A more secure, more convenient alternative to passwords.

Your explanation of pass keys is beyond excellent.

You're so good at explaining things, it's like listening to my favorite professor.

Passkeys are more secure than passwords because they are less "powerful". With an username/password pair you can potentially log in from any account, on any device, anywhere. Anyone who gets your username/password can potentially masquerade as you from anywhere. That is what makes them less secure / more dangerous. As described in the video, a given passkey is tied to a specific account and a specific device. It is important to remember that passkeys only authenticate the device and account. They do not authenticate the person. This is why the total security solution requires you keep access to the device secure. Fingerprint scanners, FaceID, or PINs HAVE to be used so that people who have physical access to your device, can't actually access your account. The device/operating system you use must, of course, provide a mechanism for securely operating a keystore. This was an excellent video.

One of the few on KZfaq that really brilliantly transmits information. Simply incredible, makes me want to listen to you for hours

This is an amazing explanation. Thank you for making it so clear. I will be saving this video so that when anyone asks about passkeys, I will share this to them.

"Or have a face" Beautifully done 😂

Leo, Thanks for sharing and explaining so clearly. you are a champion!

Excellent discussion of the theory. Clarified a lot of questions I had.

I've been using PGP keys for years and you have described it perfectly in this video!

The public key would be like walking down a street and writing down the house numbers you see on mailboxes, but that won't unlock the deadbolt on the front door...

As ever Mr LN explains the inexplicable with ease. Been a follower for years - when internet connections required a series of morse-code-like noises and then went at speeds the common tortoise scoffed at

You are a great Teacher. Especially the core puzzle is untangled with those two KEY images word by word. Great Job Leo. Thank you.

here we are. I thought i i already knew how, but now i really got it. Thanks from a german Guy. Great work!!!

Wow this was the clearest explanation I've found and finally understand!!! Thank you for this! 🙏🏻🙏🏻

What i like about things like this is that they are complicated for most users and this causes things to go wrong, so you end up dropping down to passwords and email to get back in to most accounts.This negates the purpose of it. you basically bypass by clicking on the "I forgot my password" link, this mostly ends up going back to unsecured emails.

I see the convenience of passkeys, but for me there's still a problem. Passkeys are effectively single factor authentication. Mere possession of the passkey is generally enough to gain access to a passkey protected system. If a criminal steals your laptop and gains access to it (e.g. by shoulder-surfing your laptop password), then they can automatically access any passkey protected data you have. Using complex passwords protected by a password manager (with a strong master password) together with 2FA (using a password protected OTP generating app), whilst much less convenient, seems far more secure. In the event of a data breach at say your email provider, even if hackers got access to your email password, 2FA would still prevent them from accessing your mail.

Fantastic explanation! Very clear. Been looking for a video that goes into more detail and this is exactly what I needed!

9:01 this is where Steve Gibson’s SQRL protocol is superior to passkeys. Both use public key encryption, but SQRL has 1 identity that creates a key pair on the fly for each login based on the site’s domain name. Elliptic curve crypto allows you to create a private key based on a determined input. The same input will always create the same key. Therefore a secret (the identity) mixed with the domain name will create a unique key pair for each login. Since this is easily calculated, there’s no need to save it for each site, just keep the original secret (identity)and recalculate based on the domain. This means the protocol and any devices can have an unlimited number of sites to log into, no extra storage and it’s easily shared between devices. Oh well, we get passkeys instead.

Loved that XKCD reference!

Excellent explanation, thank you ! i needed a little extra help getting the basic premise after learning a bit about it :)

Best explanation on this topic. Thank you, sir!

Have been following passkeys for a while but have never seen such a clear explanation. Congratz! Regarding passkeys i do have 2 concerns 1. Suppose i loose my device with the only private key i have, how will i be able to restore my account on a new device? 2. When creating a passkeys for an existing account, the less safe login method using a password which could be stolen from the server still exists. Hope some one can convince me that both issues can solved.

Impressive video. If anything, the private key is the weak link. So I am left with the doubt that the private key is safe. I know that if one has possession of the hardware with linux the logon procedure is not going to be much of protection. The only protection I would trust in that case is both disk encryption and a logon password. And make sure to switch your computer off, or someone might add a password to the list of passwords for disk encryption (LUKS). However, even that has a shelf life as quantum computing is around the corner. Of course the whole encryption scene will change by that time. Anyway, I thank you for your explanation sir, very clear!

