Where else have you found your 2FA key to be most useful? Also, if you're not sure which Yubikey you should buy, I did a video explaining the differences that you can watch here: ua-cam.com/video/WDPFARHQKNo/v-deo.html
Hey Josh, I just bought a yubikey5 but realized only the bigger websites like google and Facebook use the fido2 standard. Steam, epic games, etc don’t have this implemented and my password manager (Bitwarden) doesn’t allow me to set up a yubikey without premium. Are there any more popular services that use this?
You skipped the most crucial part for the Vanguard setup. Once you have multiple Yubikeys registered to your account, it will allow you to remove the SMS 2FA option.
I just did all this for Bank of America but it still offers me only sms auth to log in… I haven’t found anywhere I can delete that, the wrapper section now reads like it’s the yubikey only. Going to give them overnight in case they run some kind of early 2000’s chron job to reset that, but if that doesn’t work, it’s back into the suppor call queue 🙄
I was wondering about that as he was going throug the video. SIM swapping now making 2FA a high security risk and many organizations require it. Watching I was thinking what stops a SIM swapper from adding their own secutiy key. Trying to wrap my head around the security key to decide if it's the right choice for me. Now I am wondering if everybody allows to disable 2FA.
@@3weight Not sure Bank of America don't allow us to disable SMS either. Hopefully as time goes on passkeys will be the norm where sms is no longer needed.
I love your channel and am taking much of your advice. HOWEVER, there is one thing I have discovered regarding a company. The company does indeed support security keys but ONLY for logging in online. The same company does not support or allow security keys for their app. Further, they don’t allow you to restrict use of the app. So another person can download the app and get around the keys with only your password and cell phone 2FA. If you remove the cell phone and turn off 2FA, then it will require a security question. So you have to decide would you rather have a cell phone 2FA or security question for the app. Frankly, my solution was to not even use their app. But I still left the cell phone 2FA turned off. That way the security key is always the default, which is another get around. If you leave 2FA on, then it works around the key. I did not name the company for security reasons and because it does not matter. The lesson is to test the key and it if is not working, then it is competing with some other 2FA option or a passcode and those need to be removed or turned off. And you also need to test the app to make sure the keys work there too.
@@AllThingsSecured Agreed but even if you do everything right you are always at the mercy of your vendor’s software. I did not name the company in my original post but I think now I was being overly cautious. It is Vanguard. They are like the security key poster child, but I quickly found it could not use the key on their app. I called and at first they too were shocked. That can’t be right. They researched and put me on hold and researched some more. Finally they conceded I was right and put in a request for an upgrade. That was a month ago. It might have been fixed by now. If so, then I am to thank apparently.
I have an unrelated question... I bought a couple of Yubikeys and I would like this to be my primary method of 2FA, however, some websites (eBay, PayPal, etc.) still keep your phone number as a method of 2FA, even after adding a Yubikey or authenticator app. What should I do when a website won't allow me to remove text messages 2FA?
Hopefully others answer, but to my knowledge the best you can make of this bad situation is to try to use a Google Voice number for SMS from a well protected google account. Far from ideal, and some services will not allow GV, but it is at least a number not subject to SIM card attacks.
Yea, I like the previous answer here. You can use a virtual number (not your primary number) for the SMS. Also, for some services like PayPal, you can remove your phone number SMS authentication once you've set up both an authenticator app and a security key/passkey.
Thanks for these videos. As an elevator service tech I found many of these sweeping out the bottom of the shaft and now I know what they were. My question is, if you have a backup key can you delete a lost or stolen key?
@@AllThingsSecured Technically, one isn't a primary and the other a backup. They are, in essence, identical. You simply choose to physically carry one and use it while keeping the other in a secure location.
10:26 I don't understand "I don't want to save that in one password". You don't want to save what, the Yubikey 2FA numbers? Thanks. And which Yubi do most of you suggest for an average user?
Start with the cheapest one to try it. Just be aware not all keys support the Yubikey authentication app, so if you want this, you will need a higher key. I have two basic keys (5NFC) and a 1 x lightening key which does support the app as my primary key, the other two are my backups.
An important security/privacy question. For example you have two accounts both use the same YubiKey. Can the provider see that you have a same security key aka signature?
Yubikeys are far stronger. Unless someone physically has your Yubikey, they can't use it. Passkeys are alternatives to passwords, but they can be copied and synced across devices. A Yubikey can not be copied.
Simple question and maybe just out of ignorance but what happens if some else gains access to the yubikey? Can they just plug it in and gain access to what’s on the key? That might be a good video.
Yes, they would still need your username and password. The idea of somebody trying to find and steal such a small key off of somebody hasn’t really been a thing, though.
What happens if you loose your key device? Also where would you keep this device? On house keys, car keys? Its electronic which means it could break or fail. I am not sure on how tough this is.
It is recommended to have multiple of these on each account, that way you have backups. One key for example you keep on you at all times (on your keychain). Then at least 1 more in a secure place at home, or even multiple in different places at your house for example. If you lose them you can unassign it on your accounts. I have two keys for me and two for my wife. 1 on each of our keychains, 2 in secure places. All of them can be used on our accounts so if we lose one, we are covered.
Thank you for this. Have you done a similar video for passkeys? I have a modern Pixel phone that supposedly can be a passkey and I'm trying to find out if my Apple/icloud account can use my Pixel phone as a passkey (yes, I know, that's a stretch). Lastly can I use 1password as a passkey for an icloud account?
