I've recently been researching U2F and FIDO key 2FA solutions, including getting FIDO2 key and starting to use it last week. This was the most direct and useful explanation of what the protocol is and how to utilize it that I've yet found, so THANK YOU! The confirmation that FIDO is a ubiquitously supported open standard under the purview of the W3C was especially reassuring!
I'm carrying an elder Yubikey for approximately 10 years on my keychain with no problems. So I would say, these things are really durable. I can't say anything about other brands.
Starting to roll these out for AAD and WHfB at work. Very cool stuff. Our users will love this vs. TOTP or number matching with push notifications. Still learning the differences between FIDO2 pwdless and smart card auth. More reading to do :)
In Australia, the Australian Tax Office uses push notifications for 2FA. If it's a new device without previous history of login to the account, the push notification has a 2FA code, if it's an existing device previously authenticated, it's an "approve / deny" push notification
Yes and no, FIDO2 is an extension of FIDO to allow it to be the only authentication method for "passwordless login", I prefer actually having 2 factors.
They'll only do it once regulators require it. Majority of financial institutions implement new security protocols only when an auditor or regulator threatens them. Speaking from experience having worked in IT for financial institutions.
In many parts of Europe, banks and institutions require their specific app to do anything, which is a PITA as they suck. they should be forced to allow hardware tokens
You bother ti check with your institution? Bother to check any institution? Yes I'm talking down to you because many institutions have supported tokens for years.
Duo also supports YubiKeys, you don't have to use their app and push. That means they can bring YubiKey functionality to all SSO (SAML and OIDC) as well as workstations, VPNs etc even if they don't natively support them. You can also set policies up to select which apps require only a YubiKey and which ones can use push. This also gives the IT team the ability to fall back to push/bypass for users that do lose their key, and central management where they can disable a lost key on all accounts.
Yubikeys are great! I think the most pressing matter for Identity Security is what to do when the threat is already inside. I recommend looking into products that can prevent the threat from lateral movement and minimize blast radius. A product called Silverfort can protect organizations from that, especially on legacy apps and on-prem solutions that don't support FIDO2 (Silverfort can extend your FIDO key usage).
I much prefer the TOTP over pushed notification. I find it more convenient, less intrusive and more secure. I've been wanting a yubikey since the first one came out, but that was always a big budget for a key that only a dozen of the sites I use support. I wished my company would switch to something like that, but they wont, even though I keep nagging them about it (and other security improvement for their infrastructure). Some day i might ask for a transfer to the IT department and implement those myself, who knows...
Something I didn't know until recently, is that even if the Fido key is duplicated, there is a counter added to it. If the counter doesn't match expectations, the authentication fails, and the key is voided for that site.
I really hope this does get widely adopted, and I've been pushing it for a few years now. In Canada it's very common to use SMS messages for MFA, but because of phone number porting laws (designed to make it easier for consumers to switch providers), it is somewhat trivial to steal someone's phone number (SIM swapping attack). Yet most banks and other large institutions here continue to only support SMS as a MFA method.
CIBC supports using their app to receive a push notification to approve a logon. But I’ve been locked out when the stupid app wasn’t processing the push notifications properly or the backend was messed up.
That is horrible. They should make you bring proper photo and other forms of government issued ID with you and make you come and do it in person. Really It should be a law that they must provide options for Yubikey and FIDO authentication.
You can control Fido key registration through an IDM solution like Microsoft or OKTA from an IT level, so you can issue keys to employees from the security team side of things.
I bought a Fido key & had it for well over 1 year & didn't start using it because I thought it would be difficult to setup. I was wrong! Easy to setup & use plus no I have the peace of mind of 2FA 😀
Helpful information! Maybe do a video on a breakdown of FIDO and U2F, as it's a common confusion point for people. One being a protocol, and one being the implementation of the protocol.
Currently I use KeepassXC's TOTP feature as it's easy to click on it to provide the code. Plus I can sync the database to my NextCloud as backup. I'll be looking into FIDO2 compatible keys to see how well it works with KeePassXC.
UPDATE: Latest version of KeePassXC now offer Passkeys which provides the same function as the FIDO2 key. The plugin for the browser is not enabled by default.
I'll switch only when recovery key can be issued along original that is able to disable original and take its function without reconfiguring every website (plus issuing new recovery key in the process)
Seems like the banking industry only uses email or SMS 2FA. Can't use Yubi or Trust at any institution handling your 401, savings or checking accounts. Wonder if this will change anytime soon?
What's the opinion on Microsoft's authenticator? It uses push, but also asks you to select the number which is displayed on screen at logon - still not fool proof, but helps avoid inadvertent 'allow' taps. I would love to have physical keys, though they can still be costly 😬
Why use push at all if you need to read off one device and type into the other? Just TOTP. Oh, and my yubikey as well as fido is storing my TOTP tokens.
My issue with the MS authenticator and the Google authenticator, is they can withdraw the app/service and then you are stuffed I'd rather have the total control myself, in a Yubikey
I haven't read about the full implementation details of Apple Passkey yet... But I'm going to guess that Apple turns it from a wonderful Passwordless Utopia into an Apple 'Walled Garden' ™ so that the only way to use it is on Apple devices (no export/integration/whatever the correct term!)
@@DerekGreen123 per my review - its just WebAuthN w/ FIDO2 via TouchID/FaceID - so pretty much using the Secure Enclave like the USB key. I think it will be a good thing because it will make customers want it - Apple has a way of steering consumer demand a lot more than many other companies.
1:32 - one way to stop notifications on android is to force stop the mfa application itself. can't push notifications is the app itself isn't even running in the background. :D
I love my FIDO key, because it has the TOTP codes and FIDO2. I wear my key on a necklace that I pretty much never take off. I can use it on my iPhone XS with NFC, my PC with the USB, and have all my codes and authentication there. Plus, Apple now has their Passkey, which I'm pretty sure is just Apple branded FIDO2. Once Apple does something, it becomes a universal. Give it a couple years, and most main-stream sites I imagine will have at least partial support for FIDO2 passwordless authentication. Microsoft already has this, and it's genuinely handy.
