I feel like TouchID or FaceID are just replacing the password: Phone AND (Password OR biometric). Also the YubiKey in this scenario is just 2FA for the Apple ID itself, like, when you add a new device to your Apple ID. You still unlock your iPhone with PIN or biometrics. But I don't think the device itself where you log on is counted as a factor, or otherwise every login would be 2FA by default since you need a device (computer/phone) to put your login-data in. :P
@@emerelle3535 The devices are counted because somebody stealing (ex: random website database dump where you used the same password and email) your Apple login and password gets access to 1 authentication mechanism but now needs to obtain your phone and biometrics to be able to log in to your account.
I guess ya, you can get additional hardware which would track this stuff, why should you need to? If something by design promises it's secure, why is it let down by "oh right, you need something else to track it"? Why isn't it part of Yubikey?? If you're gonna make promises in security, do it.. In fact, i could argue losing something is actually the "most important" thing, as everyone has the tendency to lose stuff.. You can't fix that problem.
Can a single yubikey be used for multiple sites? This video is incomplete without a demonstration of how to use the key after you’ve added it to your Apple ID.
At minute 5:00 you talk about the iPhone without a plan. Can you talk a bit about that? Is there a SIM card? Or does it just use home wifi? Where do you get them? Are they the unlocked phones I hear about?
People, please don’t do this… If you have FaceID enabled on the device receiving the code, you are using 3FA(password+findable hardware+biometrics/who you are). Please don’t switch from 3FA, to 2FA(password+non-findable hardware) because a guy made a video about it…
I also think about protecting my AppleID with three security keys but I’m still too concerned of locking myself out during vacation or when I’m not near one key. :/
I have the same concern. Although, you could always carry a Yubikey on a keychain, as many do, in situations where you think you might need it. (It seems very unlikely someone would steal both your iPhone and your Yubikey at the same time). And you could always leave your Yubikey at home (or in a hotel safe when on vacation) when there's a greater risk, e.g. when going out for the night or traveling.
Don’t get why you would go from 3FA(password+findable hardware+biometrics) to 2FA, “because a guy on the internet made a video saying it, so it must be true”
some things are 'secure enough'. Give me an option to disable 2FA while understanding the risks for 'individual's' account, and i'll turn it off within 2 minutes.. Forcing people down a road... It's a travesty against nature.. This little black duck goes his own way
I get locked out as is... How secure is secure? No one likes to use multiple methods just to access their Apple account. 2 may be ok, but not 3 or 5 ... That's going overboard.. People can say they're the "most secure kid on the block" but at what cost? If you have to go through multiple layers, it's not going to be very good when you need it most but lose one of those. Basically, the more you have, the more you have to rely on yourself too.
@@Tech-geeky "but not 3 or 5 ... That's going overboard..". 3FA with iPhone is easier to do(just pick your phone and look at it) than 2FA with YubiKey(insert into a USB port, wait a sec and then touch it).
I use a Mac but my phone is an Android and I don't want to switch to an iPhone or an iPad. Does this video tell me how to set up my Yubikeys with my setup; or can you tell me here?
@@NoSubstitute I’ve always struggled to understand the nano, I must be missing something. If it’s plugged into a pc or laptop & said item is stolen, they have your device & the key, so what protection is it providing? Sorry if I am too stupid to see something obvious here.