Question: I am trying to set up a YubiKey on my MacBook. The Mac's System Settings state that two of my devices are not compatible with the YubiKey and will be logged out. I am assuming this means I cannot use these devices on my account if I proceed... correct?
No. You can use the key on unlimited accounts as a key for 2FA. If you use the Authenticator codes feature from the 5 series, I think they limit you to 32.
@@AllThingsSecured Thanks! The FAQ on YubiKey tells: "FIDO2 - the YubiKey 5 can hold up to 25 resident keys in its FIDO2 application." What are "resident keys" then?
If a Youbi key is used to secure an Apple account on a MacBook, is the same key required to log into an iPhone and iPad associated with the same Apple account, or only the original MacBook?
The Yubikey look great! I bought a 5NFC, and the 5Ci on your recommendation. Tried multiple browsers including Chrome on both Windows desktop, and Android phone. Keep getting the "Something went wrong" Google error when trying to install them. This is becoming quite a time magnet (4 plus hours). Any suggestions? Can you point me to a possible solution?
Thanks again for your great video! I’m about to buy my first Yubikey 5. The problem is that I only have 2 USB C ports on my MacBook. While at home, I always use an USB C dongle to connect my 2nd screen and my other USB C port is used for my power cable. So basically I could only plug the Yubikey on my dongle via USB C or USB A port. My question is would that work?
Can two Yubikeys be used simultaneously from different locations logging into the same account? My daughter has my third Yubikey backup for everything(in case i get hit by a bus) but primarily she'll use it to get access to my Amazon account.
I believe it depends on the service, but in my experience yes, the keys can be used from different locations. Simultaneously? Depends on what the service allows.
Quick question, If I screw up adding a key to a website I have in 1password, (I accidentally told the site to trust this device) can I just delete that website from 1pass and start fresh with the keys... or start fresh w/ 1pass??
I can't find a video that you have done on Yubikey cloning. Apparently keys prior to 5.7 have a potential problem? That means anything prior to May 2024? It would be nice to see you cover this issue since I purchased keys on your recommendation.
I am notorious for losing small things. I understand that you can have a back up in a vault somewhere, but then it is not updated with recent changes in new logons. How do you deal with this? Also, do you still keep a password on these accounts? If so, then aren't they still vulnerable through that? Or do you rely ONLY on the key. I would be so afraid of losing it!
Same query @@AllThingsSecured bought 2 yubikeys (inspired by your vid) first one i used already and the other one is otw however I saw another vlogger recently where he set up his yubikey e.g. changed pin, PUK etc. Is it necessary to configure all this? Thanks man. Regards from Oz/NZ.🎉
I tested them and I like them, but I prefer the 5 series. The Bio doesn't have NFC (making it difficult to use with my iPhone) and it doesn't store authenticator codes.
my family somtimes uses my laptop, if i add a key to sites (shopping that we all share) will i have to input my fingerprint whenever they want to us the sites/pay?
I am about to purchase new iPhone. I have security keys setup on current iPhone 14. Do I need to disable Current security keys to be able to setup/transfer data to new iPhone
I noticed you said it was important NOT to save the key to 1Password. Could you please elaborate: Why is it important to NOT save the key to 1Password?
If I am allowed to view only 32 codes at a time on the mobile app and if I want to view the 33rd code then how to access it on the phone without actually deleting the code from the yubikey but only hiding it and viewing the 33rd code on the app?
Thank you for these great videos. Can you help me understand why you did not choose the mini Yubikey for your laptop? I was thinking it would be so much less prone to getting knocked askew and/or lost or misplaced? Can you elaborate on your choice? Thanks for all your videos and info!
I do have the mini that I keep in my laptop. Most people opt for the 5 series or Security series, so I’m just showing those in the video. It all works the same.
@@AllThingsSecured Thank you for your reply. Since that resolves the last question I had before making my choices, could you please confirm which links are your current links to enable me to place my orders with the no-cost commission to you?
Sorry for the late reply. I appreciate your desire to support. At this point it’s best to just go to their website or Amazon to purchase. No worries about commission 👍🏻
The best procedure is setting the same accounts on both keys (unless a service only allow one key). Your second key will be a backup for the first one (so you need the same thing on both of them). This is my method.
Can you show us how to add this to a protonmail account? Apparently proton requires an authentication app...I was hoping not having to use google or microsoft authenticators.
Watching an install of Yubikey on an Iphone which checks for active devices by Apple ID; however, according to video since I have two older devices with older software that does not support Yubikey the work around is very time consuming to delete the Iphone Keys every time and reinstall....is there a work around to get the Yubikey to work on the older MACOS or mybe even windows software?
I’m not clear on all the details here, but using a YubiKey on older Macs is absolutely possible. Not sure why it’s not working for you, but I don’t think it’s the key + operating system.
Hey Josh, thank you for your great video. I just bought 2 keys and I am happy to set it up with your video. I have a technical question, your sound (voice) sounds really good. You connected your shure with a xlr cable, would you mind sharing, how you prosses the signal? Thank you in advance, Ludwig
I'm confused. Why do I need two keys? I remember you mentioning that some websites require two keys. I'm guessing the primary key and the second one as a backup? So, if I have usernames and password saved on Brave or Google, will the key store it? I saw an article that Brave and Google can use YubiKeys. If my password is compromised, and I have a Yubikey, can the Yubikey still protect me while I change the password?