The thing I don't like about these keys is that I use multiple machines at different times throughout the day in geographically different places. If I "forget" a key at home, and go to work, I'm turning around to have to get it. If I'm at home, upstairs, and my key is downstairs, then well, guess I'm moving my butt to get it. I'd either need a key for each machine, or, move the key around to each machine which starts to give to physical fatigue of the port and keys. Also, one of my laptops has a limited number of USB ports, so I'd have to unplug the keyboard or mouse to use it, or get a hub which is just more garbage to haul around and keep track of. (I'm generally not a fan of laptop keyboards due to their size and positioning of the keys, or, lack of keys (Numpad)) Keeping the key with the machine itself, if you lose the machine and the key, then what? Just to "touch" the device isn't enough. Fingerprint recognition on top of just a touch would be much more of an asset, but again, because of geographical differences at any point in time still kind of gets me in the "not subscribed to the idea" feeling. If this were to be something to be had on my phone, which goes with me everywhere, hard to misplace or drop and eliminates physical fatigue, then I'm in. If what I need to "log into" is sufficiently separated from what my phone would need to authenticate for, that's fine by me (IE: The phone only answers to requests from external access, but, doesn't have any knowledge or ever has been to what is making the request for login). If I'm being hammered by authentication fatigue, and I'm not making the requests, I stop the notifications from showing up on my phone for a period of time, or, I go and start resetting passwords so 2FA doesn't get to me.
and never mind the problem of adapters because laptops now only have usb-c ports. In general the idea of having your users carry a physical thing is just not going to work.
I don't see myself using these kinds of thingamabobs. I don't want to carry even more stuff around with me, I don't want to have to manage multiple physical sticks and I don't want even more small items that are easy to misplace and/or accidentally drop somewhere. It's a good point about the push notifications, but none of the services I use do that, so it's not an issue for me.
It's this and also "Passkeys" that are going to use your iPhone's secure enclave, or other type security hardware on device to use your already built in TouchID / FaceID / Windows Hello that prove that you are you. We are moving towards a passwordless future as a whole.
Yubico has TOTP as well in its newer keys so I use that as well. I don't do push notifications because of the inherent tracking built in to the apps especially Googles app. I use a hardware password manager, Mooltipass, that includes Fido2 and TOTP for one stop login. Backups are essential so that is a downside.
The Mooltipass looks cool but I can't tell from their web site how the user is expect to carry their smartcard as it doesn't appear to have a hole for attaching a keychain or lanyard. Do you keep yours in your wallet?
it's worth mentioning that all modern smartphones support webauthn and authenticate users with their fingerprint or face id, which removes the need for the vast majority of people to purchase additional hardware
The Rube Goldberg machine marches on lol. This system isn't going to fly with most normal people. Already picturing getting multiple calls a week "hey I lost that USB thingy you gave me and I cant sign in anymore.....". Honestly would be better to just make it so the system cant send more than 1 push notification in a 10-20 minute period and make it so users have to unlock their phone and actually look at the request before being able to hit yes. If you think the people that cant even handle having a unique password for every service can handle not losing their magic USB stick, IDK man.
Companies that aren't using WebAuthn are asking for trouble. The SMS codes can be an option for the uninformed but WebAuthn should be standard. It annoys me to no end that one of my CC banks doesn't have any 2FA options. My password for that service is over 100 characters to avoid being hacked.
the compamy i work at has decided that all users that have admin rights in our man program suite has to use a yubikey for autentication. all other users must atleast use a push notification style authenticator, but if they want and ask for a yubikey they can have one. i fond this a good compromise. i have already recieved my yubikey and im happy with it so far.
As an IT Manager, I'm currently struggling getting staff to buy into just MFA. I have total buy in from Sr. Management, but even then some staff refuse to take part. I need a good strategy on how to get staff to buy into FIDO (which I and my whole IT team use), but its more challenging than it sounds.
I just turned it on for everyone (management approved). The users that phone the helpdesk relentlessly because they can't log in? Too bad, get with the times.
@@adamzan7 that's what I did. Guess what? You want a job? You're gonna MFA like everyone else here. If you have that buy in from management you're good to go. Surprised to hear Northern-Light's IT doesn't want to use it? What IT guy out there worth his salt doesn't do this in these times? What rock do they think they can work under and not have to MFA anymore?
If they refuse to use MFA, that means they can't do their job. Fire them. I've worked at a large company that rolled out waves of MFA. You don't get a choice. The systems enforce the requirement, and eventually, if you want to be able to do simple things like read your email, you need to have gone thru an MFA enrollment.
What about this compared to something like Trusona? That sign on method makes sense to me and I like It as it doesn't require additional hardware. If you are familiar with Trusona, how does the security compare? Probably not a simple answer, sorry. I'm on board for more security, I wish something would get widely adopted soon.
There is a legal consideration that hasn't been addressed. The courts have rules that any device protected by a biometric is equivalent to a physical key. Authorities can compel access without your permission - including forcing your thumb on the sensor. Devices protected by a pass code - somethng stored in your brain - a person cannot be forced to reveal the access code, unlike your fingerprint, due to your 5th Amendment constitutional right not to self incriminate. FIDO appears to open the door to unlimited government intrusion into data you thought was strongly protected. Please work with the Electronic Frontier Foundation or other privacy groups to change this legal differentiation.
1 - IF there is a flaw within the firmware/protocols (there will be, nothing is perfect) you would need to replace millions of those devices, with the cost and it takes time 2 - Replacement for failed devices Software solutions are always better because of their flexibility, besides (some of) the code could be peer reviewed. Nonetheless I do like the Yubikey/Trustkey, security benefits afterall.
More complexity, more training, more user error, more time involved in access, more time involved in support and diagnosis, more people involved just to do something simple... This, just like MFA, is just adding more to the nightmare that is being an IT tech. Most end-users can't even manage clicking a button when their authenticator app pops up showing a code or just asking for approval. They'll look you dead in the eye and say they never saw something pop up, or that they have no app (that they have used daily for years). And new clients, forget it. I had to do 7 layers deep of account recovery and MFA enabling recently just for one new client to finally setup their Outlook on a new laptop. It's getting to be impossible to function, as an end-user but especially as their support. It's not sustainable nor effective to just keep adding layers of authentication, especially when the primary vector of attack is user error. Taking it all away would be less secure, sure. Just the same as removing people's access to cars would prevent car wrecks. There's a point where ability to function is hampered too much in order to boost security, and MFA is already itself too far beyond that point for most people. Heavy duty MFA, Fido2, etc to access your crypto key device that had its own multi layered security, sure... But all that just to access Microsoft Word, some video streaming service (which is where it's all headed), or to help end-users as a support tech? It's f*cking bonkers.
Man, you click your own device which supports fido2 (i.e. iphone or windows) and it uses a key per domain, you do it everytime you log in, no text or pop-ups required
Can you explain why some security keys work on U2F and WebAuthn sites but not on FIDO2 sites? eg. KeepKey for example works on most U2F sites but it won't work on say ebay which uses FIDO2. What is the implementation missing that prevents it from functioning on sites using FIDO2?
