
2FA Isn’t Secure - Here’s What You Need Instead!

  • Published Feb 28, 2023
  • Get $5 off a Yubikey 5 NFC: www.yubi.co/shannon-2024
    Get a Yubikey and protect your accounts! amzn.to/3S8BSLL *
    FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
    References:
    fidoalliance.org/specs/u2f-sp...
    www.pcmag.com/news/hacking-fi...
    / we_had_a_security_inci...
    www.protocol.com/bulletins/ub...
    blog.cloudflare.com/2022-07-s...
    techcrunch.com/2022/10/28/twi...
    www.zdnet.com/article/should-...
    / an-update-on-two-facto...
    Becoming a Morse Code Member by checking out the perks linked here!:
    / @shannonmorse
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    SUBSCRIBE! 🌸 ua-cam.com/users/ShannonMorse?s...
    TWITTER 🌸 / snubs
    Patreon 🌸 / shannonmorse
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    SUPPORT MY WORK
    Patreon 💛 / shannonmorse
    Buy Me a Coffee 💛 www.buymeacoffee.com/snubs
    Shop 💛 snubsie.com/shop
    TeeSpring 💛 teespring.com/stores/morsecode
    Coupon Codes 💛 snubsie.com/support
    Tech I Use & Recommend 💛 kit.co/ShannonMorse
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    FOLLOW THE SOCIALS THINGS
    Twitter 🌸 / snubs
    Instagram 🌸 / snubs
    UA-cam 🌸 ua-cam.com/users/ShannonMorse?s...
    Website 🌸 www.shannonrmorse.com
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    TECH I USE AND RECOMMEND
    My Kits, Builds, and Must Haves ✨ kit.co/ShannonMorse
    My Amazon Influencer Page ✨ www.amazon.com/shop/shannonmorse
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    MY OTHER SHOWS
    ThreatWire 🌙 ua-cam.com/users/hak5?sub_confi...
    Sailor Snubs 🌙 ua-cam.com/users/sailorsnubs?s...
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    GET IN TOUCH
    Mail ✈
    snubsie.com/contact
    Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
    My Media Kit ✈ snubsie.com/work-with-me
    Sponsor This Channel ✈ snubsie.com/shannon-morse
    Music from 🎵 Epidemic Sound: www.epidemicsound.com/referra...
    💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
    😍 FTC DISCLAIMER 😍
    Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
    Comment section code of conduct policy:
    Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
    snubsie.com/code-of-conduct

COMMENTS • 531

  • @ShannonMorse
    @ShannonMorse  1 year ago +50

    Pinning this comment so y'all can easily find my previous videos about Yubikeys! ua-cam.com/video/vjTA6DeD9y8/v-deo.html
    I'm seeing the same questions several times and I answered them in this video!

  • @TheCynysterMind
    @TheCynysterMind 1 year ago +24

    Sadly MOST financial institutions do not support FIDO keys.
    As of now none of my banks, credit cards, retirement or payroll sites support hardware keys.
    But pointless sites like social media do...

    • @SaHaRaSquad
      @SaHaRaSquad 1 year ago +3

      That's the exact reason I haven't bought a Yubikey yet. My bank account is one of the least protected because banks ironically don't seem to be interested in proper security. The only account I care about which supports yubikeys is the email account, which is important but it's just a single one.

    • @paulbigbee
      @paulbigbee 1 year ago +1

      Glad you made this point. Financial services have successfully externalized all of the costs to other parties, including us, their customers. Even Bank of America's WebAuthn implementation is pathetically lazy. By contrast, gaming companies have had to bear the burden of taking calls, creating tickets and recreating state in the game. In short, cost. So, they went looking for a better answer. TL;DR - incentives are for banks, sadly, to do nothing.

    • @TheCynysterMind
      @TheCynysterMind 1 year ago

      @@SaHaRaSquad I would recommend getting the cheaper FIDO keys (you should have at least two.. I have 3) and experimenting with them on a site you do not care about so you can test the ins and outs.

    • @Tech-geeky
      @Tech-geeky 1 year ago

      That's because they gotta cater for everyone... The larger the population of users, the less secure it will have to be.. We always cater for the 'bottom line', the least secure....
      The reason why banks usually won't adopt better security is "Our platform doesn't support it", or "it will be too costly". I would say it's about bloody time users got educated.... We all want banks to stop scammers for us as well, but going "so far" with anything will force users to be better.
      To me, that is a good thing. You can't expect a business to hold ya hand 100%..

    • @TheCynysterMind
      @TheCynysterMind 1 year ago +2

      @@Tech-geeky I am not sure I agree with your assessment. *That's because they gotta cater for everyone*
      Doesn't social media as well? If social media can manage to implement better security, the banks should have no difficulty. And let us not forget, this technology is available for those that want it. The broader clueless user base is not likely to be forced to use this tech with obvious security benefits. But financial institutions seem to be purposely taking steps that make accounts "appear" secure without ACTUALLY being secure.

  • @mrfoodarama
    @mrfoodarama 1 year ago +61

    Great topic! I wish more companies would add this to their sites, particularly US Banks!

    • @Darkk6969
      @Darkk6969 1 year ago +7

      I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!

    • @BioBrimm
      @BioBrimm 1 year ago +2

      Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.

    • @briancarnell
      @briancarnell 1 year ago +2

      This is the real problem. So little support for hardware keys still.

    • @notreallyme425
      @notreallyme425 1 year ago +2

      Nah, my bank just asks for my dog's name. I'm sure that's safe.

    • @gblargg
      @gblargg 1 year ago

      @@notreallyme425 I generate random strings for each one of those. They are essentially passwords so you should make them secure.

  • @Nanabon23
    @Nanabon23 1 year ago +5

    Been following both this account and the Sailorsnubs account for a while. Not only did you just completely sell me on getting a personal hardware key, but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA, I was like wait a minute... Hold up! This is a good example for my essay! Write this down, write this down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love

  • @headlights-go-up
    @headlights-go-up 1 year ago +23

    Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.

    • @ShannonMorse
      @ShannonMorse  1 year ago +7

      I appreciate that!

    • @Blox117
      @Blox117 1 year ago +1

      it should be a part of the device itself, inside TPM

    • @anamegoeshere
      @anamegoeshere 11 months ago

      @@ShannonMorse so once you fail IT and this platform, when are you making an o/f?

  • @supawiz6991
    @supawiz6991 1 year ago +9

    “Use them for your most critical accounts”
    Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens.
    Hardware keys are king. I use them on any site that supports them. I also use them for SSH access to my servers.

    • @chrisguli2865
      @chrisguli2865 1 year ago

      I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.

    • @azclaimjumper
      @azclaimjumper 1 year ago

      Bank of America, at present, is the ONLY U.S. bank I know of that permits its customers to secure their accounts with YubiKeys.

  • @feargalledwidge806
    @feargalledwidge806 1 year ago +63

    Hardware keys are a great idea in principle, but in reality, for large companies they can be a nightmare to manage. Users lose their hardware keys or forget them and leave them at home, so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments I do phone apps as the primary option, with Yubikeys for those users who don't want to use their personal phones.

    • @BDBD16
      @BDBD16 1 year ago +1

      What about those non-smartphone users.... yup... encountered it before.....

    • @feargalledwidge806
      @feargalledwidge806 1 year ago +6

      @@BDBD16 That's why phone apps are the primary option, but not the only option. For people without smartphones or who don't want to use their personal phones, a Yubikey covers those cases.

    • @tudalex
      @tudalex 1 year ago +9

      Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect against stolen laptops, configure the Yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest that they attach them to their badge keyring or home keys.

    • @klwthe3rd
      @klwthe3rd 1 year ago +3

      I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.

    • @esquilax5563
      @esquilax5563 1 year ago +6

      Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it.

  • @himabimdimwim
    @himabimdimwim 1 year ago +1

    I bought two yubikeys after watching your previous videos on hardware keys, I'm excited for them to arrive!

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago +10

    YEP! Physical is the way to go! Don't forget to use generated passwords too!

    • @Tech-geeky
      @Tech-geeky 1 year ago

      heck... it should never be "optional". Generated passwords ought to be required. But alas, we still have to cater for websites that will never be 'as secure' as others..
      Again, dragging through the dirt..... there is no solution.. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?

  • @VincentGroenewold
    @VincentGroenewold 1 year ago +5

    Thanks Shannon, I bit the bullet and used the promo code. Ordered 2 keys, one as a spare. :)

  • @donamills
    @donamills 1 year ago +1

    Thanks for your content.
    Because of your explaining this over the years, I finally got my Yubikey(s) several months ago along with setting up Bitwarden and 2FA (at a minimum).
    I just wish more companies implemented hardware keys.
    Thanks again. 👍

    • @azclaimjumper
      @azclaimjumper 1 year ago

      A YubiKey is required for me to log onto both of my computers (I don't have a so-called Smart Phone), Bitwarden, GoDaddy, Yahoo, Google, Tutanota.

  • @geezergeek1637
    @geezergeek1637 1 year ago +2

    For me, no linked videos at the end. Not sure what happened.
    Thank you for this content. You are the second person this week that I have seen addressing this topic.
    Each presentation was different, and yours more in depth on the physical keys. Thanks again.

  • @krstnhkn
    @krstnhkn 1 year ago

    This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D

    • @azclaimjumper
      @azclaimjumper 1 year ago

      Do yourself a favor & follow Yubico's STRONG RECOMMENDATION: go back & buy a 2nd Yubikey, in case you lose your first one.

  • @vasiovasio
    @vasiovasio 1 year ago +1

    Great overview! Thank you, Shannon!

  • @juliusrowe9374
    @juliusrowe9374 1 year ago +1

    Great content Shannon! Super informative too!

  • @mikaellavoie6811
    @mikaellavoie6811 5 months ago

    Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content, very well popularised/explained while maintaining some technical information for more tech-savvy people! Good job!

    • @ShannonMorse
      @ShannonMorse  5 months ago

      Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓

  • @ivanbarksdale
    @ivanbarksdale 1 year ago +2

    Very insightful video! Btw I ❤ your Sailor Moon shirt, it complements you and your setup beautifully ✨🤟🏾

  • @acerhad
    @acerhad 1 year ago

    Thank you for your knowledge. I've been on the fence about getting a Yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.

  • @BladeWDR
    @BladeWDR 1 year ago +12

    I wish more sites would allow setting up more than one hardware key.
    I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.

    • @Tech-geeky
      @Tech-geeky 1 year ago

      That's funny ...
      We have security in the use of hardware keys, but then we make security less useful by having "multiple copies" where 'others' can get at them as well.. we THINK it's safe, but it's not. Ideally I'd be more worried about whether my backup will be safe..
      Just because we think it's secret doesn't mean it is... particularly when we do not have physical access and it's stored "off site". That makes it THAT much easier for others to get.. If people are determined, they'll get it.
      Look at what happened with LastPass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We need to change THAT. And until we do change, getting at security stuff will always be a problem.

  • @zionpsyfer
    @zionpsyfer 1 year ago

    More great info. Long live Yubi.
    Thanks again for keeping us up-to-date on security news and info. =)

    • @myname-mz3lo
      @myname-mz3lo 1 year ago

      or any other brand that does this lol

  • @chickpeas.are.versatile
    @chickpeas.are.versatile 1 year ago +49

    Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed.
    For example, some sites only allow 1 hardware key to be registered…
    By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key.
    Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊

    • @longlashcoffeecatcoffeecat7551
      @longlashcoffeecatcoffeecat7551 1 year ago

      We've seen websites that offer SMS and an auth app. And the rarer SMS / key combo.
      If you're lucky you might get a website that offers one of each method or up to TWO keys.
      But my favorite sites are the ones that allow you to use ALL methods and as many as you like.
      One change I would at least like to see is, if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"... at least that's what the American banks, etc, tell us.
      Are cybercrimes at the point where either phone companies or websites should be held responsible for SIM swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.

    • @SgtKilgore406
      @SgtKilgore406 1 year ago +5

      This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.

    • @autohmae
      @autohmae 1 year ago

      Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.

    • @AG-bp3ll
      @AG-bp3ll 1 year ago +3

      @@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.

    • @BogdanSass
      @BogdanSass 1 year ago

      THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!

  • @rob-toolsandtech2521
    @rob-toolsandtech2521 1 year ago

    Awesome video, Snubs. I've been thinking about this more lately with what has recently come out about companies such as T-Mobile and Bank of America.

  • @ericdere
    @ericdere 1 year ago +22

    TOTP keys in a 2FA app are not sent to you; they are generated based on the initial seed which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email.

    • @SgtKilgore406
      @SgtKilgore406 1 year ago +3

      I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which, as you said, cannot be intercepted provided you are smart with your secrets.
      If it wasn't for my propensity to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.

    • @joseabraham777
      @joseabraham777 1 year ago +1

      But what happens if I lose access to my phone? Do the websites offer an easy way to restore my logins? I have that doubt :/

    • @ericdere
      @ericdere 1 year ago +1

      @@joseabraham777 There are two possibilities:
      - you backup your 2FA data in the app to the cloud
      - you use recovery keys which you can get from the site you login to (do this before losing your phone)

    • @buffalo_wings8224
      @buffalo_wings8224 1 year ago +1

      @@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to prevent it. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much, much stronger.

    • @Tech-geeky
      @Tech-geeky 1 year ago

      Still depends on whether people keep their device and app(s) up to date. Apps depend on the operating system and therefore the device.. QR codes are not perfect either, and I wouldn't really rely on them for security.
      TouchID is better. It's all a stepping stone... How secure do you wanna be??

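As an added example for the two points argued in this thread (not code from the video or from any authenticator app): the TOTP code is computed locally from the seed carried in the QR code, so nothing travels over SMS or email to be intercepted, and a recovery code only holds up against the brute-force scenario described above if it is long, random, stored hashed and burned on first use. The seed is the RFC 4226/6238 test vector `12345678901234567890`, the `otpauth://` URI is constructed input, and the 80-bit base32 recovery-code format is this example's own choice rather than what any particular site does.

```python
"""TOTP derived from the shared seed (RFC 4226/6238) plus hardened one-time recovery codes.

Added example for this comment thread; not code from the video or from any 2FA app.
The seed below is the RFC test vector and the otpauth URI in __main__ is constructed input.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"); constructed test input.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). Nothing is transmitted;
    the app and the server each compute this from the seed and their own clock."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // period), digits)


def verify_totp(seed: bytes, code: str, at: Optional[float] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side for clock
    skew. compare_digest keeps the comparison constant-time."""
    now = time.time() if at is None else at
    step = int(now // period)
    return any(hmac.compare_digest(hotp(seed, c, digits), code)
               for c in range(step - window, step + window + 1))


def parse_otpauth(uri: str) -> Dict[str, object]:
    """Pull the seed and parameters out of the otpauth:// URI carried by the QR code.
    The base32 secret in that URI is the only thing the app ever receives."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # tolerate the unpadded form many issuers emit
    return {"label": parsed.path.lstrip("/"), "seed": base64.b32decode(b32),
            "digits": int(params.get("digits", 6)), "period": int(params.get("period", 30))}


# --- Recovery codes: the thread's complaint is that short static codes are brute-forceable.
RECOVERY_BYTES = 10  # 80 bits of entropy per code (this example's choice) -> 16 base32 chars


def generate_recovery_codes(count: int = 10) -> List[str]:
    """Random codes shown to the user once, grouped in fours for readability."""
    codes = []
    for _ in range(count):
        raw = base64.b32encode(secrets.token_bytes(RECOVERY_BYTES)).decode()
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


class RecoveryCodeStore:
    """Server side: store only salted hashes and accept each code exactly once."""

    def __init__(self, codes: List[str]) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> bytes:
        normalized = code.replace("-", "").replace(" ", "").upper()
        return hashlib.sha256(self._salt + normalized.encode()).digest()

    @property
    def remaining(self) -> int:
        return len(self._hashes)

    def consume(self, code: str) -> bool:
        """True and burn the code if it matches; each comparison is constant-time."""
        digest = self._digest(code)
        match = next((h for h in self._hashes if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self._hashes.discard(match)
        return True


if __name__ == "__main__":
    enrolled = parse_otpauth("otpauth://totp/Example:alice@example.com"
                             "?secret=JBSWY3DPEHPK3PXP&issuer=Example")  # constructed URI
    code = totp(enrolled["seed"])
    print("current code:", code, "valid:", verify_totp(enrolled["seed"], code))
    codes = generate_recovery_codes(3)
    store = RecoveryCodeStore(codes)
    print("recovery codes:", codes, "first use:", store.consume(codes[0]),
          "second use:", store.consume(codes[0]), "remaining:", store.remaining)
```

The skew window is the one knob worth thinking about: each extra step accepted multiplies an online guesser's odds, so keep it at one step and rate-limit failures, which is exactly the control the comment above says is missing from many recovery-code screens.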
  • @writingpanda
    @writingpanda 1 year ago +15

    Any time someone talks about Yubikeys, that's an instant like from me. Great video, Snubs!

    • @ShannonMorse
      @ShannonMorse  1 year ago +3

      Much appreciated!

    • @mschwage
      @mschwage 1 year ago +2

      Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.

    • @writingpanda
      @writingpanda 1 year ago +1

      @@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!

  • @Counterhackingsafe
    @Counterhackingsafe 1 year ago +3

    Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!

  • @jackielinde7568
    @jackielinde7568 1 year ago +2

    This episode reminds me of that famous Hootie and the Blowfish song: "Every Time I Touch My Security Key, I Log In".

  • @michaelupchurch3779
    @michaelupchurch3779 1 year ago

    Great video, thanks 😊 Shannon, hope you're well

  • @ZhouDynasty314
    @ZhouDynasty314 1 year ago

    wish I saw your code before I bought them, but I will send it to my friend so you get credit for helping us secure our accounts!

  • @byondead
    @byondead 1 year ago +5

    One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using a landline. So this rules out many usable options (like SMS, TOTP, the cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password.
    Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.

  • @RyoKimball
    @RyoKimball 1 year ago

    Immediately after hearing your comment on art on the key, I grabbed mine and started looking for art supplies.

  • @therealb888
    @therealb888 1 year ago

    I need this, couldn't have uploaded at a better time.

  • @nathanielh8239
    @nathanielh8239 1 year ago +3

    I have a question/scenario: what about when we have automatic login for Discord or Slack? Is there an application that can sign you out automatically so it’s not saved when you log in/boot again?

  • @gothparadigm
    @gothparadigm 1 year ago

    thank you so much. i definitely intend on getting one soon. 🔑

  • @bourne_
    @bourne_ 1 year ago

    Got a 2nd physical key like a week ago (Kensington USB-C with a biometric layer) and I love it. I was finally able to add a key to my Windows/Outlook account!

  • @jedikv
    @jedikv 1 year ago +4

    Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services, while newer keys I got in the past year or so have been.

    • @ShannonMorse
      @ShannonMorse  1 year ago +3

      I do a yearly security audit to check for this. Good idea to have a different model backup key or to keep your backup codes handy in this case.

    • @martinlutherkingjr.5582
      @martinlutherkingjr.5582 1 year ago

      Are they the same model keys?

    • @jedikv
      @jedikv 1 year ago

      @@martinlutherkingjr.5582 No, different models.

  • @StellaLillig
    @StellaLillig 1 year ago

    Thanks Shannon!

  • @Aloha_XERO
    @Aloha_XERO 1 year ago

    Thanks for this 🙏🏾

  • @Destide
    @Destide 1 year ago +1

    Just this week I have started getting my team behind hardware keys. Great video to link if I start getting pushback.

    • @_BangDroid_
      @_BangDroid_ 1 year ago +2

      You'll always get pushback, make it policy if you can

  • @Taikaru
    @Taikaru 8 months ago

    Fantastic shirt! As someone who stumbled onto the video randomly, that was quite unexpected. :D

  • @khayla_matthews
    @khayla_matthews 1 year ago +1

    Really useful info. & I love your t-shirt! It's so cute

  • @gunnargu
    @gunnargu 1 year ago +3

    Did not notice this in the video: these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.

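The property described in the comment above, as an added example (not code from the video, a browser or any real security key): the browser fixes the RP ID and origin from the page actually being visited, the key only holds credentials scoped to an RP ID, and the relying party checks challenge, origin and rpIdHash before the signature. Two simplifications are this example's assumptions: the signature is an HMAC stand-in for the key's ECDSA signature so it runs on the standard library alone, and the RP ID is taken to be exactly the origin's host (real WebAuthn also permits a registrable parent domain).

```python
"""Why a security key will not authenticate you to a lookalike domain (origin binding).

Added example for the comment above; not code from the video, a browser or any real
authenticator. Structure follows the WebAuthn assertion ceremony (clientDataJSON,
authenticatorData = rpIdHash || flags || signCount, signature over
authData || SHA-256(clientDataJSON)). Assumptions: HMAC stands in for the ECDSA
signature, and RP ID == origin host.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

UP_FLAG = 0x01  # authenticatorData flags bit 0: user present (the physical tap)


class Authenticator:
    """Toy security key: one credential per RP ID, private material never leaves it."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}  # rp_id -> (credential id, key)

    def make_credential(self, rp_id: str) -> bytes:
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return key  # stand-in for the public key the RP stores at registration

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> Optional[dict]:
        """The browser passes rp_id from the page's effective domain; page script cannot
        override it. With no credential scoped to that RP ID there is nothing to sign."""
        if rp_id not in self._creds:
            return None
        cred_id, key = self._creds[rp_id]
        sign_count = (0).to_bytes(4, "big")  # toy value; a real key increments this
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([UP_FLAG]) + sign_count
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return {"cred_id": cred_id, "auth_data": auth_data,
                "sig": hmac.new(key, to_sign, hashlib.sha256).digest()}


def browser_get(authn: Authenticator, page_origin: str, challenge: bytes):
    """navigator.credentials.get() in miniature: clientDataJSON carries the *actual*
    page origin, and the RP ID is derived from that origin, not chosen by the page."""
    host = page_origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    return client_data, authn.get_assertion(host, client_data)


def rp_verify(expected_origin: str, rp_id: str, challenge: bytes, key: bytes,
              client_data_json: bytes, assertion: Optional[dict]) -> str:
    """Relying-party checks in the order of WebAuthn section 7.2 (abbreviated);
    returns "ok" or the reason for rejection."""
    if assertion is None:
        return "no assertion: authenticator holds no credential for this RP ID"
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return "origin mismatch: " + repr(cd.get("origin"))
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & UP_FLAG:
        return "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(key, to_sign, hashlib.sha256).digest(), assertion["sig"]):
        return "bad signature"
    return "ok"


def demo() -> Dict[str, str]:
    """Three logins with the same key: genuine site, lookalike domain, replayed assertion."""
    rp_id, origin = "example.com", "https://example.com"
    key_device = Authenticator()
    pubkey = key_device.make_credential(rp_id)
    results = {}

    challenge = secrets.token_bytes(32)
    cd, assertion = browser_get(key_device, origin, challenge)
    results["legit"] = rp_verify(origin, rp_id, challenge, pubkey, cd, assertion)

    # Phishing page on examp1e.com relays the real site's challenge. The browser scopes
    # the request to examp1e.com, the key has nothing for it, so the tap yields nothing.
    phish_challenge = secrets.token_bytes(32)
    cd2, assertion2 = browser_get(key_device, "https://examp1e.com", phish_challenge)
    results["lookalike"] = rp_verify(origin, rp_id, phish_challenge, pubkey, cd2, assertion2)

    # A captured assertion from the genuine login is useless against a fresh challenge.
    results["replay"] = rp_verify(origin, rp_id, secrets.token_bytes(32), pubkey, cd, assertion)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:10s} -> {outcome}")
```

Note what this does not cover: an attacker who already controls the browser session (the later comment about intercepting the tap, or about stolen cookies) is past the authentication ceremony, and origin binding says nothing about that.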
  • @LVRugger
    @LVRugger 1 year ago +1

    How do you feel about authentication apps? My employer requires us to use one and that seems similar to me.

  • @Macleod1617
    @Macleod1617 1 year ago +1

    Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one, so you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!

  • @ThingEngineer
    @ThingEngineer 1 year ago

    Is there a hardware key that has a self destruct feature (like a button or switch to wipe/disable it)?

  • @AndyBlackman
    @AndyBlackman 1 year ago +1

    I picked a key up a long time ago. Didn't use it very much. Now I am changing my opinion. Now I just have to figure out how to activate it again.

  • @TofranBohk
    @TofranBohk 1 year ago +7

    What happens when you lose the Yubikey or it gets damaged?

    • @BDBD16
      @BDBD16 1 year ago +2

      Straight to prison.

    • @jamesphillips2285
      @jamesphillips2285 1 year ago +1

      You really need a second one stored off-site in case that happens. (Or tedious one-time passwords also stored off-site.)

    • @Tech-geeky
      @Tech-geeky 1 year ago

      @@BDBD16 😆

    • @Tech-geeky
      @Tech-geeky 1 year ago

      Making it easier in case one gets damaged is not my idea of security..... Each to their own, I guess, but the more we have as "backups" the less secure we will be when they are found.
      We think we know where they are till someone finds them. There is no solution, I think.. Constant game of cat'n'mouse...
      The % chance of someone else getting access will be small, BUT it's still there.

  • @patricklodovica1633
    @patricklodovica1633 1 year ago

    Hi Shannon! Your videos are awesome. I would like to ask: if a few persons are using the same account, then should they have their own Yubikey? Or can they borrow it from me once I log in to the account? Also, does the Yubikey need to be inserted in the device to stay logged in on the account? Thank you in advance!

  • @PPNStudio
    @PPNStudio 1 year ago +3

    ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)

    • @Ghoul847
      @Ghoul847 6 months ago

      Set up a PIN, and disable key 1 ASAP in the account with the backup key. A thief would need to know your usernames and passwords, unless you have it set up where you can log in just using a key, then you’re screwed 😬. You really do need a second key in case of doubts.

  • @joeltyler3427
    @joeltyler3427 1 year ago +3

    Yeah. Companies should make this mandatory. No matter what job role.

    • @Lucy-dk5cz
      @Lucy-dk5cz 1 year ago +1

      Absolutes are never the solution. The security required needs to be tailored to each specific case.

    • @Plexdet
      @Plexdet 1 year ago

      Example: someone whose job is welding or some other construction work and who never needs to log into a computer at work.

    • @klwthe3rd
      @klwthe3rd 1 year ago +1

      @@Lucy-dk5cz I agree. Well stated.

  • @lowbar77
    @lowbar77 1 year ago

    Here is a strange question. If I set up my iPhone to use Touch ID or Face ID, can I set the phone to use the Yubikey if either of those fails, or does it have to have a passcode? I am trying to prevent someone from stealing my phone, running away and unlocking it with my passcode and locking me out of everything. My thought is that if I use Face or Touch ID, and someone grabbed the phone and ran, if I had the Yubikey set as the fallback instead of a passcode, would it stop them from accessing the phone due to the fact that they don't have the Yubikey? I know, it's a dumb question.

  • @loneranger5928
    @loneranger5928 1 year ago

    Shannon, good video 👍👍. Can you use a Yubico key to protect a phone operating system?

  • @cybermousey
    @cybermousey 1 year ago

    Great video. Great shirt!

  • @michaelwinter5292
    @michaelwinter5292 1 year ago

    Been looking at this for my personal computer. Work uses an RSA token (app based) and I was wondering how this compares to using something like a Yubikey?

  • @SteveEarly-jn6kp
    @SteveEarly-jn6kp 1 year ago

    Hi, I have 2 Yubikeys that I used to lock my Apple ID on my laptop! Will that also automatically lock my Apple ID on my iPhone and iPad, or do I have to lock each device with a Yubikey? Thanks for your great content.

  • @MissJaye11
    @MissJaye11 1 year ago

    First thing I noticed was the Sailor Moon Tee!! Love it!

  • @SuntaX10
    @SuntaX10 1 year ago

    Hey, if I used a security key on Google, can I use that for a different service like Apple?

  • @Felix-ve9hs
    @Felix-ve9hs 1 year ago +2

    I somehow ended up with 8 (eight) Yubikeys, don't ask me how 😅

  • @1sikteg
    @1sikteg 1 year ago +2

    The Yubikey code can still be intercepted on physical push. I tried this on myself in a browser while I had a prompt asking to tap my hardware device. If a threat actor is on your computer it can be intercepted.

  • @shortfoodreviews
    @shortfoodreviews 1 year ago

    Thank you

  • @brianray8484
    @brianray8484 1 year ago +2

    Can you explain the difference between something like Yubikey and EveryKey?

  • @allanjones9068
    @allanjones9068 11 months ago

    Will I be protected from session hijacking if I'm using a Yubikey as 2FA?
    It didn't get very clear: if someone gets my cookies, will they be able to log in even with the key?
    Thank you

  • @ridge9973
    @ridge9973 11 months ago

    I have two Yubikeys which I didn’t register at the same time. My question is: can I register them (both) anew (at the same time)?
    Thank you for your kind answer.

  • @mumbles1justin
    @mumbles1justin 1 year ago +1

    I'm curious if there's a disadvantage or concern that should be considered when using the “OnlyKey” over, say, the Yubikey?

  • @Decomas
    @Decomas 1 year ago

    You can go one step further and get it as an implant. The key pair is generated on the chip inside your body

  • @808bigge2
    @808bigge2 1 year ago

    Hi Shannon, like I mentioned in another video, using your code I got $10 off because I bought 2 Yubikeys!! But I bought these because I thought this can unlock the cell via camera scan vs USB plug into MacBook Air 2 fingerprint. I don't want to set up through the MacBook with fingerprint to open my wallet, and if I die my daughter knows my wallet password but doesn't have my fingerprint!! Can't I set up the Yubikey through the MacBook Air 2 camera scan?? If so, do you know a safe QR code app that won't steal or store my code to steal my wallet?

  • @colbyhartman9467
    @colbyhartman9467 1 year ago

    What works for gaming like Steam and Blizzard and Escape from Tarkov, and emails and stuff like that, without having 100 of them? I've been looking but I haven't been able to find one, or to know exactly what I need, and didn't want to buy the wrong one. Please help me?

  • @ChadB_n00b
    @ChadB_n00b 1 year ago +1

    Another great video! I think I'll point this one out to others. :)

  • @anothersoulintheuniverse
    @anothersoulintheuniverse 1 year ago

    Can one key be used for several social media apps and emails?

  • @dexterman6361
    @dexterman6361 1 year ago

    Thank you!

  • @gblargg
    @gblargg 1 year ago +1

    Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because UA-cam was deleting my comment. I guess we can't discuss this topic.)

  • @digitaldeepak21
    @digitaldeepak21 1 year ago +1

    Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?

    • @ShannonMorse
      @ShannonMorse 1 year ago +3

      Hi! I mentioned cloning of keys at about 7:20 into this video 😊 You can also find the U2F standard info linked in my show notes to read more about the in-depth material on how this standard works.

    • @_BangDroid_
      @_BangDroid_ 1 year ago +1

      It's only considered _unbreakable_ at this current point in time. Like all security technology, eventually it will be obsolete.

    • @johnhaller5851
      @johnhaller5851 1 year ago

      You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it.
      I'm not sure if using the same physical key for multiple web sites causes problems or not.

    • @_BangDroid_
      @_BangDroid_ 1 year ago

      @@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, e.g. you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.

  • @MrGhost9640
    @MrGhost9640 7 months ago

    Curious, if I bought a USB-A security key and wanted to use a USB-A female to USB-C plain Jane adapter, would this work, or is it specific to the company?

  • @AT-os6nb
    @AT-os6nb 7 months ago

    For all those who haven't seen or subscribed to the Alliance for Responsible Citizenship, check it out. A great start to ARC..... Thank you Jordan Peterson and all the others involved in bringing this alliance to the world. This (ARC) is what we desperately need. Genuine facts and leadership. Now it is up to us, the public, to do our part. Spread the word, help grow the "Alliance for Responsible Citizenship", and do YOUR part to help bring about a better, more positive world for all of humanity. Put an end to the dystopian vision offered by the elites of Davos and the WEF gang. Bring individual freedom and responsibility back to the forefront of a free and prosperous society. Thank you.

  • @ledgeri
    @ledgeri 1 year ago

    Cool and all, but until the ratio of 2FA-protectable accounts to total accounts, and of key-protectable accounts to total accounts, increases, I can try to use these, but will not be able to.
    Also some sites straight up use keys stupidly: not as a second factor, but as an alternative single one, and I clearly see the possibility that someone uses password only, and a key, and those are not protecting each other. OR I have to have another kind of 2FA so I can use my keys, but the other kind is the baseline, and I manually have to change it at every login.

  • @michaelupchurch3779
    @michaelupchurch3779 1 year ago

    Hey Shannon, will the YubiKeys work with iOS devices, including iOS tablets?

  • @musiceditor7083
    @musiceditor7083 6 months ago

    Great video Shannon - on the subject of accidentally losing this key... what do you do then? Can you buy them in pairs so you always have a spare?

    • @ShannonMorse
      @ShannonMorse 6 months ago

      Hey, I did a video about this! ua-cam.com/video/0iq0BgiKlWM/v-deo.htmlsi=bH7HqS8xGnVOAZZc

  • @BlenderRookie
    @BlenderRookie 1 year ago

    If you have multiple computers, do you need a separate key for each device?
    What happens if the key stops working or is otherwise destroyed?

    • @azclaimjumper
      @azclaimjumper 1 year ago

      When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & Yubico's advice & bought at least 2 YubiKeys.

  • @pit3835
    @pit3835 1 year ago

    I have a question: what if the hacker got your token, is MFA still relevant?

  • @jonny777bike
    @jonny777bike 1 year ago

    Is it possible that you can have two YubiKeys so that they both are synced? So if you have one at home and one in your backpack.

    • @ShannonMorse
      @ShannonMorse 1 year ago

      Yes! Many (not all) sites support setting up 2 hardware keys. I do this for my most critical accounts

  • @TheHeff76
    @TheHeff76 1 year ago

    Shannon, I love my YubiKeys. What is that full callsign on the shelf? I'm a ham Extra! And an ethical hacker. Oh, the fun we have on the air. LOL.

  • @zapman2100
    @zapman2100 1 year ago

    And yet none of these companies will ever allow these to be used with any product, because they don't really care about your data and its security.

  • @AlainGaudet
    @AlainGaudet 1 year ago

    Great video! Is it possible to use a YubiKey security key when physically paralyzed?

  • @uptbug
    @uptbug 1 year ago

    As I sit here in my living room, nodding my head in agreement to the statement 'hardware keys are a must', I look down and notice that I am currently wearing my green and blue yubikey socks.

  • @courageousone3510
    @courageousone3510 10 months ago

    Hi, great video!! Question: how do you log into a website that doesn't use a key but wants you to use 2FA instead?

  • @KevinTurner-aka-keturn
    @KevinTurner-aka-keturn 1 year ago +9

    I'm trying to think through the scenario you described as the Reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type their TOTP code into the phishing site and then relayed it through to the target site in near real time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? Does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?

    • @steamfox
      @steamfox 1 year ago +6

      I was a bit surprised this wasn't mentioned in the video, since it seems to be what truly differentiates a FIDO2 key from, for example, an auth app or a "legacy" HW key. In my understanding the FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.

    • @gblargg
      @gblargg 1 year ago

      @@steamfox How can they defend against this? The middleman essentially relays everything until validated.

    • @jamesphillips2285
      @jamesphillips2285 1 year ago +1

      @@gblargg The middleman uses a look-alike domain. So if the domain name is used in the challenge, the response won't be correct for the real website.

    • @gblargg
      @gblargg 1 year ago +1

      @@jamesphillips2285 How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.

    • @jamesphillips2285
      @jamesphillips2285 1 year ago +1

      @@gblargg Without getting into the standards documents (apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
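The thread above asks the right question: how can a hardware key refuse to sign for a relay attacker who forwards the genuine challenge? The answer is that in FIDO2/WebAuthn the browser, not the page, writes the origin it is actually on into the signed client data and derives the relying-party ID (rpId) from that origin, and the authenticator only holds credentials scoped to the rpId they were registered under. The server then checks origin and rpIdHash before it even looks at the signature. The following Go program is an added illustration, not code from the video or from any FIDO implementation; it models only the security-relevant fields (the real authenticatorData and COSE/CBOR encodings are richer), and the domains `accounts.example.com` and the look-alike `accounts-example.com` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData is the subset of WebAuthn CollectedClientData that matters here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is a simplified authenticator response (example model, not the spec's encoding).
type assertion struct {
	AuthenticatorData []byte // sha256(rpId) || flags || signCount
	ClientDataJSON    []byte
	Signature         []byte // ES256 over authenticatorData || sha256(clientDataJSON)
}

// authenticator models the hardware key: one key pair per rpId it was enrolled for.
type authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(rpId string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpId] = key
	return &key.PublicKey, nil
}

// browserGet models navigator.credentials.get(): the browser fills in the origin the
// page is really loaded from and derives rpId from it, so page JavaScript on a
// look-alike domain cannot ask the key to sign on behalf of the real site.
func browserGet(a *authenticator, origin, challenge string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	rpId := u.Hostname()
	key, ok := a.creds[rpId]
	if !ok {
		return nil, fmt.Errorf("key has no credential scoped to rpId %q", rpId)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpId))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, msg[:])
	if err != nil {
		return nil, err
	}
	return &assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the relying party's side: challenge, origin, rpIdHash, then signature.
func verifyAssertion(pub *ecdsa.PublicKey, origin, rpId, challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (stale or replayed)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, origin)
	}
	rpHash := sha256.Sum256([]byte(rpId))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

const (
	realOrigin  = "https://accounts.example.com" // hypothetical relying party
	realRpId    = "accounts.example.com"
	phishOrigin = "https://accounts-example.com" // hypothetical look-alike domain
)

// legitimateLogin: user on the real site; the assertion verifies.
func legitimateLogin() error {
	a := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub, err := a.register(realRpId)
	if err != nil {
		return err
	}
	as, err := browserGet(a, realOrigin, "c0ffee")
	if err != nil {
		return err
	}
	return verifyAssertion(pub, realOrigin, realRpId, "c0ffee", as)
}

// phishingRelay: the attacker fetches a genuine challenge and relays it through the
// look-alike site. Normally the key refuses (no credential for that rpId); even if the
// victim had also enrolled the key on the look-alike site, the relayed assertion
// carries the wrong origin and rpIdHash and fails at the real server.
func phishingRelay(alsoEnrolledOnPhishSite bool) error {
	a := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub, err := a.register(realRpId)
	if err != nil {
		return err
	}
	if alsoEnrolledOnPhishSite {
		if _, err := a.register("accounts-example.com"); err != nil {
			return err
		}
	}
	as, err := browserGet(a, phishOrigin, "c0ffee") // "c0ffee" was fetched from the real server
	if err != nil {
		return err // refused by browser/key before anything is signed
	}
	return verifyAssertion(pub, realOrigin, realRpId, "c0ffee", as) // forwarded as-is
}

func main() {
	fmt.Println("legitimate login:", legitimateLogin())
	fmt.Println("relay, key not enrolled on phish site:", phishingRelay(false))
	fmt.Println("relay, key also enrolled on phish site:", phishingRelay(true))
}
```

Contrast this with TOTP: a six-digit code carries no information about where it was typed, so the relay in the Reddit scenario works unchanged. Here the relay fails twice over, once at the browser (no credential scoped to the look-alike rpId) and once at the server (origin and rpIdHash do not match), and neither check depends on the user noticing the domain.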

  • @Barbara-lu7ch
    @Barbara-lu7ch 6 months ago

    So when the key fails, as hardware does, are you locked out?

  • @techadsr
    @techadsr 1 year ago +1

    Overall, great video. Industry needs more adoption of these hardware keys.
    Just one nit though. The pattern unlock is not really behavioral authentication. Yeah, maybe if they implement it with more than just detecting which numbers were touched. Behavioral auth to me is more like the key cadence measurement and mouse movement with detected reaction to small movement interference. They could do that with the number swipe pattern, but how many implementations do that?

    • @JediOfTheRepublic
      @JediOfTheRepublic 1 year ago +1

      No we don't. The industry just needs to use proper MFA practices.

  • @beauregardslim1914
    @beauregardslim1914 1 year ago +4

    I prefer to use someone else's finger. That way I can keep it in a locked box in a secure location. 😆

    • @ShannonMorse
      @ShannonMorse 1 year ago +4

      lmao wat

    • @Tech-geeky
      @Tech-geeky 1 year ago

      😆 Did I read that correctly?

    • @beauregardslim1914
      @beauregardslim1914 1 year ago

      @@Tech-geeky Of course I'm kidding. I'd have to keep them in a freezer and wait for them to thaw every time I wanted to login to GMail. Who has time for that?

  • @tanked1313
    @tanked1313 1 year ago

    Oh thank God, I thought I was compromised! I've had a YubiKey for years!

  • @daishi5571
    @daishi5571 1 year ago

    I was using a hardware key (can't remember which one) a few years ago, but it failed suddenly after a few months of use. I haven't tried another one since.

  • @janokartal5690
    @janokartal5690 1 year ago

    Nice video Shanon

    • @klwthe3rd
      @klwthe3rd 1 year ago +1

      it's two N's dude. Shannon. Kinda pay attention please.

  • @RobSnow-ui4sz
    @RobSnow-ui4sz 8 months ago

    Great video. So how do you prevent Google from letting SMS be used? You can do it with a work account but not in a public account. Would you have to use the Google Advanced Protection Program on your personal account in order to prevent SMS? Then you can't use an authenticator app.

  • @tjbrison
    @tjbrison 3 months ago

    Try using a hardware key without a mobile phone.
    Big Tech wants your IMEI number for authentication and cross-device tracking, locking down the individual to specific hardware.
    Then there are the number of companies that simply don't support hardware-token-based 2FA. I know of one bank that doesn't even allow complex long passwords!
    A small amount of research seems to suggest that the reason 2FA is being advertised and pushed isn't for your security. It's for tracking who you are and what you do, especially those companies who don't allow 2FA without involving a mobile device.

  • @tomharkness
    @tomharkness 1 year ago

    Can you make your own YubiKey with a plain USB? Or something similar?

  • @JohnnyMcMenamin
    @JohnnyMcMenamin 1 year ago

    I've been nothing short of secure (and pleased) using my Google Titan key.

  • @ThorstenMerz
    @ThorstenMerz 1 year ago

    I love the colours on what appears to be the "Shannon Morse Edition" of the YubiKey, but it doesn't look like something Yubico offers in their online store. What a shame. :(

  • @Simply_Human23
    @Simply_Human23 1 year ago +2

    Looks small. I'm usually pretty good at keeping up with things, but once in a blue moon I misplace items, especially small items, thus I'm nervous about what might happen if I lose the physical key. Is there another method of accessing our accounts if we accidentally misplace it? Regardless, this is something I'll definitely look further into. I have 2FA on all accounts, but if physical hardware keys are safer I'm open to trying them instead. Thanks for the info ✨🔐

    • @BryceKatz
      @BryceKatz 1 year ago +1

      I keep mine on a lanyard, but yes, once you enable 2FA, most places will provide at least one "break glass" recovery code that you can use to authenticate if you lose your YubiKey. A lot of services also let you enroll more than 1 option, so you can use a YubiKey as your primary & an authenticator app as a backup. Ideally they'll let you enroll 2 YubiKeys: 1 for your "everyday carry" and 1 as a "break glass" backup - but that's highly dependent on the service in question.
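The reply above describes the "break glass" recovery codes most services issue alongside a hardware key. How a service does that well is worth seeing, because a recovery code is a full bypass of the key and so has to be treated like a password: high entropy, shown to the user once, stored only as a hash, and consumed on first use. The Go program below is an added example written for this page, not the video's or any particular service's code; the code format (four groups of four base32 characters, 80 random bits) and the `recovery-code-v1|` domain-separation prefix are choices made here, not a standard.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// recoveryStore is what the service keeps: only hashes of the codes that are
// still unused. The plaintext codes exist once, on the enrollment screen.
type recoveryStore struct {
	hashes [][]byte
}

// hashCode normalises user input (case, separators) and hashes it. A plain
// SHA-256 is enough here because each code carries 80 random bits; a slow KDF
// only matters for low-entropy, user-chosen secrets.
func hashCode(code string) []byte {
	norm := strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(code), "-", ""))
	h := sha256.Sum256([]byte("recovery-code-v1|" + norm))
	return h[:]
}

// generateRecoveryCodes returns n single-use codes for display and the hash
// store to persist. 10 random bytes encode to exactly 16 base32 characters.
func generateRecoveryCodes(n int) ([]string, *recoveryStore, error) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	store := &recoveryStore{}
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10)
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		s := enc.EncodeToString(raw)
		code := s[0:4] + "-" + s[4:8] + "-" + s[8:12] + "-" + s[12:16]
		codes = append(codes, code)
		store.hashes = append(store.hashes, hashCode(code))
	}
	return codes, store, nil
}

// redeem consumes one code. Every stored hash is compared in constant time and
// the loop does not break early, so timing does not reveal which slot matched.
// A matching code is removed so it can never be replayed.
func (s *recoveryStore) redeem(code string) error {
	h := hashCode(code)
	idx := -1
	for i, stored := range s.hashes {
		if subtle.ConstantTimeCompare(h, stored) == 1 {
			idx = i
		}
	}
	if idx < 0 {
		return errors.New("invalid or already used recovery code")
	}
	s.hashes = append(s.hashes[:idx], s.hashes[idx+1:]...)
	return nil
}

// remaining tells the user how many break-glass codes are left, which is the
// cue to regenerate a fresh set (and invalidate the old one) before running out.
func (s *recoveryStore) remaining() int { return len(s.hashes) }

func main() {
	codes, store, err := generateRecoveryCodes(8)
	if err != nil {
		panic(err)
	}
	fmt.Println("show once, then discard:", codes)
	fmt.Println("first use:", store.redeem(codes[0]))               // nil
	fmt.Println("replay:", store.redeem(codes[0]))                  // error
	fmt.Println("lowercase, no dashes:", store.redeem(strings.ToLower(strings.ReplaceAll(codes[1], "-", ""))))
	fmt.Println("codes left:", store.remaining())                   // 6
}
```

Two operational points follow from this design. Because the service holds only hashes, a database leak does not hand out usable codes, but it also means the service cannot re-display them; the user has to regenerate, which is why most sites offer a "generate new codes" button that invalidates the old set. And because a code is a complete bypass, the login that used one should be treated like a password reset: notify the user and prompt them to enroll a replacement key.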

    • @AlDunbar
      @AlDunbar 1 year ago

      I'm wondering... if someone steals or finds a YubiKey, what other information do they need to use it to access your accounts? Can you repudiate a lost key, just in case, and then revert to your backup key? If so, what other info do you need to know to do so?

  • @winnie8614
    @winnie8614 1 year ago

    How would this YubiKey prevent a hacker who planted malware on your machine from intercepting the key / generating more auths on your behalf?

  • @OH10mm
    @OH10mm 23 days ago

    So I have a question. How do I incorporate a YubiKey with the FIDO2 protocol so that if something were to happen to me, my spouse could still gain access to accounts?

  • @Raintiger88
    @Raintiger88 1 year ago +1

    I would be using it, but most of the critical sites I use (like my banking), do not support it.