What do you think? Does seeing "behind closed doors" give you more confidence using a YubiKey? And if you don't have your own security keys, get $5 off using this link: yubi.co/all-things-secured-2024
do i still need a password managet and and some othet form of 2FA too , or can i just use Yubi key for log in for email , and other sites where its accepted , im not tech savvy and get confused as to what i need for privacy and secrurity thats easy to use and impliment as i still use free gmail and i eant to switch to a paid for email for secrirty and privacy im not so much worried about goverment im more concerned about hacks , mitm and others i dont even know of lol , thanks for any info great channel i learn a lot frim you
No, it does the opposite. Absolutely nothing of substance was shown, and this whole thing feels like a corporate PR piece from a corporation desperate to try and convince you their closed-source security-through-obscurity binary blob is actually good for you.
You are so right. The fact that almost no big banks or investment companies support any 2FA beyond SMS, which is known to be vulnerable to sim card cloning attacks, is absolutely shameful. I would love to see more UA-camrs like @AllThingsSecured publicly calling out these institutions. They are failing their customers. Too often when customers are victimized they just wash their hands of it even thought they refused to provide modern methods to secure accounts like security keys. In the meantime, people need to do everything they can to protect themselves by securing all their recovery methods like their email and their phone's sim card. The banking institutions will only change when this becomes a big enough issue to be perceived as a competitive disadvantage.
The biggest thing holding me back is their limited acceptance, especially with what I consider my most import accounts - financial and government. I don't want to have to keep track of a hodge podge variety of ways to authenticate.
Interesting and enjoyable video, particularly as I've owned a pair of yubikeys (one in reserve) for two years. But I've always had great difficulty negotiating (not "navigating"!) Yubico's extraordinarily complex website. The firm's helpline has been of little help, especially concerning the so-far impossibility of obtaining my keys' PINS. These are required for use with some websites - some very important - such as Microsoft's. Any chance, please, of you covering Yubico's PINs in another of your passkey videos?
Hardware-based authorization-keys are very hard to beat. But it does require a functional and accessible USB-C port - leaving the physical phone potentially vulnerable to advanced tampering attacks. Physical USB-blockers from Smartkeeper is a possible option. Anyway, there is an argument for app-based authenticators and charging through wireless induction only - you can completely seal off the USB-C access alltogether. But that perhaps a too tough compromise to pay.
I’m not sure I follow. These keys also allow for NFC, which is just a tap on the phone, not plugged in, so you’re not dealing with the phone port at all.
@@AllThingsSecuredOK, I don't actually own and use one of these keys myself. So I misunderstood whats possible. I think I have some catch-up reading to do. 😊
@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone. Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.
@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone.
@@AllThingsSecured - Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.
One of your earlier Yubico videos convinced me to buy 2 Yubico keys. Both keys have done exactly what they're supposed to on both of my macs are "Smart Card Required" & all my accounts that allow/permit 2FA with hardware keys. Sadly, banks & brokerage firms don't allow Hardware Keys to be used for 2FA. Only Bank of America & Vanguard allow Yubikeys for 2FA for their customers.
@@AllThingsSecured The downside of a second key is that some services make the last hardware key entered the primary without an option to change this to a "backup key". This is not Yubico/Yubikey related but really annoying. Some software/services are really not up to speed with using amd adopting hardware keys. Using hardware keys on a Android phone / Chromebook can be a real pain sometimes e.g. when they do not use the NFC chip but expect a physical key to be inserted. Disclaimer: I also use Yubikeys but the CEO not being able to enter their workshop does not give me less or more trust in their products. There so many options to manipulate a service/product somewhere else in the supply chain.
I love my Yubikeys but I can use your advice. How do you carry yours around so you always have one on hand? Neck lanyards are uncomfortable, and I don't always have car keys with me. I'm open to any suggestions. Thanks for ALL your videos and advice.
For me personally, I didn't always have my car keys with me until I got my Yubikey and added it to my keychain. After that, I always have it with me just in case.
@@SteveHowardPhotography Maybe "Retractable Badge Reel with Claw Clasp and Clip for Id Card Holders" That can attach to your belt loop. Retractable key holder or keyring might be something you prefer to a lanyard around the neck.