Some thoughts: (1) you can 3d print enclosures to help keep these from getting too banged up on a keychain, there are designs on thingiverse and printables already; (2) I don't understand how MS hasn't implemented FIDO2 over RDP yet (AFAIK); (3) it's frustrating that more modern sites like Paypal only allow a single hardware token and less-modern sites like most financial institutions don't support them at all; (4) also frustrating how many sites require you to have a less-secure second method of authentication, totally degrading the security hardware tokens provide. I want FIDO2 and only FIDO2 and I don't want sms OTP but some sites don't allow that.
What happens if you have a VPN? Is this for logging into my desktop, notebook, and so on? I have been hacked, ransomware attacked, particularly anything that might be considered banking. Do you have to install an app on your computer? I have to stop this disruption from attacking my finances! They don't even care if you are a senior citizen (in fact they target seniors).
Windows Hello, Android and now the iPhone and MacOS have this built in. Users do not need keys. FIDO now supports multi device key sharing. Apple implemented it Google and Microsoft should have it soon. Even with slightly less security guarantees they are better than most current MFA solutions. Also the operating system keys are 2FA by default. They are an authorized device and a biometric or a pin.
Is there any good reason to have super strong authentication security on Wordpress... as every few months there will be another huge security hole allowing it to be compromised? /s 😝
@@DerekGreen123 The core Wordpress installation has had few if any CVEs that don’t require a user account on the site to exploit since late in version 4’s development cycle. Given the current lack of “drive by” exploits, securing the user login significantly increases the security of an up to date Wordpress site. Moving to PHP-FPM instead of mod_php has also helped significantly as well.
Great vid. Frustrating how difficult it is to have multiple keys on some services. Or even swapping to jus the key and not a Google or MS app as well without disabling MFA.
Using google account here. Already have 2 step set up for my Authenticator app. When going to add a security key it asks to enable passkeys. Why is this the only option?
@@LAWRENCESYSTEMS Looks like you found a topic for another video? ;) I'd never heard about this before and I suspect I'm not the only one, but looking into it, the idea does seem pretty neat.
Tom you should check out what we are doing over at Beyond Identity. I talk about some of it on my channel as well. Private key should not move. Security keys are a hassle to admins and users. There are better solutions out there.
I really love this tech but the problem is usability. I have a older low-end Android smartphone that has no NFC or similar (the only external connection is a single micro-USB for charging). How would I use one of these keys to log into my bank on my phone?
If you can't/aren't willing to part with our phone (which I would suggest at one point to make life easiest). I would look into an authenticator app if your bank supports it. Isn't as good but still strong
@Zachary I don't have the money for a new phone. Not that it matters since my bank doesn't actually support 2FA at all, I was more commenting on the fact that there are many instances when using this tech might not be possible and therefore it isn't the magic bullet answer for hacking/phishing/etc.
My boss doesn't think we need FIDO2 since we have AAD and SSO for most everything with Conditional Access policies to restrict access to AAD-joined devices only. I tried making the zero trust argument and benefits of FIDO2 vs TOTP or Duo push, no dice...
Is there a software emulation of a FIDO2 "key"? Seems like there could (should) be... I recently uninstalled the okta authenticator. I switched to using TOTP codes (such as generated by google auth instead). I have not yet accidentally clicked "yes it was me" in response to an okta notification, but it would be easy to do. I'd rather deal with the 6 digit codes.
My only complaint is it assumes the user has affordable access to secure hardware tokens. The technology can't really scale until products like Yubikey are as cheap and common as average USB.
It can be safe with a phone. The national electronic ID in my country (a specific app/program, that you can only get by authentication through a bank, since they have the strongest security already), will show a QR code on the screen, and you will have to use the phones camera to show that you login on the system you claim you are using. To make it even more secure, banks and other sites that need the best security, have started using rolling QR codes (the QR code changes every second). In other words: 1. You have to open a bank account in person. 2. You have to access the bank with a 2 factor identification device (You log in to the bank, you login to the device, you get a code from the site, you type it in to the device, you get a code from the device that you type in to the site. And even these devices is being replaced with models with cameras and QR code systems). 3. In the banks site, you chooses to get a digital ID. You sign the ID with the method mentioned above. 4. Now you have an ID that you can login to and authenticate, that you are who you claim you are. Obviously if you get promted to authenticate something, that isn't correct, you can't. Because you will not have access to a QR code (besides, you should never be prompted to authenticate, unless you initialized a login to a site/service, in the first place). The digital ID expires every few years, but you can login to the bank and block it at any time and get a new one, if you forget your password or you think that you have been compromised, or you get a new device (phone, tablet, computer). Forgot to mention, that another way that this is used, is to identify yourself in phone conversations (to prevent social engineering). You will call a company or government agency and they will send a signal to you Digital ID, and you will have to authenticate before you will be allowed to have a conversation with them. That way, they know that you are who you claim you are.
I just don't see what the benefit is versus using TOTP - I hear about it being more convenient, but I literally just have to tap my finger on my phone then open my TOTP app. It takes me and extra 3 seconds compared to a key... and I'm far less likely to lose my phone. Is there something I am missing / not getting?
plus if I use say LastPass Authenticator or Authy - I can just have the app on another device in case I do lose my phone. My phone itself is finger and PIN protected as is my backup device. Obviously if someone cracks my cloud credentials I'm stuffed but they'd need my fingerprint and phone PIN to do that anyway... If they can get in there, they can get my USB Key as well...
Something that's surpringly not adressed in your video is that having for instance TOTP as a backup to FIDO2 authentication will be more convenient but less secure, as it removes all the security benefits of using FIDO.
still have rsa key fobs for some access however most companies have moved away. curious how you plug this into a mobile device and authenticate - noting that self authentication on a mobile is well almost useless.
I would really like to see a smartcard with most of the functionality of a Yubikey. I don't want to carry a dongle on my keychain, but I could add another card to my wallet. As long as it has NFC to work with my phone, that would cover most day to day use, and I don't mind buying a smartcard reader for my PC if the tradeoff is an easier to carry form factor.
I don’t know which version of the spec they support but there are some JavaCard apps that implement FIDO 1 or 2. Though provisioning them is a huge pain in the backside.
@@JamesRouzier unless I'm missing something, it looks like it's still a dongle form factor. I'm looking for a card form factor to fit in my wallet. I guess I could make something card sized with a cutout for a dongle, but it would be as thick as three or four standard cards.
Not sure I like the idea of the authentication request to be tied to a host. If I have a replacement host then I will never get that authentication request and I am then locked out.
Meanwhile in norway they decided to redo our most used auth system from a sim card application to a push based phone app... And not support anything else.
