Hands-On Windows 176 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Paul Thurrott [00:00:00]:
Coming up next on Hands on Windows, we're going to take another look at passkeys, but this week instead of the built-in functionality, we're going to look at the way I recommend using passkeys in Windows 11.

TWIT.tv [00:00:13]:
Podcasts you love from people you trust. This is TWiT.

Paul Thurrott [00:00:22]:
Hello everybody and welcome back to Hands on Windows. I'm Paul Thurrott and this is our second look at passkeys in a row. Last week I looked at some of the new passkey integration capabilities in Windows 11, which are pretty good. There's the basic passkey functionality that arrived in 23H2. In 25H2, Microsoft has added Microsoft Password Manager integration, although that requires using Microsoft Edge, and also third-party password manager integration, which requires you to install an app and then configure it to work with the system instead of the built-in functionality. So it's like I said, it's pretty good. I don't do any of that. So I've been using passkeys as long as there have been passkeys.

Paul Thurrott [00:01:04]:
This technology has evolved pretty rapidly. It's gotten really seamless. And I feel really strongly that you should use a third-party password manager, which can be used for managing passkeys as well, right? So I'm going to interchange those terms, but passkey manager/password manager, basically the same thing for two reasons. One, they're natively portable, which other solutions are starting to become as well, but they also offer more features than the built-in password managers that you get with, you know, Chrome or Android or Apple or Windows, right? I happen to use ProtonPass. That's just the choice I made. I do recommend it, but 1Password, Bitwarden, Dashlane, those are all fantastic, and I'm sure there are others. What's interesting about the one I use, and actually a couple of the others, is that they don't yet integrate with Windows 11 in the way that 1Password and Bitwarden do right now. And I don't actually think it matters.

Paul Thurrott [00:02:00]:
So if you think about the devices that you use, everyone has a phone. I'm assuming you have a PC as you're watching this podcast, but you have some computer, you have a Mac, maybe it's a Linux PC, Chromebook, whatever it is, it doesn't matter. We're going to stick to Windows here. Obviously, you might have an iPad or another Android tablet. You want to have your password manager and separately an authenticator app, which we're going to talk about in a future episode, on all of those devices because you want to be able to access this stuff on a thing that you will have with you, hopefully at the time or at all times, and in a way that is secure because these things are secured using the native security functionality on those devices, which is typically something biometric like facial recognition or fingerprint recognition or maybe a PIN as a fallback. But there's the extra layer of protection. It's another thing that you have. And it's just a, it's a nice, it's one of those things that once you start doing it, it becomes just second nature.

Paul Thurrott [00:02:58]:
It's very, it's simple. It's pretty obvious. I'm just going to show you, I took some screenshots from my iPhone just so I can kind of show you what this looks like. But this is ProtonPass, which is the password/passkey manager I use running on my iPhone. What I've done is you go into, you can just go into settings, search for autofill, Android or iPhone, you'll see this. You'll see whatever apps you have installed on the device that can be autofill providers. You can actually have multiple autofill providers enabled. I don't recommend that, but you can.

Paul Thurrott [00:03:35]:
I use one, so I use ProtonPass, as you can see. Apple is kind of interesting because it's actually covered up here, but there's an option at the bottom for authenticator apps for getting codes. And I use the Proton Authenticator app for that. And again, we'll look at that later. But in this case, you can see I probably have 2, 3, 4, you know, 6, 7, whatever number of choices for autofill on phones. And I feel like this is something most people are familiar with, right? But this also happens on Windows or any computer. It can happen with apps, but the more typical experience is in a web browser. And what that means is you're going to be installing an extension for that thing.

Paul Thurrott [00:04:18]:
So you install the app on your phone and maybe your tablet, but you install a web browser extension in whatever web browser, or if you have multiple browsers, in each of the browsers that you use on your computer. So we're going to look at that right after this message.

Leo Laporte [00:04:33]:
Hey everybody, this episode of Hands on Windows brought to you by Thinkst Canary. Love my Thinkst Canary. It's got it, I've got it right here. Looks just like a USB external USB drive except a little different. It's got an Ethernet jack on the back, a USB dongle for power. What is it really? Well, anything you want it to be. This little guy can show up as a Windows server, as a Linux server. It could show up as a SharePoint server.

Leo Laporte [00:05:00]:
It could be a Windows 95 box. It could, it could even be a SCADA device. It can be anything you want it to be, but it isn't. It just looks that way right down to the MAC address. But to a bad guy, it doesn't look vulnerable, it looks valuable. It looks like something cool. You can also do something else with this Thinkst Canary. You can create tripwires, little Thinkst Canary tokens, and spread them all over, little files that look like spreadsheets, uh, even things like WireGuard configurations.