@@everyhandletaken No.. you are correct, but for some people, they have decided to balance security with convenience, leaning more toward the convenience side of things. It can prove to be very difficult and maybe frustrating enough to be a zealot at this that one might abandon use of the keys if it proves to be a frustrating endeavor. I did for a time.. I simply don't live with my housekeys physically on my person all the time, especially when using a computer at home. It had become a real pain as my keys were somewhere else too many times when I needed them to authenticate into a site/service. Almost walked away from using the keys, and did for a spell and went back to TOTP on authenticator app. It was later that I decided to cure my frustration by using YubiKey neo's in my desktops at home. I understand the risks, and have had the debate with myself, but in the everyday I find having to reach for the one key.. and at this point, it isn't one key, because my desktops are older units and only have USB-A ports, and my laptops and mobile phones have USB-C for android and laptops, and lightning for my iPhone, so even then, the solution that works for the desktops won't do anything for all the other devices I have. So, the desktops get Neo's and I have a series 5 C for all the rest that I use when generally out of the house. This is the solution I arrived at that works for me, with full knowledge and acceptance of the risks. I figure if I have a home invasion where those keys are taken, I can go into the accounts where they are used and remove those keys. I'm thinking it'll be some kind of epic day if that were to actually happen. Not impossible, admittedly, but... whew.. I don't think so.. So much more sensible swag in my house to swipe other than my computer keyboards (that is where the neo's are plugged into on my desktops).
@@garolstipock I really appreciate the in-depth response, super helpful for my understanding on this. You definitely raise a very good point that I had not thought of.. I just had in my mind that the nano would be plugged directly into a USB port, but having it plugged into a hub or keyboard, in your case, makes a lot of sense. As you say, thieves probably cares about stealing a keyboard or a USB hub! Definitely going to grab a couple 5 series. Thanks.
thanks for the video! question, I have used the 2 yubi keys to lock my Apple ID on my Mac Pro and iPhone! will that automatically lock it on my iPad or do I need to use the yubi keys to lock it out on my iPad? thanks
I'm using standard 2FA with my Apple devices. While some can run 16.3 others can't and none of my Macs can run Ventura. If I were to add Yubikeys to my account would the older devices still use the current 2FA method and the newer devices use the Yubikeys or would I have potentially locked myself out of using the older devices for 2FA or some other weird combinations of 2FA and Yubikeys depending on device?
I started using proton mail. Unfortunately unless you pay a premium you can only see one account at a time. Would it still be secure to add the PM accounts to Apple mail?
The problem with this is that they essentially remove your one time passcode option, or they make it very convoluted to get to because I could never find it. For example after I registered my 2 security keys I could NOT login to the website without them. Like at all. There was no send push notification to your iPhone option like there usually is. So I promptly deleted them. I want these in ADDITION to the way I login now, not INSTEAD of.
I don't use apple products, but is this only securing your apple id so you need these keys to log into apple services, or does this also mean you can't unlock the phone without the hardware key?
I'm gonna assume 'services'.... Apple locks down their devices pretty good and they won't trust anyone, but themselves.. If they do end-to-end security without a third party app, (fear of not able to verify) why would they allow it here to just unlock your device locally? Either way, you're using 3rd party product/app etc. ... to unlock a product you bought from Apple. Still be the same situation, It would be convenient.
What I don't understand explained on this video is why the hell iphone needs a minimum of two yubikeys, anyone here please care to explain? Was it just plainly really for redundancy in case you lose one of it or this is the default minimum for iOS 16.3 by default?
Good question. It's best to have a backup key, but I seriously don't think it's necessary if you have another backup method. For example google has 10 one use codes, or Authenticator that you could keep on an old backup phone. I think it's just laziness on Apple's behalf and they only have this method implemented. They probably think you should go full security gung-ho with two keys, because Apple products are overpriced anyway, you have the money to spare, so you can afford two yubikeys. If they DO have other methods, like Google has, well.. that's Apple for you. Btw I don't own Apple products but I work with them, that's why I watched the video. And.. I only have one yubikey.
This is actually a smart thing Apple did with this implementation. Yes, there's no technical reason why you can't just enroll a single key to your account, but to not enroll at least an additional backup key would be a very very bad idea. Having a 2-key minimum basically forces the user to not make that mistake. Unlike other 2FA mechanisms, there's no way for Apple to reset your Yubikey 2FA if you lose your key. Having an additional "backup code" method like Google does defeats the purpose of why you'd want to use Yubikeys to begin with. The whole point of security keys is to minimize the possibility of having your 2FA codes phished or obtained by malware, etc. If you have a list of "backup codes" saved or printed out somewhere, they can be compromised without your knowledge. The Yubikey requires that you physically insert the key, AND that you touch the key when the site/service requests the authentication, so it's effectively malware/phish-proof.