Disclaimer: I don't know and genuinely wonder... What about race conditions? If I have access to the computer the key is used in, and my background software is trying to login on another service with their credentials at the same time? I know it is more "ifs", but a virus-ish could dump your bitwarden database every day if they only got your username and password once, as long as they time the blink with another login (like a VPN connecting) that could make the user not think twice.
I turned the notifications for 2FA off, they are just silent. When I want to login, I start the app. But I've never had event when I would receive notifications - not that interesting target :)
Hi Tom, great video. How would you support this as an MSP? Is there a one ring to rule them all in the spec? Seems great for an individual what about support as a MSP?
@@LAWRENCESYSTEMS yes, but what happens when they become standard? How would / could you support this as a business for an end user if this was their default auth?
TOTP authenticators for 2FA like Google Authenticator are a rolling number generator., which i use everywhere that allows them. they're inconvenient but secure. UB or FIDO will be my next upgrade.
i would say - if you not login anywhere and see the auth request - its a flag that someone trying to hack you. is there idiot who press yes if he is not the one who login?
I use Yubikeys and Windows Hello. My opinion is that Windows Hello is the way to go (IR Cameras specifically but a high end fingerprint scanner can work too).
that doesn't solve the problem first explained, it just silences it (meaning someone could still spam it enough to make you touch it at the wrong nime, ie: trying to log in yourself, and auth them by accident)... a cooldown in requests per machine would solve both problems...
As far as I understood from the video, with the FIDO2 standard there's almost no chance someone else can submit a challenge notification to your device - and this is the difference.
Do rhe trust key or thetis key "update"/ "phone home" like yubico does? I don't trust that. They shouldn't need to if they gave the fido algo installed so its nefarious. Anyone examine the packets they send even or everyone just "trust?"
Why would someone NOT raise an alarm if their phone gets a push and they are NOT the one logging in!? 😯 Maybe that's part of the reason there are beaches. 🤦🏻♂️🤣
We’ve used micro USB-C keys for a while 5 years and for devices with multiple USB-C ports we ad a tiny drop mild glue to make it stick. 2000+ keys and zero lost. The full size keys we use a wire loop with a pressed closed clamp on a quality key ring and users don’t mind because we gave them something else, we social engineered them to carry the key on their house/car keys
The biggest down side of these keys, is that most website only allow to you to associate a single key. I have 4 systems I often use for my work, I a PC at home and work, I have a phone and a laptop for emergencies. Keeping your fido key at you at all times is very hard. If you forget it and you need instant access to a system because there is a major issue, you can't do anything. I rather get hacked than loose a client because I couldn't solve a simple issue because I was unable to locate my fido key. We all know that emergencies don't have a 9-5 jobs...
Most people become preteens when it comes to security. I'd put TOTP mandatory for every service and please... PLEASEEEEEE.... stop asking a cellphone number in the way (especially in a Workspace owned domain)
i love and hate yubikey its honestly super easy to lose and having it in the pocket can trigger NFC on my phone if i forget to lock it, on other hand they are much more convinient then TOTP on phones. i hope we could reliably achive same thing with phones or a component of phones as we tend to have them on us, push notifications for auth are generaly bad but i think microsoft does them well with pick one of 3 numbers system, imo its good alternative for general consumer better then nothing but not as annoying and complicated as TOTP
Windows 10, iOS 14, and some recent version of Android and OS X all support acting as a FIDO key. However they only support the built in authenticator role. None of the computer side operating systems support FIDO over Bluetooth LE. Get that working or more NFC readers in computers and a phone could function as a roaming authenticator. Roaming Authenticators are the NFC, Bluetooth, or USB dongles per FIDO spec. Built In Authenticators are provided by the host operating system per FIDO spec.
I've recently been researching U2F and FIDO key 2FA solutions, including getting FIDO2 key and starting to use it last week. This was the most direct and useful explanation of what the protocol is and how to utilize it that I've yet found, so THANK YOU! The confirmation that FIDO is a ubiquitously supported open standard under the purview of the W3C was especially reassuring!
I love my Yubikey"s, my big complaint companies don't have the options to use them. There still stuck in the past with sms or push
I'm carrying an elder Yubikey for approximately 10 years on my keychain with no problems. So I would say, these things are really durable. I can't say anything about other brands.
That is a really good key if it lasted that long.
Impressive. Do you have a backup Yubikey too and register that too?
Starting to roll these out for AAD and WHfB at work. Very cool stuff. Our users will love this vs. TOTP or number matching with push notifications. Still learning the differences between FIDO2 pwdless and smart card auth. More reading to do :)
In Australia, the Australian Tax Office uses push notifications for 2FA. If it's a new device without previous history of login to the account, the push notification has a 2FA code, if it's an existing device previously authenticated, it's an "approve / deny" push notification
Bought 2 yubikey 5 nfc's after your's and Jay's videos about them... Been very happy with them.
Appreciate the content! FIDO U2F is consider legacy. FIDO2 is the newest and I believe is what you are referring to.
Oops, I think you're correct, I will fix the title
Yes and no, FIDO2 is an extension of FIDO to allow it to be the only authentication method for "passwordless login", I prefer actually having 2 factors.
@@EwanMarshall FIDO2 still requires a PIN from my experience. I haven't used the biometric Yubikey so not sure if that one also requires a PIN.
I sure hope more banks start widely implementing them
They'll only do it once regulators require it. Majority of financial institutions implement new security protocols only when an auditor or regulator threatens them. Speaking from experience having worked in IT for financial institutions.
In many parts of Europe, banks and institutions require their specific app to do anything, which is a PITA as they suck. they should be forced to allow hardware tokens
I find it very frustrating that most financial institutions either do not support 2FA or only support sms based 2FA.
You bother ti check with your institution? Bother to check any institution? Yes I'm talking down to you because many institutions have supported tokens for years.
@@ShainAndrews yes tokens but not FIDO2 , only a couple mayor banks that i know do it
Btw U2F generally refers to the 1.0 spec, it was superceeded by fido2 and finally by the passkey name
superseded*
Duo also supports YubiKeys, you don't have to use their app and push.
That means they can bring YubiKey functionality to all SSO (SAML and OIDC) as well as workstations, VPNs etc even if they don't natively support them.
You can also set policies up to select which apps require only a YubiKey and which ones can use push.
This also gives the IT team the ability to fall back to push/bypass for users that do lose their key, and central management where they can disable a lost key on all accounts.
Yubikeys are great! I think the most pressing matter for Identity Security is what to do when the threat is already inside. I recommend looking into products that can prevent the threat from lateral movement and minimize blast radius. A product called Silverfort can protect organizations from that, especially on legacy apps and on-prem solutions that don't support FIDO2 (Silverfort can extend your FIDO key usage).
