A Smarter Passkey Setup
A
Coming up next on Hands on Windows, we're going to take another look at passkeys. But this week, instead of the built in functionality, we're going to look at the way I recommend using passkeys in Windows 11.
B
Podcasts you love from people you trust. This is TWiT.
A
Hello everybody and welcome back to Hands on Windows. I'm Paul Thurrott and this is our second look at passkeys in a row. Last week I looked at some of the new passkey integration capabilities in Windows 11, which are pretty good. There's the basic passkey functionality that arrived in 23, 24H2. In 25H2, Microsoft has added Microsoft Password Manager integration, although that requires using Microsoft Edge, and also third party password manager integration, which requires you to install an app and then configure it to work with the system instead of the built in functionality. So like I said, it's pretty good. I don't do any of that. So I've been using passkeys as long as there have been passkeys. This technology has evolved pretty rapidly. It's gotten really seamless and I feel really strongly that you should use a third party password manager which can be used for managing passkeys as well. Right. So I'm going to interchange those terms. But passkey manager, password manager, basically the same thing. For two reasons. One, they're natively portable, which other solutions are starting to become as well. But they also offer more features than the built in password managers that you get with Chrome or Android or Apple or Windows. I happen to use Proton Pass. That's just the choice I made. I do recommend it, but 1Password, Bitwarden, Dashlane, those are all fantastic and I'm sure there are others. What's interesting about the one I use, and actually a couple of the others, is that they don't yet integrate with Windows 11 in the way that 1Password and Bitwarden do right now. And I don't actually think it matters. So if you think about the devices that you use, everyone has a phone, assuming you have a PC as you're watching this podcast, but you have some computer, you have a Mac, maybe it's a Linux PC, Chromebook, whatever it is, it doesn't matter. We're going to stick to Windows here.
Obviously you might have an iPad or another Android tablet, you want to have your password manager and separately an authenticator app, which we're going to talk about in a future episode, on all of those devices, because you want to be able to access this stuff on a thing that you will have with you hopefully at the time or at all times, and in a way that is secure because these things are secured using the native security functionality on those devices, which is typically something biometric like facial recognition or fingerprint recognition or maybe a PIN as a fallback. But there's the extra layer of protection. It's another thing that you have and it's just, it's a nice. It's one of those things that once you start doing it, it becomes just second nature. It's very, it's very. It's simple. It's pretty obvious. I'm just going to show you. I took some screenshots from my iPhone just so I can kind of show you what this looks like, but this is Proton Pass, which is the password slash passkey manager I use running on my iPhone. What I've done is you go into, you can just go into settings, search for autofill, Android or iPhone. You'll see this. You'll see whatever apps you have installed on the device that can be autofill providers. You can actually have multiple autofill providers enabled. I don't recommend that, but you can. I use one, so I use Proton Pass. As you can see, Apple is kind of interesting because it's actually covered up here, but there's an option at the bottom for authenticator apps for getting codes, and I use the Proton Authenticator app for that. And again, we'll look at that later. But in this case, you can see I probably have 2, 3, 4, 6, 7, whatever number of choices for autofill on phones. And I feel like this is something most people are familiar with. Right. But this also happens on Windows or any computer. It can happen with apps, but the more typical experience is in a web browser.
And what that means is you're going to be installing an extension for that thing. So you install the app on your phone and maybe your tablet, but you also install a web browser extension in whatever web browser or, if you have multiple browsers, in each of the browsers that you use on your computer. So we're going to look at that right after this message.
B
Hey, everybody. This episode of Hands on Windows brought to you by Thinkst Canary. Love my Thinkst Canary. I've got it right here. Looks just like a USB, external USB drive, except a little different. It's got an Ethernet jack on the back, a USB dongle for power. What is it really? Well, anything you want it to be. This little guy can show up as a Windows server, as a Linux server. It could show up as a SharePoint server. It could be a Windows 95 box, it could even be a SCADA device. It could be anything you want it to be, but it isn't. It just looks that way, right down to the MAC address. But to a bad guy, it doesn't look vulnerable. It looks valuable. It looks like something cool. You can also do something else with this Thinkst Canary. You can create tripwires, little things, Canary tokens, and spread them all over, little files that look like spreadsheets, even things like WireGuard configuration. I mean, it's just a huge variety of things. And you could put them on cloud drives. I put them on my Google Drive, you can put them on your network drives. The whole point is when you set these up, they're honeypots. You can deploy them instantly, they're very secure. But as soon as somebody accesses them, somebody accesses one of those, accesses one of those, you know, lure files or brute forces your fake internal SSH server, you get the alert. Your Thinkst Canary will immediately tell you you got a problem. And no false alerts, just alerts that matter. And by the way, by text, by mail, however you want them. In Slack, it supports webhooks, if then API. It supports syslog, of course. So you choose a profile. It's very easy for your Thinkst Canary device. They've got a drop down menu. You can turn on all the services at like a Christmas tree or just a few carefully chosen services. You register it with the hosted console for monitoring and notifications. Then you sit back and you relax.