Correct. You have a primary (that you usually keep with you) and a backup (that you keep stored safely elsewhere in case something happens to the primary). The 2FA key is a second form of authentication beyond the passwords.
You don't use them together. You just set them both up, then keep one put away in a safe place. That way, if you damage or lose the one you carry with you, you can just grab the other one from the safe place and use it. Then, you can set up ANOTHER key and delete the damaged/lost key.
The problem with setting this up is that a lot of sites keep SMS as a backup so you're not adding any security and can still be suseptible to Sim swaps. Plus it adds extra work and even more work to have a backup key and then having to store it in a separate place. Not sure it's worth all the effort. I think I'll stick with 2fa apps that can be backed up and are more convenient.
Easy: Delete that ridiculous app and get your life back. Spend time with the family. Mow the lawn. Volunteer at a food bank. Anything is better than wasting your life on FB.
I'm sure this is asked somewhere below, or you've been asked it before. What happens if you lose your keys. Or if they are stolen, destroyed in a fire/flood, etc.?
When I upgraded to the latest iPhone, my email app on the phone requested the YubiKey. I plugged it into the usb c slot, but the phone could not recognize it; nothing happened. The backup (nfc) also did not work. These same keys work on my computer. I had to uninstall the security and remove the keys from my email in order to get the app to run on my phone. Is there an issue with compatibility between iPhones and YubiKey?
Hi Josh- Great info as usual. But I have not been able to get Amazon to let me set up a key, even though their cloud services (AWS) do allow it. Any idea on how to lock down an Amazon account with a Yubikey? Thanks fopr all your content.
Same thing I realised can't use the hardware yubikey as 2FA however, a workaround can be using the yubikey authenticator for the time being if it's not too much trouble for you I guess.
Congratulations for the channel, I have always been very attentive to the issue of security, but over time I see that the classic 2FA apps are less and less secure, and therefore I am trying to familiarize myself with the concepts of Passkey and hardware key (e.g. YubiKey), but I'm still a bit confused, so I wanted to ask you two questions: 1) If I steal your YubiKey, I still won't be able to access your accounts, because it only works as 2FA, right? given that you must always enter your email and password as the first level of security. 2) I saw that to create a Passkey you need hardware on which credentials are automatically saved, but can I also save Passkeys inside a hardware key (e.g. YubiKey)? Thanks so much in advance
It's possible to also add a PIN number to unlock the physical YubiKey before it will work. In the case of using Passkeys on the YubiKey, a PIN is required for that category of security on the physical key itself. So, yeah, you would have to have in your possession the Login Name, Password, Physical Yubikey, Possibly the correct authenticator app and possibly the PIN Number of the YubiKey itself to actually be able to login to one of your accounts. Sounds pretty darn secure to me.
Can you answer this question please.. If I'm using Bitwarden, and have 2FA running on it too(on bitwarden), but only way to access my Bitwarden is having my yubikey, is this safe? Or do you recommend not having 2FA's on Bitwarden in general?
@@AllThingsSecured Finally! someone answers! Thank you! I wasn't sure if keeping everything in one nest was safe(which i get it isn't) but i had assumed having physical keys would make it safe, just wanted confirmation from someone who knows, Thank you! :)
That's how my BitWarden account is set up. I also had BW remember one of my Yubikeys with my home laptop, that way it doesn't ask me for my Yubikey. I only use my Yubikeys when I use a computer outside my home (ie work computer).
If I don’t have my key and I want to get into something, does it usually allow for a back up like using a password or an app. If so, then I guess it’s not secure because anybody else could guess the password and get in that way as well?
So I could use the key as a 2FA app! I recently had my Phone die and I had a lot of stress getting my 2FA app back running and gain Access to my stuff again. Does it mean, if my 2FA would be on a yubikey, I would never had that stress? How to change my 2FA app to the yubikey 2FA app?
The Yubikey isn't app. It's a physical device. The Yubikey is a 2FA (two-factor authentication) method. Your phone app (e.g.., Authy, Microsoft Authenticator, Google Authenticator, etc.) is also a 2FA method. So is getting an OTP (one-time password) delivered via SMS (text). In order to use any particular 2FA method, the web site or application you're wanting to use it with must support it. Some do not support Yubikeys as 2FA methods. Bottom line, it's all up to whomever developed the web site or application.
@@bobbybarnes1652 I thought I can replace the authy with yupi key and the yupi key app for OTP. When my Phone broke, I found out how helpless I was. It would been cool to have a yubikey 2FA app in the yupi key. This is how I understood it. Thank You
I just bought a backup and was trying to add it to my Google account but I don't have the option to add a backup anymore, I can use passkeys is it that?
@AllThingsSecured Is there any way to use Yubikey when encrypting an external drive (like a USB Drive) with Bitlocker? It looks like you can if you setup your Yubikey as a Smart Card but I'm having trouble getting it to work. I'm sure others would be very interested in this as well. Maybe the topic is worthy of a video??
Facebook gave the option to save the key to other devices suce as iPad or smartphone. I wasn't sure what to do about this so just saved it to the key. Could the other devices be used or should they have been used?
@@AllThingsSecured do these keys have expiry date? Do they fail ? What of they fail? Is there any option to recover accounts ? Let's just say both the keys failed, or stolen or something happened
As long as you have some kind of backup, you can always log in and remove a key. That’s one reason it’s important to name them if you can so you remember which one to remove.