I much prefer the TOTP over pushed notification. I find it more convenient, less intrusive and more secure.
I've been wanting a yubikey since the first one came out, but that was always a big budget for a key that only a dozen of the sites I use support. I wished my company would switch to something like that, but they wont, even though I keep nagging them about it (and other security improvement for their infrastructure). Some day i might ask for a transfer to the IT department and implement those myself, who knows...
Something I didn't know until recently, is that even if the Fido key is duplicated, there is a counter added to it. If the counter doesn't match expectations, the authentication fails, and the key is voided for that site.
I think this is an optional feature. Not all authenticators (i.e. cheap ones) support this.
I really hope this does get widely adopted, and I've been pushing it for a few years now. In Canada it's very common to use SMS messages for MFA, but because of phone number porting laws (designed to make it easier for consumers to switch providers), it is somewhat trivial to steal someone's phone number (SIM swapping attack). Yet most banks and other large institutions here continue to only support SMS as a MFA method.
CIBC supports using their app to receive a push notification to approve a logon. But I’ve been locked out when the stupid app wasn’t processing the push notifications properly or the backend was messed up.
That is horrible. They should make you bring proper photo and other forms of government issued ID with you and make you come and do it in person. Really It should be a law that they must provide options for Yubikey and FIDO authentication.
Is the USA the same? I would happily give up the convenience of easy swapping for extra security.
You can control Fido key registration through an IDM solution like Microsoft or OKTA from an IT level, so you can issue keys to employees from the security team side of things.
Can the same be done on Google Workspace?
I bought a Fido key & had it for well over 1 year & didn't start using it because I thought it would be difficult to setup. I was wrong! Easy to setup & use plus no I have the peace of mind of 2FA 😀
Actually everyone need two of them for recovery. Lose/brake one and you are in trouble.
Helpful information! Maybe do a video on a breakdown of FIDO and U2F, as it's a common confusion point for people. One being a protocol, and one being the implementation of the protocol.
Agreed, I was speaking about FIDO2 to other week when the UBER breach happened- MFA MiTM efforts and how FIDO2 would have helped.
Ive had yubikeys for several years, one on my keys and one in a safe place, they are very convenient to use and I have seen support growing over time
Currently I use KeepassXC's TOTP feature as it's easy to click on it to provide the code. Plus I can sync the database to my NextCloud as backup. I'll be looking into FIDO2 compatible keys to see how well it works with KeePassXC.
UPDATE: Latest version of KeePassXC now offer Passkeys which provides the same function as the FIDO2 key. The plugin for the browser is not enabled by default.
I'll switch only when recovery key can be issued along original that is able to disable original and take its function without reconfiguring every website (plus issuing new recovery key in the process)
Seems like the banking industry only uses email or SMS 2FA. Can't use Yubi or Trust at any institution handling your 401, savings or checking accounts. Wonder if this will change anytime soon?
What's the opinion on Microsoft's authenticator? It uses push, but also asks you to select the number which is displayed on screen at logon - still not fool proof, but helps avoid inadvertent 'allow' taps. I would love to have physical keys, though they can still be costly 😬
Why use push at all if you need to read off one device and type into the other? Just TOTP. Oh, and my yubikey as well as fido is storing my TOTP tokens.
My issue with the MS authenticator and the Google authenticator, is they can withdraw the app/service and then you are stuffed
I'd rather have the total control myself, in a Yubikey
Apple implementing this for its passwordless setup means that it will adopt faster in the consumer space IMO.
I haven't read about the full implementation details of Apple Passkey yet... But I'm going to guess that Apple turns it from a wonderful Passwordless Utopia into an Apple 'Walled Garden' ™ so that the only way to use it is on Apple devices (no export/integration/whatever the correct term!)
@@DerekGreen123 per my review - its just WebAuthN w/ FIDO2 via TouchID/FaceID - so pretty much using the Secure Enclave like the USB key. I think it will be a good thing because it will make customers want it - Apple has a way of steering consumer demand a lot more than many other companies.
1:32 - one way to stop notifications on android is to force stop the mfa application itself. can't push notifications is the app itself isn't even running in the background. :D
I love my FIDO key, because it has the TOTP codes and FIDO2. I wear my key on a necklace that I pretty much never take off. I can use it on my iPhone XS with NFC, my PC with the USB, and have all my codes and authentication there. Plus, Apple now has their Passkey, which I'm pretty sure is just Apple branded FIDO2. Once Apple does something, it becomes a universal. Give it a couple years, and most main-stream sites I imagine will have at least partial support for FIDO2 passwordless authentication. Microsoft already has this, and it's genuinely handy.
But if you lose these codes what will happen? Would it be possible to restore access to an account in this case ?
I like yubikeys, and I have 2 of them. Unfortunately getting non techie folks to use them is a real challenge.
The thing I don't like about these keys is that I use multiple machines at different times throughout the day in geographically different places. If I "forget" a key at home, and go to work, I'm turning around to have to get it. If I'm at home, upstairs, and my key is downstairs, then well, guess I'm moving my butt to get it. I'd either need a key for each machine, or, move the key around to each machine which starts to give to physical fatigue of the port and keys. Also, one of my laptops has a limited number of USB ports, so I'd have to unplug the keyboard or mouse to use it, or get a hub which is just more garbage to haul around and keep track of. (I'm generally not a fan of laptop keyboards due to their size and positioning of the keys, or, lack of keys (Numpad))
Keeping the key with the machine itself, if you lose the machine and the key, then what? Just to "touch" the device isn't enough. Fingerprint recognition on top of just a touch would be much more of an asset, but again, because of geographical differences at any point in time still kind of gets me in the "not subscribed to the idea" feeling.
If this were to be something to be had on my phone, which goes with me everywhere, hard to misplace or drop and eliminates physical fatigue, then I'm in. If what I need to "log into" is sufficiently separated from what my phone would need to authenticate for, that's fine by me (IE: The phone only answers to requests from external access, but, doesn't have any knowledge or ever has been to what is making the request for login).
If I'm being hammered by authentication fatigue, and I'm not making the requests, I stop the notifications from showing up on my phone for a period of time, or, I go and start resetting passwords so 2FA doesn't get to me.
and never mind the problem of adapters because laptops now only have usb-c ports. In general the idea of having your users carry a physical thing is just not going to work.
@@bryanb3352 some devices already support fodo2 like iphones and windows
I don't see myself using these kinds of thingamabobs. I don't want to carry even more stuff around with me, I don't want to have to manage multiple physical sticks and I don't want even more small items that are easy to misplace and/or accidentally drop somewhere. It's a good point about the push notifications, but none of the services I use do that, so it's not an issue for me.