@@melorama808 I agree it is the best, but not everyone, like me, is willing to buy two keys as I'm just trying it out for now. I think it's just patronizing. Typical Apple. And they already have other methods in place that are as insecure or worse than having only one key. So no. It's straight patronizing, or laziness, or they hold yubico shares.
Question: I do have an iOS device with the requisite OS. Once I set this up on that device, is it possible to set up the Apple ID on an older device using an older iOS? Thank you in advance.
I have an iPad & iPhone 15 pro max. There is no place to plug in anything but a charger. My phone I can hold the key to & it works. The iPad, doesn’t work. Help please
If you trust all the manufacturers, why not. Remember that every separate key is a door into your account. Using FaceID on the queried device is still more secure…
Can you delete the registered key with iPhone passcode? If you can then you are back to the current iPhone security problem that if someone steals your phone with your passcode then they can change the Apple ID
it's more secure ..... However, convenience always seems to over-ride everything now-a-days too, so i don't blame people for not using these dongles, because it's dictated (like everything), "where" you can use them. Until you force users out of the 'comfort zone' nothing will change on a mass-scale. I mean, banks here in Australia, few offer Yubikey access and excuses start to boil over very quickly. "Don't use Westpac, because they still rely on SMS" just to make the point of course. You can say the same about anything. I'm sure credit union like P&N bank don't offer this either, but i don't care. It's extra security, thankfully
Problem with yubikey totp that i found out is that there is a limit to how many they can have. 30 or 39 is the max if i'm not mistaken which was a huge bummer
So if I get the keys to add to iCloud, can I use the same physical keys for other services as well? Like google. Or do I have to buy one key per account?
One key for multiple accounts! One key for multiple devices! But you should always get two, so you have a backup for when you lose the other (not break, as they are basically indestructible).
It seems as though you didn’t need to use one of your keys to add the third. Does that mean if someone steals your phone and Lock Screen passcode (it’s a thing) they could just add a new key to bypass this protection?
@@RobbieRobski IMHO, administrative changes that are only done occasionally should require more security. I was hoping Yubikeys would plug a security hole that thieves are taking advantage of. They secretly watch someone enter the lock screen passcode while out in public (often at a bar restaurant), and then snatch the person’s phone. Within minutes they have changed the person’s iCloud password and disabled Find My iPhone. They then look at the person’s keychain to find all their passwords and transfer out all their money. The person is then permanently locked out of their iCloud account, losing all their photos if they’re backed up there. In some cases, they’re also permanently locked out of all the other Apple devices like MacBooks, and Apple can’t help them unlock them.
@@roger1818 I understand what you mean, but it's not Yubikey or any u2f key mfg's responsibility. That would fall on apple or whatever service provider that implements u2f.
@@RobbieRobski Agreed. I wasn’t suggesting that it was Yubikey’s responsibility. I was suggesting that it would be a good tool for Apple to use to plug this hole. Apple allowing users to add additional keys (after the first 2 have been set up) without requiring the use of a key is a hole.
@@roger1818 You can't disable Find My or those other things such as changing passwords without also knowing the Apple ID password. So it takes more than knowing the lock screen passcode. The YubiKey is required in addition to the Apple ID password, as I understand it, so the thief would need to know the passcode, Apple ID password and also have an authenticated YubiKey before a new one could be added.
The benefits of adding security keys appear to be nullified (or at least reduced) because iOS does not prompt for a key when attempting to change your Apple password from a device that is signed into iCloud and has passcode enabled.
