• B. Livingston

    @brian

    Viewing 15 replies - 16 through 30 (of 30 total)
    • in reply to: Do you need a password manager? #2634730

      You can sync a passkey across multiple devices that you use, such as a smartphone, a laptop, and a desktop computer. If you lose your phone in a foreign country, you can get a new phone and sync your passkey to it. See the FIDO white paper, which says, “If the user had set up a number of FIDO credentials for different relying parties on their phone, and then got a new phone, that user should be able to expect that all their FIDO credentials will be available on their new phone.” [Emphasis in the original.] If you travel a lot, a good idea would be to get a customizable number that can be configured to forward calls to your new number (if your phone is lost and you get a new one).

    • in reply to: Do you need a password manager? #2634723
      1. I can confirm that the website “Have I Been Pwned” does not store passwords that you test by entering them. I’ve entered some passwords multiple times over the years, and the site has never said my passwords match the database of 12 billion credentials that are circulating on the Dark Web. I’m a sample of one, of course. But if you have any indications that HIBP is storing user data, let me know and I’ll publish the evidence. Microsoft does not own or run HIBP.
      2. If your phone or laptop recognizes you by your face (biometric data), it should never transmit a picture of your face across the Internet. Instead, when challenged by a server, your device should reply, “Yes, an authorized person presented a correct face today.” Your device would then use public/private key handshaking to sign you in to the server. By contrast, the use of biometric data by third parties is a topic we should be concerned about. For instance, in order to present evidence to the IRS last year, I was required to send to ID.me a video selfie of my face turning slightly from left to right (to ensure I was not holding up a photo). The IRS announced in February 2022 that it would shift away from facial recognition. At this writing, all they’ve accomplished is to add the alternative of a video chat with a live agent. As another example, I was required to submit a video selfie in 2021 at a big-box store to qualify for credit when buying a new WASHER/DRYER! The reason for these intrusive requirements, of course, is that criminals steal billions of dollars every year through online fraud. We absolutely need positive means to prove we are who we say we are. Passkeys won’t solve every problem, but they are a step in the right direction.
      3. I recommend the use of tiny USB-port devices such as the YubiKey. A photo of one such device appeared in my Nov. 20, 2023, column, and I’ve also attached it. These plug-ins can be used to sign you in to your device without a password (or, alternatively, you can still enter a password, if your fingers happen to be covered in grease or whatever). Your passkey, which is stored in a secure enclave on your device, would then respond correctly to challenges, getting you into Web servers that support passkeys. I can’t cover here what to do if some hated government agency — say, the Kremlin — demands from you a facial scan for admittance. That’s a separate topic, but with the amount of fraud on the Net, we’re all certain to someday face that (no pun intended).
      6 users thanked author for this post.
    • in reply to: Ignore Susan Bradley’s Patch Watch at your peril #2609862

      I am aware that the update renamed “Quick Access” to “Home.” But when I was having these problems with the update, there was no down-arrow to expand Home, thereby making the Quick Access links unavailable (as shown in the figure). Clicking “Add to Quick Access” also did nothing to make the area visible and usable.

      Not everyone experiences these issues. As I wrote, my Win11 machine is a sample of one. The real point of my column was that people should check Susan’s Patch Watch List (and the other resources that I listed) before approving updates.

      1 user thanked author for this post.
    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2604016

      With passkeys, the authentication token is different every time you sign in to a different server. The device you’re using — and the server you’re visiting — exchange a pair of public/private keys. The server then sends your device a challenge, and your device replies with the correct cryptographic response. The server recognizes that only your device (which has the proper key) could have responded correctly to the challenge. You are therefore signed in without revealing a password or a passkey.

      If you lose a device that stores a passkey, you can cancel the device’s service and establish a new passkey. That’s much more secure than a server that can be hacked to reveal the usernames and passwords it retains. More than 24 billion username/password combinations are currently for sale on the Dark Web (according to Digital Shadows). If a hacker buys a password of yours that signs into an ecommerce site, you wouldn’t even know about it until you received your credit-card bill weeks later.

      1 user thanked author for this post.
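
The challenge-response sign-in described in the reply above, as an added example that is not part of the original post or of any vendor's code: a simplified Node.js model (not the actual WebAuthn message format) in which the server stores only a public key, the private key stays on the device, and each response is bound to one site and one single-use challenge. The class names, `shop.example`, and the signed-data layout are assumptions made for illustration.

```javascript
const { generateKeyPairSync, sign, verify, createHash, randomBytes } = require('node:crypto');

// Assumed layout: SHA-256(site id) || challenge. Binding the site id into the
// signed bytes makes a response produced for one site useless at another.
function signedData(rpId, challenge) {
  return Buffer.concat([createHash('sha256').update(rpId).digest(), challenge]);
}

// Hypothetical authenticator: one key pair per site; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent
  }
  respond(rpId, challenge) {
    const key = this.keys.get(rpId);
    if (!key) return null; // no credential for this site, e.g. a look-alike domain
    return sign('sha256', signedData(rpId, challenge), key);
  }
}

// Hypothetical server: holds public keys and pending challenges, no shared secret.
class Server {
  constructor(rpId) {
    this.rpId = rpId;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = randomBytes(32); // fresh random value for every sign-in
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // single use: a captured response cannot be replayed
    if (!challenge || !pem || !signature) return false;
    return verify('sha256', signedData(this.rpId, challenge), pem, signature);
  }
}
```

A breach of this server's storage yields public keys only, which cannot be used to produce a valid response.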
    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2603242

      Passcape Software is an expert site that sells tools to recover Windows passwords. It stated regarding the initial release of Windows Hello:

      “Windows Hello is a brand-new biometrics technology that enables users to authenticate to their Windows 10 devices with just a fingerprint, iris scan, facial or voice recognition.”

      Let me reiterate that I do not recommend Windows Hello. I recommend W3C-compliant passkeys, which Microsoft added support for in Windows 11 via a September 2023 update.

    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2603142

      Both Windows 10 and 11 have voice recognition, which can be used to say a PIN verbally (to avoid typing on a small keyboard, for example).

      https://support.microsoft.com/en-us/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571#WindowsVersion=Windows_11

    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2602571

      A Hello PIN can be used locally to sign into a laptop or other device. Alternatively, instead of a PIN, one can use a fingerprint, voice command, facial recognition, and other methods.

      But Windows Hello is Microsoft-oriented and is designed to sign in to an Active Directory, Azure, and so forth.

      As I’ve stated elsewhere, I do not recommend Windows Hello. I recommend W3C-compliant passkeys. See the second part of my column, which AskWoody will publish on Nov. 20, 2023.

    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2602569

      As I’ve stated above, I do not recommend Windows Hello. I recommend W3C-compliant passkeys. Be sure to read Part 2 of my column, which AskWoody will publish on Nov. 20, 2023. The topic had to be split into two parts, one week apart. I understand that the wait is inconvenient.

    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2602347

      I disagree with Oleg Afonin’s article, which the previous comment links to. His method requires that someone possesses your PC and boots it using software that Afonin sells. The software uses brute force to break full-disk encryption, never mind an encrypted Hello PIN.

      As you know, if a malicious person has his hands on your PC, the game is over and you have lost. Lock it up.

      Also, Afonin says his method doesn’t work if a numeric Hello PIN is longer than 6 digits, or it includes even a single alphabetical character or symbol. In those cases, the attack must be performed offline on a dedicated machine, which can require hours.

      By the way, I don’t recommend Windows Hello, which is Microsoft-specific. I recommend W3C-compliant passkeys, which Microsoft began to support in Win11 with a September 2023 update. That’s the subject of my second column in the series, which will be published on Nov. 20, 2023.

      2 users thanked author for this post.
    • in reply to: The Windows 10/11 Hello PIN works, but change is coming #2602303

      See Part 2 of my series on Nov. 20, 2023, which will answer this and other questions. In short, with W3C/FIDO-compliant passkeys (which Microsoft in September added to Windows 11) you only need to set up one authorization method. It can be a PIN up to 127 characters in length or a biometric method. You do not need to set up a different method for each different website or resource you sign in to.

      1 user thanked author for this post.
    • in reply to: Your worst Windows 11 irritations — solved! #2583212

      I have no affiliate relationships with anyone, and I receive nothing if you buy any product or service that I happen to mention.

      I can honestly assure you that I’ve downloaded and paid for StartAllBack myself, even before writing about it.

      There’s nothing inherently wrong with free software. But I agree with Susan Bradley that products supported by a payment or donation model are more likely to be upgraded in a timely fashion to keep pace with the OS. (The developer is not required to neglect their day job to make extensive code updates with no compensation.)

       

      1 user thanked author for this post.
    • in reply to: No NumLock key? Problem solved! Here’s the fix. #2561737

      Thank you for your interest. There is a blue-and-tan “cheat sheet” in the article and in the downloadable ZIP file. It shows most of the glyphs that Brian’s Quick Keys can produce. To enter the degree and bullet symbols you mentioned, see the following line in the cheat sheet:

      Backquote @ a A b or o — to enter å Å (Aring) • ° (degree)

      The AutoHotkey script uses Unicode hex values, not the Alt+nnnn system that Windows used on the numeric keypad. I think Backquote @ o is easier to remember to make a degree symbol than Alt+0176. I selected the “@” symbol for this key sequence because it is round, like the circular shapes of the Aring, bullet, and degree characters.

      1 user thanked author for this post.
    • in reply to: ‘Fake’ HDMI 2.1: The standard that isn’t #2423946

      Nothing in the story was cut and pasted. The transposition of “FRL” to “FLR” was a typo that was caught by the proofreader but somehow didn’t get fixed before publication. We may be able to correct it on the page. Thanks for noticing!

      1 user thanked author for this post.
    • in reply to: Stop paying $200 a year for your Internet cable modem #2334206

      My thanks to everyone who provided valuable comments on my column. It’s impossible to write about every combination of provider and options. But I’ll strive to cover the most important variations in my columns to come! Thanks again….

      3 users thanked author for this post.
    • in reply to: Stop paying $200 a year for your Internet cable modem #2329357

      Writers can’t be on the forum all of the time, and I myself won’t always be in here, either. But I’ll pop in if I ever have some spare time. I hope you’ll help each other as much as you can. I’ll try to keep my columns as full of useful information as possible. Thanks for reading! —Brian Livingston

      1 user thanked author for this post.