Do you use (or plan to use) a hardware-based authenticator app? Why or why not? And be sure to take advantage of the $5 off any Yubikey using code ALLTHINGSSECURED here: www.yubico.com/products/yubikey-5-overview/
I've been using Authy and have it on my phone, computer, and laptop. If I lose my phone or it gets destroyed I just install it on the new one or access it on another device. Seems like you would be in a real bind if you lost the key while traveling and your other key was at home. On the other hand, I suppose it is more secure to use a physical key. I like the idea, but the thought of losing it while away from home is an issue for me.
I have been using this exact solution for years. I keep my key attached to a pocket flashlight that I use many times a day. I also have an Airtag on it. I would notice if it was missing before long. I also carry an encrypted thumb drive with a copy of my QR codes. I keep a second key at home in a safe with all the codes on it. There are a lot of ways to create safety nets. All that said, you typically don't need the key unless you log in on a new device.
I have it just on my phone and a single device however you can reset it and have it added to a new phone 😎 I tried this and it worked I just think it makes things easier for me
Not a bad one, that's for sure. What you do with your backup key is up to you. Keeping in a safety deposit box is good in theory, but it makes it *really* difficult to add new codes when you need to.
Good idea in theory, but not in real life. Most websites that I encounter don't support the use of multiple keys yet. Yubiko don't seem to offer a way to clone a key either. So, you just end up with two completely different keys anyway.
I like microsoft authenticator because your MS account has the option of being passwordless and even if your phone breaks you can get back into it with a backup email...though obviously a yubikey is technically more secure, it's overkill for most people, though it makes sense to use it on your most important accounts.
I've been playing around with a Yubikey for a couple of months and, while it's a really good product from a security standpoint, real-world usability is a problem for me. In particular, my most sensitive accounts (banking, developer account, company production environment, etc.) are ones I may need to access at a moment's notice, if there's an issue. If I lose my tiny Yubikey, I'm locked out of those accounts until I can retrieve the backup. Often, if I'm traveling on business, that can be a matter of days later, making the Yubikey a potential risk to my business. This means I need to have another means of managing 2FA, which ends up being an app on my phone. But then, why bother with the Yubikey at all?
This. It goes to show that it's a _very_ niche product, but I'm glad it exists. It's nice having different options regardless how practical or unpractical they are.
Rather than having a second key, I am thinking to save the seeds in some encrypted file (like a keepass db) and store that file in a secure offline location. The rationale is: suppose I lose my primary key, and only then find out my backup key is broken. If you have ever found yourself on the side of the road with a flat tire, only to find out your spare was never inflated, you know what I mean. It takes some discipline to test backups regularly. But I am new to physical devices so I am willing to change my mind once I get some experience.
So, losing or damaging the phone is a concern, and instead, you suggest using the key. What if the key gets damaged, lost, or becomes corrupt? Is it possible to log in to the Authenticator on another device if our current phone is lost or damaged?
I was under the impression that an account requesting google authenticator had to use google authenticator app.......this changes everything :D Thanks Josh :)
Your videos are very informative and to the point. On another note, Authy has a cloud backup feature that lets you backup the MFA accounts library to a cloud backup (like Google) that you can then restore to a new device in case it gets lost/stolen/damaged. It requires a strong password to accomplish the above. This avoids one having to set up each MFA all over again on the new device. I agree though that nothing beats a hardware key.
@AllThingsSecured - Yubico says: OTP holds 2 credentials but can be registered on unlimited, FIDO U2F can be registered with unlimited, FIDO2 can hold 25, PIV holds 5, OpenPGP holds 5. And then the one you mention - OATH Yubico Authenticator holds 32. PLEASE tell us how to decide which to use for what websites. VERY confusing. NONE of the other UA-cam security people that I've watched are addressing this. Yubico's website doesn't explain it sufficiently. Need more info ASAP please.
Where do you store the stick? If someone stole your phone and stick, then he has everything he need? So where is save place for the stick eg I am at the beach? Waterproof neckbrace?
What do you mean? Google Authenticator is synced with Google servers. The Google account is protected by a physical key. Everywhere you log in you get all your Google authenticator data if you download the app
Around 4:18 you say you can use 2FA on an unlimited number of accounts.... I think you should clarify that's only for FIDO U2F , but not for FIDO2 (limit is 24 unless I understood something wrong, I'm just a noob yet) .. OK OK .. FIDO2 is probably not considered "2nd factor", because it's passwordless.. There is no "second", it's "all in one."
What do you think of combining yubikey with 1password OTP. You could use the yubikey to safeguard the 1password and use the internal OTP from 1password. Which should be easier to share and store (backup). Probably this would be a better idea for the less important accounts (also to circumvent the 32 limit).