@@jajuanyoung what i don't understand and i guess to me "it seems to be a flaw" in Apple's end to end. but with iCloud, why is the user asked to enter the 'same password that they use on the Mac to login' to encrypt files in iCloud?? Easy to remember, is the only reason, but if Apple heeded security, should it be a random password each time? And if they use encrypted data for already stored files, then it should be stored on device to decrypt? iOS has keychain equivalent, just like Mac. so why isn't it used for this? Sometimes i refuse to login to iCloud on iOS, because (by design) you're forced to enter your Mac's password to encrypt files (whether you actually intend to use icloud storage or not). On the Mac you can choose to skip this part, but you still login *separately*. It should be separate but on iOS it's not. Just give me a random password to encrypt files, and it will work, instead of trading security for convenience.
Nonsense. I recently bought a Yubikey 5 Nano and a 5Ci. I can register the 5Ci as a security key with my iPhone SE2, but not the Nano. These products are too difficult. I wasted $135.
Even though ios may allow you to integrate the yubi to the phone, it still hasn't altered its code for the fingerprint option to be triggered such as with a bank. Of course most banks allow win or ios app downloads, and as for the ios, even with active yubikeys it only offers the face signin and not fingerprint. Apple is still blocking access! It will not allow say: when your phone is locked and not in use and you want to sign in again, it will not allow a fingerprint option to be triggered or preferred. Thus far, as for my ios device, the yubikey is literally useless. Also, when you try and add an account, it will say, there are no credentials for this device and or will not accept the QR scan, say when you attempt to integrate chrome account etc.
Using 2FA keys seems to lock me out of iTunes on my PC. I can’t play any of my music I pay for on Apple Music anymore on my PC. It’s a real down side. You can’t unlock iTunes with your 2FA keys because Apple are not supporting it on windows right now . So basically Apple is trying to force you to buy an iMac to get this basic functionality back. It’s a bad joke for everyone with a windows computer.
Yubikey is probably the worst 2fa method. It is small, and far far far too easy to lose or destroy. To use my authy codes, a thief would have to bypass my phone’s faceid security.
Apple ID uses 3FA by default(password + hardware + biometrics on the receiving device), if you have FaceID enabled. He is encouraging people to switch away from the default 3FA, to 2FA(password + non-findable hardware).
@@aliancemd not everyone uses FaceID.... I still have my iPhone 6s Plus. and will continue to buy them as long as i can still get them... I don't need all the fancy crap of today... It's good technology, sure, but it's a bloody phone, not a Swiss army pocket knife. If it wasn't for the fact mobile providers forcing everyone onto 4G (and up) as shutting down 3g network, i'd be still on there as well.
I hate to be the bearer of bad news, the TOTP is not bound to the key and your app, it is bound to the key only, anyone can download the app and access the TOTP codes, no authentication required.
@@everyhandletaken I think you can add a pin to be able to get the TOTP private key from the yubikey. But you must consider all this 2FA stuff is really to protect yourself from REMOTE attacks... hackers. Not really for cases when your phone or keys are stolen.
@@everyhandletaken That onlykey is nice, a bit expensive, but it does have a pin keyboard. There's also a yubikey with fingerprint scanner instead of a keyboard (and a pin backup in case you cut your finger) but I think it doesn't have NFC. In all yubikeys the pin input is "via software". I don't have a yubikey yet (it's on the way) so I can't say more. I'm still researching all this stuff 😅
@@sermarr yeah, I really like the idea of the physical pin pad.. you’re right, there is the Bio Yubikey.. very expensive & no NFC, as you mentioned. At least with the Onlykey, I could still type my pin with a stick between my teeth, if my finger fell off lol ..but it has no NFC either 😒 I haven’t made a purchase yet, but I think I will just end up going with the YK 5 series.
Just one simple thought!!! What a mess! It's 2023 and yet they still have not solved the security login problem? Do you want to know why? Because they want third parties in the middle for control and profit... the yubikey is a good solution tho.. but if all the websites don't use it or understand it everywhere then it really becomes expensive and pointless.. We need to see more info on the lock out situations.. Losing the key, backup and solutions that do not require the bloody cloud...in addition non tech users are really getting left behind and confused big time... WHAT A HUGE MESS!
