Passkeys — The END of Passwords

The Future of Password Management: Passkeys and Their Potential to Revolutionize Online Security

As we move forward in the digital age, the way we manage our online security is undergoing a significant transformation. One of the most exciting developments in this space is the emergence of passkeys, a new approach to authentication that promises to make logging into our devices and accounts faster, more convenient, and more secure than ever before.

Passkeys are built on top of the FIDO Alliance's Universal 2nd Factor standard, which enables users to securely unlock their devices with a single sign-in. This means that instead of using traditional passwords or biometric authentication methods like Face ID or Touch ID, passkey users can use a unique, one-time password (OTP) that is generated and verified by the device itself. The benefit of this approach is that it eliminates the need to remember multiple passwords for each account, reducing the risk of password-related security breaches.

One of the most significant advantages of passkeys is their ability to offer zero lock-in, meaning that users can choose to use them with any app or service they want, without being tied to a specific platform. This flexibility is particularly appealing to users who may not want to tie their credentials to a particular device or platform, such as those who travel frequently or have multiple devices that require different authentication methods.

Another benefit of passkeys is their ability to provide an additional layer of security when logging into unfamiliar devices or accounts. When attempting to log in on a device that doesn't belong to you, the passkey system can present the user with a QR code that they can scan using their phone. The negotiation process between the browser and the device is handled at the system level, over Bluetooth-like continuity, which forces a good amount of proximity between the devices. This makes it much harder for hackers to intercept or steal the OTP.

However, not everyone may be comfortable with passkeys, particularly those who are already accustomed to using password managers for all their online accounts. Fortunately, many reputable password managers have announced their commitment to implementing FIDO Alliance standards and will offer web authentication and support, allowing users to continue using their existing systems while still benefiting from the added security of passkeys.

The Benefits of Passkeys for High-Risk Users

One group that may particularly benefit from passkeys is high-risk users, such as journalists or dissidents who are at risk of being targeted by nation-state actors. These individuals often require an additional layer of security to protect their online identity and activities. The passkey system offers a secure way to log in without relying on traditional passwords or biometrics, making it an attractive option for those who need maximum protection.

Another potential benefit of passkeys is their ability to provide access to devices and accounts that are not currently connected to the user's main device. For example, someone may want to log in to a device owned by a friend or family member without having access to the main device itself. The passkey system can present the user with a QR code that they can scan using their phone, making it possible to access the account and device without needing the original device's credentials.

The Limitations of Passkeys

While passkeys offer many benefits, there are also some limitations to consider. One potential drawback is that they may not be compatible with all devices or operating systems, particularly those that do not support Bluetooth-like continuity or FIDO Alliance standards. This could make it difficult for users to access their accounts on unfamiliar devices.

Another limitation of passkeys is that they require a reliable internet connection and a device with the necessary hardware capabilities to generate and verify OTPs. Without these resources, the passkey system may not be able to function properly, which could limit its effectiveness as an additional layer of security.

The Future of Passkeys

As the FIDO Alliance continues to develop and refine their standards, we can expect to see more devices and operating systems begin to support passkeys in the future. Apple has already announced their commitment to implementing FIDO Alliance standards in their upcoming products, and other companies are likely to follow suit as they realize the benefits of this new authentication method.

In conclusion, passkeys offer a promising solution for improving online security and convenience. By providing users with an additional layer of protection and flexibility, passkeys have the potential to revolutionize the way we manage our online identities and accounts. While there are some limitations to consider, the benefits of passkeys make them an exciting development in the world of cybersecurity.

Henson Razors: A Quality Alternative to Traditional Safety Razors

As a nod to our sponsor Henson razors, it's worth taking a moment to talk about their excellent products. Unlike traditional safety razors that can nick or cut if you get the angle or pressure wrong, Henson razors are designed with precision and quality in mind. The blade sticks out only 27 microns, making it easy to remove hair and cream with a quick rinse.

The aerospace machine shop behind Henson has been producing parts for everything from the ISS to the Mars rover, giving them an unparalleled understanding of what it takes to create high-quality products. Their razors are no exception, with attention to detail and a focus on comfort that make them a joy to use.