Hello. I hope your visit to Stockholm was nice. I trust the Swedish security keys because I know it’s basically the same cryptography as the new passkeys and offers the strongest possible security. What’s best about these YubiKeys is that they are separated from the Mac, iPhone or whatever you might be using to offer even stronger security for your accounts. Cheers! 👋
Question about setting up my keys. The Bitwarden extension tries to save it. When I choose hardware key, should I choose just this once or all the time? And how do i change it to once if I chose all the time?
There are so many things I still don't understand about computer security. Do the Yubikey secure anything other than email? Since Microsoft requires their corporate users to use Yubikey how did Russian hackers breach Microsoft recently? It must have had nothing to do with corporate user logins.
I know, right?? Isn’t it just nuts how a security and privacy UA-camr talks SO MUCH about actual security and privacy tools like password managers, encrypted email and 2FA keys all the time?! It’s just unbelievable. I mean, you’d almost think that it’d be better for somebody who wasn’t interested in actual security and privacy to just, you know…unsubscribe 🤷♂️
You can use any other brand of compatible key if you want, all content about why and how to use it still apply. It's all about the chip and formfactor, not the brand.
Went to Yibico's list of companies that their key works with. NOT IN ALPHABETICAL ORDER, not even by category. They should at least break this down by category such as banking, linux, microsoft, apple, android etc. For me, secure banking, email and securing my device are the only uses of interest to me. And none of my American banks is listed. In fact, I think Bank of America is the only bank. Ultimately, not sure I want to risk this. Lose the key or the key gets corrupted and I am locked out of my bank to do what ? It does, however, sound like a great solution for a large company.
General advice for not just physical 2fa keys, but other critical things as well. Backups. I have 3 yubi keys, one that stays at home, one that stays at work, and one in my wallet. Once I onboard a key to an account, I also onboard the others as soon as I can. I also do not trust leaving a regular yubi key laying around, so all of my keys are the bio series which requires a fingerprint scan. Accounts that do not support more than one physical key in my mind are flawed implementations implemented by incompetent staff.
This isn't a Yubico problem, it's an industry problem. Banks have notoriously been slow to adopt higher 2FA standards and it's not that they don't accept YubiKeys, it's that they don't accept ANY 2FA keys at all. It's unfortunately and hopefully something that will change eventually. Locking down your email (Gmail, Outlook, Yahoo), your mobile device (Apple iOS, Android), your retirement accounts (Vanguard) and other such important accounts make this much more than just a good solution for a "large company". You don't have to use a YubiKey, but if you're not using 2FA of some kind, you're making a big mistake.
@@AllThingsSecured I appreciate your videos and for taking the time to reply ! I too really wish the banking industry would take security more seriously.
@@AllThingsSecured Most banks do actually support hardware tokens, it's just that you must purchase their token directly from them. Wells Fargo for example will sell you a RSA SecurID token for $25.
Hey im really scared i was trying to mod a game and downloaded a mod that everyone said was safe but the site that i got it off you had to sign up ive tried deleting the account but apparently you cant on this website
The way I read your message, US market is served by keys manufactured in the USA. Just being paranoid for a second... why? Who else has the keys? Eventually, this is another crypto solution. Remembering Crypto AG from Zug, Switzerland. Who else has the keys?
So a digital key within a physical fob is the improved newfangled security now. And this you add to that metal ring that holds the rest of your brass house keys in a pocket/purse in your person. Anyone see the irony here? 😜😂🤭 P.S. No putdown on new technology. It just seems an old artifact, a metal key, to open a physical lock was replaced by a digital key, the new artifact, which is now encased inside a hard plastic fob that is no different than the old artifact, the aforementioned metal key. Plus the bulk.
@@VirtualCreativity In the old days in the 1970s & 80s when I was deployed overseas in the military, mail took two weeks for letters to arrive and then another two weeks for my reply letter to return to the US. Occasionally snail mail was lost so wasn’t totally secure and at one island location our mail was opened and checked prior to being issued as senior authorities were checking for porn (spouses or girlfriends sending photos) or drugs. I still live overseas and love to keep in contact with my family and friends and emails, instant messaging, and free video calls are magnitudes better. A little 2FA security of this “technology” is very simple after setup and we can send & receive instant communications in which many, including myself, like much better and still have privacy.