Great so when iPhone 15 comes out and has USB-C instead of lightning cuz lightning crap poor it's only USB 2.0 speeds You're not going to be able to use that
@@NoSubstitute not a good idea! If your device is stolen along with the plugged in key then it's pointless to have Security Key enabled in the first place. You’d always want to have it unplugged and separated from the device in case of it being stolen
None of the videos on this topic cover the most important aspect. Which is what are the events that require the key to be presented? Do I need to have a key with me or can I leave it at home? I am not worried about losing my phone. But I do want to have a contingency for being robbed. If I am robbed of both iPhone and key - which does seem likely - then what? I see the key has its own PIN. Is that always requested?
I’ve started to use screentime to restrict Apple ID access with a separate PIN, the screentime PIN. How does that affect when the iPhone prompts for the hardware key? A video covering these aspects would be so much better than just walking through the settings.
Yes!
1000% agree. All of these content creators really miss the mark when it comes to real use applications. Imagine their views and subs if they did a 5 minute video covering actual use scenarios with Google, Gmail, iCloud, windows, devices Etc. just the top 2-3 uses for each would be phenomenal content but they can’t get their head away from elementary school set up videos.
Did you ever figure it out?
@@HazyIPA15 True.. did you know the answer to when will it be ever required btw? :P is it only to login to icloud/appstore?
Yubi keys don't work. This guy is just making money off of scamming them.
Could you share your idea on why do you use 2 different iPhones? Do you have a video about that? Can you make one? it's really interesting to know!
So I have yubikeys on the way. My question that I have before I plug them in and do what you did on this video is
Did you do anything to the yubikeys before you did the procedure in your video? OR do I just run through like you have in the video ? Can I set up the yubikey pin or passcode after the fact from my iPhone or iPad??
Did u ever get an answer from this guy or somewhere else?
I feel like losing hardware keys has a much higher chance of happening than being hacked despite using a TOTP
And in comparison with modern phones, these keys are not findable
@@aliancemd worse ever.. Having said that, i refuse to use "Find my" on Apple devices. Perhaps it's just because i value some things more than others.
I dunno... i mean not many people i know have YubiKeys...
Everyone is on the internet today.. You choose. There is no comparison as the choice is crystal clear.
That’s why you must have redundancy
This isn't a big deal for a few reasons:
1. Most accounts require at least 2 security keys to be registered. You're supposed to keep the backup somewhere safe in case 1 key is lost. In contrast, many TOTP apps have no backup or a code backup that hopefully is written down and not lost.
2. The key doesn't tell you where it's registered, so someone who acquires a lost security key needs to find out somehow what accounts the owner uses. In contrast, TOTP apps often tell you where the code is registered.
Chris - you missed out a few important issues - 1. If you have windows devices connected to your iCloud account this will not work. 2. If you have managed Apple ID this doesn’t work (school or Business) managed devices 3. Child Accounts and Older Devices of course - so some major concerns
I enabled 2FA using Yubikeys and then launched iTunes on Windows and was able to log into my Apple account without any issues.
Apple likes to do their stuff THEIR way.. If they do have it, it would be only local.
I think it's the same reason Apple wouldn't apply other apps access apart from Trusted Devices they like to enforce for the same reason.. As much as secure others wanna be, Apple thinks any link (like use of third party app to authenticate), can be misused... If the app got tampered with, downloaded from a malicious source, or on iOS "jailbroken". As good as iPhones are they really don't like to give people options either. The only way they can verify, if they do it directly...
The no windows sucks
Thank you so much for the advice ! Always relevant!🙏You mentioned something about two separate phones! I have been brewing this idea in my head for a while now but can’t seem to be able to find the following answers to: which phone holds which info?, can I have all my banking on one and the rest on the other? (Leave one at home ?) Can I use same appleid on both?, If someone steals one - can they break into both? The main question is what would be the best way to separate one category of info from another ! Sorry for the list but have hit a wall! 😂thank you and keep up the great work for us !!