@@erbalumkan369 They can't login to your accounts unless they have your login credentials (username/password) AND your Yubikey, so they can't delete anything. 2-factor authentication means they need TWO factors, not just one. ;) And you should have a backup key to get in to your accounts in case your main key is lost, stolen, or damaged.
@@AllThingsSecured No, a pin code for the key that has to be put in after the key is inserted. When the PIN is entered then the request is made to tap the key.
Bad idea... Any authentication tied to your mobile number means you don't really own or control it. YubiKeys allow you to own your authentication, and it's beyond the control of the phone company.
@@JM.TheComposer Many website logins do not support anything but a mobile passcode... thus keeping your cell phone account as secure as possible from SIM-jacking etc is critical... If your cell phone company supports it, you should use yubikey on your cell phone account MFA. Unfortunately most carriers do not support it.
they ask for your phone number, and you say "it is not ideal, but that's the way they do it" ???? WTF ???? you just lost any credibility you have ever gotten ... privacy and security is uncomfortable, if they ask for your phone number, you look for another provider.
Sorry to disappoint you. Sometimes you get stuck with a service and you have to use what they give you. Thankfully, Vanguard does allow you to remove your phone number after you set up two security keys.
Where else have you found your 2FA key to be most useful? Also, if you're not sure which Yubikey you should buy, I did a video explaining the differences that you can watch here: ua-cam.com/video/WDPFARHQKNo/v-deo.html
Hey Josh, I just bought a yubikey5 but realized only the bigger websites like google and Facebook use the fido2 standard. Steam, epic games, etc don’t have this implemented and my password manager (Bitwarden) doesn’t allow me to set up a yubikey without premium. Are there any more popular services that use this?
laptop?
You skipped the most crucial part for the Vanguard setup. Once you have multiple Yubikeys registered to your account, it will allow you to remove the SMS 2FA option.
YES! So glad you mentioned that. I didn't realize that was possible and I'm so glad to hear that.
I just did all this for Bank of America but it still offers me only sms auth to log in… I haven’t found anywhere I can delete that, the wrapper section now reads like it’s the yubikey only. Going to give them overnight in case they run some kind of early 2000’s chron job to reset that, but if that doesn’t work, it’s back into the suppor call queue 🙄
I was wondering about that as he was going throug the video. SIM swapping now making 2FA a high security risk and many organizations require it. Watching I was thinking what stops a SIM swapper from adding their own secutiy key. Trying to wrap my head around the security key to decide if it's the right choice for me. Now I am wondering if everybody allows to disable 2FA.
@@3weight Not sure Bank of America don't allow us to disable SMS either. Hopefully as time goes on passkeys will be the norm where sms is no longer needed.
@@Darkk6969 yeah, it’s so weird - the most important things I need to secure are my bank accounts and they don’t let me.
Your timing couldn't be better, my yubikey order is arriving tomorrow!
Awesome! Enjoy :)
It’s crazy how so many financial websites don’t give you any 2FA options besides SMS or security questions
I know. Thankfully, I think that’s changing little by little.
Or they do but you cannot remove SMS. so it’s there like a backdoor into your account.
I love your channel and am taking much of your advice. HOWEVER, there is one thing I have discovered regarding a company. The company does indeed support security keys but ONLY for logging in online. The same company does not support or allow security keys for their app. Further, they don’t allow you to restrict use of the app. So another person can download the app and get around the keys with only your password and cell phone 2FA. If you remove the cell phone and turn off 2FA, then it will require a security question. So you have to decide would you rather have a cell phone 2FA or security question for the app. Frankly, my solution was to not even use their app. But I still left the cell phone 2FA turned off. That way the security key is always the default, which is another get around. If you leave 2FA on, then it works around the key. I did not name the company for security reasons and because it does not matter. The lesson is to test the key and it if is not working, then it is competing with some other 2FA option or a passcode and those need to be removed or turned off. And you also need to test the app to make sure the keys work there too.
Your security is only as strong as your weakest form of 2FA, even if you’re using a security key.
@@AllThingsSecured Agreed but even if you do everything right you are always at the mercy of your vendor’s software. I did not name the company in my original post but I think now I was being overly cautious. It is Vanguard. They are like the security key poster child, but I quickly found it could not use the key on their app. I called and at first they too were shocked. That can’t be right. They researched and put me on hold and researched some more. Finally they conceded I was right and put in a request for an upgrade. That was a month ago. It might have been fixed by now. If so, then I am to thank apparently.
@@AllThingsSecured Unfortunately, that fact goes right over some people's heads ... :)
I have an unrelated question... I bought a couple of Yubikeys and I would like this to be my primary method of 2FA, however, some websites (eBay, PayPal, etc.) still keep your phone number as a method of 2FA, even after adding a Yubikey or authenticator app. What should I do when a website won't allow me to remove text messages 2FA?
Hopefully others answer, but to my knowledge the best you can make of this bad situation is to try to use a Google Voice number for SMS from a well protected google account. Far from ideal, and some services will not allow GV, but it is at least a number not subject to SIM card attacks.
@@myr3434 that is actually a good idea. I'll give it a shot
Yea, I like the previous answer here. You can use a virtual number (not your primary number) for the SMS. Also, for some services like PayPal, you can remove your phone number SMS authentication once you've set up both an authenticator app and a security key/passkey.
@@AllThingsSecured Thank you both for the responses. This was driving me crazy.
@@AllThingsSecuredooh! Please show us how to do this for iPhone 🙏🏻😃
Thanks for these videos. As an elevator service tech I found many of these sweeping out the bottom of the shaft and now I know what they were. My question is, if you have a backup key can you delete a lost or stolen key?