Leo Laporte [00:05:28]:
I mean, it's just a huge variety of things, and you could put them on cloud drives. I put them on my Google Drive. You can put them on your network drives. The whole point is, when you set these up, they're honeypots. You can deploy them instantly. They're very secure. But as soon as somebody accesses them, somebody accesses one of those, accesses one of those, you know, lure files or brute forces your fake internal SSH server, you get the alert. Your Thinkst Canary will immediately tell you you got a problem.

Leo Laporte [00:05:59]:
And no false alerts, just alerts that matter. And by the way, by text, by mail, however you want them. In Slack, it supports webhooks. There's an API. It supports syslog, of course. So you choose a profile. It's very easy for your Thinkst Canary device. They've got a dropdown menu.

Leo Laporte [00:06:17]:
You can turn on all the services at like a Christmas tree or just a few carefully chosen services. You register it with the hosted console for monitoring and notifications. Then you sit back and you relax. Attackers who've breached your network, malicious insiders, or other adversaries will make themselves known instantly just by accessing your Thinkst Canary. Most companies on average do not know they've been breached for as long as 91 days. That's not good. As if you've got an intruder on your network, you want to know as soon as possible, and that's what the Thinkst Canary does. They cannot resist them.

Leo Laporte [00:06:54]:
It's like candy for the bad guy. Visit canary.tools/twit. Just $7,500 a year gets you 5 Thinkst Canaries. You may want more. In fact, big banks might have hundreds. Certainly every VLAN, every segment of your network should have a Thinkst Canary on it. You also get your own hosted console. You get upgrades, you get support, you get maintenance. Oh, and by the way, if you use the code TWIT, TWIT, in the how did you hear about us box, you're going to get 10% off.

Leo Laporte [00:07:20]:
And not just for the first year, but for as long as you own your Thinkst Canaries. That's a really good deal right now. Oh, hey, one other thing to reassure you: you can always return your Thinkst Canary. They've got a 60-day, 2-month money-back guarantee for a full refund. But I have to tell you, they've been advertising with us for nearly a decade, and their refund guarantee has never once, not once, been claimed. Because once you get one of these little guys, or 2, or 3, or 4, or 5, or a dozen, or 100, you're never going to want to let them go. Visit canary.tools/twit. Don't forget to enter the code TWIT in the How'd You Hear About Us box.

Leo Laporte [00:08:00]:
canary.tools/twit. This thing is a lifesaver. And now back to Paul at Hands On Windows.

Paul Thurrott [00:08:09]:
So in Windows 11, as on any device I use, but in Windows 11 specifically, I installed the Proton web browser extension— I should say the Proton Pass web browser extension everywhere. So you can see that here, it's up in the toolbar of, in this case, Microsoft Edge, but I put it in every browser I use. There is a desktop app. You can install that too. You don't need to. Maybe one day when it— if it integrates with the system in Windows and I want to try that, I would probably try that, but there's no real reason to do that. If you think about the ways in which you might need to access your password in Windows, 90-something percent of the time it's going to be inside of a web browser because you're accessing some external website or whatever. But you can also do it inside of an app, right? And in this case, the web browser extension is not going to help you directly, other than if you're signing in to say— well, I actually can't— I was going to use Netflix as an example, but actually Netflix is a web app, so ProtonPass does work in Netflix the app.

Paul Thurrott [00:09:07]:
But some app that doesn't have that, you know, web backend, you can copy and paste from the password manager in your browser to get it into an app. It's not a big deal and you don't really do it that often. So it's not, to me, it's not super important. But I will bring up Brave instead. Brave also, right, has the Proton Pass web browser extension built in, right? The key here when you're using a third-party extension is the same as, you know, we did in the last episode. I guess I'm losing track here, but you want to go into settings and make sure that this thing is not— this is not the right place— and make sure that it is not— the browser is not also trying to autofill passwords, right? And so you can see here all the settings are off for this, right? And so Microsoft Edge, Chrome, whatever browser you're using, it is a similar interface, but you just want to make sure that's off. You don't want those two things fighting each other, right? So I'm only using Proton.

Paul Thurrott [00:10:10]:
That's easy, and I can do the same thing, you know, I've been doing. So accounts.google, which is getting super, you know, familiar, passkeys, right? We're going to create a passkey. Oh, it has to make sure it's me. Now here's an example of actually using this thing to sign into an account, right? And so this is what that experience is like. I've signed into this somewhere else, but that actually doesn't matter. So if I had never signed into my Google account and I went to this site, this would just pop up. And this is what's one of the things that's really cool about passkeys. I don't even have to type the email address.