Did u ever get an answer here or anywhere?
I’m going to be using a separate dedicated device, either an iPad or iPhone, for banking / financial with a separate dedicated iCloud account used only on that device, not on any other devices. No web browsing. No clicking on links. No other activity, just the banking / financial. Only using the email that comes with that dedicated account, if I even use that email. I’ll be locking the account with a physical security key such as Yubikey. If something happens, such as losing all my security keys, then I’ll just start over again. It will be the iCloud account I’m locked out of, not the banking.
@@benalbritton999 thanks for the guidance! Yes a separate device is I think the way to go!
Seriously, the hair looks a lot better than it did in 2020.
Something u are, something you know and something you have
That’s for FaceID. He is encouraging people here to switch away from 3FA, to 2FA(password + hardware)…
Thank god! Thank you! Having iPhone as 2FA for Apple Account is a horrible idea! What if my iPhone bricks? Then I’m screwed! You need to login to your Apple Account to check in for your iPhone repair or replacement. Using Yubikey as 2FA is way better and more secured!
The same can be said about these FOB keys.. what if you lose them? Unlike a phone you CAN set up to track it, how can you track a secure token?? If you could, wouldn't that break the secure model?? etc... There are always trade-offs.
This could be the reason why these FOBs will never be global standard for all by default.. They can't... I don't see how when you have to give users options.
@@Tech-geeky There was a tracker device for U2F Security Keys. And there are many more options out there!
ua-cam.com/video/Z92JMdPrbu0/v-deo.html
I was expecting a prompt for a security key when changing my Apple ID password on a trusted device, but it doesn't prompt. So if the iPhone passcode is compromised, you can change the Apple ID password and remove security keys because it's already logged in as a trusted device. Why is that?
That part is up to us, to not let any unsavory entity(s) get too close to our stuff
Did you remove your other forms of authentication or only use Yubikey as additional form of 2FA?
If you trust that you won't lose it then remove the rest, since the others are actually quite insecure despite the name
It’s not true that it’s “insecure”, if you use FaceID on your queried device. You are switching from 3FA(biometrics - “what you are” being the 3rd authentication mechanism) to 2FA…
@@vrbz That's the problem, right... anything extra you have, even when it's smaller, the risk of losing it increases
While SMS is not secure, you have to go to great lengths to lose a mobile phone. One way would probably be attaching Yubikeys to your keyring, so wherever your car keys go, they go
I have regular USB keys I store important stuff on, and I only keep them in my wallet... That way, I always know where they are... (I'm not likely to lose my wallet) yet.... But IF that ever happens, I'll deal with that when it happens.
@@aliancemd The problem with FaceID is that, it can be bypassed to use passcode to unlock
@@vrbz Try removing your phone number as a 2FA option in your Apple account. I’ll wait.
2:01 “phones can be lost or stolen” - same goes for YubiKey, the only difference here is that modern phones are findable while you can say bye to your YubiKey.
Technically, authenticating with iPhone FaceID is more secure(that’s besides the fact that it is findable in comparison to YubiKey), it’s 3FA: password(what you know) + phone(what you have) + biometrics(what you are).
I feel like TouchID or FaceID are just replacing the password: Phone AND (Password OR biometric).
Also the YubiKey in this scenario is just 2FA for the Apple ID itself, like when you add a new device to your Apple ID. You still unlock your iPhone with PIN or biometrics.
But I don't think the device itself where you logon is counted as a factor, or otherwise every login would be 2fa by default since you need a device (computer/phone) to put your login-data in. :P
@@emerelle3535 The devices are counted because somebody stealing your Apple login and password (ex: a random website database dump where you used the same password and email) gets access to 1 authentication mechanism but now needs to obtain your phone and biometrics to be able to log in to your account.
