
Passkeys: Lost Device Recovery & Multi‑Device Sync

Key Points

  • Passkeys store a private key on your device that you unlock with biometrics, eliminating passwords while maintaining security.
  • If you lose the device, you lose the private key, but account‑recovery mechanisms similar to password reset (e.g., secret questions or identity verification) can restore access.
  • You can securely synchronize passkeys across multiple devices (phone, laptop, tablet) via encrypted, authenticated cloud storage if you choose to enable it.
  • While synchronization is optional, using a personal device is recommended; logging in on public or untrusted terminals is unsafe because malware could capture your credentials.
  • Overall, passkeys aim to improve both security and usability, but they still rely on established recovery processes and user‑controlled device security.

Source: https://www.youtube.com/watch?v=9nrE4t4-IXA
Duration: 00:11:06

Sections

  • 00:00:00 (https://www.youtube.com/watch?v=9nrE4t4-IXA&t=0s) Handling Lost Passkey Devices: the speaker explains that losing a device containing a passkey is essentially the same as losing a password, and recovery depends on standard account recovery methods such as biometrics and security questions.

Full Transcript
[0:00] There's a way that you can get better security and better usability and get rid of your passwords. I did a video on this in fact recently, and there were a lot of questions, and I'm going to address those questions. The number one question in particular, about what happens if I lose my device, I'm going to cover that and four others in this video.

[0:20] So the first one: what if I lose my device? Well, it turns out the way passkeys work in this FIDO standard that I talked about in the video is that you keep a private key on your device, and you unlock that and access that through a biometric like your face or your finger or something like that. So it stays there; that was the idea. If you lose the device, then you lose that private key, the secret that you need. However, there are ways. I'll ask you: if you lose your password today, how do you recover that? In fact, most websites have an ability to do account recovery of some sort or another. You can either go back into the site and answer a set of secret questions, and yes, most of the time they're lousy; they don't have to be. There could be good secret questions. The credit bureaus have been doing that for years, where they base it on information they know about you already, as opposed to you choosing answers to trivial things like your mother's maiden name. So there are ways to do that. So what happens if you lose your device? It's the same thing in essence as what happens if I lose my password. It's not a dramatically different kind of case. We have account recovery capabilities related to this also. So that's the first one.

[1:35] Related is: what if I have multiple devices I want to log in from? So I'd like to be able to log in not only from my phone but from my laptop, from my tablet, and this sort of thing. Well, what do you do in that case? Well, there's also the ability to synchronize. So in the video I talked about that you would keep the private key on the device, and you can. However, if you want to, there are secure synchronization capabilities where you put this in a cloud, and therefore all of your systems, let's say your phone, your tablet, your laptop, they all synchronize up to a cloud, and therefore that private key is shared across all of these in a secure way. How is it done in a secure way? Well, you can go into the details of how that happens, but these sessions are authenticated and they're encrypted as well. So that way you can actually use this across multiple devices if you choose to enable that. That's not something that's required, but if you're concerned about this, you do in fact have an option.

[2:39] Also, sometimes related to this, people will ask, well, what if I want to go do this on a public terminal, at a friend's house, something like that? I'm just going to say my personal opinion is: don't. If you don't control the system that you're logging into and you don't control its security, you should assume everything you type on it is public information. Why? Because there could be malware on that system that copies every single keystroke that you make and then sends that off to a bad guy. And you say, but I trust my friend, I'm using their system. It's not about trusting your friend; it's about trusting that the security on their system is good. So if you don't control the security, assume everything you type on that system is generally available to the world. So I'm going to say that's a bad idea in general. But here we've answered if the device is lost and if I have multiple devices.

[3:30] Another question that came up a lot was this business about: isn't this really just SSH, the secure shell, or PGP or TLS or SSL or any of those kinds of things? Well, I'm going to say it's not just; it's a particular application of some underlying technologies that are in there. For instance, is an electric vehicle just an electric motor? No. We could use an electric motor to be a fan; we could use it to be a clothes washer; we could use it to be in a particular application as an electric vehicle. What we're talking about underneath all of this is PKI, public key infrastructure. So in that sense, what I described is not new. PKI has been around for a long time, and these standards have been around for a long time. However, what they tend to do is different. So for instance, if we're looking at something like SSH, we've got a user here and a web server that they're trying to log into, or more likely it's any kind of server that they need to log into. So what SSH is really concerned with is creating a secure connection, a secure pipe. This is a VPN-type technology. So in other words, the emphasis here is on confidentiality; it's on data privacy, is another way to look at it. Now if we look at something like FIDO, which is the standard I talked about to replace passwords with passkeys, now we're looking at something different. Now we're just looking at a way for this user to log into this website and give them a key; they give that information, and that's how they get logged into it. Now they're not actually sending their private key; they're sending a passkey. So they keep the information that's sensitive on their system; it's never exchanged. So there we go, we've addressed the first three of these.