Attackers who breached your network, malicious insiders or other adversaries will make themselves known instantly just by accessing your Thinkst Canary. Most companies on average do not know they've been breached for as long as 91 days. That's not good. If you've got an intruder on your network, you want to know as soon as possible. And that's what the Thinkst Canary does. They cannot resist them. It's like candy for the bad guy. Visit canary.tools/twit. Just $7,500 a year gets you five Thinkst Canaries. You may want more. In fact, big banks might have hundreds. Certainly every VLAN, every segment of your network should have a Thinkst Canary on it. You also get your own hosted console. You get upgrades, you get support, you get maintenance. Oh, and by the way, if you use the code TWIT, TWIT, in the "How did you hear about us?" box, you're going to get 10% off. And not just for the first year, but for as long as you own your Thinkst Canaries. That's a really good deal right now. Oh, hey, one other thing. To reassure you, you can always return your Thinkst Canary. They've got a 60 day, two months money back guarantee for a full refund. But I have to tell you, they've been advertising with us for nearly a decade and their refund guarantee has never once, not once been claimed. Because once you get one of these little guys or two or three or four or five or a dozen or a hundred, you're never going to want to let them go. Visit canary.tools/twit. Don't forget to enter the code TWIT in the "How did you hear about us?" box. canary.tools/twit. This thing is a lifesaver. And now back to Paul at Hands on Windows.
A
So in Windows 11, as on any device I use, but in Windows 11 specifically, I installed the Proton web browser extension. I should say the Proton Pass web browser extension everywhere. So you can see that here. It's up in the toolbar of, in this case, Microsoft Edge. But I put it in every browser I use. There is a desktop app. You can install that too. You don't need to. Maybe one day when if it integrates with the system in Windows and I want to try that, I would probably try that, but there's no real reason to do that. If you think about the ways in which you might need to access your password in Windows, 90-something percent of the time it's going to be inside of a web browser because you're accessing some external website or whatever. But you can also do it inside of an app, right? And in this case the web browser extension is not going to help you directly other than if you're signing in to say, well, actually I was going to use Netflix as an example, but actually Netflix is a web app. So Proton Pass does work in Netflix the app, but some app that doesn't have that web back end, you can copy and paste from the password manager in your browser to get it into an app. It's not a big deal and you don't really do it that often. So it's not. To me it's not super important. But I will bring up Brave instead. Brave also has the Proton Pass web browser extension built in. The key here when you're using a third party extension is the same as we did in the last episode. I guess I'm losing track here, but you want to go into Settings and make sure that this thing is not, this is not the right place, and make sure that it is not, the browser is not also trying to autofill passwords. Right. And so you can see here all the settings are off for this. Right. And so Microsoft Edge, Chrome, whatever browser you're using, is a similar interface. But you just want to make sure that's off. You don't want those two things fighting each other. Right. So I'm only using Proton.
That's easy. And I can do the same thing I've been doing so counts Google, which is getting super familiar passkeys. We're going to create a passkey. It has to make sure it's me. Now here's an example of actually using this thing to sign into an account. This is what that experience is like. I've signed into this somewhere else, but that actually doesn't matter. So if I had never signed into my Google account and I went to this site, this would just pop up. And this is one of the things that's really cool about passkeys. I don't even have to type the email address. I might have multiple Google accounts listed. I just have to choose one. So in this case, I've only signed in with the one and I just pass through. It's automatic. It's really nice. If I do go to create the passkey, the native interface for that thing comes up. In this case, Proton Pass. Right. I'm not getting the native experience. I'm not getting the Microsoft Edge experience. I'm not using that. I'm getting the, in this case, the, the Proton Pass. Now I canceled it, so it's going to try to save it locally. I'll just cancel that outside. I'm just. I don't need to save it. But that's how that works. It's super simple. It's really, really nice. So when you think about passkeys and like where do you need them or where are you going to access them, the two places you have to have them to me are your phone and your computer. Right. You will sometimes get that QR code like we saw last time on the last episode. And more often than not though, you're going to be on the web and you can just access it right through the web browser extension. Super easy. So what does it look like to actually use this thing? We actually saw one example already, but I have a couple of sites that I know I have passkeys for. So for example, I can go to Best Buy. I am not signed in and there's a sign in button, but there should be. Where is this thing? Oh no, it's have to go to the next screen.