Always loved your format. Also didn't know I can do that with the Keys. I use Aegis as well to beckup my important 2FA codes. Will definitely put the most important once in my keys
Precisely why you never only own one. You buy two (or more), and you set up both simultaneously.. independent keys with the same information. Once set up, you put one away in a safe place as a backup and you carry about the other one and actively use day-to-day.
@@AllThingsSecured so, can you add more just in app, as a normal totp generator app? And in case, how to choose which ones go in the key and which in the app?
I understand the reason for these (app vs key) security, and I've worked on computers from DOS in the 70s in healthcare and with many LEO (military and as silly-villan) but not as a geek. Windows only. But trying to change to Linux. I'm (others who are same generations pre gen x) having too much difficulty wrapping my brain around this. My PTSD+, rt been around death too much (including own few times - close calls and on the table). Hard to learn new things etc. Both phone+app and or key if stolen then where is the security? So the key keeps what? QR codes and passwords?
Great video. I like having the ability to save the QR code/numeric code and re-use it with all my backup Yubikeys. Is this ability special to Yubikey? Or could you also do this other web-based authenticators like Google Authenticator to re-use the QR code and setup on as many phones as you want?
This is possible, but the point here is to offer a solution that *doesn’t* require letting go of control of you keys and giving them to Microsoft or Google.
@@sim-y9qHogue Yes, there exists a security hole when saving to the cloud, but for the average user, it is not a big issue. Most people are looking for a solution that protects against passwords being exposed, but one that offers ease of use as well. Most authenticator apps fill this role. The bad thing about MS Authenticator is that is collects analytics. But this is the case for Windows OS as well, so, you're not really losing anything if you're tied to the MS world. A more privacy focused authenticator is FreeOTP.
Even if your son puts a hammer on your phone, you could just login authy on another device and you are good to go..i believe this yubikey method is more complex as in what if my yubikey gets stolen or lost?
It’s not more secure if you tend to lose small physical items. You really need three keys, IMO. One you carry with you on your keychain. One at home. One offsite in case there is a house fire, flood, earthquake etc… and you evacuate w/o your two local keys. Or instead of offsite third key use recovery codes in the cloud but then you are breaking the pure physical key model.
I don't think having all your passcodes on a key that you have on your keyring is very secure. Unless those keys never leave your pocket it seems a far bigger risk.
No, they wouldn't. The Yubikey transmits a unique key each time, so even if the Flipper Zero intercepted one of them, the next one wouldn't be the same.
Cool beans. My worst nightmare happened when my Facebook got hacked, deleted email hooked to it and factory reset my phone. They didn't believe who i was. Only 32 accounts. Hmm. Ill deal with it.
Sadly not all sites supports usb keys, as authenticator app codes... Backup key... but what prevents to have apthenricator app on more then one devices?
To explain the password on the codes....Your app (on your phone, tablet, or PC) knows the password to get the Yubico key to give access to the codes. The key will not give codes to a device that doesn't know the password. If somebody finds the key, they cannot access the codes unless they know it's password. Quite secure. Even then, if they find the key, they probably still don't know the password to the account the code is protecting.
Think of a Yubikey as a physical house key, or car key. Make sure to have two of them. Keep one key separate, maybe even offsite. Just like you would with regular keys, leave one at your mom's place 😀
Remember, whenever you create a new secure login, or update an old login, you need to gather all the keys. So if you have any keys offsite, you could be making a lot of trips.
@@generic_official That is a drawback for sure, it's not practical if you create new logins often. I haven't used Yubikeys yet, I'll stay on Authy for a while longer 😀
@@generic_official you got to figure out which method you like. I love yubikey because I don't have to worry about phishing attacks. I would be in the wrong website and enter password, they won't beable to access because they don't have yubikey. Just have to change password if that happens. Typing code is ok but yubikey is quicker and less stress. I have to check the url properly, if i use authetcator apps only.
Can´t deinstall it it . Not on the list and if i push the button where it generate codes nothing happened. Do you have any idea ? If not I will delete my account.
I just ordered two of the series 5 keys (using your code. Thank you) but have been using the Blue Security Key edition for a while. Do you recommend removing those from any accounts or just keep them as extra back up keys?
Sorry .. I am too thick … 32…websites , let’s say ? Amazon, governments , Costco etc that’s what you mean? So if I have 55 websites offering 2FA, I can’t ? I have to choose 32 max ? Is that it ?