Paul Thurrott [00:10:48]:
I might have multiple Google accounts listed. I just have to choose one. So in this case, I've only signed in with the one and I just pass through. It's automatic. It's really nice. If I do go to create the passkey, the native interface for that thing comes up, in this case, ProtonPass, right? I'm not getting the native experience. I'm not getting the Microsoft Edge experience. I'm not using that.

Paul Thurrott [00:11:09]:
I'm getting the, in this case, the, the Proton Pass. Now I canceled it, so it's going to try to save it locally. I'll just cancel it. I don't need to save it, but that's how that works. It's super simple. It's really, really nice. So when you think about passkeys and like, where do you need them or where are you going to access them? The two places you have to have them to me are your phone and your computer. Right? You will sometimes get that QR code like we saw last time on the last episode.

Paul Thurrott [00:11:37]:
And more often than not, though, you're going to be on the web and you can just access it right through the web browser extension. Super easy. So what does it look like to actually use this thing? We actually saw one example already, but I have a couple of sites that I know I have passkeys for. So for example, I can go to Best Buy. I am not signed in and there's a sign-in button, but there should be— where is this thing? Oh no, it's— you have to go to the next screen. There will be an option for signing in with a passkey, which I don't even have to click because ProtonPass is running. It knows I have a passkey. I didn't even type in my email address.

Paul Thurrott [00:12:11]:
I just signed in. Now, in many cases, what you're actually going to be doing here is what you saw before, which is you get that Windows Hello authentication experience. I've turned that off, which maybe isn't the smartest thing in the world. Skip the list. We don't need this. But because I have my computer auto log off the second I walk away from it. So this is already to me in a pretty secure state. So I don't feel like I need that extra layer of security, but most people should probably leave that on.

Paul Thurrott [00:12:39]:
So that's pretty seamless. And I could also try like GitHub, for example. So if I go to GitHub, I'm probably going to have, I would imagine the same experience, right? Yeah. So it just pops up like immediately, right? The interesting thing is there is an option. I think it's hidden. I think the button right there might even say it, but you could also just type in your, you know, user account or your email address here. And it would probably, it would just prompt you at that point. But this is how fast it is, right? And so without, I didn't type anything.

Paul Thurrott [00:13:08]:
I didn't type a password, but I also didn't even type the email address. So it's the seamless nature of this that makes it so good. And this is why passkeys are, it's one of the reasons why passkeys are so great, because that's what I just did is super convenient. I don't even need a second device, although it's not super hard, right, to bring up a phone, authenticate with Face ID or whatever you're using. But this is, this is the, the fastest and easiest way. And the thing is, it's still super secure. That's, it's the beauty of passkeys. And so I know it feels complex and people still kind of freak out about passkeys, but I think passkeys are going to, if not solve the problems with online account security, it's certainly a giant step forward, right? The trick is figuring out where you can use them and then using them everywhere you can use them.

Paul Thurrott [00:13:56]:
Passkeys aren't the only form of online account verification and authentication. In a previous episode, we looked at the different ways you can verify yourself with a Microsoft account, right? But these are— whatever we call this, you know, 2FA, MFA, or, you know, two-factor authentication, multi-factor authentication, or two-step authentication, whatever it is— there are other methods, but passkey is the go-to. That's the first one. The first one, if you have a passkey, use that every time. If you don't, or maybe that account doesn't support it, that's when you have to look at other forms of 2FA or MFA. And that's where the authenticator app comes into play. And that's what we're going to look at in a future episode, possibly the next episode. We'll see how this goes. But I think between these two things with an authenticator app and with passkeys, you're in pretty good shape.

Paul Thurrott [00:14:42]:
For protecting your online accounts and doing it in a way that's secure and convenient. So hopefully you found this useful. We will have a new episode of Hands on Windows every Thursday. You can find out more at twit.tv/how. Thank you so much for watching. Thank you especially to our Club Twit members. You know we love you. If you're not a member, consider joining, please.

Paul Thurrott [00:15:03]:
You can learn more about that program at twit.tv/clubtwit. Quit. Thanks, I'll see you next week.

Leo Laporte [00:15:10]:
Hey everybody, it's Leo Laporte. Are you trying to keep up with the world of Microsoft? It's moving fast, but we have two of the best experts in the world, Paul Thurrott and Richard Campbell. They join me every Wednesday to talk about the latest from Microsoft on Windows Weekly. It's not a lot more than just Windows. I hope you'll listen to the show every Wednesday. Easy enough, just subscribe in your favorite podcast client to Windows Weekly. Or visit our website at twit.tv/ww. Microsoft's moving fast, but there's a way to stay ahead.

Leo Laporte [00:15:40]:
That's Windows Weekly, every Wednesday on TWiT.