Passkeys in Action

Published 2022-07-14
FIDO Passkey Demo - Google - Christiaan Brand, Product Manager, Google and with Megan Shamas, Sr. Director of Marketing, FIDO Alliance

All Comments (21)
  • This demo was brilliant. Clear flows, clear verbal explanation. Bravo and thank you.
  • @garydunken7934
    Good to see Google, Microsoft, Apple and others working together to realise FIDO2 passkeys on devices.
  • @ashraffouad
    Thanks for the great video and for covering user experience.
  • @d0msch
    If passkeys are stored "on device" and "in the cloud", then how much does this increase the dependency on companies like Google, Apple and Microsoft? Will it still be possible to have a separate password manager that stores a passkey instead? Modern authentication should not fuel vendor lock-in!
  • @AJGiliberti2
    This is such a great demo and explanation! Great work
  • @Ostap1974
    Best demo on the subject I have seen so far. Some things were not fully clear for me though. - What happens if I create my first passkey on a computer that does not have a camera? What will be the other options to spread to the other devices? - What medium is used for the "remember the device" notification (mentioned, but not demoed) from the computer to the phone? - If someone should break into my Google or iCloud or MS account, how is it avoided that the hacker will have access to each and every service I use?
  • @RaymondDay
    Seems like it's a copy of SQRL Secure Quick Relabel Login, made about 2 years ago. Both have to run on each end, but SQRL doesn't store your password on the server. Nice video. Thank you.
  • @gaston.
    Great demo thank you... I guess it doesn't work on computers without fingerprint sensors?
  • @flymoracer
    Interesting video, thanks guys. I love the user experience, but it seems that we would be totally reliant on secure access to the Google, Microsoft, xxx account to protect access to the keys right? I'd be interested to know how a user would keep track of which keys exist for access to a given account/service (e.g. for Tribank, how many passkeys do I have and where are they? How can I revoke one or more of them?). Should enrolment of a passkey remove a password from an account? If not, surely we still have potential password access issues remaining until either the password is set to be strong (full circle on the original problem) or removed entirely.
  • If the passkey gets synced with iCloud, doesn't this defeat the point of FIDO, since it is not tied to your hardware but to the cloud? What if someone hacks my iCloud? Are we putting all of our eggs in the same basket, or am I missing something? If so, I think we should just keep using passwords and use passkeys only as 2FA.
  • @tmsganesh
    For using the Android phone on Windows, you said that it connected via Bluetooth. Is it just connecting over Bluetooth? Do any other steps need to be done?
  • @QQQ80804
    Is there a separate passkey (FIDO keypair) for each service I am signing into? Or is there only one passkey associated with one identity that can then access all services? (e.g. if I currently have 40 passwords for 40 services, will they be replaced with 40 FIDO keypairs? Or just one keypair that now allows me to access all 40 services?)
  • Isn't the weak link the biometrics? I can open my mother's iPhone by pointing it at my face, even when I am wearing glasses (she does not wear glasses). Works consistently. On the other hand, I have to constantly reset my Google Pixel fingerprint imprint, because it stops working. If biometrics are that unreliable, doesn't that affect the security of the passkey system?
  • @taranagnew436
    Do passkeys support Face ID (using Windows Hello)?
  • @kegantawney
    At minute 2:34, I'm seeing the Edge browser calling in a Chrome sheet when verifying identity. This is after the presenter already created the passkey in the Chrome browser on the Android phone. Does this mean Tribank knows to ask for an Android passkey? Can anyone explain this??
  • I'm worried that the registration sequence in the video may be arbitrary or a tad confected (IIUC). Have you not glossed over a potential and very undesirable requirement of a website's users having to answer "Hey, we see you have a platform authenticator (eg: Windows Hello). Would you like to use that, or we'll take a punt on Bluetooth? Ah, hold on, you're logged in to Google on this device, how about that?" Why not just list "Platform authenticator" (obviously something by a different name 🙂) along with Android phone, Other sign in, etc? Also, if it's a shared computer, how many times do you/we keep asking the user if they'd like a local credential? Once again, well done to all involved. This stuff is awesome!👍
  • How does one un-enroll a specific device when multiple devices are sharing the same key?
  • @mateyko555
    Google completely broke security key support while they were actually migrating to passkeys on YubiKeys instead of the earlier way of support. What a mess. Does the owner of the device have an option to block sync? Actually the flaw is, if one can attack the account used to sync, they can still phish the user and acquire the passkey on their device. Correct?
  • @Knards
    What if you only use a desktop? I have an Android phone, but I never use it for browsing, banking etc, so I don't need a sign in on that. Do you have to buy a fingerprint device for the PC? I don't use laptops.