What do you think? Does seeing "behind closed doors" give you more confidence using a YubiKey? And if you don't have your own security keys, get $5 off using this link: yubi.co/all-things-secured-2024
do i still need a password managet and and some othet form of 2FA too , or can i just use Yubi key for log in for email , and other sites where its accepted , im not tech savvy and get confused as to what i need for privacy and secrurity thats easy to use and impliment as i still use free gmail and i eant to switch to a paid for email for secrirty and privacy im not so much worried about goverment im more concerned about hacks , mitm and others i dont even know of lol , thanks for any info great channel i learn a lot frim you
I would be interested in using this for banking. Bank America seems to be the only banking using 2FA keys.
Yea, unfortunately banks have been slow to adopt the FIDO standard for security. It's coming, I hear!
No, it does the opposite. Absolutely nothing of substance was shown, and this whole thing feels like a corporate PR piece from a corporation desperate to try and convince you their closed-source security-through-obscurity binary blob is actually good for you.
Good joke. 404 error
We can't find that page. Sorry!
Now if only our financial institutions would let us use them...
or Amazon Shopping too
@@SteveHowardPhotography amazon supports passkeys which includes yubikeys
Works on amazon @@SteveHowardPhotography
Bank of America supports them.
You are so right. The fact that almost no big banks or investment companies support any 2FA beyond SMS, which is known to be vulnerable to sim card cloning attacks, is absolutely shameful. I would love to see more UA-camrs like @AllThingsSecured publicly calling out these institutions. They are failing their customers. Too often when customers are victimized they just wash their hands of it even thought they refused to provide modern methods to secure accounts like security keys. In the meantime, people need to do everything they can to protect themselves by securing all their recovery methods like their email and their phone's sim card. The banking institutions will only change when this becomes a big enough issue to be perceived as a competitive disadvantage.
Thanks for going there and finding out. I appreciate it as a YubiKey user!
Thanks for watching and commenting!
Love the videos you’ve help so much with security and learned a lot keep it up.
Glad you like them!
The biggest thing holding me back is their limited acceptance, especially with what I consider my most import accounts - financial and government. I don't want to have to keep track of a hodge podge variety of ways to authenticate.
great video Josh!
And you were sooo lucky with the weather for April :D
Ha! It was actually filmed in a different month, but the weather was fantastic.
A video i really wanted to watch, thanks so much
My pleasure! Glad you enjoyed it.
Interesting and enjoyable video, particularly as I've owned a pair of yubikeys (one in reserve) for two years.
But I've always had great difficulty negotiating (not "navigating"!) Yubico's extraordinarily complex website. The firm's helpline has been of little help, especially concerning the so-far impossibility of obtaining my keys' PINS. These are required for use with some websites - some very important - such as Microsoft's.
Any chance, please, of you covering Yubico's PINs in another of your passkey videos?
I knew nothing about security keys and just picked one happened to be yubico and I’ve heard nothing but good and I’m glad I trusted my gut
Well Done! I Always love your videos and this was so interesting. Thanks for all your efforts.
My pleasure, Charlie! Thanks for watching and commenting. 👍🏻
Bought one of their keys 3 years ago, couldn't be happier!
Good call. Interesting to see about this. Since I'm Swedish but living abroad I bought Yubikey.
Can't wait to get me hands on one of these products.
I hope to make them as important as a phone to me and my family.
Nice video just wanted to mention that the music in the video is far louder than your voice level. Thanks.
Thanks for the feedback. I’ll try to do better next time 👍🏻
Been to Stockholm, it's a wonderful city. That ship is epic!
Would love to see it during the summer (we went during the winter).
Hardware-based authorization-keys are very hard to beat. But it does require a functional and accessible USB-C port - leaving the physical phone potentially vulnerable to advanced tampering attacks. Physical USB-blockers from Smartkeeper is a possible option. Anyway, there is an argument for app-based authenticators and charging through wireless induction only - you can completely seal off the USB-C access alltogether. But that perhaps a too tough compromise to pay.