[5:25] Now let's take a look at a few more. Some people say, really, what's the problem with passwords? I like my passwords; I'm just going to stick with those. Well, what's the problem with passwords? I'm going to tell you: it's people. Because what will people do if you ask them to follow the rules for passwords? And the rules that we generally ask them to follow are that we want the password to be complex, that is, so that it can't be easily guessed. We want the password to be unique, that is, we want it to be different across every different system, because if I figure out what your password is on one system, I don't want to be able to have that so that they can get into every one of the systems. And we want them fresh, that is, changing constantly, because someone might be able to crack a password if given enough time. So if you take all of these things and ask these humans to actually do that, what will they do? I'll tell you what they do: they come up with exactly one password to every single system. They violate this one, and they usually violate one by picking something that they can easily remember, which makes it therefore easy to guess, and they're not so wild about changing these all the time. So in fact they end up not following any of these rules, most people. That's what happens. So understand, at the end of this system there's always a human, and what the human does and their behavior matters. So that's one of the big problems with passwords right off the bat, and that's people.

[6:52] Now some other people say, oh, but don't you know about password managers? These things are really great. And they are. In fact, I've been using password managers for more than 20 years, and I think they are great. But let's talk about what are some of the issues that could happen here, I'm going to suggest to you. So if we have a password manager, so this is, we'll depict this as holding a bunch of different passwords. We have a user here, and the user then goes and retrieves a password from the password manager, and that's locked either by a biometric or through a very strong password, we hope, and then they send that off to all the different sites that they need to log into. So that's the general flow, the way a password manager works. That's great. However, guess what? What if this is not the real website that we think it is? What if this is a phished website, that is, this guy's been tricked into sending his password to a place that it's not supposed to be? Then this password, once it's on the bad guy's system, can be reused, and again, if they have not chosen good passwords, it could get them into a lot of different systems. There are other ways that this could be a breach. So one of those breaches, as I said, is a phishing attack where the credentials are phished. Another is a password database breach on this side of the equation. So what do I mean by that? Over here, these websites maintain a database of hashed passwords, in other words, it's a one-way encryption of your password. If someone gets into this and takes those passwords offline, they may be able to crack those and come out with what is the actual password if given enough time, and if they're able to attack it here, then that password can be reused, and again, in a lot of cases the people will have the same passwords across multiples of these systems. I'm going to suggest to you, as long as a password exists, it's vulnerable.

[8:57] So in other words, a better system, and this is the way FIDO does it, is the secret is not sent. The secret stays on your device, with the exception of these kinds of use cases that I mentioned where you might synchronize it across devices, but during the authentication flow the secret stays on your device. In the case of a password, the secret goes across the internet and is stored somewhere else, so now there's another copy of it; therefore the attack surface just got larger. So I'm going to suggest to you it's much better if you have a system where the secret stays on the device. The passkey is not the private key; the passkey is something that is time-bound. A password is not; a password can be reused again and again and again. A passkey cannot. So again, we've reduced the attack surface with a FIDO passkey.

[9:45] And by the way, in the end of all of this, it's really not about FIDO versus password managers. In fact, most of the good password managers support FIDO already today, in addition to passwords. So you have your choice, and I would just say, when you get a choice, choose passkeys. This literally happened to me yesterday. I was logging into a major pharmaceutical website in order to get a vaccination scheduled, and it said, would you like to switch to using passkeys? And I said, absolutely I would like to, because that way I keep the secret on my device and I can still get to these other systems and do it in a much more secure, much more usable way. And it gave me a choice of using my password manager or using the capabilities built in my operating system. Over 250 organizations are members of the FIDO Alliance, so you're going to see this start rolling out more and more. Don't be scared off by passkeys; they're a better alternative. "The dog ate my password," somebody said. Well, if that dog is Fido, as in the FIDO Alliance, that's a good thing. Thanks for watching. If you found this video interesting and would like to learn more about cybersecurity, please remember to hit like and subscribe to this channel.