I guess ya, you can get additional hardware which would track this stuff, but why should you need to? If something by design promises it's secure, why is it let down by "oh right, you need something else to track it"
Why isn't it part of Yubikey? If you're gonna make promises in security, do it. In fact, I could argue losing something is actually the "most important" thing, as everyone has the tendency to lose stuff. You can't fix that problem.
That’s not the only difference.
A lost iPhone is a goldmine asset; a lost Yubikey is just a tiny bit of worthless junk.
“Yubi key security key pass code”. Where does that come from?
Where’s the old music? 😊
Can a single yubikey be used for multiple sites?
This video is incomplete without a demonstration of how to use the key after you’ve added it to your Apple ID.
Yes, it is
And what happens if your yubikey is lost?
Does enabling this on my Apple ID mean that it’s enabled on all devices or just this device that I enabled it on?
In your video, you mentioned about entering pin for Yubi keys. Where do I get the PIN?
When you first setup key they ask you to create a pin too
@@lewisdoe4137 Who’s they? Yubikey web site? Apple? Thanks
At minute 5:00 you talk about the iPhone without a plan. Can you talk a bit about that? Is there a SIM card? Or does it just use home wifi? Where do you get them? Are they the unlocked phones I hear about?
Did you get an answer? This seems to be a TERRIBLE channel for answering questions.
I have a question! How do you change or remove a YubiKey after losing one of them? I wanted to replace with 3 keys.
People, please don’t do this…
If you have FaceID enabled on the device receiving the code, you are using 3FA(password+findable hardware+biometrics/who you are). Please don’t switch from 3FA, to 2FA(password+non-findable hardware) because a guy made a video about it…
I also think about protecting my AppleID with three security keys but I’m still too concerned about locking myself out during vacation or when I’m not near one of the keys. :/
I have the same concern. Although, you could always carry a Yubikey on a keychain, as many do, in situations where you think you might need it. (It seems very unlikely someone would steal both your iPhone and your Yubikey at the same time).
And you could always leave your Yubikey at home (or in a hotel safe when on vacation) when there's a greater risk, e.g. when going out for the night or traveling.
Don’t get why you would go from 3FA(password+findable hardware+biometrics) to 2FA, “because a guy on the internet made a video saying it, so it must be true”
Some things are 'secure enough'. Give me an option to disable 2FA while understanding the risks for an "individual's" account, and I'll turn it off within 2 minutes.
Forcing people down a road... It's a travesty against nature. This little black duck goes his own way
I get locked out as is... How secure is secure? No one likes to use multiple methods just to access their Apple account. 2 may be OK, but not 3 or 5... That's going overboard.
People can say they're the "most secure kid on the block" but at what cost? If you have to go through multiple layers, it's not going to be very good when you need it most but lose one of those. Basically, the more you have, the more you have to rely on yourself too.
@@Tech-geeky "but not 3 or 5 ... That's going overboard..". 3FA with iPhone is easier to do(just pick your phone and look at it) than 2FA with YubiKey(insert into a USB port, wait a sec and then touch it).
A good clear video. What is the mat on your desk?
When will I be asked to use the key? Only to set up new devices? Can I still have a security code? Does this disable Apple’s 2FA trusted devices?
Yes, when you want to sign in to your Apple ID. And no, you cannot use security codes anymore.
I use a Mac but my phone is an Android and I don't want to switch to an iPhone or an iPad. Does this video tell me how to set up my Yubikeys with my setup; or can you tell me here?
What do you use the 3rd YubiKey for? Primary, backup, off-site? Primary, backup, spouse?
Yes x 6. 🙂 Also, you may have systems that need a different kind of key, or you want a Nano that's always inserted in the device.
@@NoSubstitute I’ve always struggled to understand the nano, I must be missing something. If it’s plugged into a pc or laptop & said item is stolen, they have your device & the key, so what protection is it providing?
Sorry if I am too stupid to see something obvious here.
@@everyhandletaken No.. you are correct, but for some people, they have decided to balance security with convenience, leaning more toward the convenience side of things.
