MFA/2FA Showdown: Which Authentication Factor is Best?

  • Published 19 Dec 2024

COMMENTS • 44

  • @TomNook.
    @TomNook. 1 year ago +4

    This video needs to go viral in every company

    • @ProTechShow
      @ProTechShow  1 year ago

      Thanks! Make it happen, folks 😉

  • @jozefwoo8079
    @jozefwoo8079 1 year ago +3

    Couldn't be more timely! Great overview!

  • @mccannger
    @mccannger 1 year ago

    Very happy with my new Yubikey and reassured with the additional layer of security it's giving me. Many thanks for the inspiration to look into this!

    • @ProTechShow
      @ProTechShow  1 year ago

      You're welcome. Glad to hear it was useful!

  • @jazilos
    @jazilos 1 year ago +1

    Great video! But for the MFA fatigue you could just disable notifications for certain apps at night, for example, and just ignore the prompts.

    • @ProTechShow
      @ProTechShow  1 year ago

      Thanks. That method relies on end-users (i.e. the weak link) setting it up to match their working hours, and assumes the prompts come at night. Another tactic is to send them at the start of a working day when people are likely expecting a legitimate prompt anyway.
      When I'm away from my desk it's not uncommon that something I'm logged in to will time out, reconnect, and I'll get a prompt. Without some form of matching there's no way to tell if it's legitimate, and there's a risk of people becoming conditioned to pressing "yes".
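
Added example, not from the video or from any commenter: a toy push-MFA backend that shows why "matching" changes the outcome of a fatigue attack. The login screen (which the attacker controls when they are the one logging in) receives a random two-digit number; the phone app has to echo it back, so a blind tap on "Approve" is rejected. It also caps prompts per user per window, the other common mitigation. All names (PushMfaServer, "alice", the timestamps) are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy push-MFA backend constructed for this example; not the code of any
# real MFA product. Two mitigations for "MFA fatigue" are modelled:
#  1. number matching: the login screen shows a 2-digit number and the
#     authenticator must echo it, so a blind "Approve" tap is worthless;
#  2. a cap on prompts per user per window, so an attacker cannot spam.


@dataclass
class PushChallenge:
    user: str
    created: float
    number: int          # displayed only on the login screen, never on the phone
    decided: bool = False
    approved: bool = False


class PushMfaServer:
    def __init__(self, require_number_match: bool, max_prompts: int = 3, window_s: float = 300):
        self.require_match = require_number_match
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.challenges = {}      # challenge id -> PushChallenge
        self.prompt_times = {}    # user -> list of prompt timestamps

    def start_login(self, user: str, now: float) -> Tuple[str, int]:
        """Whoever is at the login screen (user or attacker) gets the id and the number."""
        recent = [t for t in self.prompt_times.get(user, []) if now - t < self.window_s]
        if len(recent) >= self.max_prompts:
            raise RuntimeError(f"{user}: too many push prompts in {self.window_s}s; lock out and alert")
        self.prompt_times[user] = recent + [now]
        cid = secrets.token_hex(8)
        self.challenges[cid] = PushChallenge(user, now, secrets.randbelow(100))
        return cid, self.challenges[cid].number

    def respond(self, cid: str, approve: bool, number: Optional[int] = None) -> bool:
        """Called by the authenticator app on the phone. Each challenge is decided once."""
        ch = self.challenges[cid]
        if ch.decided:
            return False
        ch.decided = True
        if not approve:
            return False
        if self.require_match and number != ch.number:
            return False          # blind tap (None) or a wrong guess: rejected
        ch.approved = True
        return True


def fatigue_attack(require_number_match: bool) -> bool:
    """Attacker has the password and triggers a prompt; the tired victim taps
    Approve without reading anything. Returns True if the attacker gets in."""
    srv = PushMfaServer(require_number_match)
    cid, _number_seen_only_by_attacker = srv.start_login("alice", now=1000.0)
    return srv.respond(cid, approve=True, number=None)


def legitimate_login() -> bool:
    """Alice reads the number from her own screen and types it into the phone app."""
    srv = PushMfaServer(require_number_match=True)
    cid, shown = srv.start_login("alice", now=1000.0)
    return srv.respond(cid, approve=True, number=shown)


def prompt_spam_is_capped() -> bool:
    """The fourth prompt inside the window is refused (and should raise an alert)."""
    srv = PushMfaServer(require_number_match=True, max_prompts=3)
    for i in range(3):
        srv.start_login("alice", now=1000.0 + i)
    try:
        srv.start_login("alice", now=1004.0)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("approve-only, fatigue attack succeeds:    ", fatigue_attack(False))
    print("number matching, fatigue attack succeeds: ", fatigue_attack(True))
    print("number matching, legitimate login:        ", legitimate_login())
    print("prompt cap triggers:                      ", prompt_spam_is_capped())
```

With matching disabled the first call returns True (the blind tap is enough); with matching on it returns False, because the only party who saw the number was the attacker's login screen.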

  • @Hiram8866
    @Hiram8866 1 year ago

    Thanks for this one Andy - very helpful. I will have to log in to my HMRC account soon, pretty sure they use an SMS one-time code for 2FA.

    • @ProTechShow
      @ProTechShow  1 year ago +1

      I'm sure they can use TOTP as well (they have their own app but it's a standard TOTP that will work with any app)

  • @FancyTibor
    @FancyTibor 3 months ago

    Thank you so much for your hard work! 😊 I’ve got a question: 🤨 I have a set of words 🤷‍♂️. (behave today finger ski upon boy assault summer exhaust beauty stereo over). Not sure how to use them, would appreciate help. 🙏

  • @nonshatter7
    @nonshatter7 7 months ago

    I appreciate the copious amount of info, clearly laid out in sequence, on this video. Do you recommend getting the Yubikey directly from the manufacturer or will Amazon suffice?
    I ask because I see parallels with Crypto hardware wallets where it is universally recommended to buy directly from the manufacturer (thus removing the threat of tampering).

    • @ProTechShow
      @ProTechShow  7 months ago

      That's a good question. Yubico has a list of official reseller partners here: www.yubico.com/support/resellers/
      Any of these should be safe, having been vetted and approved by Yubico. The link in this video's description takes me to the Amazon UK store of Distology - one of Yubico's approved UK distributors. In other countries it may direct you to a different Amazon store appropriate to your location. If you check the seller is on Yubico's list you should be safe.

  • @petearmstrong2778
    @petearmstrong2778 1 year ago

    Demos from Google and Microsoft usually show passkeys being set up tied to devices eg mobile or PC. Now I see Password Managers are starting to store passkeys - how does this tie into devices? Is the passkey tied to the PWM and thus available to use on all devices where the PWM is installed?
    Hardware eg Yubikey has the hassle of creating 2 copies as backup and seems for the average user more hassle than software passkeys.

    • @ProTechShow
      @ProTechShow  1 year ago

      Passkeys tied to individual devices are perfectly good. I'm not so keen on passkeys that are synchronised between devices (e.g. sync'd to a Google account or a password manager). This makes them more convenient but it partially negates the security benefit of requiring access to a specific device if you only actually need access to a specific account to retrieve the passkey, and can access that account from anywhere. They're still better than using a password, but not as secure as a standalone FIDO2 device.
      What I find myself doing these days is registering a Windows Hello passkey for each of my regular computers, and then a YubiKey I can use if I'm using any other device or as a backup to Windows Hello. I think that's a good balance between security, convenience, and flexibility; but it requires more thought than just slapping in your Google account onto every device.

    • @petearmstrong2778
      @petearmstrong2778 1 year ago

      @@ProTechShow Thanks. For mass adoption of passkeys there really needs to be a single simple way to do it otherwise the mass market ie non-IT, won't adopt it. FIDO Alliance is aware of this but guess it will take some time to firstly adopt and secondly implement a consistent method.

    • @ProTechShow
      @ProTechShow  1 year ago +2

      Yes, I agree. I suspect passkeys that sync to Microsoft/Google accounts will end up being the solution that gets adopted by most as they'll be built-in with a lot of devices and the respective vendors will shove them down people's throats.
      I'm not a big fan of syncing it to an online account, but it is the path of least resistance. There is already a problem with Google accounts being targeted to get at all of the sync'd passwords from Chrome, and this will increase the impact of those attacks if it exposes your passkeys as well. It also creates a chicken-and-egg problem - if you need to log in to your Google (or Microsoft, password manager, etc.) account to get your passkey, you can't use the passkey to protect the Google account that contains all of your keys. So I assume the account with all the keys will need to have a less secure way to log in...
      Still, I don't want to complain too much because it's an improvement over the basic passwords most people are actually using!
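
Added example, not from the video or from any commenter: a relying party does not have to guess whether a registered passkey is device-bound or synced. WebAuthn Level 3 reserves two bits in the authenticator data flags byte for exactly this, BE (backup eligible, 0x08) and BS (backup state, 0x10); a hardware key such as a YubiKey clears both, a passkey synced through a Google/Apple/password-manager account sets both. The parser below reads the fixed 37-byte prefix (rpIdHash, flags, signCount) of an assertion and applies a policy such as "device-bound only for admin accounts". The sample authenticator data is constructed here, with "example.com" as a placeholder relying party.

```python
import hashlib
import struct

# Flags byte of WebAuthn authenticator data (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration responses only)
FLAG_ED = 0x80  # extension data follows


def parse_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse rpIdHash | flags | signCount and bind the data to our RP ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,  # synced passkeys usually report 0 here
    }


def classify_passkey(parsed: dict) -> str:
    if parsed["backup_eligible"] and parsed["backup_state"]:
        return "synced"
    if parsed["backup_eligible"]:
        return "sync-capable"      # could be backed up later; treat as synced for policy
    return "device-bound"


def registration_allowed(parsed: dict, allow_synced: bool, require_uv: bool = True) -> bool:
    """Policy hook: e.g. allow_synced=False for admin or customer-facing accounts."""
    if require_uv and not parsed["user_verified"]:
        return False
    if not allow_synced and parsed["backup_eligible"]:
        return False
    return True


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: the 37-byte prefix only, as in an assertion response
    (no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"   # placeholder relying party
    hardware_key = build_auth_data(rp, FLAG_UP | FLAG_UV, 7)
    synced_passkey = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    for name, ad in (("hardware key", hardware_key), ("synced passkey", synced_passkey)):
        p = parse_auth_data(ad, rp)
        print(f"{name}: {classify_passkey(p)}, admin registration allowed: "
              f"{registration_allowed(p, allow_synced=False)}")
```

The BE/BS bits are what lets a site implement the commenter's split in policy rather than in user guidance: accept synced passkeys for low-value logins, require a device-bound one where the account can reach customer data.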

  • @Lili.B1380
    @Lili.B1380 20 days ago

    Your tutorial video is great and thank you very much. However, it may be downgraded with the annoying background music that makes it hard to hear your talk clearly.

  • @lucsegers6931
    @lucsegers6931 1 year ago

    I'm still somewhat hesitant about these dongles because of practical use. Will you use them each time you log in to your email/facebook/etc? Do you carry them around the whole time? Or do you accept some devices as trusted? There is always this trade-off between usability and safety.

    • @ProTechShow
      @ProTechShow  1 year ago +1

      Mine's on my keyring. I can't leave the house or get in my car without my keys, so it's always close to hand.
      There is a tradeoff when it comes to trusting devices. I'd say you always need MFA for the initial login, and if you trust a device it needs to have some protection on it, but other than that the duration you trust it for is based on risk. My Facebook account - don't really care, require MFA then let me stay logged in. Anything that can be used to access customers - require MFA every single time I switch on.

    • @lynetteford6063
      @lynetteford6063 1 year ago

      E

  • @QueenJNice1
    @QueenJNice1 1 year ago

    Hi there...Have a question for you. I bought (2) Yubikey NFC 5 series after watching your videos. I did the set up process on my Macbook Pro and iPhone. But I could still sign in using my laptop password only, Yubikey will only prompt me to enter my Yubikey code IF the key is inserted in the USB-C. Am I supposed to disable my laptop sign in? Same with my iPhone, I can still sign in with my phone passcode or face ID. It's not asking for the Yubikey. Kindly advise....Thanks much!

    • @ProTechShow
      @ProTechShow  1 year ago

      I'm not 100% sure what you're trying to do. The authentication method covered in the video was FIDO2/WebAuthn, which is used for authentication to websites. The YubiKey 5 can be used for other authentication methods as well, including acting as a USB smart card (also called PIV). If you're logging on to a Mac with it, I suspect that's what you're using. I don't have a Mac to test with, but the instructions here may be helpful if you've not already seen them: www.yubico.com/works-with-yubikey/catalog/macos/

  • @lynetteford6063
    @lynetteford6063 1 year ago

    I've been at this a month now, about the SMS can be hacked, the email, about the downside, the voicemail, the YubiKey. I am old school. I am facing the unknowns; it's like I am facing a nightmare. It's something new to log in.

  • @alexclegg1739
    @alexclegg1739 6 months ago

    What are your thoughts on 2fa browser extensions

    • @ProTechShow
      @ProTechShow  6 months ago

      Depends how it works. If it's storing a unique key securely on the device then it's a valid possession factor. It depends how securely the key is stored and how well it validates the identity of a target website before it passes through the authentication. I wouldn't be keen if it syncs with multiple devices as it partly undermines the proof of possession. If it's a password manager extension that includes 2FA then my thoughts are covered in this video about the way Bitwarden does it: ua-cam.com/video/646dlqdcbMk/v-deo.html

  • @johngorentz6409
    @johngorentz6409 1 year ago +2

    Any factor that requires me to have a phone with me is a no-go.

    • @ProTechShow
      @ProTechShow  1 year ago

      Fair point. There are a couple of places I've worked where phones aren't allowed onsite, so dongles it is.

  • @RakeshKumar-eb9re
    @RakeshKumar-eb9re 8 days ago

    Great work

  • @asinheaven
    @asinheaven 9 months ago

    Yubikeys and similar physical keys seem to be poorly designed for their intended purpose of portability; in my pocket, it would end up with lint, sand, dog fur... Looks like a good market niche for yubikey cases...

    • @ProTechShow
      @ProTechShow  9 months ago +1

      I've had a YubiKey in my pocket for a couple of years. It's attached to my keyring so it goes everywhere - beach with the kids included. It doesn't really have any gaps for stuff to get stuck in so it hasn't been a problem for me. My car keys are more likely to collect dirt than the YubiKey.

    • @asinheaven
      @asinheaven 9 months ago

      Awesome!

  • @RT-fb6ty
    @RT-fb6ty 1 month ago

    I'm here to learn because Google will require MFA by mid 2025 for their cloud storage.

  • @numair3
    @numair3 1 year ago +1

    nice

  • @ThomasFlorence-y7o
    @ThomasFlorence-y7o 3 months ago

    Will Dam

  • @vmobile890
    @vmobile890 3 months ago

    My dongle 🤣