My same question! Is it 32 accounts/websites that can be added or is it 32 individual codes that it generates, meaning it would run out? very confused about this too
Anyone here have experience with Google Advanced Account Protection? I can enable it, but my phone doesn't read the key to log back into my Google account. It reads the keys fine for literally everything else either via NFC or USB, but when signing into the Google account after enabling AAP it just ignores the USB tap or if using NFC it smply beeps at me (as it does when an NFC device is placed near the phone). Google support is, predictably, entirely nonexistent. As it is I have the account setup to use two keys anyway so I guess it's kind of moot, but it'd be nice to have AAP as an option.
Unfortunately I can't bring a yubikey into work. Not getting into where I work but it's criminal justice related. I asked the boss and it's not allowed. What would you recommend for me? Just use Google authenticator?
@@AllThingsSecured No, I don't need it at work. Just worried about not having it on my person. My job considers it an "electrical device". I can tell you more in a confidential chat or email.
For me yubikey makes no sense to guard authenticators codes, just use a keepassXC file to guard it and put it on a sd card. Yubikey makes sense only if you use it as the authenticator key. But for me Codes are enough... don't have to keep the phisical key with me. And btw yubikey and codes aren't enough anymore if your device is invaded, your browser carrys with then something that bypasses 2fa called SESSION COOKIES. So for me browsers have to create something to protect your cookies from being stolen.
I've started watching this security keys the last 2 days and find this all interesting, there is one thing that Im quite puzzled / worried is there some proper competitor or Yubico or is this the only viable option besides it ? If no smells a bit like a slowly growing monopoly. But still this looks beside saying this like a viable option for me which I might consider and leave 2fa for good. thx for sharing
Great Video I updated to Yubico Authenticator but I cant find a way to migrate from GA to Yubico Authenticator. Is that possible to import or do I need to do each account again from scratch in Yubico Authenticator?
can you provide a tutorial at how to install yubico authenticator on linux, say LMDE? as due to recent windows excessive issue with privacy and telemetry, im moving away from it and using linux
Hi Josh, I love your channel and I've already learnt a lot. I wonder if you could make a video, in which you are more specific on how to set up a backup key? I think I might have an idea, but I'm not 100% sure and I am afraid of making a mistake. Or is there a video I'm unaware of?
Facebook gave you a QR code to scan and a key. You can use either of these two to register on your primary key. Once you're done with your primary key setup, use the same key to setup the secondary key.
The process of setting up one key or 2 or more keys is the same. The site you registered your keys does not care which one is the primary key and which one is the backup key.
Yes. BUT, before you roll your eyes, it might help to understand that I use this as another way to intentionally make it hard for me access these sensitive accounts when I’m away from my home computer. It’s on purpose.
@@AllThingsSecuredthis is actually a very crucial point - reduce your entry points to your most valuable accounts. Your mobile phone shouldn't carry sensitive data (beyond your google account) imho
Can you I store all my 2fa authorization codes on yubikey just as redundancy and then use app like Microsoft authenticator for primary use? I mean for same set of applications. So when something happens with mu phone (it happened to me as well) I can quickly recover?
You can, but there’s a limit to the number of codes you can keep on a Yubikey, so I think it’s better to see your key not as a backup for all your codes, but rather perhaps a backup for your most important ones.
So if you go travelling, you will need to bring at least two Yubikeys, and keep them stored separately somehow..... I guess if you loose the keys you have no way back in??
Why bring two, since the key that generates the TOTP can also be used for FIDO2 authentication (insert and tap)? But yes if you lose all of your keys then you better have backup codes available to get into your accounts or you're kind of SOL. Or at least have quite a headache to get back in. This is probably why (most?) banks don't support using these keys.
@@paul-erikhansen5769 That's a good point. No, you would be locked out of any account that you need to sign into. I'd suggest attaching the keys to your keyring (or its own keyring), and attaching the keyring(s) to your pant's belt loop via some kind of chain. This is what I do. The items sit comfortably into my pocket rather than dangling out in the open.
@@FrazzleCat a bank ultimately relies on other authentication: you can go in person or mail various documents to authenticate; at the end of the day you’ll get access back. However, entities like Apple or Google that have zillions of customers and don’t have an off-line relationship with you will tell you to get bent. 😎
Maybe you can cut something in your life that is less important than your online data. I also have no money at all (but also no debts to pay) and started fasting months ago. I saved a bit of money every month this way and am able to buy 2 keys next month.
I usually find your videos very easy to understand, but you lost me on this one. I tried to follow along regarding my Linkedin account but it is not as straightforward as you make it seem.
A house fire is definitely not a “black swan event.” A black swan event is not a low probability event. You can’t buy insurance for black swan events. A black swan event is not something we can calculate the risk of because existing models don’t account for their existence at all until after they happen. It seems very obvious that you should have a yubikey offsite (or recovery codes in the cloud, if you trust that) as you would keep a hard drive offsite (or cloud backup).