If I create the passkey on my device (smartphone) and a private key is generated based on data from my device and my biometric data, the only way to compromise a passkey-protected account would be to hack my password manager ? Or did I not understand well? The big difference is that I, the user, do not know my private key as I do for the password as it is a very long and complex alphanumeric string.

Thank you! This is the best explanation of passkeys I've heard so far! One of my concerns regarding passkeys is... what happens when you have an account that's only using passkeys, have only setup passkeys for that account on a single device, and that device is lost, stolen, or is otherwise unavailable (it dies)? How do you regain access to that account? It seems like the best defense for such a situation is to have passkeys setup on multiple devices, allowing you to confirm you identity when setting up a new device after a device becomes unavailable, but that's not economically viable for some people. An alternative is to actually have a password for the service, using passkeys when possible, but that leaves the account vulnerable in the event of a data breach. Additionally, let's say I want to replace a functional device (my only device) with a new device. It seems I would need to maintain possession of that device for some "overlap period", during which I would need to login to every service I use on the new device, so that my new device can be authenticated by the old device. That seems rather cumbersome, but is probably a small price to pay for the added security of passkeys. What are your thoughts?

Very well explained!

In a passkey-only service, isn't there a higher than normal risk of getting blocked of your own account if you lose the devices the passkey is stored on?

Gee, I finally know about passkeys. I was so curious about them. One problem, however: if someone breaks into your house, and if you are not there and your computer is turned on, they can just sit down at your computer and login anywhere, can they not? Maybe the operating system would ask them for a pin, or a fingerprint.....

Wow yeah, I second that. You have a very easy to understand way of explaining this!! Thanks so much. Every time I think I understand the encryption/decryption process, I seem to lose the understanding. This helped immensely.

Thank you for your thorough overview. Cheers!

Great update Leo, Passkeys for Google Accounts are now available.

So, no more passwords or password managers? What about the security of the pin? Do you need to use different pins on different devices? If I were to lose my device, wouldn’t the pin be easily compromised? Or would pins therefore need to be treated as passwords are now? My passwords are 20+ characters long & in a password manager. I question that use of passkeys & a pin is better than what I currently do. Plus, is it easy to change the passkey if a device is changed? I assume removing a device is done by wiping the data from it. But, the old passkey for the old device needs to no longer be valid.

wonderfully explain. Thanks, Sir.💟💟🎀🎀

You explained in a detailed way. Passkey is still in infacy stage, I'm still waiting another 1-2 yrs..

Thanks for your nice overview Leo. I’m interested in how third party password manager apps will help manage this information, versus the device operating system itself.

Outstanding - I subscribed immediately

What happens if the machine with the passkey dies? How would you be able to access the account. I'm thinking here of things like cloud storage.

superb explanation of passkey done layman terms.

Great Video!

Hello.Thank you for this very interesting and informative video. A question of security: I imagine that the public key and the private key are created using an algorithm that ensures the link between the 2. What happens if a hacker gains access to this algorithm? Can he decrypt the private key? This is a very unlikely hypothesis and the risk of ordinary passwords is certainly much greater.

I saw this on my PlayStation account I have lost accounts before so I was looking for a different way to keep my account safe but I didn't understand it thank you for this video

Great video Leo. I can't wait for passkeys to take over the password phase. Do you have a list of services that have already started using passkeys, besides google?

Thank you. You described a software pair of keys. And Google does supply that. But, there are vendors selling hardware devices. I assume that using hardware PassKeys, the public key is identical on each of the web services that I use the hardware PassKey. When should I consider buying the hardware PassKey? Do most web services also require a password in addition to the PassKey?

Where does PGP email encryption, decryption, digitally signing emails fall in the mix? Sorry, I am not a techy, just someone trying to learn and understand. Thanks.

Excellent & clearly spelled out...thanks!

Does the rollout of pass keys present a vulnerability for accounts that have not been set up yet that may be compromised, allowing a threat actor to set up the pass key on another device? Does the key have a method of being reestablished manually or during a password reset or account recovery process?

My main concern about this is that I can't easily imagine what could be a smooth transition to a new device (computer or phone for example) when the previous one is damaged or simply obsolete.

Subscribed! Thanks!

This is an absolutely fantastic video - thank you!

Just found you. Outstanding succinct explanation thank You. Subbed of course

If the site owner isnt forced to update to passkeys it will take ages for this to be implemented. And if its mor conveinient can be discussed. I have setup passkey on my google account. So everytime i log in i have input my win passcode. Compaired to chrome just remembering the password. Not easier. Or i have to buy a camera or a fingerprint reader for my desktop. And how do i know if my fingerprint/face dont get stolen by hackers exploiting flaws in the camera/fingerprint reader? Imo just a new set problems compaired to the old way.

