You may want to update this video. I’m researching these now and listening to your video it is outdated. 1 - you can use them with Windows now, 2 - you can use a USB-C to USB-3 converter to switch between devices. They are about the same size as the nano, 3 - some sites allow you to use multiple keys now. Probably not the best security option, but would allow you to have a backup key stored safely away. Good info though...
The concern about having nfc in the usb seems moot as if you leave the key plugged in all the time - you risk someone just using/tapping the key and entering - this circumvents the advantage of 2FA (something you have rather than just know/password). It should always be kept with you.
Rob, your video was the best one I found on the yubikey. I found that the static password works great for lastpass master but you can also add your own unique portion you type and then long press the yubikey to have the static fill in the rest of it. then short press for the 2fa from the yubikey. i got the nano based off your review and it's amazing on a laptop. i got the yubikey 5 nfc as my alternate and works great on anything including a lightning to usb adaptor i already had from apple ... and nfc to my iphone XR. these are cooler than you think because they allow you to stay logged out of password manager and log in quickly when desired.
You can duplicate the Yubikeys; I have done this for years. At 10 minutes the video says you can't have two identical Yubikeys that are synced on two different computers. You should use the Yubikey configuration tool. You can wipe the Yubikeys and make them all the same.
When one changes (i.e. you add a new account), do you have to bring them back together to re-sync them? i.e. I can't have one in LA and one in NY permanently... I'd have to fly one to the other every time there's a new account?
@jacklewis100 It doesn't work that way; you don't have to change the key configuration every time you add a new account. The keys are made identical, if you want, using their configuration tool. Then you can give two or more people, no matter where they are, a key. They all have the same level of account access. You just keep pairing any one of the keys to each new account you make, then they all will work with that new account.
@huestifer Ah... so the key doesn't actually store any accounts - it's the accounts/web services which become aware of the permitted keys! Thanks. That makes a lot more sense.
@jacklewis100 There is also a corporate version of the yubikey that allows you to control logins to a corporate server, for example. They also have tools that allow businesses to create more than one key at a time for a large business enterprise.
Rob, leaving your key plugged in leaves a physical security risk as a person could clone the key, given time and physical access. Most people don't worry about this at home, but having had a PI break into my house (your home is not nearly as secure as you think!) I learned to not assume anything. Bathroom break at home, ok. Leave it when you go to work... nope!
Anyone who uses a Yubikey with LastPass; LastPass allows you to register multiple keys. This allows me to have one key in my private laptop and have a separate (NFC enabled) key in my bag when I leave home without a laptop. It also gives me the ability to access my personal vault when on business travel with just a business laptop and business related Yubikey. When it comes to using a hardware key with KeePass, I really never used a browser plugin but just used Auto-Type function to fill the username and password fields. In case someone would like to use that combination, try it and see if that's what you were looking for.
Thank you for this video. This was extremely informative, very straightforward and the only video I have viewed on this subject that clearly explains the form factors, their names and respective uses and exactly how it might work (or might not) work with a password manager.
I've been using them since 2017 for online verification and always been able to use multiple Yubikeys with EVERY service that supported them. In fact a minimum of 2 has always been RECOMMENDED in case one is lost or damaged. I question the management of any service that allows 1 but not multiple Yubikeys. I have also been using USB A to USB C and Micro adapters for phone and tablets. If adapters didn't work for you that incompatibility was elsewhere.
He's conflating WebAuthn and/or FIDO2 with YubiOTP. There are services that only allow one YubiOTP entry (though LastPass allows up to five, so it's not a technical limitation), but any that use them as FIDO(2) / WebAuthn allow and even recommend setting up more than one.
I don't see them giving the ability to sync multiple keys. That would be a security issue because it would make it possible to clone them. The whole point behind the secure element is that it can't be read/replicated once it's manufactured. They could create duplicate physical keys in the factory, and maybe that's something they should offer (like a set of 2 identical keys), but it would really reduce the security if they could be altered after manufacturing.
Not true. You can use two keys at the same time. I have both the nfc YubiKey and the 5ci YubiKey. Whenever you set up 2FA, you get a QRcode from the website. You just scan the code with the YubiKey app, swap your key, then scan it again. Now both keys will have the 2FA codes.
@marcespina1 what Retro is saying is of course true. He is saying that a private key should never leave an HSM. You are saying that several public keys can be registered as authorized keys to access a service. So you are both right, you are just talking about different things.
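The model the replies above arrive at (the key stores no accounts; each service keeps a list of public keys it will accept; the private key never leaves the device) can be shown in code. The Go program below is an added example written for this page, not Yubico firmware or any FIDO library. It is a simplified U2F-style sketch: a key holds one master secret, derives a per-site P-256 private key from that secret plus a random nonce carried in the "key handle", and signs the site's challenge with it. Because the site only ever stores handles and public keys, any number of keys can be registered to one account, and a key can serve any number of accounts without storing anything per account. The type and function names, the handle layout (32-byte nonce followed by a 16-byte device tag) and the "key"/"tag" labels are assumptions of this sketch; real U2F/WebAuthn additionally has a signature counter, attestation and a user-presence touch, all left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Authenticator models one security key: a master secret sealed in the device
// that never leaves it. Note that it holds no per-account state at all.
type Authenticator struct{ master []byte }

// random returns n bytes from the OS CSPRNG (panics rather than continue on failure).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewAuthenticator() *Authenticator { return &Authenticator{master: random(32)} }

// prf is HMAC(master, label|rpID|nonce): this device always recomputes the same
// value from a handle; a device with a different master secret cannot.
func (a *Authenticator) prf(label, rpID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.master)
	m.Write([]byte(label + "|" + rpID + "|"))
	m.Write(nonce)
	return m.Sum(nil)
}

// derive turns the PRF output into the P-256 private key for this site+handle
// (a zero scalar has probability 2^-256 and is not special-cased here).
func (a *Authenticator) derive(rpID string, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(a.prf("key", rpID, nonce))
	d.Mod(d, curve.Params().N)
	priv := &ecdsa.PrivateKey{D: d}
	priv.Curve = curve
	priv.X, priv.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv
}

// Credential is all the relying party stores per registered key: an opaque
// handle (32-byte nonce || 16-byte device tag) and a public key. Nothing secret.
type Credential struct {
	Handle []byte
	Pub    *ecdsa.PublicKey
}

// Register ("add a security key") mints a fresh handle and returns only public data.
func (a *Authenticator) Register(rpID string) Credential {
	nonce := random(32)
	handle := append(nonce, a.prf("tag", rpID, nonce)[:16]...)
	return Credential{Handle: handle, Pub: &a.derive(rpID, nonce).PublicKey}
}

// Authenticate picks the handle this device minted, re-derives its key and
// signs SHA-256(rpID || challenge); handles minted by other keys are skipped.
func (a *Authenticator) Authenticate(rpID string, handles [][]byte, challenge []byte) ([]byte, error) {
	for _, h := range handles {
		if len(h) != 48 || !hmac.Equal(h[32:], a.prf("tag", rpID, h[:32])[:16]) {
			continue
		}
		msg := sha256.Sum256(append([]byte(rpID), challenge...))
		return ecdsa.SignASN1(rand.Reader, a.derive(rpID, h[:32]), msg[:])
	}
	return nil, errors.New("no credential on this key for " + rpID)
}

// RelyingParty holds one account's registered keys; any of them may answer.
type RelyingParty struct {
	ID    string
	Creds []Credential
}

// Handles is what the site sends along with the challenge at login.
func (rp *RelyingParty) Handles() [][]byte {
	hs := make([][]byte, len(rp.Creds))
	for i, c := range rp.Creds {
		hs[i] = c.Handle
	}
	return hs
}

// Verify returns the index of the registered key whose public key checks the signature.
func (rp *RelyingParty) Verify(challenge, sig []byte) (int, error) {
	msg := sha256.Sum256(append([]byte(rp.ID), challenge...))
	for i, c := range rp.Creds {
		if ecdsa.VerifyASN1(c.Pub, msg[:], sig) {
			return i, nil
		}
	}
	return -1, errors.New("no registered key signed this challenge")
}
```

Typical use: enrol two keys with `rp.Creds = append(rp.Creds, k1.Register(rp.ID), k2.Register(rp.ID))`, then at login hand `rp.Handles()` and a fresh random challenge to whichever key is at hand; `rp.Verify` reports which registered key answered. A third, unregistered key recognises none of the handles as its own and returns an error, and nothing it could copy from the relying party (handles and public keys) lets it forge a signature. That is why "syncing" two keys is neither needed nor offered: you register the backup as a second credential instead.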
@10m00s: You can only use one device with one key on one account. You can't sync multiple different form factor Yubikeys and access the same account via different hardware. Uhh, okay, wow. Thank you for saving me the time and effort!
You can register a second physical key. It is great as a backup in-case of lost/stolen or damaged keys. (And if you get two different USB types then that solves this issue.(btw NFC authentication doesn't work with most mobile browsers. Apps only.)
I have the same experience and could live with it, and so I have decided to return the product. It also did not work properly with Android NFC. I will give this another go if they have fixed what you have mentioned in the last section of your video. Great video by the way.
Does the Yubikey have upgrades to the software? Who controls the software updates? I know this seems to be the best option in the market but I am always trying to see any possible vulnerabilities. No, I wasn't born skeptical, well, maybe I was.
I subscribed to your channel. I am using a Yubikey that I just received from the manf., I think that this type of security management is going to be the next BEST thing. I remember when we used some software in a project way back when and it would NOT allow you to use that package w/o the dongle, that is what they were called then, and I thought it was great and a pain in the ass sometimes because it was used on multiple machines, each needing its own expensive key! Thanks for the in depth review.
Rob, they make a combination Yubikey which has both USB-A and USB-C connectors on the one Yubikey. Moreover, you can program/clone more than 1 yubikey so it shows up as the same key across multiple devices.
Sooo if I'm getting this right, if I had 2 yubikeys and say yubikey #1 was used for my Google account. If I clone the 2nd yubikey to be identical to the 1st, and then lost yubikey #1, I could use #2 in its place for logging in?
I appreciate your insights. I've been coming across your videos a lot recently as I'm starting to take internet privacy seriously. Byproduct of studying cybersec in preparation to switch careers. Thanks virus!
The other thing I'd add is I agree, don't buy two - the marketing is that if you lose your first one you're stuffed - but if you're concerned and want to start out exactly where you left off: these are factory produced things, so all you do is, with Yubikey #1, get the hexadecimal crypto stuff from the manager, print it off and shove it under your floorboards and hope you never need it - but if you do, just buy another one and put the same hex data in. pwSafe is a good password management option to use with it; it'll do PK authentication, so with your long password in the regular box it's pretty much unbreakable as it's AES-256.
Nice in-depth review, and dispelling common myths. Here is what I'm wondering: For any account that has a backup 2FA SMS enabled, isn't that still the weakest link in the security chain?
It is and I hate the use of phone numbers for many reasons to begin with. I have another video on doing SMS 2FA without a phone number. Is that any better? Better for privacy, but someone with access to SS7 hacking can intercept the SMS. The better backup is TOTP (Google Authenticator or Authy).
Consider using a number tied to a web service like Google Voice no SIM card, this can make it on par with email OTP in terms of security since someone would need access to your Voice account instead of just being able to scam your carrier into spoofing your sim card.
Hello Rob, I realize this video is 4 yrs old, I just want to know if you have any new opinions on yubikeys? I.e. are they reliable, user-friendly and most importantly which brand you can recommend. Thanks
Thank you. you cleared up a lot of information in an easy to understand manner. I look forward to seeing more of your videos. I've subscribed. R. Varela
Helpful review, I learned a lot. It sounds complicated. It can only store one password? If it is lost, what are the steps to protect ourselves, is there a revocation process?
You can use multiple yubikeys. You should have a backup because if you want all the benefits of using a secure key then you ought to be turning off other weaker methods of authentication like cellphone/mobile authentication.
I appreciate the videos, and no, you don’t have to make them shorter. I watch them as you go into depth which is what we need to understand it. I have questions: 1) I bought 2 yubikey 5 NSD 2) outlook live was tested first and worked fine after it asked to create code 3) added 2nd and was fine 4) tried google, failed 5) tried in chrome, failed with endless spinning until it gave a message stating it needed to be plugged in 6) restarted computer, gmail failed again to sync with same errors 7) I have never found anything that explains how many emails you can apply 8) I haven’t found anything that wipes the whole thing to start from scratch or updates that don’t require intense DOS style script for each “applet” where directions are difficult to follow 9) support to LastPass and yubico has been sent and have gotten zero responses 10) how far am I off? Is it a software thing? I saw a video where the thickness of the usb section varied and could be part of the problem, no? Thanks in advance.
That's a long list! LOL. There's a lot that you didn't read. For example, Lastpass only supports Yubikey using their Premium version. But I don't use TOTP with Lastpass, I just use it as a master password. Which requires some setup. There are always ways to disengage TOTP from any of those websites. Just remove the 2FA and start again. Many websites don't allow two TOTP devices. If it failed, try it again; something didn't get processed right. For example, if you tap on the device too long. It should be a brief tap. A long tap is considered to be the 2nd mode (which is for a password).
love your videos, I more or less figured out quite a few of the same concepts myself over the years- the only thing i'd say is there's a lack of open source since I think the 3 - neo , and for all the RF stuff they offer, i'm sure a capable chap such as yourself could brush past a phone with near field switched on (for these keys and their convenience) and steal a bunch of creds from the phone concerned. If you build one of those and go to a concert you can walk out a millionaire... Other than that , I do like the things, just switch off NF on your phone.
It would be extremely close and obnoxiously noticeable. Less than 3 inches, and you must also tap the yubikey button to trigger it. Don't try this near someone's back pocket. If they step back slightly and touch your hand, you may end up being charged with groping and wind up on a sex offender registry. Yes, NFC is that close.
Assuming one could get close enough, how exactly would an NFC-enabled hacking device steal creds from a victim's phone? The two devices need to be configured to trust each other first, no?
I use the yubikey usb a and usb c with their own converters to switch with computer and mobile, it is best used with 3.0 converter that will make it work. If using the standard converters that aren’t 3.0 then it doesn’t function properly.
While this type of 2FA device offers some level of security, it brings a whole host of inconveniences and other issues. I think I will stay with my existing security protocol with very strong password management with 2FA and leave it at that!
@nathandrake981 I use Bitwarden so I'm biased, but it's a great program and I see no real reason why you should pay for a password manager. Definitely go with Bitwarden.
Thanks for the vid Rob. I have been researching tightening up my security in all areas, and considering Yubikey as well. I like the idea of using it as a static password for my Mac as well, though it comes to mind that if you were to leave the nano plugged in, or your yubikey around, and someone managed to get physical access, in the event of a theft, break in, or confiscation, which I have heard is happening more often at airports now so they can access all your data. But that's a story for another day. Isn't this leaving you very unprotected? Seems it would make accessing your computer and files even easier.
There is good reason why you cannot sync or copy to another key, and likewise you cannot copy the same to Google Authenticator. If you could, it would make this whole thing useless because the hacker or someone with momentary access to the key could just steal everything without your knowledge. Instead just add your backup key as a second device to unlock your account.
I’m not sure you accurately described how it works according to a video explaining the U2F protocol. The device does more than act as a simple keyboard macro, according to other sources.
At 16:19, I don't think this statement is quite accurate. For websites that support U2F (e.g. Google) or Yubico OTP (e.g. LastPass premium), you can configure multiple Yubikeys for the same account. Similarly for OATH OTP (which is what app-based 2FA uses), you can configure multiple Yubikeys for the same account by registering the same secret key multiple times. The easiest way to do that is by using the Yubico Authenticator app, which works just like other 2FA apps, but stores the secret keys on your Yubikey. If you want to be able to add additional Yubikeys for 2FA later, you can take a screenshot of the QR code, print it out, and store it somewhere safe. Obviously that's not super convenient, so ideally more websites will support U2F and FIDO2 in the future.
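The "scan the same QR code into both keys" approach described in the comment above (and earlier, for the Yubico Authenticator app) works because OATH TOTP is a symmetric scheme: the QR code carries a shared seed, and every device holding that seed computes the same code as the server. The Go program below is an added example written for this page, not Yubico Authenticator code. It parses the otpauth:// URI inside such a QR code and computes and verifies RFC 6238 codes. The URI is constructed here with the RFC 6238 test seed "12345678901234567890" rather than a real account secret, and the type and function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Constructed provisioning URI, i.e. the text inside the QR code a site shows at
// 2FA setup. The secret is the RFC 6238 test seed "12345678901234567890" in
// base32, not a real account secret.
const ExampleOtpauthURI = "otpauth://totp/Example:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"

// Provisioning is the shared seed plus code parameters. Every device that
// scans the same QR code ends up holding an identical copy of this.
type Provisioning struct {
	Issuer, Account string
	Secret          []byte
	Digits          int
	Period          int64
}

// ParseOtpauth decodes an otpauth://totp/... URI and applies the defaults
// (6 digits, 30 s) that authenticator apps use when a parameter is absent.
func ParseOtpauth(raw string) (Provisioning, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Provisioning{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return Provisioning{}, errors.New("not a TOTP otpauth URI")
	}
	q := u.Query()
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(
		strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")))
	if err != nil || len(secret) == 0 {
		return Provisioning{}, errors.New("missing or malformed secret")
	}
	p := Provisioning{Issuer: q.Get("issuer"), Account: strings.TrimPrefix(u.Path, "/"),
		Secret: secret, Digits: 6, Period: 30}
	if d := q.Get("digits"); d != "" {
		if p.Digits, err = strconv.Atoi(d); err != nil || p.Digits < 6 || p.Digits > 8 {
			return Provisioning{}, errors.New("digits must be 6..8")
		}
	}
	if s := q.Get("period"); s != "" {
		if p.Period, err = strconv.ParseInt(s, 10, 64); err != nil || p.Period <= 0 {
			return Provisioning{}, errors.New("period must be a positive number of seconds")
		}
	}
	return p, nil
}

// Code is RFC 6238 TOTP: HMAC-SHA1 over the time step, dynamic truncation,
// then the low Digits decimal digits, zero-padded.
func (p Provisioning) Code(unix int64) string {
	var step [8]byte
	binary.BigEndian.PutUint64(step[:], uint64(unix/p.Period))
	mac := hmac.New(sha1.New, p.Secret)
	mac.Write(step[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < p.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", p.Digits, bin%mod)
}

// Verify is the server side: it holds the same seed, recomputes for the current
// step and one step either way to absorb clock skew, and compares in constant
// time. A production verifier must also refuse a code it has already accepted
// (replay) and rate-limit guesses.
func (p Provisioning) Verify(code string, unix int64) bool {
	for delta := int64(-1); delta <= 1; delta++ {
		want := []byte(p.Code(unix + delta*p.Period))
		if subtle.ConstantTimeCompare(want, []byte(code)) == 1 {
			return true
		}
	}
	return false
}
```

Parsing ExampleOtpauthURI twice stands in for two keys scanning one QR code: both Provisioning values return "287082" for Code(59) (the RFC 6238 test vector), and a server holding the same seed accepts a code from either of them. The same property is the weakness relative to U2F/FIDO that the comment above points at: the seed is a copyable secret, so the printed QR code is a complete second copy of it and needs to be stored like a password, not like a backup key.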
Do sites where you use a Yubikey store data about your fingerprint if you use a biometric key/ phone if you use an NFC key? i.e. would Amazon be able to see your fingerprint/ IMEI of your device if you were to use these keys to log in? Also, does Yubikey themselves collect any sort of data via these keys?? Heard a lot of these 'third party authenticator apps' mine a bunch of personal data. LOVE your vids Rob. Greetings from the UK!
Hi Rob, I have the yubikey 5C and 5NFC. THE YUBIKEY 5NFC works fine on my laptop but the Yubikey 5 C does not work on my Samsung Tab A nor my Samsung A40 Smart phone, it either takes too long to load or does not recognise my Yubikey 5c at all. I am a disabled person who uses social media often and I desperately want to use Yubikey on all my devices. Best wishes from UK.
I have been using a yubikey daily for years; they really are nice. This video doesn't cover all the features; and the best ones are for holding gpg keys. Generate them offline, put subkeys on the yubikey; then password store can just be gpg encrypted files. There are even front ends for doing this called "password-store" - much better usage than the "fixed password" use; I have that totally disabled. GPG is a much better password manager
In another video you asked why is everyone so interested in Bitwarden now? I would like to suggest, although I may be wrong, that it is possibly because of the recent surge in interest in crypto currency and hence A. Antonopoluss channel, and in his Ledger Hack/cyber security videos they mention Bitwarden as one of the main open source password managers.
You said you only can register one key at a time and you need to use either usb-c or usb-a. But I just got two yubikey 5 nfc usb-a version, and the services I've tried so far have let me register both keys and it worked on my phone both with nfc and using a usb-a to usb-c adapter. Did you mean the adapter is a security flaw maybe?
This is mostly old information. For up to date info on yubikey look at more recent videos. In 2024 things have changed regarding this security key and points made on this video.
Sir, in your opinion do printable backup codes make an account protected with security keys more vulnerable? For example, Google back up codes are only 8 digits.
It's not the code length. It's that if someone manages a password heist and logs in once, they can copy codes and use them in place of 2FA and lock you out of your account if they so choose. I had my Comcast Xfinity account hijacked by a PI due to their poor security practices. I then had 2 different gmails hijacked that were used to impersonate me while I am locked out of them. That is beyond the scope of a normal PI. It's just creepy, but consider that in order to do that job you have to have no ethics anyway...
Do you know if consumers can use the 5C FIPS series keys? I'm wondering if the regular 5 NFC series differs from the 5 FIPS series other than the added level of security on the FIPS. I ask because I'm wondering if, let's say you want to secure your gmail account with the regular 5 series, can you also do it with the 5 FIPS series? Or are most accounts the average user utilizes only compatible with the regular 5 series and not the FIPS series? If I can still use the FIPS series that has government level 3 encryption vs. the regular 5 series, which only has level 1 encryption, then I'd rather just make the investment and pay slightly more for the FIPS version and get added security, but I'm not sure if it's ONLY for government use or can regular consumers use it too and for the most part it would still function like the regular 5 series but with the added protection? Thanks for making your content, it's valuable in today's digital world 👍❗
It would be nice if you could do an update on that. So many sites now ask to take a pic of an on-screen QR code, as a 2FA method, can this be done with the Yubikey and is it as safe?
I don't know about a PC, but I AM able to use USB-A to Micro converter for the Yubikey 5 on my Samsung 10 tablet. -->CableCreation Micro USB 2.0 OTG Cable Flat On The Go Adapter Micro USB Male to USB Female for Samsung S7 S6 Edge S4 S3 Android or Other Smart Phones Tablets with OTG Function 6 Inch, Black ON AMAZON
Aaand why exactly can't you "use a converter" to connect USB-A to a USB-C port, for example? Yubikeys are all electrically USB 2.0 devices (you don't need speed here at all); the connectors are different, the protocol is the same. Even more, you can connect a USB key... to a phone! Phones have had USB host for years and adapters are available too.
If you said most systems default to email or text when you lose the key, then how safe is the key if email or text can be hacked? I would think it should be key or backup key or nothing. Please let me know how to protect against a hacker that can claim they lost their yubikey?
Wait, you're telling me that these keys don't work with adapters? I saw a video with a YouTuber using an adapter for his type C key to plug it into his PC. I need to check that with my keys.
Great review. Do you know if the USB C key has the option to configure 2 static passwords. BTW have you figured out how to configure your own static password?
I don't know if they've changed the software since, but at the time I made the video, you can only configure one additional use (static or TOTP). The way it works is by touch time. If you touch it for a few seconds it is mode 1. Longer (10 seconds or so), then you get mode 2. So if you use a Yubikey for static only, in theory you can get 2 static modes, or 2 TOTP modes, or any combination of 2.
> If you're using Yubikey on your Windows computer that has a USB A and is semi-permanently plugged in there like the nano here, It's not gonna work with another computer that's only using USB C like the new MacBook. Umm, No you can. Maybe your USB-A to USB-C adapter is just broken (assuming you really did test it). I use both systems for work (Mac OS and Windows 10). And I can 100% confirm it works (Yubikey with USB-A using an adapter to USB-C for Mac OS). I use it on a daily basis. ----- You can use 2fa on Windows Login via Yubico Login Windows. It's a direct replacement of the "Windows Logon Tool" which also replaces YubiKey for Windows Hello app. That was sunset around September 2019, 5 months after this video aired. 🤦🏻♂️ So I'm not sure which tool Rob is saying that was deprecated at the time of this video recording. Where clearly Yubico release 3 different apps to use for Window logins for 2fa, albeit its for local accounts. Link of the article: support.yubico.com/support/solutions/articles/15000006472-using-your-yubikey-4-or-neo-with-the-windows-hello-app And here's how you get 2FA for Windows with their new software: support.yubico.com/support/solutions/articles/15000028729-yubico-login-for-windows-configuration-guide
So wait a minute you’re cool with using AWS for your cloud storage? I’m trying to move away from them as much as I can because if there is Susie as him about the surveillance state
So a great idea, but could be impractical. If you have one or maybe two sites that absolutely must have Good security, then...For the rest maybe use authenticator
Within seconds of posting this video, a shill already put a thumbs down. LOL. If you're a Yubikey competitor, why don't you send me a review copy of your product instead? Zucked up!
Watch my video on creating 2FA without a phone number. That's my alternate factor. Unfortunately registering multiple hardware 2FA's is not universally allowed (example is Twitter). As this video shows, if you have one form factor (USB-A), you will not be able to reuse the same hardware on a USB-C. If you go to the end of the video, my wishlist was to be able to sync multiple Yubikeys.
So you're saying that we cannot use a Yubikey 5 NFC with Android mobile using a type-A to type-C converter ??
@varun_chunduru No you cannot use converters of USB-A to USB-C. Which makes sense because if you can put one of these on a hub, then in theory you can intercept the traffic.
@robbraxmantech Have you tested it? Using Yubikey (type - A) using converter to an Android mobile??
@varun_chunduru Yes of course I tested it.
This whip smart, honest, humble man is on our side and is working to protect us. Valuable gift to us.
0:47 2Fa
3:36 2 specific uses: 2Fa and static password
3:52 Yubikey and 2Fa
6:20 password manager
9:35 Yubikey on mobile phone
10:40 if you lose Yubikey
11:10 Yubikey and burner phone
11:28 Yubikey and computer: how it works
12:22 Yubikey nfc vs nano version
13:56 Yubikey static password vs 2Fa password
15:00 summarize
Thanks for the video! I have tested a USB A to USB C adapter and it worked on my Galaxy phone just fine for use with Yubico Authenticator. I could also use NFC of course but it is a pain to always have to turn on NFC and try to find just the right spot on the back of the phone that will read the key. Also the Static Password is super easy to set up and use with a user defined password, just choose the Scan Code button in the menu instead of Advanced, choose your keyboard type and then enter your desired password then write to key.
This setup works just fine with my Xiaomi 9T phone.
@ about 17:20 or so: Factually incorrect. I am using my USB C -based Yubikey in my computer with an adapter to fit into a USB A slot. It works perfectly.
Interesting. If this is truly the case then maybe some adapters have compatibility issues while others do not. And maybe Braxman happened to have an incompatible one? I also have an adapter that I may try out. Not sure if there would also be a security concern in the case you buy some shady 3rd party adapters off like ebay that happen to be harboring malicious software.
@StoicSimp My adapter is a standard, plain USB-C female to USB-A male adapter - it's even smaller than the Yubikey (but a bit thicker).
A very good description and use of the Yubico Nano key. I am going to buy this key. You answered the many questions I had as I wasn't sure which Yubico 5 to buy. Thanks
Thank you for watching!
I love this guy. Thanks for all you do Rob. Life changing info on every video.
I LOVE my YubiKey 5 (nfc) used for iPhone X and computers.
You can register more than one USB key to an account and for 2fFA APP you can assign more than one key..
What is “2fFA APP”?
Thank you for the insights, your wishlist is the reason my yubikey isn't used.
Thank you for this video. This was extremely informative, very straightforward and the only video I have viewed on this subject that clearly explains the form factors, their names and respective uses and exactly how it might work (or might not) work with a password manager.
I've been using them since 2017 for online verification and always been able to use multiple Yubikeys with EVERY service that supported them. In fact a minimum of 2 has always been RECOMMENDED in case one is lost or damaged. I question the management of any service that allows 1 but not multiple Yubikeys. I have also been using USB A to USB C and Micro adapters for phone and tablets. If adapters didn't work for you that incompatibility was elsewhere.
He's conflating WebAuthn and/or FIDO2 with YubiOTP. There are services that only allow one YubiOTP entry (though LastPass allows up to five, so it's not a technical limitation), but any that use them as FIDO(2) / WebAuthn allow and even recommend setting up more than one.
I got myself the 5Ci, with a separate USB-C to USB-A adapter (€12) to use it on Mac, iPhone and Windows machines.
Awesome review, not like other sold-out, biased YouTubers that only mention the good things and "forget" the bad, only because they receive free stuff.
If you're going to use the static password facility of the key, you should have a prefix that is NOT on the Yubikey, to which the "fixed" password stored on the key is appended, in case the Yubikey is lost or stolen.
In other words, if the static password is "hd7QWh%^87hd", then make your "master" password something like "6592" (typed by hand) + "hd7QWh%^87hd" (activated by the Yubikey).
Nice idea
very smart! Prevents access by device cloning. 😎
I don't see them giving the ability to sync multiple keys. That would be a security issue because it would make it possible to clone them. The whole point behind the secure element is that it can't be read/replicated once it's manufactured. They could create duplicate physical keys in the factory, and maybe that's something they should offer (like a set of 2 identical keys), but it would really reduce the security if they could be altered after manufacturing.
Not true. You can use two keys at the same time. I have both the NFC YubiKey and the 5Ci YubiKey. Whenever you set up 2FA, you get a QR code from the website. You just scan the code with the YubiKey app, swap your key, then scan it again. Now both keys will have the 2FA codes.
@@marcespina1 what Retro is saying is of course true. He is saying that a private key should never leave an HSM. You are saying that several public keys can be registered as authorized keys to access a service. So you are both right, you are just talking about different things.
@10m00s: You can only use one device with one key on one account. You can't sync multiple different form factor Yubikeys and access the same account via different hardware. Uhh, okay, wow. Thank you for saving me the time and effort!
It's not true; you can set up multiple keys for the same accounts and have them as backups. I don't know where this man got all his misinformation from.
You can register a second physical key. It is great as a backup in case of lost/stolen or damaged keys. (And if you get two different USB types then that solves this issue. BTW, NFC authentication doesn't work with most mobile browsers. Apps only.)
Not every site allows 2 keys. But you're right it only makes sense to allow 2 for backup reasons.
I have the same experience and could live with it, and so I have decided to return the product. It also did not work properly with Android NFC. I will give this another go if they have fixed what you have mentioned in the last section of your video. Great video, by the way.
Thank you. I don't use it much now myself. I'm mostly using TOTP (Authy etc).
The USB-C with a USB-C to USB-A adapter solves your problem; also most apps/accounts support a second / third backup key.
The video is already a couple of years old; he also mentions the hardware should change maybe every year.
Does the Yubikey have upgrades to the software? Who controls the software updates? I know this seems to be the best option in the market, but I am always trying to see any possible vulnerabilities. No, I wasn't born skeptical; well, maybe I was.
I subscribed to your channel. I am using a Yubikey that I just received from the manufacturer. I think that this type of security management is going to be the next BEST thing. I remember when we used some software in a project way back when and it would NOT allow you to use that package w/o the dongle (that is what they were called then), and I thought it was great and a pain in the ass sometimes because it was used on multiple machines, each needing its own expensive key! Thanks for the in-depth review.
Rob, they make a combination Yubikey which has both USB-A and USB-C connectors on the one Yubikey. Moreover, you can program/clone more than 1 yubikey so it shows up as the same key across multiple devices.
Can you provide a link please? I found only combination of usb c and lightning
Sooo if I'm getting this right, if I had 2 Yubikeys and say Yubikey #1 was used for my Google account, if I clone the 2nd Yubikey to be identical to the 1st, and then lost Yubikey #1, I could use #2 in its place for logging in?
@@uniquechannelnames You can't clone Yubikeys. But you can register more than one.
I appreciate your insights. I've been coming across your videos a lot recently as I'm starting to take internet privacy seriously. Byproduct of studying cybersec in preparation to switch careers. Thanks virus!
The other thing I'd add is I agree: don't buy two. The marketing is that if you lose your first one you're stuffed, but if you're concerned and want to start out exactly where you left off: these are factory produced things, so all you do is, with Yubikey #1, get the hexadecimal crypto stuff from the manager, print it off and shove it under your floorboards and hope you never need it. But if you do, just buy another one and put the same hex data in. pwSafe is a good password management option to use with it; it'll do PK authentication, so with your long password in the regular box it's pretty much unbreakable as it's AES-256.
Some apps and websites do allow for registering more than one yubikey. This is handy for having a back up yubikey that you can store.
Nice in-depth review, and dispelling common myths. Here is what I'm wondering: For any account that has a backup 2FA SMS enabled, isn't that still the weakest link in the security chain?
It is, and I hate the use of phone numbers for many reasons to begin with. I have another video on doing SMS 2FA without a phone number. Is that any better? Better for privacy, but someone with access to SS7 hacking can intercept the SMS. The better backup is TOTP (Google Authenticator or Authy).
Consider using a number tied to a web service like Google Voice (no SIM card); this can make it on par with email OTP in terms of security, since someone would need access to your Voice account instead of just being able to scam your carrier into spoofing your SIM card.
Hello Rob,
I realize this video is 4 years old; I just want to know if you have any new opinions on Yubikeys, i.e. are they reliable, user-friendly and, most importantly, which brand you can recommend.
Thanks
Agree with your wish list 1000%
WOW this was a really great video review !!
Thank you. You cleared up a lot of information in an easy to understand manner. I look forward to seeing more of your videos. I've subscribed. R. Varela
Your review lacks demonstrations for completeness. But overall good review, thanks.
Helpful review, I learned a lot. It sounds complicated. It can only store one password? If it is lost, what are the steps to protect ourselves; is there a revocation process?
Thanks very much for this - I'll look up something more recent too but this was a good intro to user thoughts.
Hi Rob, you can in fact use the series 5 USB-A on a USB-C computer, with a converter dongle.
You can use multiple yubikeys. You should have a backup because if you want all the benefits of using a secure key then you ought to be turning off other weaker methods of authentication like cellphone/mobile authentication.
I appreciate the videos, and no, you don’t have to make them shorter. I watch them as you go into depth which is what we need to understand it. I have questions:
1) I bought 2 yubikey 5 NSD
2) Outlook Live was tested first and worked fine after it asked to create a code
3) added 2nd and was fine
4) tried google, failed
5) tried in chrome, failed with endless spinning until it gave a message stating it needed to be plugged in
6) restarted computer, gmail failed again to sync with same errors
7) I have never found anything that explains how many emails you can apply
8) I haven’t found anything that wipes the whole thing to start from scratch or updates that don’t require intense DOS style script for each “applet” where directions are difficult to follow
9) support to LastPass and yubico has been sent and have gotten zero responses
10) how far am I off? Is it a software thing? I saw a video where the thickness of the usb section varied and could be part of the problem, no?
Thanks in advance.
That's a long list! LOL. There's a lot that you didn't read. For example, Lastpass only supports Yubikey using their Premium version. But I don't use TOTP with Lastpass, I just use it as a master password. Which requires some setup.
There are always ways to disengage TOTP from any of those websites. Just remove the 2FA and start again. Many websites don't allow two TOTP devices. If it failed, try it again; something didn't get processed right. For example, if you tap on the device too long. It should be a brief tap. A long tap is considered to be the 2nd mode (which is for a password).
Hey Rob, thank you!
Love your videos. I more or less figured out quite a few of the same concepts myself over the years. The only thing I'd say is there's a lack of open source since, I think, the 3/Neo, and for all the RF stuff they offer, I'm sure a capable chap such as yourself could brush past a phone with near field switched on (for these keys and their convenience) and steal a bunch of creds from the phone concerned. If you build one of those and go to a concert you can walk out a millionaire... Other than that, I do like the things; just switch off NF on your phone.
It would be extremely close and obnoxiously noticeable. Less than 3 inches, and you must also tap the Yubikey button to trigger it. Don't try this near someone's back pocket. If they step back slightly and touch your hand, you may end up being charged with groping and wind up on a sex offender registry. Yes, NFC is that close.
Assuming one could get close enough, how exactly would an NFC-enabled hacking device steal creds from a victim's phone? The two devices need to be configured to trust each other first, no?
I use the Yubikey USB-A and USB-C with their own converters to switch between computer and mobile; it is best used with a 3.0 converter, which will make it work. If using the standard converters that aren't 3.0 then it doesn't function properly.
Thanks for the video!
Sorry but we don't know what back doors are in this product.
AFAIK it is closed and proprietary
You can always use TOTP software like Authy or Google Authenticator which does the same thing. And they're clearly open source.
While this type of 2FA device offers some level of security, it brings a whole host of inconveniences and other issues. I think I will stay with my existing security protocol, with very strong password management with 2FA, and leave it at that!
Just using any Password Manager would be a 10000% security increase for most people
@@nathandrake981 Generally Bitwarden would be considered better as it is open source, meaning anyone can inspect the code.
@@nathandrake981 I use Bitwarden so I'm biased, but it's a great program and I see no real reason why you should pay for a password manager. Definitely go with Bitwarden.
Thanks for the vid Rob.
I have been researching tightening up my security in all areas, and considering Yubikey as well.
I like the idea of using it as a static password for my Mac as well, though it comes to mind: if you were to leave the nano plugged in, or your Yubikey around, and someone managed to get physical access, in the event of a theft, break-in, or confiscation (which I have heard is happening more often at airports now so they can access all your data, but that's a story for another day), isn't this leaving you very unprotected? Seems it would make accessing your computer and files even easier.
I would only use a static password case if I were sure of my physical security like at home. I wouldn't use it in an open work environment.
You can also use the static password and add your own extra characters to the end of it for better security.
There is good reason why you cannot sync or copy to another key, and likewise you cannot copy the same to Google Authenticator. If you could, it would make this whole thing useless because the hacker or someone with momentary access to the key could just steal everything without your knowledge. Instead just add your backup key as a second device to unlock your account.
There should be an adapter over the top of USB-A, that can be USB-C or Micro USB. This way you have all of them.
I’m not sure you accurately described how it works according to a video explaining the U2F protocol. The device does more than act as a simple keyboard macro, according to other sources.
I'm pretty sure google lets me use multiple FIDO U2F keys.
Thank you Rob, this is a great review
Thank you for watching!
At 16:19, I don't think this statement is quite accurate. For websites that support U2F (e.g. Google) or Yubico OTP (e.g. LastPass premium), you can configure multiple Yubikeys for the same account.
Similarly for OATH OTP (which is what app-based 2FA uses), you can configure multiple Yubikeys for the same account by registering the same secret key multiple times. The easiest way to do that is by using the Yubico Authenticator app, which works just like other 2FA apps, but stores the secret keys on your Yubikey. If you want to be able to add additional Yubikeys for 2FA later, you can take a screenshot of the QR code, print it out, and store it somewhere safe.
Obviously that's not super convenient, so ideally more websites will support U2F and FIDO2 in the future.
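The two enrollment models this comment distinguishes, as an added Go example that is not code from the video, the commenter or Yubico: a TOTP seed that every device holding it computes the same code from (RFC 6238, checked against its published test vector), versus a FIDO U2F/WebAuthn account that simply stores one public key per registered key, so a backup key is a second registration rather than a copy. The seed, challenge and type names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// totp implements RFC 6238 (HMAC-SHA1). Any device loaded with the same seed
// computes the same code, which is why the same secret can be enrolled on two keys.
func totp(seed []byte, unixTime, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Authenticator models one FIDO key (constructed type): the private key is
// generated on the device and never exported, so it cannot be "synced".
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:]) // only the signature leaves the key
}

// Account is the site's view (constructed type): a list of registered public
// keys. A backup key is just one more entry; nothing is copied between keys.
type Account struct{ creds []*ecdsa.PublicKey }

func (acct *Account) Register(a *Authenticator) {
	acct.creds = append(acct.creds, &a.priv.PublicKey)
}

// Verify accepts the login if any registered key signed the challenge.
func (acct *Account) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	for _, pub := range acct.creds {
		if ecdsa.VerifyASN1(pub, digest[:], sig) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 6238 test-vector secret, not a real key.
	seed := []byte("12345678901234567890")
	fmt.Println("key A:", totp(seed, 59, 30, 6), "key B:", totp(seed, 59, 30, 6))
	primary, _ := NewAuthenticator()
	backup, _ := NewAuthenticator()
	var acct Account
	acct.Register(primary)
	acct.Register(backup)
	challenge := []byte("constructed challenge from the site")
	sigA, _ := primary.Sign(challenge)
	sigB, _ := backup.Sign(challenge)
	fmt.Println("primary:", acct.Verify(challenge, sigA), "backup:", acct.Verify(challenge, sigB))
}
```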
Do sites where you use a Yubikey store data about your fingerprint if you use a biometric key/ phone if you use an NFC key? i.e. would Amazon be able to see your fingerprint/ IMEI of your device if you were to use these keys to log in? Also, does Yubikey themselves collect any sort of data via these keys?? Heard a lot of these 'third party authenticator apps' mine a bunch of personal data.
LOVE your vids Rob. Greetings from the UK!
Thanks good review
You'd think that a fairly simple solution to USB-C / USB-A would be to have both types, one at each end. Then you use whichever one you like.
Which I thought they did, but that was 5C and Lightning (Apple)
Hi Rob, I have the Yubikey 5C and 5 NFC. The Yubikey 5 NFC works fine on my laptop, but the Yubikey 5C does not work on my Samsung Tab A nor my Samsung A40 smartphone; it either takes too long to load or does not recognise my Yubikey 5C at all. I am a disabled person who uses social media often and I desperately want to use Yubikey on all my devices. Best wishes from the UK.
My Yubikey is of USB-C form factor and I simply use a C-to-A adapter to make my key fit any device I may use.
Perfect review
thank you!
I mostly use another email as my 2FA. It's a pita, but judging from the comments it sounds like Yubikey could be a bigger pita.
I have been using a yubikey daily for years; they really are nice. This video doesn't cover all the features; and the best ones are for holding gpg keys. Generate them offline, put subkeys on the yubikey; then password store can just be gpg encrypted files. There are even front ends for doing this called "password-store" - much better usage than the "fixed password" use; I have that totally disabled. GPG is a much better password manager
In another video you asked why everyone is so interested in Bitwarden now. I would like to suggest, although I may be wrong, that it is possibly because of the recent surge in interest in cryptocurrency and hence A. Antonopoulos's channel; in his Ledger hack/cyber security videos they mention Bitwarden as one of the main open source password managers.
very useful summary, thank you so much
Excellent review! Thanks!
Good review
You can use OTG to convert USB-A to USB-C or Lightning.
Have you looked into the Ellipal Titan? Let us know if they will comp you one for a review on a new video. Thanks, great content.
Very detailed video. Thanks!
You said you can only register one key at a time and you need to use either USB-C or USB-A. But I just got two Yubikey 5 NFC USB-A versions, and the services I've tried so far have let me register both keys, and it worked on my phone both with NFC and using a USB-A to USB-C adapter. Did you mean the adapter is a security flaw, maybe?
This is an older video. This has been changed.
@@robbraxmantech ah :) damn fast response btw. 🤘🤘
2FA is a second method of verifying your login details are correct, not necessarily your identity.
This is mostly old information. For up to date info on yubikey look at more recent videos. In 2024 things have changed regarding this security key and points made on this video.
Thank you, very informative video.
Thank you!
I need to know if it's made of metal, that's a make or break for me
But if a Yubikey is nominal, the login data goes to the Yubico server; they know every login we make and on which site, and IP, etc.
Sir, in your opinion do printable backup codes make an account protected with security keys more vulnerable? For example, Google back up codes are only 8 digits.
It's not the code length. It's that if someone manages a password heist and logs in once, they can copy codes and use them in place of 2FA and lock you out of your account if they so choose. I had my Comcast Xfinity account hijacked by a PI due to their poor security practices. I then had 2 different Gmails hijacked that were used to impersonate me while I am locked out of them. That is beyond the scope of a normal PI. It's just creepy, but consider that in order to do that job you have to have no ethics anyway...
I appreciate your review. Does it work with Yahoo?
Do you know if consumers can use the 5C FIPS series keys? I'm wondering if the regular 5 NFC series differs from the 5 FIPS series other than the added level of security on the FIPS. I ask because I'm wondering if, let's say, you want to secure your Gmail account with the regular 5 series, can you also do it with the 5 FIPS series? Or are most accounts the average user utilizes only compatible with the regular 5 series and not the FIPS series? If I can still use the FIPS series that has government level 3 encryption vs. the regular 5 series, which only has level 1 encryption, then I'd rather just make the investment and pay slightly more for the FIPS version and get added security, but I'm not sure if it's ONLY for government use or whether regular consumers can use it too, and for the most part it would still function like the regular 5 series but with the added protection? Thanks for making your content; it's valuable in today's digital world 👍❗
It would be nice if you could do an update on that. So many sites now ask to take a pic of an on-screen QR code as a 2FA method; can this be done with the Yubikey, and is it as safe?
If you leave this in your computer and step away, can't I pop it in my computer, steal your master password, and put it back?
I don't know about a PC, but I AM able to use USB-A to Micro converter for the Yubikey 5 on my Samsung 10 tablet. -->CableCreation Micro USB 2.0 OTG Cable Flat On The Go Adapter Micro USB Male to USB Female for Samsung S7 S6 Edge S4 S3 Android or Other Smart Phones Tablets with OTG Function 6 Inch, Black ON AMAZON
Aaand why exactly can't you "use a converter" to connect USB-A to a USB-C port, for example? Yubikeys are all electrically USB 2.0 devices (you don't need speed here at all); the connectors are different, the protocol is the same. Even more, you can connect a USB key... to a phone! Phones have had USB host for years and adapters are available too.
Can the clipboard be compromised or reviewed afterwards?
If you said most systems default to email or text when you lose the key, then how safe is the key if email or text can be hacked? I would think it should be key or backup key or nothing. Please let me know how to protect against a hacker that can claim they lost their Yubikey?
Wait, you're telling me that these keys don't work with adapters? I saw a video with the YouTuber using an adapter for his Type-C key to plug it into his PC. I need to check that with my keys.
this is an old video. So adapters have improved
Great review. Do you know if the USB C key has the option to configure 2 static passwords. BTW have you figured out how to configure your own static password?
I don't know if they've changed the software since, but at the time I made the video, you could only configure one additional use (static or TOTP). The way it works is by touch time. If you touch it for a few seconds it is mode 1. Longer (10 seconds or so), then you get mode 2. So if you use a Yubikey for static only, in theory you can get 2 static modes. Or 2 TOTP modes, or any combination of 2.
Can you insert this into an android cellphone?
On new Yubikey models yes. This is an old video
What about Nitrokey (Opensource)?...
> If you're using Yubikey on your Windows computer that has a USB A and is semi-permanently plugged in there like the nano here, It's not gonna work with another computer that's only using USB C like the new MacBook.
Umm, No you can. Maybe your USB-A to USB-C adapter is just broken (assuming you really did test it). I use both systems for work (Mac OS and Windows 10). And I can 100% confirm it works (Yubikey with USB-A using an adapter to USB-C for Mac OS). I use it on a daily basis.
-----
You can use 2FA on Windows login via Yubico Login for Windows. It's a direct replacement for the "Windows Logon Tool", which also replaced the YubiKey for Windows Hello app. That was sunset around September 2019, 5 months after this video aired. 🤦🏻♂️ So I'm not sure which tool Rob is saying was deprecated at the time of this video recording, where clearly Yubico released 3 different apps to use for Windows logins for 2FA, albeit it's for local accounts.
Link of the article: support.yubico.com/support/solutions/articles/15000006472-using-your-yubikey-4-or-neo-with-the-windows-hello-app
And here's how you get 2FA for Windows with their new software: support.yubico.com/support/solutions/articles/15000028729-yubico-login-for-windows-configuration-guide
update? vs solo or any key? verify they don't go online?
So wait a minute you’re cool with using AWS for your cloud storage? I’m trying to move away from them as much as I can because if there is Susie as him about the surveillance state
Great explanation ✅✅✅
Do you have any password manager recommendations?
What about OnlyKey?
So a great idea, but could be impractical. If you have one or maybe two sites that absolutely must have Good security, then...For the rest maybe use authenticator
But if all the Yubikey does is type the word, wouldn't a keylogger still be able to hack it?
It's a TOTP: Time-Based One-Time Password. Since time is not constant, the password changes every second.
I have two yubikeys for 1 website. Synch is possible.
Thanks
Welcome