Exactly. And for some people, this online method of syncing is considered risky. I’d rather keep the keys to my kingdom (or the most important parts of it) instead of trusting Microsoft with it. Make sense?
@@AllThingsSecured the whole keeping track of physical items isn’t going to work for most people. It’s human nature. We lose stuff. There has to be a better way to authenticate people. Maybe Face ID? Or some other biometric?
Love your content man, wondering if you'd review Stash Password Manager (I think there technology is something you'd really like) I'm holding by a thread with traditional password managers but I ran into Stash Password Manager not to long ago and I'm actually reconsidering and using there technology.
so more of the same. if your phone breaks you lose your codes. if your usb key breaks you lose your code. you didnt show anything that solves the problem, you're just runnin that verbal diarrhea
I lost my key once at work in the airport parking lot but found it the next day. By the looked of it, several cars ran over it. It's badly beaten but it still works.
Do you use (or plan to use) a hardware-based authenticator app? Why or why not? And be sure to take advantage of the $5 off any Yubikey using code ALLTHINGSSECURED here: www.yubico.com/products/yubikey-5-overview/
Don't backup codes nullify the key security? Brave/chrome/all web browsers "see" everything so someone has that screenshot somewhere no?
allthingssecured promo code is not working for me at the yubico website saying code is not valid
@@DoctorWhoNo1A1:36
I've been using Authy and have it on my phone, computer, and laptop. If I lose my phone or it gets destroyed I just install it on the new one or access it on another device. Seems like you would be in a real bind if you lost the key while traveling and your other key was at home. On the other hand, I suppose it is more secure to use a physical key. I like the idea, but the thought of losing it while away from home is an issue for me.
I have been using this exact solution for years. I keep my key attached to a pocket flashlight that I use many times a day. I also have an Airtag on it. I would notice if it was missing before long. I also carry an encrypted thumb drive with a copy of my QR codes. I keep a second key at home in a safe with all the codes on it. There are a lot of ways to create safety nets. All that said, you typically don't need the key unless you log in on a new device.
I have it just on my phone and a single device however you can reset it and have it added to a new phone 😎 I tried this and it worked I just think it makes things easier for me
Ever thought about switching to Aegis?
@@2011k1500 I program chromebook to ask for email and key. Issue is you have to turn off for it to work.
My IT guy recommended getting 2 keys and keeping one in a safety deposit box in case the first is lost or destroyed. Good idea?
Not a bad one, that's for sure. What you do with your backup key is up to you. Keeping in a safety deposit box is good in theory, but it makes it *really* difficult to add new codes when you need to.
I think this is already a backup key, you can pair it with your phone's 2FA without paying twice.
Good idea in theory, but not in real life. Most websites that I encounter don't support the use of multiple keys yet. Yubiko don't seem to offer a way to clone a key either. So, you just end up with two completely different keys anyway.
I like microsoft authenticator because your MS account has the option of being passwordless and even if your phone breaks you can get back into it with a backup email...though obviously a yubikey is technically more secure, it's overkill for most people, though it makes sense to use it on your most important accounts.
This is brilliant! I didn't know about the password to protect access to the Key itself! Thanks a million Josh
My pleasure, Stef! So glad you found it useful.
I've been playing around with a Yubikey for a couple of months and, while it's a really good product from a security standpoint, real-world usability is a problem for me. In particular, my most sensitive accounts (banking, developer account, company production environment, etc.) are ones I may need to access at a moment's notice, if there's an issue. If I lose my tiny Yubikey, I'm locked out of those accounts until I can retrieve the backup. Often, if I'm traveling on business, that can be a matter of days later, making the Yubikey a potential risk to my business. This means I need to have another means of managing 2FA, which ends up being an app on my phone. But then, why bother with the Yubikey at all?
This. It goes to show that it's a _very_ niche product, but I'm glad it exists. It's nice having different options regardless how practical or unpractical they are.
Thanks a ton, Josh. I've been learning a lot because of your videos. Best regards from Germany.
Thanks so much, Alex!
Rather than having a second key, I am thinking to save the seeds in some encrypted file (like a keepass db) and store that file in a secure offline location. The rationale is: suppose I lose my primary key, and only then find out my backup key is broken. If you have ever found yourself on the side of the road with a flat tire, only to find out your spare was never inflated, you know what I mean. It takes some discipline to test backups regularly. But I am new to physical devices so I am willing to change my mind once I get some experience.
"it doesn't matter that my son drops a hammer over my phone" hahaha nice one my friend
😂🤣 It was a hard lesson to learn.