There'll be an option for signing in with a passkey, which I don't even have to click because Proton Pass is running. It knows I have a passkey. I didn't even type in my email address. I just signed in. Now, in many cases, what you're actually going to be doing here is what you saw before, which is you get that Windows Hello authentication experience. I've turned that off, which maybe isn't the smartest thing in the world. Skip the list. We don't need this. But because I have my computer auto log off the second I walk away from it. So this is already to me in a pretty secure state. So I don't feel like I need that extra layer of security, but most people should probably leave that on. So that's pretty seamless. And I could also try like GitHub for example. So if I go to GitHub, I'm probably going to have, I would imagine, the same experience, right? Yeah. So it just pops up like immediately. Right. The interesting thing is there is an option, I think it's hidden, I think the button right there might even say it. But you could also just type in your, you know, user account or your path, your email address here and it would probably, it would just prompt you at that point. But this is how fast it is, right. And so without, I didn't type anything, I didn't type a password, but I also didn't even type the email address. So it's the seamless nature of this that makes it so good. And this is why passkeys are. It's one of the reasons why passkeys are so great, because that's what I just did is super convenient. I don't even need a second device. Although it's not super hard, right. To bring up a phone, authenticate with Face ID or whatever you're using. But this is the fastest and easiest way. And the thing is, it's still super secure. It's the beauty of passkeys. And so I know it feels complex and people still kind of freak out about passkeys, but I think passkeys are going to, if not solve the problems with online account security. It's certainly a giant step forward.
Right. The trick is figuring out where you can use them and then using them everywhere you can use them. Passkeys aren't the only form of online account verification and authentication. Previous episode we looked at the different ways you can verify yourself with a Microsoft account. Right. But these are whatever we call this, you know, 2FA, MFA, where, you know, two-factor authentication, multi-factor authentication or two-step authentication, whatever it is. There are other methods, but passkey is the go to. That's the first one. The first one, if you have a passkey, use that every time. If you don't, or maybe that account doesn't support it, that's when you have to look at other forms of 2FA or MFA. And that's where the authenticator app comes into play. And that's what we're going to look at in a future episode, possibly the next episode. We'll see how this goes. But I think between these two things, with an authenticator app and with passkeys, you're in pretty good shape for protecting your online accounts and doing it in a way that's secure and convenient. So hopefully you found this useful. We will have a new episode of Hands on Windows every Thursday. You can find out more at twit.tv/how. Thank you so much for watching. Thank you especially to our Club TWiT members. You know we love you. If you're not a member, consider joining. Please. You can learn more about that program at twit.tv/clubtwit. Thanks. I'll see you next week.
B
Hey, everybody, it's Leo Laporte. Are you trying to keep up with the world of Microsoft? It's moving fast, but we have two of the best experts in the world, Paul Thurrott and Richard Campbell. They join me every Wednesday to talk about the latest from Microsoft on Windows Weekly. It's a lot more than just Windows. I hope you'll listen to the show every Wednesday. Easy enough. Just subscribe in your favorite podcast client to Windows Weekly or visit our website at twit.tv/ww. Microsoft's moving fast, but there's a way to stay ahead. That's Windows Weekly every Wednesday on TWiT.
Host: Paul Thurrott
Release Date: February 12, 2026
Podcast: All TWiT.tv Shows (Audio)
In this episode of Hands-On Windows, host Paul Thurrott dives deep into the practicalities of secure, passwordless logins, specifically focusing on using passkeys on Windows 11. He details his own workflow, recommends best practices, and provides hands-on demonstrations—all with his signature approachable, straight-talking style. The aim is to demystify passkeys, compare first-party versus third-party solutions, and offer advice for listeners ready to streamline and secure their digital lives.
Recent improvements:
Paul’s take:
Why third-party managers?
Paul’s Choice:
Device advice:
Autofill setup:
Disable browser autofill:
Flexibility in use:
Effortless login:
Security layers:
Mobile/QR alternate flows:
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 01:33 | Paul | “I feel really strongly that you should use a third party password manager which can be used for managing passkeys as well.” |
| 03:08 | Paul | “It's one of those things that once you start doing it, it becomes just second nature. It's very, it's very. It's simple. It's pretty obvious.” |
| 09:17 | Paul | “Just make sure… the browser is not also trying to autofill passwords… you don't want those two things fighting each other.” |
| 10:14 | Paul | “It's automatic. It's really nice.” |
| 12:26 | Paul | “I didn't type anything, I didn't type a password, but I also didn't even type the email address.” |
| 13:16 | Paul | “I know it feels complex and people still kind of freak out about passkeys, but I think passkeys are going to… if not solve the problems with online account security, it's certainly a giant step forward.” |
| 13:46 | Paul | “Passkey is the go to. That's the first one. The first one, if you have a passkey, use that every time. If you don't… look at other forms of two FA or mfa.” |
Paul delivers a pragmatic and highly actionable guide to embracing passkeys on Windows, emphasizing ease of use, practical setup, and layered security. With concrete recommendations and live demonstrations, this episode is a must-listen (or read!) for anyone looking to upgrade their account safety without a lot of hassle.
Next episode preview:
Paul will cover authenticator apps and how they fit into a comprehensive, secure login strategy.