I’m not sure I follow. These keys also allow for NFC, which is just a tap on the phone, not plugged in, so you’re not dealing with the phone port at all.
@@AllThingsSecuredOK, I don't actually own and use one of these keys myself. So I misunderstood whats possible. I think I have some catch-up reading to do. 😊
@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone. Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.
@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone.
@@AllThingsSecured - Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.
One of your earlier Yubico videos convinced me to buy 2 Yubico keys.
Both keys have done exactly what they're supposed to on both of my macs are "Smart Card Required" & all my accounts that allow/permit 2FA with hardware keys.
Sadly, banks & brokerage firms don't allow Hardware Keys to be used for 2FA. Only Bank of America & Vanguard allow Yubikeys for 2FA for their customers.
Yea, I don’t know why banks have been so slow to adopt a better security standard.
@@AllThingsSecured Easy. IT Support. Banks don't want to spend alot of money in IT Support for their customers with 2FA issues.
Thank you for the video.
You’re welcome!
I was hoping all of my high risk apps used the yubikey such as banking etc
Cool. What happens if you lose the physical key though?
That’s why I have a backup. Either a second key that I store in a secure place or a backup code/phrase that I store offline.
My Q as well!
@@AllThingsSecured The downside of a second key is that some services make the last hardware key entered the primary without an option to change this to a "backup key". This is not Yubico/Yubikey related but really annoying.
Some software/services are really not up to speed with using amd adopting hardware keys. Using hardware keys on a Android phone / Chromebook can be a real pain sometimes e.g. when they do not use the NFC chip but expect a physical key to be inserted.
Disclaimer: I also use Yubikeys but the CEO not being able to enter their workshop does not give me less or more trust in their products. There so many options to manipulate a service/product somewhere else in the supply chain.
Plz consider doing a review on the Quetta browser sometime.
I love my Yubikeys but I can use your advice. How do you carry yours around so you always have one on hand? Neck lanyards are uncomfortable, and I don't always have car keys with me. I'm open to any suggestions. Thanks for ALL your videos and advice.
For me personally, I didn't always have my car keys with me until I got my Yubikey and added it to my keychain. After that, I always have it with me just in case.
@@justicefool3942 Thanks for your input. Guess I just need to decide - lanyard or keys. Thanks for your reply
@@SteveHowardPhotography Maybe "Retractable Badge Reel with Claw Clasp and Clip for Id Card Holders" That can attach to your belt loop. Retractable key holder or keyring might be something you prefer to a lanyard around the neck.
@@localfixx4184 Great idea. Thanks for the tip!
Hello. I hope your visit to Stockholm was nice. I trust the Swedish security keys because I know it’s basically the same cryptography as the new passkeys and offers the strongest possible security.
What’s best about these YubiKeys is that they are separated from the Mac, iPhone or whatever you might be using to offer even stronger security for your accounts.
Cheers! 👋
Thanks, Mikael! It was a wonderful trip.
Question about setting up my keys. The Bitwarden extension tries to save it. When I choose hardware key, should I choose just this once or all the time? And how do i change it to once if I chose all the time?
Hi Josh, how would i know which accounts i have on which Yubikey? As I intend to buy 6. Cheers
There are so many things I still don't understand about computer security. Do the Yubikey secure anything other than email? Since Microsoft requires their corporate users to use Yubikey how did Russian hackers breach Microsoft recently? It must have had nothing to do with corporate user logins.
They stole the session tokens. No two factor will prevent that. It's up to the controls of those tokens.
Any recommendations for a USB adapter to go from C to A?
You can get a cheap one off of Amazon. Or just buy the correct YubiKey.
This dude is the whole PR team of Yubico, never seen a single UA-cam creator pump so much content for a single product.
I know, right?? Isn’t it just nuts how a security and privacy UA-camr talks SO MUCH about actual security and privacy tools like password managers, encrypted email and 2FA keys all the time?! It’s just unbelievable. I mean, you’d almost think that it’d be better for somebody who wasn’t interested in actual security and privacy to just, you know…unsubscribe 🤷♂️
You can use any other brand of compatible key if you want, all content about why and how to use it still apply. It's all about the chip and formfactor, not the brand.