But what if he drops it on the yubikey? 😶
Underrated comment here@@CaltaTomas
So, losing or damaging the phone is a concern, and instead, you suggest using the key. What if the key gets damaged, lost, or becomes corrupt? Is it possible to log in to the Authenticator on another device if our current phone is lost or damaged?
Authy can be backed up and also used on multiple devices.
Thank you so much! I was on the fence for getting this key but the ability to use it on different devices is awesome
I was under the impression that an account requesting google authenticator had to use google authenticator app.......this changes everything :D
Thanks Josh :)
Yup! You can use whatever your heart desires 😎👍🏻
That’s exactly what google wants you to think. 😄
I use both Google and Microsoft
That looks cool. But one thing, is that key degradable like hard disk which degrade with time and corrupt the content.
Your discount code isn't working anymore.
Your videos are very informative and to the point. On another note, Authy has a cloud backup feature that lets you backup the MFA accounts library to a cloud backup (like Google) that you can then restore to a new device in case it gets lost/stolen/damaged. It requires a strong password to accomplish the above. This avoids one having to set up each MFA all over again on the new device. I agree though that nothing beats a hardware key.
I really appreciate your videos, I subbed and I'm binge watching them because you are doing a great job.
@AllThingsSecured - Yubico says: OTP holds 2 credentials but can be registered on unlimited, FIDO U2F can be registered with unlimited, FIDO2 can hold 25, PIV holds 5, OpenPGP holds 5. And then the one you mention - OATH Yubico Authenticator holds 32. PLEASE tell us how to decide which to use for what websites. VERY confusing. NONE of the other UA-cam security people that I've watched are addressing this. Yubico's website doesn't explain it sufficiently. Need more info ASAP please.
Where do you store the stick? If someone stole your phone and stick, then he has everything he need? So where is save place for the stick eg I am at the beach? Waterproof neckbrace?
Why take to the beach, high humidity and waterproof devices and bags float ... High tide?
What do you mean? Google Authenticator is synced with Google servers. The Google account is protected by a physical key. Everywhere you log in you get all your Google authenticator data if you download the app
Too expensive in Brazil, it isn’t sold here officially
Sorry to hear that, Don. It’s not for everybody.
Around 4:18 you say you can use 2FA on an unlimited number of accounts.... I think you should clarify that's only for FIDO U2F , but not for FIDO2 (limit is 24 unless I understood something wrong, I'm just a noob yet) .. OK OK .. FIDO2 is probably not considered "2nd factor", because it's passwordless.. There is no "second", it's "all in one."
What do you think of combining yubikey with 1password OTP. You could use the yubikey to safeguard the 1password and use the internal OTP from 1password. Which should be easier to share and store (backup). Probably this would be a better idea for the less important accounts (also to circumvent the 32 limit).
This is my exact question. Wish he would answer it.
@@pampierce maybe he doesn't have the answer
Always loved your format. Also didn't know I can do that with the Keys.
I use Aegis as well to beckup my important 2FA codes.
Will definitely put the most important once in my keys
Thanks so much, Fred!
PayPal is asking for 6-digit authenticator app and yet Microsoft authenticator app has 8-digit code, what to do?
What happens if the YubiKey gets damaged? And what if it gets lost?
Precisely why you never only own one. You buy two (or more), and you set up both simultaneously.. independent keys with the same information. Once set up, you put one away in a safe place as a backup and you carry about the other one and actively use day-to-day.
However it has only 32 OATH limit.
That’s correct, and I mention that toward the end in the FAQ.
@@AllThingsSecured so, can you add more just in app, as a normal totp generator app? And in case, how to choose which ones go in the key and which in the app?
Excellent!! video Josh. I am learning a lot from you.
The Yubico has several keys. Which one should I order?
I understand the reason for these (app vs key) security, and I've worked on computers from DOS in the 70s in healthcare and with many LEO (military and as silly-villan) but not as a geek. Windows only. But trying to change to Linux.
I'm (others who are same generations pre gen x) having too much difficulty wrapping my brain around this.
My PTSD+, rt been around death too much (including own few times - close calls and on the table). Hard to learn new things etc.
Both phone+app and or key if stolen then where is the security?
So the key keeps what? QR codes and passwords?
Great video. I like having the ability to save the QR code/numeric code and re-use it with all my backup Yubikeys. Is this ability special to Yubikey? Or could you also do this other web-based authenticators like Google Authenticator to re-use the QR code and setup on as many phones as you want?
Hi, 1:56 is this available only for theier ~50$ Yubikey or also for their 25$ Security Key?
For MS Authenticator, make sure you have cloud backup enables. This will save your recover codes to the cloud so you can restore them to a new device.