Devices like iphones and windows pcs support it without extra hardware
It's this and also "Passkeys" that are going to use your iPhone's secure enclave, or other type security hardware on device to use your already built in TouchID / FaceID / Windows Hello that prove that you are you. We are moving towards a passwordless future as a whole.
Yubico has TOTP as well in its newer keys so I use that as well. I don't do push notifications because of the inherent tracking built in to the apps especially Googles app.
I use a hardware password manager, Mooltipass, that includes Fido2 and TOTP for one stop login. Backups are essential so that is a downside.
The Mooltipass looks cool but I can't tell from their web site how the user is expect to carry their smartcard as it doesn't appear to have a hole for attaching a keychain or lanyard. Do you keep yours in your wallet?
it's worth mentioning that all modern smartphones support webauthn and authenticate users with their fingerprint or face id, which removes the need for the vast majority of people to purchase additional hardware
The Rube Goldberg machine marches on lol. This system isn't going to fly with most normal people. Already picturing getting multiple calls a week "hey I lost that USB thingy you gave me and I cant sign in anymore.....". Honestly would be better to just make it so the system cant send more than 1 push notification in a 10-20 minute period and make it so users have to unlock their phone and actually look at the request before being able to hit yes.
If you think the people that cant even handle having a unique password for every service can handle not losing their magic USB stick, IDK man.
Companies that aren't using WebAuthn are asking for trouble. The SMS codes can be an option for the uninformed but WebAuthn should be standard. It annoys me to no end that one of my CC banks doesn't have any 2FA options. My password for that service is over 100 characters to avoid being hacked.
bro I love that shirt. Thanks for the video btw. I've never seen such a great explanation!
Thanks for another useful video article Tom, it's really appreciated!
the compamy i work at has decided that all users that have admin rights in our man program suite has to use a yubikey for autentication. all other users must atleast use a push notification style authenticator, but if they want and ask for a yubikey they can have one. i fond this a good compromise. i have already recieved my yubikey and im happy with it so far.
As an IT Manager, I'm currently struggling getting staff to buy into just MFA. I have total buy in from Sr. Management, but even then some staff refuse to take part. I need a good strategy on how to get staff to buy into FIDO (which I and my whole IT team use), but its more challenging than it sounds.
I just turned it on for everyone (management approved). The users that phone the helpdesk relentlessly because they can't log in? Too bad, get with the times.
@@adamzan7 that's what I did. Guess what? You want a job? You're gonna MFA like everyone else here. If you have that buy in from management you're good to go. Surprised to hear Northern-Light's IT doesn't want to use it? What IT guy out there worth his salt doesn't do this in these times? What rock do they think they can work under and not have to MFA anymore?
If they refuse to use MFA, that means they can't do their job. Fire them.
I've worked at a large company that rolled out waves of MFA. You don't get a choice. The systems enforce the requirement, and eventually, if you want to be able to do simple things like read your email, you need to have gone thru an MFA enrollment.
I use a a CozyCap USB cover for the Yubikey and USB devices I carry on my keychain. Give me a lot more peace of mind.
What about this compared to something like Trusona? That sign on method makes sense to me and I like It as it doesn't require additional hardware. If you are familiar with Trusona, how does the security compare? Probably not a simple answer, sorry. I'm on board for more security, I wish something would get widely adopted soon.
There is a legal consideration that hasn't been addressed. The courts have rules that any device protected by a biometric is equivalent to a physical key. Authorities can compel access without your permission - including forcing your thumb on the sensor. Devices protected by a pass code - somethng stored in your brain - a person cannot be forced to reveal the access code, unlike your fingerprint, due to your 5th Amendment constitutional right not to self incriminate. FIDO appears to open the door to unlimited government intrusion into data you thought was strongly protected. Please work with the Electronic Frontier Foundation or other privacy groups to change this legal differentiation.
1 - IF there is a flaw within the firmware/protocols (there will be, nothing is perfect) you would need to replace millions of those devices, with the cost and it takes time
2 - Replacement for failed devices
Software solutions are always better because of their flexibility, besides (some of) the code could be peer reviewed. Nonetheless I do like the Yubikey/Trustkey, security benefits afterall.
More complexity, more training, more user error, more time involved in access, more time involved in support and diagnosis, more people involved just to do something simple...
This, just like MFA, is just adding more to the nightmare that is being an IT tech.
Most end-users can't even manage clicking a button when their authenticator app pops up showing a code or just asking for approval. They'll look you dead in the eye and say they never saw something pop up, or that they have no app (that they have used daily for years).
And new clients, forget it. I had to do 7 layers deep of account recovery and MFA enabling recently just for one new client to finally setup their Outlook on a new laptop.
It's getting to be impossible to function, as an end-user but especially as their support.
It's not sustainable nor effective to just keep adding layers of authentication, especially when the primary vector of attack is user error.
Taking it all away would be less secure, sure. Just the same as removing people's access to cars would prevent car wrecks. There's a point where ability to function is hampered too much in order to boost security, and MFA is already itself too far beyond that point for most people.
Heavy duty MFA, Fido2, etc to access your crypto key device that had its own multi layered security, sure... But all that just to access Microsoft Word, some video streaming service (which is where it's all headed), or to help end-users as a support tech? It's f*cking bonkers.
Man, you click your own device which supports fido2 (i.e. iphone or windows) and it uses a key per domain, you do it everytime you log in, no text or pop-ups required
Really appreciated this may come in very handy, thank you. 🙂
You may want to do a video regarding Passkeys, which is going to make any use of security keys completely moot (imo)
I might make a video on why they are not going to do that in the business world
That too would be interesting content, highlighting the differences between consumer and business use cases would be quite intriguing 👍
👍🏾 appreciate your videos
Thanks, glad you like them!
Limit how many times push can show up, by going into notification settings. Done!
Can you explain why some security keys work on U2F and WebAuthn sites but not on FIDO2 sites? eg. KeepKey for example works on most U2F sites but it won't work on say ebay which uses FIDO2. What is the implementation missing that prevents it from functioning on sites using FIDO2?
Some thoughts: (1) you can 3d print enclosures to help keep these from getting too banged up on a keychain, there are designs on thingiverse and printables already; (2) I don't understand how MS hasn't implemented FIDO2 over RDP yet (AFAIK); (3) it's frustrating that more modern sites like Paypal only allow a single hardware token and less-modern sites like most financial institutions don't support them at all; (4) also frustrating how many sites require you to have a less-secure second method of authentication, totally degrading the security hardware tokens provide. I want FIDO2 and only FIDO2 and I don't want sms OTP but some sites don't allow that.