Excellent explanation - thanks

Excellent expositor! Thank you very very much.

Great explanation and examples, but I have a question! Let say that we are in 2027 all my accounts are using passkeys and there are no passwords anymore and all the private keys are stored in my machine. Now, let's imagine that someone stole my machine or it gets damaged, how can I access my accounts again without my private keys?

Thanks this answers my questions.

Hmmm, thanks for the great explanation . I wish google would hire you to explain. Dreadful articles. However I am already deep in the swamp of questions. Such as- your laptop has problems any you have to give it to a repair person (not a hard drive replacement). They need admin rights. Does that leave you open? Also, another question - in an emergency (you can’t give them data) how do they get into your device to pull data? Lots and lots of questions before the complicated users feel comfortable. Again, thanks

Now that TSA and flight security systems around the globe and immigrations check points are using fingerprint and facial identity, what could possibly go wrong? I would think that a pin number would be a better choice for the final authentication, while using these passkeys.

What if I have only one device storing my private key (say my phone) and I lost it. What is the recovery option here? and the person who was able to get my lost phone figured out the login pin? I am not questioning the security of passkey but trying to understand this scenario. In case of password, I know it and can use it from any device. By the way excellent explanation!

Thank you for that explanation.

Okay, I know and understand that passkeys > passwords, but I still have a few questions. Your house burns down and with it your laptop, desktop, tablet, and phone. How do you recover those passkeys? Now I understand how this can be done, but so will the black hat hackers in Elbownia. What can we do to prevent that attack? Next, what about brute force on the public key? Yeah, it would take a zillion years to do it on a laptop today. We had the same thing with the Windows NT password system back in the 90s, and just a few (like 4-5) years laters, it was possible to crack within hours using a desktop computer. With all the computing power on earth today (equal to a single GPU in 2050), how long does it take to get through all the possible combinations? Are there collisions (you create an A-B pair, but it turns out that R can also Decrypt some A? Can there be a 'dictionary' of passkeys? There are a number of formulas and prime numbers in use. Once they are fed through, is it possible to recognize the A key and then pull the B key out of a dictionary as well?

As a senior citizen I am very concerned that when something happens to me, my children can access all my accounts and information. If I set up a passkey, do they have to have my device to do so?? Right now, I keep passwords in an encrypted file for which they have the password and I send them the current file on a semi-regular basis. This sounds wonderful if YOU are the only one using your device and the only one needing to log into accounts. But I am a bit confused about how it will work in a situation where multiple people need to access the same account (a bank is an example).

Very clear! Thanks!

For how long will the private key be valid ? Does it expire ? (Like certificates do) Greetings, Rik

The source of “correct horse battery staple” is an XKCD cartoon. Number 936 to be exact.

I wonder if they hijack but knowing hardware locked to the key. But what if the emulate the hardware?

Supplying your face-print or your finger-print, to access computers containing sensitive data, is fraught with risk. Once a bad actor gets your face-print or your finger-print, then they have your private pass-key. Yes, having two-factor authentication helps. But how many people people do not use two-factor authentication? For non essential login credentials, then use the above. But if your livelihood or your company's trade secrets could be attacked or stolen by someone with access to the above, then you should not use a finger print or a face print as the sole means of access. Can you imagine the potential damage if the Chief of Medicine physician at a hospital were able to access and alter any patient's treatments, by simply having her face scanned? Or how about military computers, or banking computers? Gaining access, even if only to disrupt services, simply by scanning someone's face, is high risk. Always use a long (virtually) uncrackable password/passphrase for anything that matters. It is all well and good to improve the convenience of authenticating yourself. But understand that convenience and security do not make for a happy marriage. With convenience, you are giving up some level of control. For any critical on-line services that I use, I always use a unique, long, unbreakable, cryptic pass phrase. I use a password manager to facilitate the above. That, too, involves some risk, if a key logger should get my password manager's master pass phrase. But they would also need my password database file, and any key-files that I might be using as part of my master pass phrase. So there are trade-offs. But always use a strong password / passphrase for critical services. Apple understands the importance of still requiring a pass-code. Every so often, you are required to tap in your code, even if you normally gain access via your face scan or your finger print. When you power on your iPhone, you must enter your pass-code. By the way, as far as I can remember, "PGP" (Pretty Good Privacy) was the first software to implement public/private key encryption -- and has since been replace with "GPG (GNU Privacy Guard)". Both PGP and GPG are free and open source. If you decide to download the above, be very careful to get it only from its official site.