Yes, you can remove a key using either your primary or backup key.
@@AllThingsSecured Technically, one isn't a primary and the other a backup. They are, in essence, identical. You simply choose to physically carry one and use it while keeping the other in a secure location.
Banks are the worst. None of my banks have implemented 2FA using a Yubikey.
What happens if they security key brakes? You will loose everything?
They’re extremely durable, but that’s why I always have a backup key or keep my backup phrase in a safe place.
@@AllThingsSecured Have more than one key. Setup authenticator app. Lots of options.
@@AllThingsSecured Are you able to create a backup phrase equivalent to your Yubikey as a backup too?
10:26 I don't understand "I don't want to save that in one password".
You don't want to save what, the Yubikey 2FA numbers?
Thanks.
And which Yubi do most of you suggest for an average user?
Start with the cheapest one to try it. Just be aware not all keys support the Yubikey authentication app, so if you want this, you will need a higher key. I have two basic keys (5NFC) and a 1 x lightening key which does support the app as my primary key, the other two are my backups.
An important security/privacy question. For example you have two accounts both use the same YubiKey. Can the provider see that you have a same security key aka signature?
No. There would be no way to compare.
How would you compare the security of a UB key to the new pass keys?
Yubikeys are far stronger. Unless someone physically has your Yubikey, they can't use it. Passkeys are alternatives to passwords, but they can be copied and synced across devices. A Yubikey can not be copied.
Simple question and maybe just out of ignorance but what happens if some else gains access to the yubikey? Can they just plug it in and gain access to what’s on the key? That might be a good video.
they'd still need your password I guess?
Yes, they would still need your username and password. The idea of somebody trying to find and steal such a small key off of somebody hasn’t really been a thing, though.
@@AllThingsSecured Well unless you're watching a Hollywood feature film - lol!
are you using the same physical keys for all of these applications?
What happens if you loose your key device? Also where would you keep this device? On house keys, car keys? Its electronic which means it could break or fail. I am not sure on how tough this is.
Same question
Same question too
It is recommended to have multiple of these on each account, that way you have backups. One key for example you keep on you at all times (on your keychain). Then at least 1 more in a secure place at home, or even multiple in different places at your house for example. If you lose them you can unassign it on your accounts. I have two keys for me and two for my wife. 1 on each of our keychains, 2 in secure places. All of them can be used on our accounts so if we lose one, we are covered.
A video about using a yubikey to log into a Macbook would be great!
Thanks for the idea!
Is google titan key similar and will it work with most of the same sites ?
Yes and yes
Thank you for this. Have you done a similar video for passkeys? I have a modern Pixel phone that supposedly can be a passkey and I'm trying to find out if my Apple/icloud account can use my Pixel phone as a passkey (yes, I know, that's a stretch). Lastly can I use 1password as a passkey for an icloud account?
I haven't yet, but I'm considering it. And yes, I do believe that you can use 1Password as a passkey for any account that allows for passkeys.
@@AllThingsSecuredyes please for iPhone also
I believe Apple only allows passkeys from iCloud keychain and nothing else so far. That might change in the future but you can keep checking.
IN the Vangaurd example what if you log in via mobile app when the desktop it setup with the 2FA. Can you use Yubikey on the phone app?
Yes, you can. You either plug the key into your phone or take advantage of the NFC feature by tapping it on the back of the phone.
Can the same key be used for multiple platforms?
Yes
From your previous vid on password managers, which ones work with youbikey?
I use Youbikey with my BitWarden account.
I believe that all of them do? I know for sure 1Password, Bitwarden, Proton Pass and Dashlane do.
Question: I am trying to set up a YubiKey on my MacBook. The Mac's System Settings state that two of my devices are not compatible with the YubiKey and will be logged out. I am assuming this means I cannot use these devices on my account if I proceed... correct?
Josh--you are THE BEST!
So glad it was helpful!
Isn't this Yubikey limited to 25 key pairs / services though?
No. You can use the key on unlimited accounts as a key for 2FA. If you use the Authenticator codes feature from the 5 series, I think they limit you to 32.
@@AllThingsSecured Thanks! The FAQ on YubiKey tells: "FIDO2 - the YubiKey 5 can hold up to 25 resident keys in its FIDO2 application." What are "resident keys" then?
Would you recommend purchasing two identical YubiKeys or would it be better for the backup to be a different type than the primary YubiKey?
Why does saving the passkey in password manager making no sense?
If a Youbi key is used to secure an Apple account on a MacBook, is the same key required to log into an iPhone and iPad associated with the same Apple account, or only the original MacBook?
Using the 2FA codes on Yubikey, is it also possible to use it on 2 Yubikeys, one as a Backup?
The Yubikey look great! I bought a 5NFC, and the 5Ci on your recommendation. Tried multiple browsers including Chrome on both Windows desktop, and Android phone. Keep getting the "Something went wrong" Google error when trying to install them. This is becoming quite a time magnet (4 plus hours). Any suggestions? Can you point me to a possible solution?
Have you seen their tutorial? ua-cam.com/video/PeF0Y8pT7UQ/v-deo.htmlsi=cGwonFwu8x1Bl6o4
Thanks so much very helpful
Thanks again for your great video! I’m about to buy my first Yubikey 5. The problem is that I only have 2 USB C ports on my MacBook. While at home, I always use an USB C dongle to connect my 2nd screen and my other USB C port is used for my power cable. So basically I could only plug the Yubikey on my dongle via USB C or USB A port. My question is would that work?
