created this passkey, I can manage that through my Google account. So to do that I'm just going to drag this over and I'm going to show you: you can go to your Google Password Manager, click on that, you click on this, and then go over to your settings, and then we can see at the bottom here "manage passkeys". So I'm going to click on that, and we can see this passkey for this website is stored here.

Now if we go back to our website, and I will sign out of this because we have the passkey created now, and then we'll attempt to log back in with our passkey. We'll sign out, and you'll see here we want to use a one-button sign-in that's using our passkey. So I'm going to click on that, and then it's going to ask me if I want to sign in with a passkey. I'm going to click on that, and then we see a pop-up in our browser for this passkey. So yes, this is the one I would like to use. I get prompted again for that second-factor authentication; I'm going to do that with my Touch ID, and then there we go, we're logged into this website. And that's it; that's all there is to get passkeys set up and to use them.

So you can see there are a lot of benefits to using these passkeys. Number one, there are no more passwords to remember and they're just generally easier to use. It's quicker to log into applications, even if you're using a password manager. Two, depending on the device that you're using, you can build in biometric authentication, which is another factor of authentication for logging into these websites. It also just helps prove that it really is you, not just that you own or have that device. Another is that it's effective against phishing, and this is because that passkey is tied to the specific domain of that web application. So if a hacker tries to send you a phishing site and you attempt to log in, there's no passkey to even try to log into that site, so you are in the clear. And lastly, these passkeys are made from multi-device support. This means that I can log in from my computer or from my phone. It just helps manage and make it a lot easier to use these passkeys.

Now, that's not to say that these passkeys don't come without their disadvantages, because they do. There's a few that you need to be aware of. First, passkeys are personal. They're managed and secured by the user, and when have users ever messed security up? So as long as you're following the best practices of securing these passkeys, similar to what you would be doing with securing access to your password vault, then you should be in a relatively good position. The main disadvantage of passkeys today is that there's just a smaller number of websites that support it. Now, this is changing, so we do see that this is going to increase over time, but you might not be able to hit your major websites just yet.

Now, I promised you a cheat code on how you could figure out exactly which sites are supported. There's a website called passkeys.directory that's provided by 1Password that keeps track of all these websites that support passkeys. So you can take a quick look here and see that there's a number of different available websites that are going to support passkeys. So I said it was small; it's actually a pretty decent number for websites that you might use every single day. So the only question left is: what are you waiting for? Go and start getting this set up, and if you haven't subscribed to the channel yet, do so, because I'll have some guides on how you can get this set up on all of your major systems.
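
The sign-in flow and the domain binding described in the captions, as an added example that is not from the video: a simplified Node.js model of the check a website performs on a WebAuthn-style response, which signs `authenticatorData || SHA-256(clientDataJSON)`. The function names and the `example.test` / `examp1e.test` domains are assumptions made for illustration, and a real deployment would use a maintained WebAuthn library rather than this sketch.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: holds the private key; only the public key is exported at registration.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // `origin` is filled in by the browser from the page actually loaded, not by the page.
    sign(rpId, origin, challenge) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // rpIdHash (32 bytes) || flags (user present + verified) || 4-byte signature counter
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}
// Website (relying party): checks challenge, origin and domain hash before the signature.
function verifyAssertion(expected, publicKey, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario; example.test and examp1e.test are placeholder domains.
function runDemo() {
  const site = { rpId: 'example.test', origin: 'https://example.test' };
  const user = createAuthenticator();
  const challenge = crypto.randomBytes(32);
  const expected = { ...site, challenge };
  return {
    legitimate: verifyAssertion(expected, user.publicKey, user.sign(site.rpId, site.origin, challenge)),
    // Response produced while the browser was on a look-alike origin relaying the same challenge.
    lookAlike: verifyAssertion(expected, user.publicKey,
      user.sign(site.rpId, 'https://examp1e.test', challenge)),
    // Response made for an earlier, different challenge and presented again.
    replayed: verifyAssertion(expected, user.publicKey,
      user.sign(site.rpId, site.origin, crypto.randomBytes(32))),
    // Response signed with a key that was never registered for this account.
    otherKey: verifyAssertion(expected, user.publicKey,
      createAuthenticator().sign(site.rpId, site.origin, challenge)),
  };
}
```

In a real browser the passkey for `example.test` is not offered on the look-alike domain at all; the origin check shown here is the server-side backstop for the same property.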
Info
Channel: Jason Rebholz - TeachMeCyber
Views: 23,900
Keywords: password manager, passkeys, passkeys explained, google passkeys, apple passkeys, microsoft passkeys, 1password passkeys, how passkeys work, passkeys tutorial, public-key cryptography, cryptography, passkey
Id: AhP0q8c38QU
Length: 8min 7sec (487 seconds)
Published: Sun Jul 02 2023