Very good explanation

Thanks!

Hello. What if i loose device? Can i still access my data and how? Thanks

Websites that I use passkey with are asking my MacOS to do fingerprint verification. So it basically is 1FA. It is really good against fishing attacks and databreaches. So it is good against digital criminals.

I think you confused things a little with the "A & B" thing, Just call them what they are, Private & Public, just my 2 cents. Other than that thank you very much for the hard work

thnx. one question, what i missed explaind. say you have done so for your phone. all is working fine. you now get a new phone. do you have to start all over again on your new phone for every account (as where it a other device as you mentioned) , and then can without a problem get access to that account ? just wondering....thnx for the feedback

TY 8) What if you loose your PC with private keys or have the disk died?

I may be a novice on this topic, but I thought that authentication with a private/public keypair was a matter of signing a "nonce" (a randomly generated number) with your private key, and the server using the public key to verify the signature. Am I wrong?

Thanks! Great video.

Great explanation - thank u

Hay Leo can I use the same passkey on different devices? Or do I need more passkey Thanks

So on my google account, I can set up a passkey for my chromebook?

How do you sign out of a machine so that if someone else signs into it after you does not have access to your key?

Interesting. I am familiar with PGP, for example, but had not realised it could be used in this way.

Dear Lord, this is confusing

This is a superb explanation. I have one dumb question: is there no way for the server side and the device side to be hacked at the same time, or even at different times, and somehow allow the private and public keys to be mated up by the hackers?

Thanks, Leo~

GREAT VIDEO thanks!!

The point of potential confusion is where the private key is going to be stored. It’s not obvious. If you live in a multi platform environment where you login to website from various OS and mobile devices running different OSes, who is the private key store cross platform? Do I use my Google account? Do I use my 3rd party password manager? My 2 or 3 OSes? I’m already concerned that Google Authenticator offers to backup your 2FA keys in the cloud, thats putting all your access keys in one basket and outside of your physical control. I only use the QR export and import to a separate device not via the cloud. If I put passkeys in 1Password, what if my account is hacked? All the eggs are in one basket. PKI relies on the private key not getting duplicated outside of your control. This is the weakest link if we allow the private keys out into the cloud.

Good clear explanation. My concern is that each device is locked to each passkey. This potentially could be a lot to manage. Also a source of privacy issues. Given the exponential growth of surveillance capitalism I will avoid use of passkey until it's better addressed.

Can you use emojis in passwords? It would sure expand options

If someone has my passwrds already and has access to everything will this work to stop them getting into my phone?

It's like nuclear energy. All sophisticated and such, just to turn a turbine 😂. Here were are, using "passkey" (key pair), something that's already there, just rebranded 😂😂😂

I manage my wife's financial investments etc and I can do this with Passwords and 2FAs. (I'll just ring her and ask her for the code that has been SMS'd to her). Will Passkeys make this harder ?

Is using Yubi Key considered using a pass key?

Will password managers still have value when everyone starts using passkeys?

What happens if my hard drive fails?

Use to be that a password was the sole requirement to gain access to a service for which you were entitled. NOT any longer. The provider of said service will have the ability to specifically control which machine his service will be provided to. The days of being assured that your access to your services at your discression and based SOLEY ON YOUR PASSWORD are over. Bye, bye password sharing! I want MY password to be the SOLE requirement for access to my stuff and THAT is what is going away. More important is to look at the reasons why and who bares liability for password security. Ya didn't explain that part Leo.

Very nice. Just one note. In the kzfaq.info/get/bejne/bNJynNt9xNfUoqM.html you say, "Google can, right then and there, create a key pair, and store the private key on your machine." Is that really true? I would assume, it is the machine who generates the key pair, possibly using the security hw on the machine and the machine is the party providing the public key to the Google, not the other way around. This way it is possible, that the private key never leaves the machine and noone even knows that apart from the security device on the machine. Correct me, if I am wrong.

I couldn't possibly remember all that

me after 18 minutes but what are passkeys? 🤣there are devices that you're buying?

What is a passkey? It's away to hand off all your security to your phone and thinking your phone's unlock screen is more secure and can't be hacked or stolen or subverted.

TERRIBLE idea. Once they figure out how to "spoof" the passkeys? We're ALL fucked. Now, I have dozens of passwords, so if hackers manage to find one, they don't have ALL OF THEM. If they spoof my passkey, they have access to EVERYTHING I have access to... banks, investments, social media... everything.