Can two Yubikeys be used simultaneously from different locations logging into the same account? My daughter has my third Yubikey backup for everything(in case i get hit by a bus) but primarily she'll use it to get access to my Amazon account.
I believe it depends on the service, but in my experience yes, the keys can be used from different locations. Simultaneously? Depends on what the service allows.
Quick question, If I screw up adding a key to a website I have in 1password, (I accidentally told the site to trust this device) can I just delete that website from 1pass and start fresh with the keys... or start fresh w/ 1pass??
I can't find a video that you have done on Yubikey cloning. Apparently keys prior to 5.7 have a potential problem? That means anything prior to May 2024? It would be nice to see you cover this issue since I purchased keys on your recommendation.
I am notorious for losing small things. I understand that you can have a back up in a vault somewhere, but then it is not updated with recent changes in new logons. How do you deal with this? Also, do you still keep a password on these accounts? If so, then aren't they still vulnerable through that? Or do you rely ONLY on the key. I would be so afraid of losing it!
Great tutorial, pls explain Yubikey menager desktop app. pin and puk and certificate video would be good.
Thanks for the suggestion!
Same query @@AllThingsSecured bought 2 yubikeys (inspired by your vid) first one i used already and the other one is otw however I saw another vlogger recently where he set up his yubikey e.g. changed pin, PUK etc. Is it necessary to configure all this? Thanks man. Regards from Oz/NZ.🎉
Does this Key meet FIDO Fast identitiy Online standards
What are your thoughts on the bio series yubikeys? Doesn’t seem like you use or like them.
I tested them and I like them, but I prefer the 5 series. The Bio doesn't have NFC (making it difficult to use with my iPhone) and it doesn't store authenticator codes.
my family somtimes uses my laptop, if i add a key to sites (shopping that we all share) will i have to input my fingerprint whenever they want to us the sites/pay?
What’s going to happen to my Apple TV UA-cam app when I add a yubikey to my Google account?
The TV app will require authentication via your phone, so if your phone has been logged in with a security key, you won’t have a problem.
I am about to purchase new iPhone. I have security keys setup on current iPhone 14. Do I need to disable Current security keys to be able to setup/transfer data to new iPhone
Can I use an International Mobile number not living in the US
I noticed you said it was important NOT to save the key to 1Password. Could you please elaborate: Why is it important to NOT save the key to 1Password?
If I am allowed to view only 32 codes at a time on the mobile app and if I want to view the 33rd code then how to access it on the phone without actually deleting the code from the yubikey but only hiding it and viewing the 33rd code on the app?
Thank you for these great videos. Can you help me understand why you did not choose the mini Yubikey for your laptop? I was thinking it would be so much less prone to getting knocked askew and/or lost or misplaced? Can you elaborate on your choice? Thanks for all your videos and info!
I do have the mini that I keep in my laptop. Most people opt for the 5 series or Security series, so I’m just showing those in the video. It all works the same.
@@AllThingsSecured Thank you for your reply. Since that resolves the last question I had before making my choices, could you please confirm which links are your current links to enable me to place my orders with the no-cost commission to you?
Sorry for the late reply. I appreciate your desire to support. At this point it’s best to just go to their website or Amazon to purchase. No worries about commission 👍🏻
Security keys are great if you can find accounts that actually use these. Most accounts I have use mobile numbers and a few use an authentication app.
do you suggest using the same key across all these accounts or have different keys?
Same key for sure. But always have a backup.
The best procedure is setting the same accounts on both keys (unless a service only allow one key). Your second key will be a backup for the first one (so you need the same thing on both of them). This is my method.
What happens if I lose both keys, primary and back up?@@AllThingsSecured
Can you show us how to add this to a protonmail account? Apparently proton requires an authentication app...I was hoping not having to use google or microsoft authenticators.
Watching an install of Yubikey on an Iphone which checks for active devices by Apple ID; however, according to video since I have two older devices with older software that does not support Yubikey the work around is very time consuming to delete the Iphone Keys every time and reinstall....is there a work around to get the Yubikey to work on the older MACOS or mybe even windows software?
I’m not clear on all the details here, but using a YubiKey on older Macs is absolutely possible. Not sure why it’s not working for you, but I don’t think it’s the key + operating system.
Hey Josh, thank you for your great video. I just bought 2 keys and I am happy to set it up with your video. I have a technical question, your sound (voice) sounds really good. You connected your shure with a xlr cable, would you mind sharing, how you prosses the signal? Thank you in advance, Ludwig
Just wanted to share that iCloud for Windows doesn’t work with the Yubikeys.
Hmm, I didn't know that, but it seems that you're right. That's a shame.
Why are 2 keys needed?
Also this can be saved with Max 100 accounts only?
One can be put away in a safe place in case you lose the one you carry/use.
I'm confused. Why do I need two keys? I remember you mentioning that some websites require two keys. I'm guessing the primary key and the second one as a backup? So, if I have usernames and password saved on Brave or Google, will the key store it? I saw an article that Brave and Google can use YubiKeys. If my password is compromised, and I have a Yubikey, can the Yubikey still protect me while I change the password?
Correct. You have a primary (that you usually keep with you) and a backup (that you keep stored safely elsewhere in case something happens to the primary). The 2FA key is a second form of authentication beyond the passwords.