A lot of banks go through their app handling security.
What happens if you have a VPN? Is this for logging into my desktop, notebook, and so on? I have been hacked, ransomware attacked, particularly anything that might be considered banking. Do you have to install an app on your computer? I have to stop this disruption from attacking my finances! They don't even care if you are a senior citizen (in fact they target seniors).
Windows Hello, Android and now the iPhone and MacOS have this built in. Users do not need keys. FIDO now supports multi device key sharing. Apple implemented it Google and Microsoft should have it soon. Even with slightly less security guarantees they are better than most current MFA solutions. Also the operating system keys are 2FA by default. They are an authorized device and a biometric or a pin.
Wordpress supports webauthn through a plug-in. PAM also supports either FIDO or FIDO2.
Is there any good reason to have super strong authentication security on Wordpress... as every few months there will be another huge security hole allowing it to be compromised? /s 😝
@@DerekGreen123 The core Wordpress installation has had few if any CVEs that don’t require a user account on the site to exploit since late in version 4’s development cycle.
Given the current lack of “drive by” exploits, securing the user login significantly increases the security of an up to date Wordpress site.
Moving to PHP-FPM instead of mod_php has also helped significantly as well.
Great vid. Frustrating how difficult it is to have multiple keys on some services. Or even swapping to jus the key and not a Google or MS app as well without disabling MFA.
Using google account here. Already have 2 step set up for my Authenticator app. When going to add a security key it asks to enable passkeys. Why is this the only option?
SQRL solves for all of this, plus deprecates user credentials in favor of a secure single factor.
Yes, I wish SQRL had better adoption.
@@LAWRENCESYSTEMS Looks like you found a topic for another video? ;)
I'd never heard about this before and I suspect I'm not the only one, but looking into it, the idea does seem pretty neat.
@@fafardh TWiT has a decent summary video, and if you suffer from insomnia, there’s a white paper that’s like 85 pages long. :)
How does FIDO2 differ to OATH when using a hardware token and why might you choose one over the other?
Use FIDO2 for your as part of auth for your OAUTH provider.
Tom you should check out what we are doing over at Beyond Identity. I talk about some of it on my channel as well. Private key should not move. Security keys are a hassle to admins and users. There are better solutions out there.
I really love this tech but the problem is usability. I have a older low-end Android smartphone that has no NFC or similar (the only external connection is a single micro-USB for charging). How would I use one of these keys to log into my bank on my phone?
If you can't/aren't willing to part with our phone (which I would suggest at one point to make life easiest). I would look into an authenticator app if your bank supports it. Isn't as good but still strong
@Zachary I don't have the money for a new phone. Not that it matters since my bank doesn't actually support 2FA at all, I was more commenting on the fact that there are many instances when using this tech might not be possible and therefore it isn't the magic bullet answer for hacking/phishing/etc.
@@jfwfreo For sure good point, there is no perfect solution. But hey gotta commend good progress :)
Surely the quickest and easiest protection for MFA fatigue is to just disable the push feature and make people enter the tokencode?
I had a good chuckle at APT
My boss doesn't think we need FIDO2 since we have AAD and SSO for most everything with Conditional Access policies to restrict access to AAD-joined devices only. I tried making the zero trust argument and benefits of FIDO2 vs TOTP or Duo push, no dice...
Is there a software emulation of a FIDO2 "key"? Seems like there could (should) be...
I recently uninstalled the okta authenticator. I switched to using TOTP codes (such as generated by google auth instead). I have not yet accidentally clicked "yes it was me" in response to an okta notification, but it would be easy to do. I'd rather deal with the 6 digit codes.
My only complaint is it assumes the user has affordable access to secure hardware tokens. The technology can't really scale until products like Yubikey are as cheap and common as average USB.
It can be safe with a phone. The national electronic ID in my country (a specific app/program, that you can only get by authentication through a bank, since they have the strongest security already), will show a QR code on the screen, and you will have to use the phones camera to show that you login on the system you claim you are using. To make it even more secure, banks and other sites that need the best security, have started using rolling QR codes (the QR code changes every second).
In other words:
1. You have to open a bank account in person.
2. You have to access the bank with a 2 factor identification device (You log in to the bank, you login to the device, you get a code from the site, you type it in to the device, you get a code from the device that you type in to the site. And even these devices is being replaced with models with cameras and QR code systems).
3. In the banks site, you chooses to get a digital ID. You sign the ID with the method mentioned above.
4. Now you have an ID that you can login to and authenticate, that you are who you claim you are.
Obviously if you get promted to authenticate something, that isn't correct, you can't. Because you will not have access to a QR code (besides, you should never be prompted to authenticate, unless you initialized a login to a site/service, in the first place).
The digital ID expires every few years, but you can login to the bank and block it at any time and get a new one, if you forget your password or you think that you have been compromised, or you get a new device (phone, tablet, computer).
Forgot to mention, that another way that this is used, is to identify yourself in phone conversations (to prevent social engineering). You will call a company or government agency and they will send a signal to you Digital ID, and you will have to authenticate before you will be allowed to have a conversation with them. That way, they know that you are who you claim you are.
I just don't see what the benefit is versus using TOTP - I hear about it being more convenient, but I literally just have to tap my finger on my phone then open my TOTP app. It takes me and extra 3 seconds compared to a key... and I'm far less likely to lose my phone.
Is there something I am missing / not getting?
plus if I use say LastPass Authenticator or Authy - I can just have the app on another device in case I do lose my phone. My phone itself is finger and PIN protected as is my backup device.
Obviously if someone cracks my cloud credentials I'm stuffed but they'd need my fingerprint and phone PIN to do that anyway... If they can get in there, they can get my USB Key as well...
Meanwhile in the UK our banks seem pretty happy about their recent rollout of enforced SMS 2FA 🤦
Something that's surpringly not adressed in your video is that having for instance TOTP as a backup to FIDO2 authentication will be more convenient but less secure, as it removes all the security benefits of using FIDO.
Disable MFA push or configure for time out 15 mins then you don't have that issue. Manually enter the code then there is no push.
still have rsa key fobs for some access however most companies have moved away. curious how you plug this into a mobile device and authenticate - noting that self authentication on a mobile is well almost useless.
Most newer keys use NFC. Could look into the yubikey 5c, that's a good example. Just touch the key to the phone!
Could a consumer use this for folders, documents, computers etc. I know i could use it for bitwarden. Thanks.
That would depend of if the access solution you are using supports it.