Don't do that please (save on the cloud)
This is possible, but the point here is to offer a solution that *doesn’t* require letting go of control of you keys and giving them to Microsoft or Google.
@@sim-y9qHogue Yes, there exists a security hole when saving to the cloud, but for the average user, it is not a big issue. Most people are looking for a solution that protects against passwords being exposed, but one that offers ease of use as well. Most authenticator apps fill this role. The bad thing about MS Authenticator is that is collects analytics. But this is the case for Windows OS as well, so, you're not really losing anything if you're tied to the MS world. A more privacy focused authenticator is FreeOTP.
Even if your son puts a hammer on your phone, you could just login authy on another device and you are good to go..i believe this yubikey method is more complex as in what if my yubikey gets stolen or lost?
In both cases, backup is essential. With Authy, your codes are online. I'm simply offering an offline option as a more secure alternative.
It’s not more secure if you tend to lose small physical items. You really need three keys, IMO. One you carry with you on your keychain. One at home. One offsite in case there is a house fire, flood, earthquake etc… and you evacuate w/o your two local keys. Or instead of offsite third key use recovery codes in the cloud but then you are breaking the pure physical key model.
You should keep your codes on multiple external veracrypt encrypted drives.
Brilliant
Thanks Josh🙏🤩
My pleasure, Salim!
I don't think having all your passcodes on a key that you have on your keyring is very secure. Unless those keys never leave your pocket it seems a far bigger risk.
what about the flipper zero cloning your NFC on your iPhone ? then they got an exit copy of the yubikey
No, they wouldn't. The Yubikey transmits a unique key each time, so even if the Flipper Zero intercepted one of them, the next one wouldn't be the same.
so it wouldn't be able to generate the key itself?@@AllThingsSecured
Cool beans. My worst nightmare happened when my Facebook got hacked, deleted email hooked to it and factory reset my phone. They didn't believe who i was.
Only 32 accounts. Hmm. Ill deal with it.
Sadly not all sites supports usb keys, as authenticator app codes... Backup key... but what prevents to have apthenricator app on more then one devices?
To explain the password on the codes....Your app (on your phone, tablet, or PC) knows the password to get the Yubico key to give access to the codes. The key will not give codes to a device that doesn't know the password. If somebody finds the key, they cannot access the codes unless they know it's password. Quite secure. Even then, if they find the key, they probably still don't know the password to the account the code is protecting.
Overall seems great but WAY TOO MUCH for a USB key. It would seem that one could setup a USB drive on ones own USB drive.
Think of a Yubikey as a physical house key, or car key. Make sure to have two of them. Keep one key separate, maybe even offsite. Just like you would with regular keys, leave one at your mom's place 😀
Poor analogy. There is no locksmith to get you back into your accounts if you lose your keys.
It’s not a bad analogy. Sure, there’s no locksmith, but if you always lose your key to your house or your car, perhaps a 2FA key isn’t right for you.
Remember, whenever you create a new secure login, or update an old login, you need to gather all the keys. So if you have any keys offsite, you could be making a lot of trips.
@@generic_official That is a drawback for sure, it's not practical if you create new logins often. I haven't used Yubikeys yet, I'll stay on Authy for a while longer 😀
@@generic_official you got to figure out which method you like. I love yubikey because I don't have to worry about phishing attacks. I would be in the wrong website and enter password, they won't beable to access because they don't have yubikey. Just have to change password if that happens. Typing code is ok but yubikey is quicker and less stress. I have to check the url properly, if i use authetcator apps only.
What if your house catches on fire with your keys and devices there?
Can´t deinstall it it . Not on the list and if i push the button where it generate codes nothing happened. Do you have any idea ? If not I will delete my account.
You can also turn any USB flash drive into a security key.
Thanks for the tip.
Do you have a video which shows how the underlying technology works? Do the 6 digits codes change or are they always the same?
I just ordered two of the series 5 keys (using your code. Thank you) but have been using the Blue Security Key edition for a while. Do you recommend removing those from any accounts or just keep them as extra back up keys?
boy that security key so tiny that could easily misplaced or get stolen.
So true. So is your car key. You should stop driving.
@@AllThingsSecuredNAHHH💀💀
Sorry .. I am too thick … 32…websites , let’s say ? Amazon, governments , Costco etc that’s what you mean? So if I have 55 websites offering 2FA, I can’t ? I have to choose 32 max ? Is that it ?
