Biggest obstacle is that it's not widely available in most of the countries! Moreover, govt. in those places can ask operators to share SMS or force you legally to unlock your phone :)
@BlackLivesMatter We can't refuse legally. That's why U2F is very important for us, yet its availability is close to zero. Even if we order online, the price goes very high because of the shipment cost and unbelievable tax rate.
This is why I'm hesitant to make the switch… I need my security to be discreet. Besides, I'm too worried I'll misplace it on a busy day; I can't keep up with putting it back in its rightful place.
That's a fair point. Nothing is foolproof. The reality is, if someone wants to get you, no matter what walls you put up, they will find a way around, but we should at least step back, reflect, and make an effort to prioritize security because we may not know what threats lie ahead, and we should weigh up the pros and cons for each setup based on the threat models in our heads to ensure our safety.
Switching off a phone entirely for a year has been difficult. I argued with the bank to remove the cell number they have on my account or disable 2FA, and they just wouldn't, and ultimately I was left with just freezing the account entirely.
You should do a Yubikey guide; it's a pain in the ass to understand everything about it. Just opening the Manager (PIV, FIDO, OTP), the PIN, passwords, opening the Auth App, and more stuff, it's a mess!!! Understanding the two Yubikey apps. This video is useless until you explain all that, showing those two apps.
I got a Yubikey 5 NFC recently, really just out of curiosity, and your comment really hits home. It's remarkable how complicated the learning curve is to using it. Here I was thinking the whole point was to make 2FA easier. And given it was potentially going to be a critical link in my security processes, I feel like I need to absolutely understand every aspect of how it works before I could ever really use it for real-world security. Following just the simplified guides for basic usage felt like I was trying to set up a home network server accessible to the outside internet without the faintest understanding of all the security implications. Then I thought, maybe I'll just use it for TOTP only, but I couldn't get Yubikey's authenticator app to work on my custom ROM due to some missing OS function. So then I thought, maybe I'll just use it to unlock my KeePass. And that became a massive learning curve in itself, and I couldn't get the same functionality working on both desktop and mobile so that the same database could be used. At this point it's really just gathering dust until one day perhaps I'll investigate again - maybe on a new phone or a new KeePass app or some other situation. At this point I'm kind of thinking its only purpose could be to just store it somewhere as kind of a key to some master set of instructions on how to decrypt my life that I can leave to my loved ones in my will.
My Acer Predator Helios 300 2018 has 3 USB-A ports, so it's not impossible. It also has Ethernet, USB-C and SD card slots, plus a feature Apple removed, much to many people's dismay, although I'm not too fussed: the beloved headphone jack 😁
What I really don't like about the Yubikeys and basically all of the other U2F devices is that you cannot back them up. So you have to buy and register multiple devices for each service to be safe, which is both annoying and expensive. With Trezor I can use it for U2F and restore it with the seed phrase if needed. But for that I have to carry around a bigger and more complex crypto wallet. Why is no dedicated hardware key doing something like that? Is there any other device that supports backup and restoring? Preferably some small, dedicated hardware key like the Yubikey Nanos. I did not find any so far.
Appreciate the detailed breakdown! 🧐 Just a small off-topic question: 😅 I have a set of words 🤷‍♂️. (behave today finger ski upon boy assault summer exhaust beauty stereo over). How do I use this? 🤨
I've been using Yubikeys for over a decade now. While I am not particularly a security enthusiast, I find them to be extremely convenient, especially when traveling to countries where you might not have your phone number. Getting locked out of your email because you don't have your phone # is not a good time. But also having a key that only I have access to makes things quite nice. I wish banking institutions would allow me to use it. As of now, my banks are my weakest links when it comes to 2FA.
Good question! Ahead are my personal takes on this. The key is meant to be something you 'have' - and then passwords and usernames/emails are something you 'know'. On paper, because you need both forms of authentication for 2FA, there's no inherent risk if someone only obtains one. If someone steals your laptop with your key inside it, assuming your laptop has a strong password + full disk encryption, there's very little anyone could do, as they wouldn't be able to retrieve your passwords, emails, and/or session cookies from your browsers (which are required alongside your security key). Even if someone bypasses your computer login, there are further precautions in place for the above risks, like clearing data from your browsers on exit, and ensuring you're using a safe password manager with a strong master password.

TLDR:
- In my eyes, keeping the key plugged in is ever so slightly less secure, in exchange for a massive bump to convenience - which for me means it stays in my laptop - but this'll depend on your threat model 👍
- It's much more important for most people to layer up their security than to be stressed about where their Yubikeys are being kept. This means: full disk encryption, being aware of data being stored by your browser(s), ensuring you have a strong login password, having a backup security key in the event the one in the device is stolen, and using a strong password manager with a strong master password!
- Do your best to ensure that something you 'have' and 'know' are not easily obtained at the same time from the same incident, and be ready to layer up to ensure this.

A fun game to play is to think over scenarios of people gaining access to certain things. Example:
- IF an attacker steals my security key with my laptop, THEN I will be safe because they'll need to bypass my device login and full disk encryption
- IF an attacker manages to bypass my login and gain access to my OS, THEN I will be safe because my browsers clear data on exit, and my password manager is locked behind a secure password
- IF an attacker manages to gain access to my password vault, etc.

Just keep in mind the more 'ifs' you implement, the less likely it is to happen, but hopefully this comment adds some perspective on the question you're asking. No, I keep the Nano plugged in all the time.

Another tidbit: you can set up a PIN for your security key that some sites will respect. So even if someone steals your key and your laptop and they have your creds, you can still require a PIN to use the key.

Edit: Yubikey also offers biometric keys as well to kind of address this problem. -H
@@techlore - thank you for the detailed response. I agree. They would need physical access to the device AND know the login to that device. For me, I’m less concerned about the device itself and more about stopping access to information/data like my Microsoft, google, 1Password, proton account settings. The goal would be to stop account take over or even worse, permanent lockout even if a device is stolen or compromised.
@@techlore The hardware key is the thing you have to secure some service, not your laptop. It seems like if they have your key it would be like they have the SIM from your phone.
@@techlore thank you so much. Watching now. I’m definitely buying some yubikeys. I’ve been wanting to do it for awhile now and it’s good to hear your thoughts on it.
First thought after the first few seconds was "again?" These hackers ain't getting any more out of an emptied account and widely abused and banned user profiles, so just like artists losing to A.I., they better adapt.
Thanks for putting in the effort and extra demonstration in this fairly informative video; I added it to the top of my 2FA topic playlist, which I might show my sister later. Anyways, liked and subscribed 👍
@@hellouser5498 Phones have a similar feature called Passkey but Passkey is a software solution. When your phone is infected, the keys could be stolen. This can't happen with a physical security key.
Where is a website with all the information needed explaining this? I see many videos of parts but not all. One video seemed to say non-compliant devices will be locked out, but using the key on a compliant device will give all devices access?
I recently updated my phone since it forced me to do so, but when it finished updating, all of my photos, videos and apps I had downloaded were all gone, including the authenticator. I used the authenticator for Roblox for my account login, but now that it has been deleted, I can't log in nor find the exact authenticator I used. I tried setting the login code back up on other authenticator apps, but it didn't work. So now I can't log in to my account anymore. Can someone help me?
YubiKeys demonstrated in the video are closed-source security keys; however, you can buy an open-source alternative such as Nitrokeys and Solokeys for around the same money.
@@rashidismail9537 So for Google Titan: they are great, very well put together and established security keys, and work well with Android devices, but I believe they are closed source (someone correct me if I'm wrong). I was looking at them for purchase when I was shopping around for U2F keys; however, shipping options outside the US are spotty at best, meaning to get hold of one outside the Google store you would need to purchase it off eBay, for example, and we all know how sketchy that can be in relation to tampering. As for OnlyKey, I researched it as I had no prior knowledge of them, but they seem to be more geared towards tech professionals like developer types. Features include a PIN code for U2F with a self-destruct PIN code, as opposed to just tap and in, so that's pretty sweet; however, they cost nearly $200 USD. That being said, though, they are open source and store passwords too, so it's not all bad news.
What’s weird here to me is why you would use an external security key over something like Passkeys. I have multiple security keys which I use weekly, but I use biometrically protected Passkeys wherever supported
@Techlore - Thanks for another great piece of assistance in security management :) One question about software updates: does the HW key or the OS service require updates, since that is also a security vulnerability? By OS service I mean the code that transports the "public key" and the "location of the private key on the HW key" between the app/site and the USB connector, on registration and login sequences.
I tried the most well-known brand of hardware key ten years ago. The main key failed after three weeks of being carried around on my key ring. Just failed, for no reason. That is not reliable enough. Never had a phone fail on me.
Do you have a video on having multiple 2FA and using the others as backup? Say hardware keys are your active 2FA, meaning the only one you use, and you lost your hardware keys, but fortunately you’ve got your TOTP Authenticator code backed up in a location that doesn’t require the use of that hardware key. My thought being that you have multiple 2FA, which seems less secure, but if you aren’t using the other ones it lessens the possibility they are compromised. Instead just have them stored on an encrypted USB or in a veracrypt folder on the cloud (your thoughts on the security of this too?) for the day all your hardware keys are lost. Realistically I don’t see why having more than one backup 2FA is necessary if you would be storing that 3rd 2FA backup in the same secure place. Or any other thoughts on this, best alternative backup 2FA (might depend on the 2FA offered by each service). Basically any video you can point to where you talk about using multiple 2FA and your security thoughts on this. Thanks!
I bought my 2 Yubikeys back in 2021 and I love them. I really wish BANKS WOULD GET ON THEM MOST OF ALL; it boggles my mind how this is not a thing. I use them everywhere I can and I always disable all other methods like SMS and TOTP if I am allowed to, like on Twitter. UA-cam should also force you to authenticate with 2FA when making important account changes like changing the channel name or modifying 2FA itself. Coinbase does this, and it is strict about it too: even changing my password, I have to authenticate the change with my Yubikey, and I love it. The same thing happens with changing your email for Coinbase.
Why does Instagram not have the option for Yubikey or for any physical hardware token form of 2FA? It’s very weird considering that Facebook has this option and both companies are part of Meta.
Why would you keep one key in your wallet and another in your laptop? Surely if the one in your laptop breaks you wouldn't need the backup that urgently? Also, wouldn't that be a problem if you fall into water? You'd think you should just keep one at home. idk tho
Security requires something you know, have and are -- each and every time. Authenticator apps and keys are only as secure as your phone and key. Therefore, you MUST enable a solid 6-digit PIN to use every time you log in to each and every account. Otherwise, you're short-circuiting your own security.
Know: PIN
Have: phone, key
Are: fingerprint (record multiple from both hands)
SMS is absolutely NOT secure. TOTP is not as secure as you think! If someone were to sit down at an unlocked computer with TOTP, they would have access to the authenticator.
I'll look into these more. I use a password generator and have generated passwords for every account I have, but everything is in one encrypted file across 3 of my devices. It supports having a security key, but it's a digital file you can put on a flash drive, so it's not as convenient as just tapping the end of the key.
I have three FIDO devices I got years ago; I get them out now and then for another shot... always too much of a PITA. Now if there were a password manager that used U2F to effectively U2F-enable all the sites I use, I guess it may be OK. A couple of mine do Bluetooth, NFC and USB, but never really worked with Android - and I only recently got a phone that does NFC.... Maybe time to dig them out again!
If I lose my hardware key is there an option to switch over your old credentials from the lost key to a new hardware key over the internet? Otherwise, revoking the old key and adding a new one in all my websites will be a tremendous headache. I know we will have a backup key as well, but we still have to revoke the lost key on all the websites.
Best option but just another thing for me to lose. It and the backup, which is barely useful since many sites don't support it and just forget any financial institution.
@Techlore: The Nano can be used in a Pixel 6a, right? Plugging it in with the sensor up or down, right? Can someone tell me if it fits into the cutout at the USB-C port of the Otterbox Commute? Otterbox could not tell me even though I provided the exact dimensions 🙄
Since the Nano is USB-A, you can use a USB-A to C connector that's the size of a small phone charger cable, and it should fit through; that's what I use for my 2FA keys.
No, the yubico app merely displays what is on the key. Without the physical key the app has no information to bring up. Nothing is saved on the app itself
ua-cam.com/video/epiduqAStlE/v-deo.htmlm59s We directly touched on this on our recent Techlore Talks if you want to see our thoughts. It's not that simple. 🫡
@@tjgdddfcn - It would, but the point of 2FA is that passwords are hackable, hence the need for the second physical layer of security. But, when you're providing the physical layer to the thief, then you might as well just use a password and not bother using the physical layer. It's like having a security door that uses a keypad, and you go "That's not secure enough, because someone could figure out the security code, so I'm going to add a physical key lock to it too, so that you have to have the physical key and the security code to get in." Then, it becomes inconvenient to keep the key on your keychain and digging it out every time you want to open the door, so you just start leaving the key in the lock. You've effectively downgraded your 2FA back to just needing a security code to get in.
Yes, it does still work if you have a USB-C key, and even a USB-A to C adapter to plug in; however, support depends on the service you are using and how well they have set it up.
@@_modiX No problem, happy to help. If you need a personal recommendation on security keys, I'm running the Nitrokey 3A NFC for my accounts that support it. In comparison to Yubikeys they are open source, if you value checking the code, and are also FIDO2 certified, plus you can attach them to a keychain as well 😁
This is a nice summary, but I'm surprised that you felt comfortable releasing a video of this quality. The consistently repeated speech-errors are unprofessional. Given that it is such a short video, it seems like a candidate for re-recording. Just say all the same things, but "U2F".
@@Eeeeejjejsud7372 My issue is my bank is either SMS or their own proprietary software authentication app. I don't want to have so many auth apps on my phone; I'd rather have either a physical key or have it be compatible with other apps and not force me into their own.
I don't get it. 1. If you are still entering a password, how is it better than a password? 2. If a touch is all it takes (and not fingerprint/PIN), what prevents it from being stolen and used?
No, that's not correct reasoning for number 2. I found the correct answer elsewhere. A touch of the HW key alone is not sufficient to use the key. The key has an associated PIN which you need to enter on every use. So even if a bad actor steals your key, they cannot use it since they won't know the associated PIN.
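Added here as an illustration, not code from the video or from Techlore, Yubico or the FIDO project: the thread contrasts TOTP (whose secret can be backed up anywhere, precisely because the secret is the whole credential, as the Aegis and "backup in the cloud" comments note) with a hardware key, and the exchange just above asks what stops a stolen key from being used and how it beats a password. This Python model shows both sides. `totp()` is the RFC 6238 computation. The `Token` and `RelyingParty` classes model the U2F flow: one key pair per origin and registration, the private key never leaving the token, a touch requirement, a PIN that is enforced whenever one is set on the key (real FIDO2 sites choose whether to ask for it), a signature counter, and a website that stores only public keys, so a copied user table or a look-alike domain gets nothing. Everything else is an assumption: the 127-bit Mersenne prime and the Schnorr-style signature are toy stand-ins for the ECDSA P-256 a real token uses, and the origins, user name, PIN and class names are constructed.

```python
"""TOTP (shared secret) beside a U2F/FIDO-style key, as a constructed model.
A Schnorr-style signature in Z_p^* with a toy 127-bit prime stands in for the
ECDSA P-256 a real token uses; nothing here is Yubico's or FIDO's own code."""
import hashlib
import hmac
import secrets
import struct

P = 2 ** 127 - 1            # Mersenne prime M127: toy size, not secure for real use
G = 3                       # fixed base; exponents are reduced mod P-1

def totp(secret, unix_time, step=30, digits=6):
    # RFC 6238. The secret is the whole credential: anyone who copies the
    # authenticator's database (or the server's row) can compute every code.
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % (P - 1)

def sign(x, msg):
    # Schnorr: commit to a nonce, hash it with the message, fold in the private key.
    k = secrets.randbelow(P - 2) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k - x * e) % (P - 1)

def verify(y, msg, sig):
    e, s = sig
    return _challenge(pow(G, s, P) * pow(y, e, P) % P, msg) == e

def _signed_data(origin, counter, challenge):
    # What the token signs: origin hash + monotonic counter + fresh challenge.
    return hashlib.sha256(origin.encode()).digest() + struct.pack(">I", counter) + challenge

class Token:
    # Hardware key: private keys never leave it, a touch is always required,
    # and a PIN is required only when one has been set on the key.
    def __init__(self, pin=None):
        self.pin, self.keys, self.counter = pin, {}, 0

    def register(self, origin):
        x = secrets.randbelow(P - 2) + 1
        handle = secrets.token_hex(8)
        self.keys[(origin, handle)] = x         # one key pair per origin and registration
        return handle, pow(G, x, P)             # only the public key leaves the token

    def authenticate(self, origin, handle, challenge, touched=True, pin=None):
        if not touched:
            raise PermissionError("touch (user presence) required")
        if self.pin is not None and pin != self.pin:
            raise PermissionError("PIN (user verification) failed")
        if (origin, handle) not in self.keys:   # a look-alike origin has no key here
            raise KeyError("no credential for this origin")
        self.counter += 1
        data = _signed_data(origin, self.counter, challenge)
        return self.counter, sign(self.keys[(origin, handle)], data)

class RelyingParty:
    # The website: it stores only public keys, so a stolen user table is useless.
    def __init__(self, origin):
        self.origin, self.accounts = origin, {}

    def enroll(self, user, token):
        handle, pub = token.register(self.origin)
        self.accounts.setdefault(user, {})[handle] = {"pub": pub, "counter": 0}

    def login(self, user, token, touched=True, pin=None):
        challenge = secrets.token_bytes(32)
        for handle, cred in self.accounts.get(user, {}).items():
            try:
                counter, sig = token.authenticate(self.origin, handle, challenge, touched, pin)
            except KeyError:
                continue                        # that registered key is not the token presented
            data = _signed_data(self.origin, counter, challenge)
            if counter > cred["counter"] and verify(cred["pub"], data, sig):
                cred["counter"] = counter       # a counter going backwards would mean a clone
                return True
        return False

def demo():
    # Scenarios raised in the thread; returns which logins succeed.
    site = RelyingParty("https://example.test")             # constructed origin
    primary, backup = Token(pin="1234"), Token()            # constructed PIN
    site.enroll("alice", primary)
    out = {"primary_touch_and_pin": site.login("alice", primary, pin="1234")}
    out["backup_never_enrolled"] = site.login("alice", backup)
    site.enroll("alice", backup)        # each backup key must be registered with each site
    out["backup_after_enroll"] = site.login("alice", backup)
    try:
        out["stolen_key_wrong_pin"] = site.login("alice", primary, pin="0000")
    except PermissionError:
        out["stolen_key_wrong_pin"] = False
    phish = RelyingParty("https://examp1e.test")            # look-alike origin
    phish.accounts = site.accounts                          # even holding the real user table
    out["phishing_origin"] = phish.login("alice", primary, pin="1234")
    return out
```

Run `demo()` to see the five outcomes: the enrolled key with its PIN logs in, a backup key fails until it is registered with that site, a stolen key without the PIN is refused by the token itself, and the look-alike origin gets no signature even with a copy of the real site's account records. The `totp()` function is the contrast: its input secret is all that an authenticator database (or a cloud backup of one) contains, which is why it can be restored anywhere and why it must be protected as carefully as a password.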
Let me see you SIM swap my email. Just send the code to the email instead of a phone company not smart enough to not swap you with someone that's not you.
OK, break your 2FA key, all of them: can you get in your accounts? No. Lose your iPhone OTP? You just sign in to your iPhone. Plus the iPhone version in Settings is more secure: you must have your Face ID unlocked first to use it, then it auto-fills, boom, much better. Plus Apple locks OTP down great.
It is one of the main disadvantages of Yubikeys. However, most if not all services that give a 2FA option, also give you back-up codes in case you lose your 2FA authentication method.
I'm hoping Proton will add the security key for the phone as well. Currently you can only use the key on the computer. And yes, you need extra keys; we have 4 in our household.
Really funny because 'U2F' is one of those words you only read and never have to say - well I just consistently said it wrong the whole video :P Enjoy the review/coverage!
*➡If you like our content, join our Patreon, it's one of the best ways you can help us spread privacy & security to the masses:* patreon.com/techlore
U2F is terrible: easy to steal, easy to make it so you lose access to your accounts forever.
TOTP solves all of this in better ways, I can have a backup somewhere online and no one would know. Even if the glowies raided my house and destroyed all my equipment, I would still have access to my accounts and data.
The same just isn't the case for U2F
It would be really nice if you actually said what U2F stands for. I know MFA is multi-factor auth, 2FA is two-factor auth, but I actually had to look up U2F because I haven't encountered it before.
(For those reading this that don't know, it's Universal 2nd Factor.)
@@kpieckiel 🙏
Absolutely love security keys and the peace of mind they provide. However it baffles me that every bank I have only allows SMS verification 😒
Yes, banks need to get their act together. Problem is people won't pay the money for a security key.
A couple of banks in the UK still use the key where they send out a 6-digit code to a little plastic thing that you put your PIN into, but they're reluctant to use them. Like a little mini pocket bank. I'm totally up for getting security keys.
In case you haven't noticed, banks are pros at placing the blame for their sloppy security on you. Everyone who has had their account hacked receives nothing but blame from the banks. It costs money to put real security on your accounts; it's cheaper to take the loss and have the banks' lawyers find a reason you're at fault. Kind of like the Ford Pinto scenario: Ford knew how many people would likely die from their poor design but took the risk (with the purchasers' lives) instead of fixing the safety issue.
Not the banks in South Africa - they use App Authentication etc. no SMS
Banks are the bedrock of capitalism so it only makes sense that they won't spend money doing something unless it makes them more money back than they spent ...
I bought 2 Security Yubikeys, because they fit my threat model. I still struggle with the "management" part but I'll get there; it's just a matter of finding the more intuitive arrangement, but overall I like this solution a lot. The irony is the few services I use that accept hardware keys are the (only) ones that accept TOTP. It's all or nothing, so I've decided, whenever it's possible, to delete accounts or services that don't offer at least SMS 2FA.
Thanks a lot for your video, and all your work :)
Well, U2F is so expensive, so Aegis 2FA is still a chad for security.
Also, Aegis you can back up at will and the DB is encrypted. If someone has your password and manages to steal the DB files without that PW, they are SOL. With this, if someone has your PW and they steal this device, one tap and they are golden. I will be sticking with Aegis.
Def Aegis is based, and I also have a Yubikey and have used my Flipper Zero also as a hardware key; I can also put a password on the key as well.
It's based, but I understand that it can be expensive for some.
@@phukhue289 yes v based
definitely a chad
But then Aegis is Android only, so... Sorry
I appreciate the usage of the term “hardware key” all over this video instead of saying a singular brand like many do.
Yeah, absolutely, we got to keep competition alive and well; there is more than one security key manufacturer 😀
@@DEFECTEDSTREETRACER Which ones? I've literally only ever heard of Yubikey lol
@@3nertia
Solo security keys
Nitro security keys
Titan security keys
OnlyKey security keys
Personal recommendation is Nitrokeys, specifically the Nitrokey 3A NFC: open source and future-proofed 👍
@@DEFECTEDSTREETRACER Thank you
This is a great video. I was not fully aware of how U2F/Hardware keys work. After watching this, I would seriously start considering them. Thank you!
I wish their keys were made of durable materials or that they were honest with clients and tell them: “don’t store these with your keys in your pocket”
Why should you not keep them with your keys?
@@sibu7 because the Yubico keys are easily scratched. The USB type A keys do not have a shield and over time they wear out and have to be replaced, and they aren’t cheap. Mine doesn’t work reliably, I have to get a new one.
@@hugoedelarosa Amazon sells covers for the keys.
U2F is nice, but personally I would only recommend it for business, including working for yourself. TOTP is frankly more than enough.
Yubikey has a 2fa app. The info is kept on the key. If someone can open the app they will find nothing.
4:53 limitation #3, this is the main reason why I haven't switched to these. I'm thinking of the disaster scenario where my house (and Yubikey) gets destroyed in a tornado. Keeping a backup key at a friend's house isn't a good idea because that would require having a friend, you'd have to retrieve it every time you update or create a new credential, and what if the tornado hits his house too? I've set up as many of my credentials as possible using zero trust, like my password manager. So if I lose the password or 2FA there's no way the service can let me back in. Having a weaker backup authentication method defeats the purpose of using the Yubikey in the 1st place. So, I've stuck with TOTP codes that I have encrypted backups of in the cloud. If an asteroid destroys my house and the cloud, then I've got bigger problems.
Back-up #1 stays in our fireproof safe (~$75), Back-up #2 stays in my Mom's safe (~100 miles away), Back-up #3 stays on my wife's keyring.
The hassle of updating back-up #2 (at my mom's) is definitely something to contend with, but... security > convenience
@@soy_terrible And remember that everytime you create a new account for another website you need to manually add the backups to the account as well (hopefully supported). And whenever you lose one of the keys you'll need to add the replacement to each of the existing accounts. I can only imagine how painful this would become in terms of support requirements to help people get back access to their accounts if this were to be embraced by the general public in terms of support required as barely anyone would even consider going to the lengths you describe.
@@heymaumaumau You're completely right, but I stated your mindset has to be security > convenience. Most people don't care enough about security to even enable SMS 2FA, until they are forced to. And even then, they moan and groan about it. How do I know? I work IT for a private school and cover multiple trainings about privacy and security. Of the ~300 employees, less than 10% have actually made changes to the way they manage online accounts. And I'm giving them free and easy-to-implement tools. Your scenario of "support requirements to help people get back access to their accounts" is a nonstarter because people watching this video or actively seeking this information that decide to use hardware security keys are very unlikely to be people who need help recovering accounts. Hardware keys will never be embraced by the general public, at least not in this current iteration, because it's too inconvenient.
@@soy_terrible I agree with you as well for the most part; I guess the difference might just be determining where "security > convenience". And in my case, whether the inconvenience of the steps one must take to avoid getting locked out of an account in the event of losing a hardware token is worth it compared with the additional security of having those hardware tokens in the first place. At least now, with standardization of these hardware tokens, hopefully each org that starts requiring their use doesn't require people to carry their own unique one anymore, allowing people to avoid having to carry separate tokens for each of the important accounts they may want to be able to access on a daily basis, if they want or need to rely on these tokens for additional security.
In my personal case I already use a security key for work, but I'm still on the fence about whether it's worth it using for my personal accounts as well. I guess I'll wait a bit more and see how this ends up being adopted by the services where I have accounts and how they handle loss of keys.
@@heymaumaumau I’m going to use Proton Pass where I keep all my passwords and accounts. There’s also 2FA baked in, as well as the ability to register passkeys directly to the accounts that support it. To log in to my Proton Pass I use my Yubikey. Problem solved, at least for me.
Henry, you are GREAT at this. Thanks for this helpful info. I look forward to your review(s) of the open source alternatives to Yubikeys.
Biggest obstacle is that it's not widely available in most countries! Moreover, govt. in those places can ask operators to share SMS or force you legally to unlock your phone :)
@BlackLivesMatter We can't refuse legally. That's why U2F is very important for us, yet its availability is close to zero. Even if we order online, the price goes very high because of the shipment cost and unbelievable tax rate.
Great video. I use mine with my password manager Bitwarden. I wish financial institutions (e.g. banks, credit card companies) supported hardware 2FA.
Bank of America supports it now.
People with security keys: "Wow look at me, my security is impenetrable!"
People with fingers: "yoink that real quick thanks"
This is why I’m hesitant to make the switch… I need my security to be discreet. Besides, I’m too worried I’ll misplace it on a busy day when I can’t keep up with putting it back in its rightful place.
That's a fair point. Nothing is foolproof; the reality is if someone wants to get you, no matter what walls you put up, they will find a way around. But we should at least step back, reflect and make an effort to prioritize security, because we may not know what threats lie ahead, and we should weigh up the pros and cons for each setup based on the threat models in our heads to ensure our safety.
Switching off a phone entirely for a year has been difficult. I argued with the bank to remove the cell number they have on my account or disable 2FA and they just wouldn't, and I was ultimately left with just freezing the account entirely.
@Not Me I’ve done exactly this after I learned that for myself several years back with a yahoo account I tried to get rid of.
You should do a Yubikey guide; it's a pain in the ass to understand everything about it. Just opening the Manager (PIV, FIDO, OTP), PINs, passwords, and then opening the Auth App, and more stuff, it's a mess!!! Understanding the two Yubikey apps. This video is useless until you explain all that, showing those two apps.
I got a Yubikey 5 NFC recently, really just out of curiosity and your comment really hits home. It's remarkable how complicated the learning curve is to using it. Here I was thinking the whole point was to make 2FA easier. And given it was potentially going to be a critical link in my security processes, I feel like I need to absolutely understand every aspect of how it works before I could ever really use it for real world security. Following just the simplified guides for basic usage felt like I was trying to set up a home network server accessible to the outside internet without the faintest understanding of all the security implications.
Then I thought, maybe I'll just use it for TOTP only, but couldn't get Yubikey's authenticator app to work on my custom ROM due to some missing OS function.
So then I thought, maybe I'll just use it to unlock my keepass. And that became a massive learning curve in itself and couldn't get the same functionality working on both desktop and mobile so that the same database could be used. At this point it's really just gathering dust until one day perhaps I'll investigate again - maybe on a new phone or a new keepass app or some other situation. At this point I'm kind of thinking it's only purpose could be to just store it somewhere as kind of a key to some master set of instructions on how to decrypt my life that I can leave to my loved ones in my will.
I have 2 yubikeys, best 80 bucks I ever spent.
Great video like always. I’m looking forward to the reviews on the other hardware keys
Yeah, Laptops should put more than 3 USB ports!
Less than 3 is just embarrassing
My Acer Predator Helios 300 (2018) has 3 USB-A ports, so it's not impossible. It also has Ethernet, USB-C and SD card slots, plus a feature Apple removed, much to the dismay of many, although I'm not too fussed: the beloved headphone jack 😁
@BlackLivesMatter my condolences : (
What I really don't like about the Yubikeys and basically all of the other U2F devices is that you cannot back them up. So you have to buy and register multiple devices for each service to be safe. Which is both annoying and expensive. With Trezor I can use it for U2F and restore it with the seed phrase if needed. But for that I have to carry around a bigger and more complex crypto wallet.
Why is no dedicated hardware key doing something like that?
Is there any other device that supports backup and restoring? Preferably some small one dedicated hardware key like the Yubikey Nanos. I did not find any so far.
does Ledger?
Appreciate the detailed breakdown! 🧐 Just a small off-topic question: 😅 I have a set of words 🤷♂️. (behave today finger ski upon boy assault summer exhaust beauty stereo over). How do I use this? 🤨
I've been using yubikeys for over a decade now. While I am not particularly a security enthusiast, I find them to be extremely convenient. Especially when traveling to countries where you might not have your phone number. Getting locked out of your email because you don't have your phone # is not a good time.
But also have a key that only I have access to makes things quite nice. I wish banking institutions would allow me to use it. As of now, my banks are my weakest links when it comes to 2fa
Wouldn't leaving that key in your laptop be a risk? For example, what if someone stole your laptop with it in it?
ua-cam.com/video/epiduqAStlE/v-deo.htmlm59s
We directly touched on this on our recent Techlore Talks if you want to see our thoughts 🫡
@@techlore Points taken. I just think though that leaving it in raises the risk.
I have been using yubikeys for years, I even give them as a birthday present sometimes to friends and family....
What is the risk of leaving one in your laptop if, say, the laptop was stolen? Do you remove the nano when not using?
Good question! Ahead are my personal takes on this. The key is meant to be something you 'have' - and then passwords and usernames/emails are something you 'know'
On paper, because you need both forms of authentication for 2FA, there's no inherent risk if someone only obtains one. If someone steals your laptop with your key inside it, assuming your laptop has a strong password + Full disk encryption, there's very little anyone could do as they wouldn't be able to retrieve your passwords, emails, and/or session cookies from your browsers. (which are required alongside your security key)
Even if someone bypasses your computer login, there are further precautions in place for the above risks, like clearing data from your browsers on exit, and ensuring you're using a safe password manager with a strong master password.
TLDR:
- In my eyes, keeping the key plugged in is ever so slightly less secure, in exchange for a massive bump to convenience, which for me means it stays in my laptop, but this'll depend on your threat model 👍
- It's much more important for most people to layer up their security, than to be stressed about where their Yubikeys are being kept. This means: Full disk encryption, being aware of data being stored by your browser(s), ensuring you have a strong login password, having a backup security key in the event the one in the device is stolen, and using a strong password manager with a strong master password!
- Do your best to ensure that something you 'have' and 'know' are not easily obtained at the same time from the same incident, and be ready to layer up to ensure this.
A fun game to play is to think over scenarios of people gaining access to certain things. Example:
- IF an attacker steals my security key with my laptop, THEN I will be safe because they'll need to bypass my device login and full disk encryption
- IF an attacker manages to bypass my login and gain access to my OS, THEN I will be safe because my browsers clear data on exit, and my password manager is locked behind a secure password
- IF an attacker manages to gain access to my password vault, etc.
Just keep in mind the more 'ifs' you implement, the less likely it is to happen, but hopefully this comment adds some perspective on the question you're asking. No, I keep the nano plugged in all the time.
Another tidbit: You can set up a PIN for your security key that some sites will respect. So even if someone steals your key and your laptop and they have your creds, you can still require a PIN to use the key.
Edit: Yubikey also offers biometric keys as well to kind of address this problem.
-H
@@techlore - thank you for the detailed response. I agree. They would need physical access to the device AND know the login to that device.
For me, I’m less concerned about the device itself and more about stopping access to information/data like my Microsoft, google, 1Password, proton account settings. The goal would be to stop account take over or even worse, permanent lockout even if a device is stolen or compromised.
@@techlore The hardware key is the thing you have to secure some service, not your laptop. It seems like if they have your key it would be like they have your sim from your phone.
ua-cam.com/video/epiduqAStlE/v-deo.htmlm59s
We directly touched on this on our recent Techlore Talks if you want to see more of our thoughts 🫡
@@techlore thank you so much. Watching now. I’m definitely buying some yubikeys. I’ve been wanting to do it for awhile now and it’s good to hear your thoughts on it.
First thought after first few seconds was "again?"
These hackers ain't getting any more out of an emptied account and widely abused and banned user profiles, so just like artists losing to A.I. they'd better adapt.
Thanks for putting in the effort and extra demonstration in this fairly informative video; I added it to the top of my 2FA topic playlist, which I might show my sister later.
Anyways, liked and subscribed 👍
You don't need to plug them in. You can use NFC on some models
My Nitrokey 3A has nfc support it works but you have to take your phone cover off still it works
Can't they integrate U2F NFC into phones, so there's no need for a separate device?
@@hellouser5498 Phones have a similar feature called Passkey but Passkey is a software solution. When your phone is infected, the keys could be stolen. This can't happen with a physical security key.
Where is a website with all the information needed explaining this? I see many videos of parts but not all. One video seemed to say non-compliant devices will be locked out, but using the key on a compliant device will give all devices access?
I recently updated my phone since it forced me to do so, but when it finished updating, all of my photos, videos and apps I had downloaded were all gone, including the authenticator. I used the authenticator for Roblox for my account login, but now that it has been deleted, I can't log in nor find the exact authenticator I used. I tried setting the login code back up on other authenticator apps, but it didn't work. So now I can't log in to my account anymore. Can someone help me?
All this security is a nightmare.
Is it open or closed source... I mean the hardware firmware.
YubiKeys demonstrated in the video are closed source security keys however you can buy an open-source alternative such as nitrokeys and solokeys for around the same money.
@@DEFECTEDSTREETRACER Thoughts on Onlykey and Google Titan? Are they any good?
@@rashidismail9537 So for Google Titan: they are great, very well put together and established security keys, and work well with Android devices, but I believe they are closed source (someone correct me if I'm wrong). I was looking at them for purchase when I was shopping around for U2F keys; however, shipping options outside of the US are spotty at best, meaning to get hold of one outside of the Google Store you would need to purchase it off eBay, for example, and we all know how sketchy that can be in relation to tampering. As for OnlyKey, I researched it as I had no prior knowledge of them, but they seem to be more geared towards tech professionals like developer types. Features include a PIN code for U2F with a self-destruct PIN code, as opposed to just tap and in, so that's pretty sweet; however, they cost nearly $200 USD. That being said, though, they are open source and store passwords too, so it's not all bad news.
Thanks bro. Really appreciate it.
@@rashidismail9537 No problem, happy to help, happy shopping 8)
Can you use a USB-C to USB-A adapter, please, if you want the tiny one, Techlore? 🤗 Thanks in advance
Thanks for your video Mr Henry
Thanks for watching 🫡 -H
@@techlore what is "-H"?
been thinking of getting a yubikey too honestly, but I don't really have anything to warrant it.
Get an open source alternative
What's the lifespan of a YubiKey?
Just like with most electronics, lifespan is a combination of how you're using/treating them and luck.
If you keep it with your laptop you lose it and your laptop together.
What’s weird here to me is why you would use an external security key over something like Passkeys. I have multiple security keys which I use weekly, but I use biometrically protected Passkeys wherever supported
@Techlore - Thanks for another great assistance in security management :)
One Question:
About software updates: does the HW key or the OS service require updates, since that's also a security vulnerability?
OS service, I mean the code that transports the "public key" and the "location of the private key on the HW key"
between the app/site and the USB connector, on registration and login sequences.
I tried the most well-known brand of hardware key ten years ago. The main key failed after three weeks of being carried around on my key ring. Just failed, for no reason. That is not reliable enough. Never had a phone fail on me.
Do you have a video on having multiple 2FA and using the others as backup? Say hardware keys are your active 2FA, meaning the only one you use, and you lost your hardware keys, but fortunately you’ve got your TOTP Authenticator code backed up in a location that doesn’t require the use of that hardware key. My thought being that you have multiple 2FA, which seems less secure, but if you aren’t using the other ones it lessens the possibility they are compromised. Instead just have them stored on an encrypted USB or in a veracrypt folder on the cloud (your thoughts on the security of this too?) for the day all your hardware keys are lost. Realistically I don’t see why having more than one backup 2FA is necessary if you would be storing that 3rd 2FA backup in the same secure place. Or any other thoughts on this, best alternative backup 2FA (might depend on the 2FA offered by each service).
Basically any video you can point to where you talk about using multiple 2FA and your security thoughts on this. Thanks!
I bought my 2 Yubikeys back in 2021 and I love them
I really wish BANKS WOULD GET ON THEM MOST OF ALL it boggles my mind how this is not a thing
I use them everywhere I can and I always disable all other methods like SMS and TOTP if I am allowed to like on Twitter
UA-cam should also force you to Authenticate with 2FA when making important account changes like changing the channel name or modifying 2FA itself
Coinbase does this; it is strict about it too. Even changing my password, I have to authenticate the change with my Yubikey, and I love it.
Same thing happens with changing your email for Coinbase
Love this channel and the podcast
Aw thanks a lot
Why does Instagram not have the option for Yubikey or for any physical hardware token form of 2FA?
It’s very weird considering that Facebook has this option and both companies are part of Meta.
Why would you keep one key in your wallet and another in your laptop? Surely if the one in your laptop breaks you wouldn't need the backup that urgently? Also wouldn't that be a problem if you fall into water? You'd think you should just keep one at home. idk tho
Do you know how I can set Amazon to use my authentication hardware key as the primary, and not have to keep receiving codes to my phone?
Security requires something you know, have and are -- each and every time. Authenticating apps and keys are only as secure as your phone and key. Therefore, you MUST enable a solid 6-digit PIN to use every time you log in to each and every account. Otherwise, you're short-circuiting your own security.
Know: PIN
Have: phone, key
Are: fingerprint (record multiple from both hands)
SMS is absolutely NOT secure
TOTP is not as secure as you think! If someone were to sit down at an unlocked computer with TOTP, they would have access to the authenticator.
I'll look into these more. I use a password generator and have generated passwords for every account I have, but everything is in one encrypted file across 3 of my devices. It supports having a security key, but it's a digital file you can put on a flash drive, so it's not as convenient as just tapping the end of the key.
I have three FIDO devices I got years ago; I get them out now and then for another shot... always too much of a PITA. Now if there were a password manager that used U2F to effectively U2F-enable all the sites I use, I guess it may be ok.
A couple of mine do bluetooth, NFC and USB, but never really worked with android - and I only recently got a phone that does NFC....
Maybe time to dig them out again!
I don’t know if I fully trust these keys… see, they could install a keylogger and you'd still be hacked.
Meanwhile Cookies Session Hijack 😶
I have a different method for 2FA. I currently use my Authenticator app via 2FAS as backup and I use my security key as my default key.
If I lose my hardware key is there an option to switch over your old credentials from the lost key to a new hardware key over the internet? Otherwise, revoking the old key and adding a new one in all my websites will be a tremendous headache. I know we will have a backup key as well, but we still have to revoke the lost key on all the websites.
And where do passkeys go in all this?
Better or worse?
Best option but just another thing for me to lose. It and the backup, which is barely useful since many sites don't support it and just forget any financial institution.
Do you know that security keys are now integrated into phones, so that your fingerprint can be your U2F?
5:11 55 dollars? Here in the Netherlands they are 95 euros.
£48 in the UK, Dutchy
@Techlore: The Nano can be used in a Pixel 6a, right? Plugging it in with the sensor up or down, right?
Can someone tell me if it fits into the cutout at the USB-C Port of the Otterbox Commute?
Otterbox cannot tell me even though I provided the exact dimensions 🙄
Since the Nano is USB-A, you can use a USB-A to C connector that's the size of a small phone charger cable and it should fit through; that's what I use for my 2FA keys.
@@DEFECTEDSTREETRACER There is also a Nano 5C I would like to use with the Pixel ;)
Is it safe to leave it in your PC all the time?
Bro.. I flashed my phone... I used my fingerprint as a security key.. Now my fingerprint is required to open Discord.. What should I do? Please help
Can you not use the authenticator app on your phone as a backup to get on the account if you lose your key?
No, the yubico app merely displays what is on the key. Without the physical key the app has no information to bring up. Nothing is saved on the app itself
If you keep it plugged into your laptop, and someone steals your laptop, you've provided them (literally) the key to hacking all of your accounts.
ua-cam.com/video/epiduqAStlE/v-deo.htmlm59s
We directly touched on this on our recent Techlore Talks if you want to see our thoughts. It's not that simple. 🫡
wouldn't that also require them to have the password?
@@tjgdddfcn - It would, but the point of 2FA is that passwords are hackable, hence the need for the second physical layer of security. But, when you're providing the physical layer to the thief, then you might as well just use a password and not bother using the physical layer.
It's like having a security door that uses a keypad, and you go "That's not secure enough, because someone could figure out the security code, so I'm going to add a physical key lock to it too, so that you have to have the physical key and the security code to get in." Then, it becomes inconvenient to keep the key on your keychain and digging it out every time you want to open the door, so you just start leaving the key in the lock. You've effectively downgraded your 2FA back to just needing a security code to get in.
I prefer a security key to 2FA
There is a maximum of 32 TOTP keys btw
Or your bank has no 2FA. Yes, truly, these days that's sad.
can your employer track your location with this key?
☝🏼Unfortunately, they don’t work with Windows Hello (apart from Azure Active Directory), if I’m not mistaken. 🤔
🤷🏼♂️
I think they do. Security key is an option for signing in with Microsoft Account
Do they work on Android phones?
Yes, it does still work if you have a USB-C key, or even a USB-A to C adapter to plug in; however, support depends on the service you are using and how well they have set it up.
@@DEFECTEDSTREETRACER Keys with NFC are also an option, if supported by your phone/tablet. 🤓
@@DEFECTEDSTREETRACER Thanks!
@@comically Yes, absolutely, I forgot to mention NFC support for security keys and phones 😅
@@_modiX No problem, happy to help. If you need a personal recommendation on security keys, I'm running the Nitrokey 3A NFC for my accounts that support it. In comparison to Yubikeys, they are open source if you value checking the code, and are also FIDO2 certified, plus you can attach them to a keychain as well 😁
Surprised you didn't redo the video with how many mistakes there are; other than that, great advice.
They should make these with security cameras on them so you wouldn’t have to buy multiple ones maybe they can team up with us security camera company
What about onlykey?
Bro got confused between u2f and dablu tee eff😂🤣
This is a nice summary, but I'm surprised that you felt comfortable releasing a video of this quality. The consistently repeated speech-errors are unprofessional. Given that it is such a short video, it seems like a candidate for re-recording. Just say all the same things, but "U2F".
What a joke. My company is completely moving away from FidoKey and YubiKey to MS Authenticator. Nobody wants those keys.
good luck with carrying that around
rfc6238 should be mandatory for all websites.
Chase bank doesn’t use yubikeys.
I would love it if my bank would give me a way to use a hardware key for 2FA over an app or SMS.
As long as your authenticator app is secure via E2EE and isn't collecting data, you would most likely be fine.
@@Eeeeejjejsud7372 My issue is my bank is either SMS or their own proprietary software authentication app. I don't want to have so many auth apps on my phone; I'd rather have either a physical key or have it be compatible with other apps and not be forced into their own.
3:50 USB-C?
I don't get it.
1. If you are still entering a password, how is it better than a password?
2. If a touch is all it takes (and not a fingerprint/PIN), what prevents it from being stolen and used?
No, that's not correct reasoning for number 2. I found the correct answer elsewhere. A touch of the HW key alone is not sufficient to use the key. The key has an associated PIN which you need to enter on every use. So even if a bad actor steals your key, they cannot use it since they won't know the associated PIN.
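An added example for this comment and for Techlore's note above that a PIN "some sites will respect": whether the PIN is demanded is a relying-party decision (the WebAuthn `userVerification` requirement), and the site enforces it by checking the UV bit in the authenticator data the key signs. This is example code written for this page, not from the video or any key vendor; the rp_id "example.com" and the authenticator-data blobs are constructed, and signature verification is assumed to have been done separately.

```python
import hashlib
import struct

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, rp_id: str, require_uv: bool, stored_sign_count: int):
    """Relying-party checks on an assertion (subset of WebAuthn section 7.2).
    The signature over authData || sha256(clientDataJSON) is verified
    separately and is assumed to have passed. Returns (accepted, reason)."""
    a = parse_authenticator_data(auth_data)
    if a["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this site"
    if not a["user_present"]:
        return False, "UP flag clear: no touch"
    if require_uv and not a["user_verified"]:
        return False, "UV flag clear: PIN/biometric not performed"
    # A stuck or decreasing counter is the spec's signal for a cloned authenticator.
    if a["sign_count"] != 0 or stored_sign_count != 0:
        if a["sign_count"] <= stored_sign_count:
            return False, "signature counter did not increase: possible cloned key"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal authenticatorData blob for the example (constructed, not captured from a real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    touch_only = make_auth_data("example.com", FLAG_UP, 10)
    with_pin = make_auth_data("example.com", FLAG_UP | FLAG_UV, 11)
    print(check_assertion(touch_only, "example.com", require_uv=True, stored_sign_count=9))
    print(check_assertion(with_pin, "example.com", require_uv=True, stored_sign_count=9))
```

A site that registers the key with `userVerification: "discouraged"` never sets the UV bit requirement, so a stolen key plus a stolen password is enough there; the same key on a site that requires UV will not produce a usable assertion without the PIN or fingerprint.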
Let me see you sim swap my email. Just send the code to the email instead of a phone company not smart enough to not swap you with someone thats not you.
Leaving the yubikey plugged into the laptop sounds like a terrible idea.
how much you get paid for this sponsorship
Yubikey is actually 3FA, so the title you've chosen makes little sense...
OK, break your 2FA key, all of them; can you get into your accounts? No. Lose your iPhone OTP? You just sign in to your iPhone. Plus the iPhone version in Settings is more secure: you must have your Face ID unlocked first to use it, then it autofills, boom, much better. Plus Apple locks OTP down. Great.
They did mention those disadvantages of 2FA keys in the video; I guess, like anything, do so at your own risk.
It is one of the main disadvantages of Yubikeys. However, most if not all services that give a 2FA option, also give you back-up codes in case you lose your 2FA authentication method.
UTF lol
Until you lose or the key gets stolen.. lol
I'm hoping Proton will add the security key for the phone as well. Currently you can only use the key on the computer. And yes, you need extra keys; we have 4 in our household.
👍
people who care about security as randoms are insanely delusional. narcissism + low knowledge in computer science, happens i guess..
It's better to overestimate than to underestimate
I always thought 2fa was stupid.