For those looking for a quality alternative to traditional safety razors, Henson is definitely worth considering. With their commitment to excellence and innovative designs, they're making a name for themselves as one of the top brands in the razor world.

"WEBVTTKind: captionsLanguage: enover the coming year apple google and microsoft all say they'll accelerate the availability of passwordless sign-ins passwords are like the cockroaches of the internet they really despite all of our best efforts they're very hard to kill off apple google and microsoft were working together to come up with a system to replace passwords now you go to log into your site or your device you type in your username aka your email address then your password which might just be password better check that post-it note oh yeah it's one two three four five six for just about everything including home shop stop which has been hacked like eight gazillion times now thank kirigin for two factor just gotta wait for that text message unless there's that sim swap issue again that's why tech support is so helpful when they just call you right out of the blue you give them your password to prove that it's you and then boom they get right in and make sure all your sensitive messages and photos are a hundred percent safe so helpful what's taking this so long the internet is so slow lately at least you click the link in that email so even though the website name wasn't spelled 100 correctly you know they know where they want you to go and luckily links are like elevator buttons so you can just keep on clicking them to make them go faster and faster damn but soon you go to log into a site or device you type in your username and that's it because you enabled passkey no password to remember or forget or have hacked or phished or shoulder served or socially engineered no two-factor token to have sim swapped or sent to the wrong place or not sent at all i've seen this new world it's beautiful but is it real yes but not quite yet and also it's complicated so let me explain we've been working with industry leaders in the fido alliance including google and microsoft to ensure that pass keys work seamlessly cross-platform two-step verification security keys and most 
recently pass keys we've laid the path for a future without passwords meaning pass keys will work pretty much everywhere you work at least eventually apple announced their support for passkey their implementation at wwdc 2022 and you know that feature the one that automatically fills in text message tokens for you the one that everyone on twitter says should get the team that made it a raise yes passkey is being implemented by that exact same team with every bit as much thoughtfulness and delight and as part of the same familiar autofill interface and experience that all of us have been enjoying for a good long while already so basically starting this fall when all the new versions of apple software ships and developers start implementing it you'll be able to log into your apps or services or accounts or devices or whatever the exact same way you do now the same way you always have with a password like an animal but then then if and when they offer a pass key you'll just tap or click to create one confirm you want to create it authenticate with face id or touch id or password if you're old school at that point your iphone or your other apple device will generate a new cryptographically strong unique pass key for your account store it in your icloud keychain the same place it currently stores any and all of the passwords that you've either generated with it or saved to it and you're done again that's it that's all so how do pass keys actually work instead of you creating any old password that's then hashed and salted and stored all obfuscated like hopefully on a server and just directly compared whenever you try to log in but otherwise left there where you or the server can compromise it or have it cracked or hacked because an attacker would just need one or two and traditionally neither has been exactly super safe in our heads or in their hands with passkey it actually creates a unique pair of related keys a private and a public key the public key is stored on the 
server and it's not kept secret because it doesn't need to be which means it can't be compromised like a copy of your password on a server can it's almost more like a username in that way than a password and then there's the private key that stays locked on your device and you don't know what that is and the server doesn't know where that is so it's way way more difficult to compromise so what happens then is when you go to sign in the server sends you a single use challenge your private key then generates a signature basically a valid solution to that challenge because it's the only thing that can and sends that signature back to the server and that means the private key never leaves your device only that signature then the server validates the signature using your public key which it has and if it validates you're signed in in other words the server your account can verify that you own the correct private key without ever knowing what that private key is and yes this effectively eliminates phishing because fake websites can't challenge for legit pass keys and traditional social engineering attacks because you can't be tricked into telling someone a pass key it's not anything that you know even shoulder surfing because no one can sneaky peek at what you're typing when there's nothing for you to type same with carrier sim swapping because pass keys don't need two factor so there's no text token to intercept there's no text token at all pass keys just phaser set to kill so many of the existing ones and are so much better hardened in general that simply by adopting them everyone is going to be way safer and far more secure what if you created a pass key on your iphone but you want to sign in on your ipad or mac once one device generates a pass key icloud keychain securely syncs it to every one of your devices everything that's logged into the same icloud account what if you want to share it with your partner and they're logged into a different account also not a 