My same question! Is it 32 accounts/websites that can be added or is it 32 individual codes that it generates, meaning it would run out? very confused about this too
Anyone here have experience with Google Advanced Account Protection? I can enable it, but my phone doesn't read the key to log back into my Google account. It reads the keys fine for literally everything else either via NFC or USB, but when signing into the Google account after enabling AAP it just ignores the USB tap or if using NFC it smply beeps at me (as it does when an NFC device is placed near the phone). Google support is, predictably, entirely nonexistent. As it is I have the account setup to use two keys anyway so I guess it's kind of moot, but it'd be nice to have AAP as an option.
Are you on desktop or mobile? On mobile you need to download the Google Smart Lock app.
Unfortunately I can't bring a yubikey into work. Not getting into where I work but it's criminal justice related. I asked the boss and it's not allowed. What would you recommend for me? Just use Google authenticator?
That’s just odd. Would you need to access these accounts at work?
Google Authenticator isn’t bad. Definitely use that over nothing.
@@AllThingsSecured No, I don't need it at work. Just worried about not having it on my person. My job considers it an "electrical device". I can tell you more in a confidential chat or email.
Unfortunately there is a limit to otp codes the keys can hold I ran out of space many times.
That’s true. I mention in the video that they only hold 32 codes per key.
@@AllThingsSecured What's ur opinion on bit wardens otp option?
hi ATS! what do you think of 2fas?
For me yubikey makes no sense to guard authenticators codes, just use a keepassXC file to guard it and put it on a sd card. Yubikey makes sense only if you use it as the authenticator key. But for me Codes are enough... don't have to keep the phisical key with me. And btw yubikey and codes aren't enough anymore if your device is invaded, your browser carrys with then something that bypasses 2fa called SESSION COOKIES. So for me browsers have to create something to protect your cookies from being stolen.
I've started watching this security keys the last 2 days and find this all interesting, there is one thing that Im quite puzzled / worried is there some proper competitor or Yubico or is this the only viable option besides it ? If no smells a bit like a slowly growing monopoly. But still this looks beside saying this like a viable option for me which I might consider and leave 2fa for good. thx for sharing
There’s a few different key options yubico just seems to be the fan favorite atm
Bro This Too Expensive 5k to 15k Rupees on Amazon , Is there any Free Alternative
Great Video
I updated to Yubico Authenticator but I cant find a way to migrate from GA to Yubico Authenticator.
Is that possible to import or do I need to do each account again from scratch in Yubico Authenticator?
can you provide a tutorial at how to install yubico authenticator on linux, say LMDE? as due to recent windows excessive issue with privacy and telemetry, im moving away from it and using linux
Hi Josh, I love your channel and I've already learnt a lot. I wonder if you could make a video, in which you are more specific on how to set up a backup key? I think I might have an idea, but I'm not 100% sure and I am afraid of making a mistake. Or is there a video I'm unaware of?
Facebook gave you a QR code to scan and a key. You can use either of these two to register on your primary key. Once you're done with your primary key setup, use the same key to setup the secondary key.
The process of setting up one key or 2 or more keys is the same. The site you registered your keys does not care which one is the primary key and which one is the backup key.
Finally bit the bullet and got 2 keys. Thanks for the promo code and all the videos you put out!
Glad to hear it, Bret!
I didn't know there was a promo code 😭
I'm underutilizing my Yubico keys. I only use it to protect my BitWarden password manager.
So you would have to carry that usb key with you everywhere?
Yes. BUT, before you roll your eyes, it might help to understand that I use this as another way to intentionally make it hard for me access these sensitive accounts when I’m away from my home computer. It’s on purpose.
@@AllThingsSecuredthis is actually a very crucial point - reduce your entry points to your most valuable accounts. Your mobile phone shouldn't carry sensitive data (beyond your google account) imho
What if we are overseas temporarily?
Can you I store all my 2fa authorization codes on yubikey just as redundancy and then use app like Microsoft authenticator for primary use? I mean for same set of applications. So when something happens with mu phone (it happened to me as well) I can quickly recover?
You can, but there’s a limit to the number of codes you can keep on a Yubikey, so I think it’s better to see your key not as a backup for all your codes, but rather perhaps a backup for your most important ones.
Promo code won’t work :(
So if you go travelling, you will need to bring at least two Yubikeys, and keep them stored separately somehow..... I guess if you loose the keys you have no way back in??
Why bring two, since the key that generates the TOTP can also be used for FIDO2 authentication (insert and tap)? But yes if you lose all of your keys then you better have backup codes available to get into your accounts or you're kind of SOL. Or at least have quite a headache to get back in. This is probably why (most?) banks don't support using these keys.
@@FrazzleCat If I only bring one key and it is stolen..... how then to get in?... is there some alternative??