Went to Yibico's list of companies that their key works with. NOT IN ALPHABETICAL ORDER, not even by category. They should at least break this down by category such as banking, linux, microsoft, apple, android etc. For me, secure banking, email and securing my device are the only uses of interest to me. And none of my American banks is listed. In fact, I think Bank of America is the only bank. Ultimately, not sure I want to risk this. Lose the key or the key gets corrupted and I am locked out of my bank to do what ?
It does, however, sound like a great solution for a large company.
General advice for not just physical 2fa keys, but other critical things as well. Backups. I have 3 yubi keys, one that stays at home, one that stays at work, and one in my wallet. Once I onboard a key to an account, I also onboard the others as soon as I can. I also do not trust leaving a regular yubi key laying around, so all of my keys are the bio series which requires a fingerprint scan. Accounts that do not support more than one physical key in my mind are flawed implementations implemented by incompetent staff.
This isn't a Yubico problem, it's an industry problem. Banks have notoriously been slow to adopt higher 2FA standards and it's not that they don't accept YubiKeys, it's that they don't accept ANY 2FA keys at all. It's unfortunately and hopefully something that will change eventually.
Locking down your email (Gmail, Outlook, Yahoo), your mobile device (Apple iOS, Android), your retirement accounts (Vanguard) and other such important accounts make this much more than just a good solution for a "large company".
You don't have to use a YubiKey, but if you're not using 2FA of some kind, you're making a big mistake.
@@AllThingsSecured I appreciate your videos and for taking the time to reply ! I too really wish the banking industry would take security more seriously.
@@AllThingsSecured Most banks do actually support hardware tokens, it's just that you must purchase their token directly from them. Wells Fargo for example will sell you a RSA SecurID token for $25.
What if you lose the Key or get damaged?
You always need a backup key.
Exactly. The best thing is to have a backup key. If not that, then you need to keep another kind of backup offline.
Hey im really scared i was trying to mod a game and downloaded a mod that everyone said was safe but the site that i got it off you had to sign up ive tried deleting the account but apparently you cant on this website
Sorry to hear that. Not sure how it has anything to do with 2FA keys, though.
@@AllThingsSecured I just wanted to reach out to you for some advice I'm only ney to computers
If you're gonna be silly on the internet, create unique email accounts for every sketchy website. Are you 12?
The way I read your message, US market is served by keys manufactured in the USA. Just being paranoid for a second... why? Who else has the keys? Eventually, this is another crypto solution. Remembering Crypto AG from Zug, Switzerland. Who else has the keys?
I'm not sure I follow the question. How is a 2FA key related to crypto?
2:31 That flag is spilling over into Canada lol xD
Ha! Sorry about that.
lol idk why this made me laugh
testing
👍🏻
🙌
So a digital key within a physical fob is the improved newfangled security now. And this you add to that metal ring that holds the rest of your brass house keys in a pocket/purse in your person. Anyone see the irony here? 😜😂🤭
P.S. No putdown on new technology. It just seems an old artifact, a metal key, to open a physical lock was replaced by a digital key, the new artifact, which is now encased inside a hard plastic fob that is no different than the old artifact, the aforementioned metal key. Plus the bulk.
I wouldn't call it "newfangled" since the technology has been around for decades.
Old Days Was Secure. When You Had To Wait For Someones Letter.
How does that relate to 2FA security keys?
@@AllThingsSecured no technology no more tension about privacy security.
@@VirtualCreativity In the old days in the 1970s & 80s when I was deployed overseas in the military, mail took two weeks for letters to arrive and then another two weeks for my reply letter to return to the US. Occasionally snail mail was lost so wasn’t totally secure and at one island location our mail was opened and checked prior to being issued as senior authorities were checking for porn (spouses or girlfriends sending photos) or drugs. I still live overseas and love to keep in contact with my family and friends and emails, instant messaging, and free video calls are magnitudes better. A little 2FA security of this “technology” is very simple after setup and we can send & receive instant communications in which many, including myself, like much better and still have privacy.
Can’t use on smart phone = deal killer.
But…you can use them with smartphones via NFC or USB-C/Lightning port.
All Thiings 😃, ands omg 🫢 an interview with one of my favorite companies 😱
👍🏻👍🏻🙏🙏