problem because if you really trust them trust them to have your pass key you can airdrop it right to them what if you have multiple accounts alts all of that pass keys part of the exact same keychain system the one that you already use so it can offer you up any and all pass keys for any and all accounts available for that app or service the one that you're trying to log into and depending on how the implementation is done it can even offer you a mix of past keys passwords and sign-ins with like apple that are available to you in that app or service what if you want to log into an android or windows device pass keys are being implemented by apple google microsoft and other members of the fido alliance eventually according to those platforms there's going to be zero lock in just next generation lockdown what about us nerds who already use password managers for all of the things will have the choice of moving to the platform secure passkey system or if the password manager implements pass keys staying with their secure system and one password dashlane lastpass for example have already announced they're committed to the fido alliance and they'll be providing web auth and support so if you don't want to tie your credentials to a hardware device or to a specific platform you'll still be able to tie them to a password manager service what if you're 07 or in all seriousness a journalist or dissident at high risk of being targeted by a nation state or what if you just don't trust biometrics you can still use passkey because just like every other system on your apple devices it'll fall right back to passcode or system password if that's all that's available or possible you just threat level you what if you need to log in on a device that isn't yours and doesn't have your keychain or your manager on it like your aunt's best friend's cousin's badminton coach's club pc and there's no password for you to remember or look up the pass key system can present you with a qr code 
that you scan with your phone then the negotiation is handled between the browser and the device at the system level and over bluetooth like continuity so it forces a good amount of proximity in other words people can try to hack their way in using this system from afar like by emailing you a qr code or something like that and because it's peer-to-peer and out of band from the logging request itself the server legitimately sees none of it your phone just picks a relay server and then you still have to authenticate on your phone with face id or touch id or passcode and the challenge still needs to be answered by a valid signature solution on the server side even if it's on a strange new pc and your aunt's best friend's cousin's badminton club but what if you don't have your phone to scan that qr code with what if that's the whole entire reason you're trying to log in on that damned badminton club pc anyway then yes that's where things start to break down just like they would with two-factor if you couldn't get the two-factor token and why we'll probably still need recovery keys from our friends which apple introduced last year at wwdc even passwords on recovery accounts for a good long while still because all of this is fresh and new apple's implementation is still in testing everyone else is still in the process of rolling out and there will be plenty of slip twists to beta and a ship but the future has got to start somewhere and it's starting now with pass keys and with razors thanks to today's sponsor henson they're not gimmicky they're not complicated they're simple they're precise produced at an aerospace machine shop family owned for 20 years where they've made parts for everything from the iss to the mars rover so they know they know literally an unearthly amount about quality that's how hanson was able to build the best shaving angle 30 degrees right into the head design which makes it easy to shave well not like safety razors that can nick or cut or 
irritate you if you get the angle or pressure or direction even slightly wrong with hints and razors the blade sticks out only 27 microns the built-in channels make it easy to remove hair and cream with a quick rinse and as someone who used to go through packets and packets of neon razors and all the waste that went with them using henson is like a dream and the best part the absolute best part is that this aerospace quality razor is designed to work with standard recyclable blades in fact when you click the link below and use code renee ritchie they'll even send you 100 blades free with your razor so click that button or the link in the description and use code rene richie to get a free 100 pack of blades when you purchase your razor clicking on that button just really helps out the channel and so it is hitting up this video for way more on apple's latest announcements all the info all the details just hit it up and i'll see in the next videoover the coming year apple google and microsoft all say they'll accelerate the availability of passwordless sign-ins passwords are like the cockroaches of the internet they really despite all of our best efforts they're very hard to kill off apple google and microsoft were working together to come up with a system to replace passwords now you go to log into your site or your device you type in your username aka your email address then your password which might just be password better check that post-it note oh yeah it's one two three four five six for just about everything including home shop stop which has been hacked like eight gazillion times now thank kirigin for two factor just gotta wait for that text message unless there's that sim swap issue again that's why tech support is so helpful when they just call you right out of the blue you give them your password to prove that it's you and then boom they get right in and make sure all your sensitive messages and photos are a hundred percent safe so helpful what's taking this 