@@paul-erikhansen5769 That's a good point. No, you would be locked out of any account that you need to sign into. I'd suggest attaching the keys to your keyring (or its own keyring), and attaching the keyring(s) to your pant's belt loop via some kind of chain. This is what I do. The items sit comfortably into my pocket rather than dangling out in the open.
@@FrazzleCat a bank ultimately relies on other authentication: you can go in person or mail various documents to authenticate; at the end of the day you’ll get access back. However, entities like Apple or Google that have zillions of customers and don’t have an off-line relationship with you will tell you to get bent. 😎
@@frankfurter7260 That's an excellent point. I bank online pretty much exclusively so the obvious in-person visit didn't come to mind 😁
Hi, as always excellent. But the promo code doesn't work. Greeting from argentina.
What if lose my yubikey. Will someone know all my 2FA codes
Only 35 accounts on a yubico. Not a way to go.
That’s changing now. Many, many more.
If i wanna buy 2 yubikeys, that will cost me MORE THAN €100 thats too expensive for me.
Maybe you can cut something in your life that is less important than your online data. I also have no money at all (but also no debts to pay) and started fasting months ago. I saved a bit of money every month this way and am able to buy 2 keys next month.
@@AlexanderPochertPiano 😂
How did u get that account?
How this works do not understand
Better? Only 32 keys? And what about backup, you still need to have one. There is no point to use such usb keys.
Doesn't work for everybody, but yes, an offline hardware solution is almost always going to have "better" security than software.
I usually find your videos very easy to understand, but you lost me on this one. I tried to follow along regarding my Linkedin account but it is not as straightforward as you make it seem.
Could also just use an SMS code.
32 codes. it's not worth it!
I lost my both my Yubi keys in a house fire. Lesson learned keep a backup at grandmas.
Yikes. It’s hard to plan for black swan events.
A house fire is definitely not a “black swan event.” A black swan event is not a low probability event. You can’t buy insurance for black swan events. A black swan event is not something we can calculate the risk of because existing models don’t account for their existence at all until after they happen. It seems very obvious that you should have a yubikey offsite (or recovery codes in the cloud, if you trust that) as you would keep a hard drive offsite (or cloud backup).
what if your yubikey is broken ?
You make sure you have a backup.
Thanks for the code, it's working from Europe store also ;-)
Awesome! Good to know 👍
For Microsoft Authenticator you can sign into your Microsoft account if you have one and you can sync all your recovery codes to the cloud
Exactly. And for some people, this online method of syncing is considered risky. I’d rather keep the keys to my kingdom (or the most important parts of it) instead of trusting Microsoft with it. Make sense?
What happens if you lose the Yubikey?
You have a backup. Then, you have your recovery codes.
The hammer reminds me of my son dropping a metal lamp base on mine. I've never seen glass fly like that.
Yikes. I hope you reacted well in the moment 😂
@@AllThingsSecured yeah, just ordered the iPhone 13 pro max to replace it lol.
Ouch 💰💰
@@AllThingsSecured Yes sir. Those Ben Q desk lamps have a very costly base that can easily come off.
Ok! You lost your key then what?
Did you find out?
@@Gamblingwmylife I didn’t 🤷♂️
Good video. It would be helpful if you then showed how you signed in to the dummy account using the key to access the account.
Hmm...I didn't that was necessary but I appreciate the feedback.
UNtil you wash the key, or leave it at a hotel.
That's what the backup key is for!
Hence, the backup.
@@AllThingsSecured the whole keeping track of physical items isn’t going to work for most people. It’s human nature. We lose stuff. There has to be a better way to authenticate people. Maybe Face ID? Or some other biometric?
Love your content man, wondering if you'd review Stash Password Manager (I think there technology is something you'd really like) I'm holding by a thread with traditional password managers but I ran into Stash Password Manager not to long ago and I'm actually reconsidering and using there technology.
Good video.
or u buy a new phone ?
Thanks
If I lose my key, I cannot come into my stuff
Where did you keep your backup key or recovery codes.
Not jus the app store, but Google Play store
Yes.
The prices are to dam High can't afford one $$$ €60+ Tax and import duty
What if he drops a hammer real hard on all your keys too 😂
That would be unfortunate.
so more of the same. if your phone breaks you lose your codes. if your usb key breaks you lose your code. you didnt show anything that solves the problem, you're just runnin that verbal diarrhea
what if your son drops a hammer on the key
😂 that’s why I have a backup.
@@AllThingsSecured 😁
I lost my key once at work in the airport parking lot but found it the next day. By the looked of it, several cars ran over it. It's badly beaten but it still works.
Please post ALL your videos on Odysee.
the cloud is better....
Algorithm.
I hope you watched the whole video for the algorithm too, Mike! 😂
@@AllThingsSecured Always!
👍🏻
🙌