You don't use them together. You just set them both up, then keep one put away in a safe place. That way, if you damage or lose the one you carry with you, you can just grab the other one from the safe place and use it. Then, you can set up ANOTHER key and delete the damaged/lost key.
Hello, I wonder if you have experience that the key doesn’t work on (generating the code or unlocking) the opt work fine?
I haven’t had any problems with it yet.
The problem with setting this up is that a lot of sites keep SMS as a backup so you're not adding any security and can still be suseptible to Sim swaps. Plus it adds extra work and even more work to have a backup key and then having to store it in a separate place. Not sure it's worth all the effort. I think I'll stick with 2fa apps that can be backed up and are more convenient.
It's not worth the effort. Hardware keys don't work for anything important and they are way to hard to setup.
If you are on FB a lot on the iPhone is there a work around so you don’t have to have a yubi with you all the time?
Just log in once with the YubiKey on your phone and it won’t be required every day for login.
@@AllThingsSecured thank you!
Easy: Delete that ridiculous app and get your life back. Spend time with the family. Mow the lawn. Volunteer at a food bank. Anything is better than wasting your life on FB.
I'm sure this is asked somewhere below, or you've been asked it before. What happens if you lose your keys. Or if they are stolen, destroyed in a fire/flood, etc.?
You use the backup key that you bought and configured at the same time you bought and configured your main key.
Useful content as always Love all your videos sending love ❤
Thank you!!🙏
When I upgraded to the latest iPhone, my email app on the phone requested the YubiKey. I plugged it into the usb c slot, but the phone could not recognize it; nothing happened. The backup (nfc) also did not work. These same keys work on my computer. I had to uninstall the security and remove the keys from my email in order to get the app to run on my phone. Is there an issue with compatibility between iPhones and YubiKey?
I have used Yubikey 5C NFC keys on my iPhone 15 Pro without issue. No problem with the USB-C or NFC functionality.
There shouldn't be. It sound like something with the email provider (or app).
This is why I am skeptical of these keys.
Hi, in your exemple, you have four different websites and two Yubikeys for each one?? ... eight Yubikeys to have in total??
No, the same two keys (my primary and backup) can be used for an unlimited number of websites/accounts. You only need to purchase 2 keys.
Thank you for your answer.
Hi Josh- Great info as usual. But I have not been able to get Amazon to let me set up a key, even though their cloud services (AWS) do allow it. Any idea on how to lock down an Amazon account with a Yubikey? Thanks fopr all your content.
Neither Amazon or eBay allow account holders to set up HARDWARE YubiKeys as a method of 2FA.
@@azclaimjumper Thanks, just trying to confirm what I suspected.
Yup, Amazon doesn't allow it.
Yea, it's a shame, but Amazon doesn't let you lock down your account with a physical 2FA key...yet.
Same thing I realised can't use the hardware yubikey as 2FA however, a workaround can be using the yubikey authenticator for the time being if it's not too much trouble for you I guess.
Congratulations for the channel, I have always been very attentive to the issue of security, but over time I see that the classic 2FA apps are less and less secure, and therefore I am trying to familiarize myself with the concepts of Passkey and hardware key (e.g. YubiKey), but I'm still a bit confused, so I wanted to ask you two questions:
1) If I steal your YubiKey, I still won't be able to access your accounts, because it only works as 2FA, right? given that you must always enter your email and password as the first level of security.
2) I saw that to create a Passkey you need hardware on which credentials are automatically saved, but can I also save Passkeys inside a hardware key (e.g. YubiKey)?
Thanks so much in advance
It's possible to also add a PIN number to unlock the physical YubiKey before it will work. In the case of using Passkeys on the YubiKey, a PIN is required for that category of security on the physical key itself. So, yeah, you would have to have in your possession the Login Name, Password, Physical Yubikey, Possibly the correct authenticator app and possibly the PIN Number of the YubiKey itself to actually be able to login to one of your accounts. Sounds pretty darn secure to me.
Can you answer this question please.. If I'm using Bitwarden, and have 2FA running on it too(on bitwarden), but only way to access my Bitwarden is having my yubikey, is this safe? Or do you recommend not having 2FA's on Bitwarden in general?
Yes, using a physical 2FA key to lock your Bitwarden account is an excellent security measure.
@@AllThingsSecured Finally! someone answers! Thank you! I wasn't sure if keeping everything in one nest was safe(which i get it isn't) but i had assumed having physical keys would make it safe, just wanted confirmation from someone who knows, Thank you! :)
That's how my BitWarden account is set up. I also had BW remember one of my Yubikeys with my home laptop, that way it doesn't ask me for my Yubikey. I only use my Yubikeys when I use a computer outside my home (ie work computer).
@@manny7886 thank you! :)
If I don’t have my key and I want to get into something, does it usually allow for a back up like using a password or an app. If so, then I guess it’s not secure because anybody else could guess the password and get in that way as well?
Do you usually carry two car keys for the same care in case you misplace one? Same difference. You keep your backup key in a safe place.
Is it ok if I get a 5CNFC as my main unit but a 5 as a second?
Absolutely. Doesn’t have to be the same key.
and how i login in tablets android tv ect ect
So I could use the key as a 2FA app! I recently had my Phone die and I had a lot of stress getting my 2FA app back running and gain Access to my stuff again. Does it mean, if my 2FA would be on a yubikey, I would never had that stress? How to change my 2FA app to the yubikey 2FA app?