Your APT description 🤣🤣🤣
I would really like to see a smartcard with most of the functionality of a Yubikey. I don't want to carry a dongle on my keychain, but I could add another card to my wallet. As long as it has NFC to work with my phone, that would cover most day to day use, and I don't mind buying a smartcard reader for my PC if the tradeoff is an easier to carry form factor.
I don’t know which version of the spec they support but there are some JavaCard apps that implement FIDO 1 or 2. Though provisioning them is a huge pain in the backside.
Depending on features you are looking for onlykey could fit your needs
@@JamesRouzier unless I'm missing something, it looks like it's still a dongle form factor. I'm looking for a card form factor to fit in my wallet. I guess I could make something card sized with a cutout for a dongle, but it would be as thick as three or four standard cards.
@@mattv5281 ok sorry misread your comment.
Not sure I like the idea of the authentication request to be tied to a host. If I have a replacement host then I will never get that authentication request and I am then locked out.
It's tied to the site name.
It also stops evilginx AITM type attacks.
YES!
wouldn't buying these on amazon be a security risk? can i trust that the vendor is not some bad guys?
Yubico is the seller on Amazon. You're buying straight from the source.
@@estusflask982And without additional shipping costs!
Meanwhile in norway they decided to redo our most used auth system from a sim card application to a push based phone app... And not support anything else.
Disclaimer: I don't know and genuinely wonder...
What about race conditions? If I have access to the computer the key is used in, and my background software is trying to login on another service with their credentials at the same time?
I know it is more "ifs", but a virus-ish could dump your bitwarden database every day if they only got your username and password once, as long as they time the blink with another login (like a VPN connecting) that could make the user not think twice.
Passwords are generated per-domain in fido2, so they would get each their key
I turned the notifications for 2FA off, they are just silent. When I want to login, I start the app. But I've never had event when I would receive notifications - not that interesting target :)
I would prefer that they be turned on, if you are getting notices someone has your credentials which is a cause for concern.
@@LAWRENCESYSTEMS I still get notifications, just silent - so the phone would not grab the attention. But I get your point, have to think about it.
Hi Tom, great video. How would you support this as an MSP? Is there a one ring to rule them all in the spec? Seems great for an individual what about support as a MSP?
Not sure I get the question, I buy these for all my staff for them to use with their service account.
@@LAWRENCESYSTEMS yes, but what happens when they become standard? How would / could you support this as a business for an end user if this was their default auth?
@@rob-men Like any other hardware, you issue the device to the client and have a replacement process ready.
Thank you!
Is TOPT a thing I'm supposed to know about?
TOTP authenticators for 2FA like Google Authenticator are a rolling number generator., which i use everywhere that allows them. they're inconvenient but secure. UB or FIDO will be my next upgrade.
i would say - if you not login anywhere and see the auth request - its a flag that someone trying to hack you. is there idiot who press yes if he is not the one who login?
USB sticks are very inconvenient on mobile phones even with NFC. And this is major stop factor for me.
There are USB-C ones now. With USB-C and NFC.
Login to site with user/pass
Website pops up a qr code
scan qr code with phone
Login approved.
Why doesn't that exist?
Seems so simple.
How do you scan the QR with your phone if you're logging in to the site from your phone?
@@_Steven_S QR code would just be a link that opens in a 2FA app.
If you are on your phone you would just click the link.
@@justinjja2 Train people to scan unknown barcodes.
What happens when you lose the key?
You have to have a backup method to get into the service.
I use Yubikeys and Windows Hello. My opinion is that Windows Hello is the way to go (IR Cameras specifically but a high end fingerprint scanner can work too).
Can we all just agree that MFA is a superior term than 2SV/2FA and use it exclusively.
cool video. thanks
that doesn't solve the problem first explained, it just silences it (meaning someone could still spam it enough to make you touch it at the wrong nime, ie: trying to log in yourself, and auth them by accident)... a cooldown in requests per machine would solve both problems...
As far as I understood from the video, with the FIDO2 standard there's almost no chance someone else can submit a challenge notification to your device - and this is the difference.
Do rhe trust key or thetis key "update"/ "phone home" like yubico does? I don't trust that. They shouldn't need to if they gave the fido algo installed so its nefarious. Anyone examine the packets they send even or everyone just "trust?"
Will i still be protected if hacker using cookie stealing technique ?
no
Why would someone NOT raise an alarm if their phone gets a push and they are NOT the one logging in!? 😯 Maybe that's part of the reason there are beaches. 🤦🏻♂️🤣
The question of 1 million dollars. FIDo2 does accept multiple accounts or just one account???
What about FIDO fatigue?
We’ve used micro USB-C keys for a while 5 years and for devices with multiple USB-C ports we ad a tiny drop mild glue to make it stick. 2000+ keys and zero lost.
The full size keys we use a wire loop with a pressed closed clamp on a quality key ring and users don’t mind because we gave them something else, we social engineered them to carry the key on their house/car keys
The biggest down side of these keys, is that most website only allow to you to associate a single key. I have 4 systems I often use for my work, I a PC at home and work, I have a phone and a laptop for emergencies. Keeping your fido key at you at all times is very hard. If you forget it and you need instant access to a system because there is a major issue, you can't do anything.
I rather get hacked than loose a client because I couldn't solve a simple issue because I was unable to locate my fido key. We all know that emergencies don't have a 9-5 jobs...
Hackers, leave Tom alone!!!
Most people become preteens when it comes to security. I'd put TOTP mandatory for every service and please... PLEASEEEEEE.... stop asking a cellphone number in the way (especially in a Workspace owned domain)
The problem is that this key's don't protect against session cookies Stiller's
Nope, they do not
i love and hate yubikey its honestly super easy to lose and having it in the pocket can trigger NFC on my phone if i forget to lock it, on other hand they are much more convinient then TOTP on phones. i hope we could reliably achive same thing with phones or a component of phones as we tend to have them on us, push notifications for auth are generaly bad but i think microsoft does them well with pick one of 3 numbers system, imo its good alternative for general consumer better then nothing but not as annoying and complicated as TOTP
Windows 10, iOS 14, and some recent version of Android and OS X all support acting as a FIDO key. However they only support the built in authenticator role. None of the computer side operating systems support FIDO over Bluetooth LE. Get that working or more NFC readers in computers and a phone could function as a roaming authenticator.
Roaming Authenticators are the NFC, Bluetooth, or USB dongles per FIDO spec. Built In Authenticators are provided by the host operating system per FIDO spec.
@@Knirin yep they have advertised working but dont work(chrome asks if my android is key but doesnt work)
@@Knirin BT's near ubiquitous nature would be better. There are a lot of phones, and no PCs with NFC.