The Yubikey isn't app. It's a physical device. The Yubikey is a 2FA (two-factor authentication) method. Your phone app (e.g.., Authy, Microsoft Authenticator, Google Authenticator, etc.) is also a 2FA method. So is getting an OTP (one-time password) delivered via SMS (text). In order to use any particular 2FA method, the web site or application you're wanting to use it with must support it. Some do not support Yubikeys as 2FA methods. Bottom line, it's all up to whomever developed the web site or application.
@@bobbybarnes1652 I thought I can replace the authy with yupi key and the yupi key app for OTP. When my Phone broke, I found out how helpless I was. It would been cool to have a yubikey 2FA app in the yupi key. This is how I understood it. Thank You
can Google titan key do the same things???
Yes, it can.
Hello Mate! Thank you for the informative video. I was wondering how many accounts can be saved on a single Yubikey 5C NFC?
As many as you want
@@anthony9013 thank you Anthony! :)
Yup…it’s unlimited.
I just bought a backup and was trying to add it to my Google account but I don't have the option to add a backup anymore, I can use passkeys is it that?
No, you can add multiple 2FA security keys to your Google account.
@AllThingsSecured Is there any way to use Yubikey when encrypting an external drive (like a USB Drive) with Bitlocker? It looks like you can if you setup your Yubikey as a Smart Card but I'm having trouble getting it to work. I'm sure others would be very interested in this as well. Maybe the topic is worthy of a video??
Definitely worth some research because honestly, I don't know the answer to your question!
Facebook gave the option to save the key to other devices suce as iPad or smartphone. I wasn't sure what to do about this so just saved it to the key. Could the other devices be used or should they have been used?
This is a passkey. You can save this to a device or to your YubiKey. It’s up to you.
How to make a Backup Yubikey? Second one ? For same accounts ?
Yea, a backup key is nothing more than a second YubiKey that is setup in the same way as the first. You can’t copy keys.
@@AllThingsSecured thank you
@@AllThingsSecured do these keys have expiry date? Do they fail ? What of they fail? Is there any option to recover accounts ? Let's just say both the keys failed, or stolen or something happened
No expiry. I’ve never had one fail personally nor heard of that happening. Regardless, that’s what a backup is for.
@@AllThingsSecured thank you
What if you lose a key? How do you remove that key from all those accounts?
As long as you have some kind of backup, you can always log in and remove a key. That’s one reason it’s important to name them if you can so you remember which one to remove.
@@AllThingsSecured so if someone finds or steals your key and deletes all your other ones...
@@erbalumkan369In most cases, they still need your ID and password in addition to the YubiKey.
@@erbalumkan369 They can't login to your accounts unless they have your login credentials (username/password) AND your Yubikey, so they can't delete anything. 2-factor authentication means they need TWO factors, not just one. ;) And you should have a backup key to get in to your accounts in case your main key is lost, stolen, or damaged.
How do u delete Facebook?
Although Vanguard supports FIDO2, Fidelity does not. Guess what I did?
If the Facebook database is hacked, there is nothing that can secure your account, isn't that correct?
It’s not an end-to-end encryption for you as a user, no. But that’s true of pretty much every social media platform.
What about passwordless logins? Using the key just for 2FA is cumbersome, expensive and problematic(if u loose the key).
That’s why you need a good backup. Carrying around keys for your car is cumbersome too…
If you only secure your accounts when they are convenient, you're a hack waiting to happen.
if only ALL banks were required to have a key as an option
I know...hopefully someday!
No way you save your passwords on your browser? Why?
Browsers were made to browse the internet. They were not designed to encrypt a password vault. That’s my opinion.
@@AllThingsSecured what do you use to store your password?
Bitwarden @@n.g.l.
This won’t work if you are using a PC for iCloud…
They require a phone number? What's the point then? You can do without a yubikey
You can remove the phone number after multiple keys are setup.
Apple is asking for what password? Apple ID, or computer password?
I wish Apple could allow to disable the “trusted device” authentication and just use the yubico key.
Can TWO Yubikeys have the same name?
It depends on the service. The YubiKeys themselves aren’t named.
Vanguard had me give each key a PIN code. Anybody else run into this?
A PIN code through your phone number? I only had that at the start of the process.
@@AllThingsSecured No, a pin code for the key that has to be put in after the key is inserted. When the PIN is entered then the request is made to tap the key.
Just for the record: One Password was hacked in the Past. So for someone who preaches security you should know better
You are incorrect. LastPass was hacked. 1Password has not.
Your cell phone account login if supported by the carrier!
What?
Bad idea... Any authentication tied to your mobile number means you don't really own or control it. YubiKeys allow you to own your authentication, and it's beyond the control of the phone company.
@@JM.TheComposer Many website logins do not support anything but a mobile passcode... thus keeping your cell phone account as secure as possible from SIM-jacking etc is critical... If your cell phone company supports it, you should use yubikey on your cell phone account MFA. Unfortunately most carriers do not support it.
This is a mess. going back to the 80's.
How so?
Who thinks think again that his real name is josh 😂😂
You'll never know...
so this yubikey tool requires a vanguard account. oh plz, cut this ssh&*te
they ask for your phone number, and you say "it is not ideal, but that's the way they do it" ???? WTF ???? you just lost any credibility you have ever gotten ... privacy and security is uncomfortable, if they ask for your phone number, you look for another provider.
Sorry to disappoint you. Sometimes you get stuck with a service and you have to use what they give you. Thankfully, Vanguard does allow you to remove your phone number after you set up two security keys.