It can prove to be very difficult and maybe frustrating enough to be a zealot at this that one might abandon use of the keys if it proves to be a frustrating endeavor. I did for a time.. I simply don't live with my housekeys physically on my person all the time, especially when using a computer at home. It had become a real pain as my keys were somewhere else too many times when I needed them to authenticate into a site/service.
Almost walked away from using the keys, and did for a spell and went back to TOTP on authenticator app. It was later that I decided to cure my frustration by using YubiKey neo's in my desktops at home.
I understand the risks, and have had the debate with myself, but in the everyday I find having to reach for the one key.. and at this point, it isn't one key, because my desktops are older units and only have USB-A ports, and my laptops and mobile phones have USB-C for Android and laptops, and Lightning for my iPhone, so even then, the solution that works for the desktops won't do anything for all the other devices I have.
So, the desktops get Neo's and I have a series 5 C for all the rest that I use when generally out of the house.
This is the solution I arrived at that works for me, with full knowledge and acceptance of the risks. I figure if I have a home invasion where those keys are taken, I can go into the accounts where they are used and remove those keys. I'm thinking it'll be some kind of epic day if that were to actually happen. Not impossible, admittedly, but... whew.. I don't think so.. So much more sensible swag in my house to swipe other than my computer keyboards (that is where the neo's are plugged into on my desktops).
@@garolstipock I really appreciate the in-depth response, super helpful for my understanding on this.
You definitely raise a very good point that I had not thought of.. I just had in my mind that the nano would be plugged directly into a USB port, but having it plugged into a hub or keyboard, in your case, makes a lot of sense. As you say, thieves probably cares about stealing a keyboard or a USB hub!
Definitely going to grab a couple of 5 series. Thanks.
@@NoSubstitute "you're in dongle heaven buddy" :)
Why is your one YubiKey without a black cover? Did you remove it? I don’t see that option on their website, but it looks cool. Can I buy it that way?
No answer?
I love your videos, but why are you no longer reviewing Ubiquity products?
What happens if I lose the key?
Question: Does the product support IOS 17??
Great Info thanks!
Where did the key PIN come from? "Once your Yubikey is detected, you’ll have to enter in your Yubikey PIN code and do the..."
Thanks for the video! Question: I have used the 2 YubiKeys to lock my Apple ID on my Mac Pro and iPhone! Will that automatically lock it on my iPad, or do I need to use the YubiKeys to lock it out on my iPad? Thanks
My yubikeys don’t seem to have pass codes. They were just recognised and worked without issues. What is this pass code about?
Yeah, I too am wondering the same thing 🤔 lols
But it isn't supported on Windows, so I can't enable it, or I will not be able to log in to the Windows application.
I'm using standard 2FA with my Apple devices. While some can run 16.3 others can't and none of my Macs can run Ventura. If I were to add Yubikeys to my account would the older devices still use the current 2FA method and the newer devices use the Yubikeys or would I have potentially locked myself out of using the older devices for 2FA or some other weird combinations of 2FA and Yubikeys depending on device?
It's not going to let you enable it with older devices connected to your AppleID.
I have a feeling you have to update to log in. I tried to log an older Mac running Catalina into iCloud and it told me I’d need to update my OS!
You are actually using 3FA, if you get the code on a device with biometrics, like FaceID.
He suggests switching from 3FA, to 2FA
I started using proton mail. Unfortunately unless you pay a premium you can only see one account at a time. Would it still be secure to add the PM accounts to Apple mail?
You shouldn't be using other apps to manage secure email, like Proton.
Video start at 5:23 thank me later!
Where did you get the clear version? I’m not seeing it listed on their site.
It was a limited edition.
The problem with this is that they essentially remove your one-time passcode option, or they make it very convoluted to get to, because I could never find it. For example, after I registered my 2 security keys I could NOT log in to the website without them. Like, at all. There was no "send push notification to your iPhone" option like there usually is. So I promptly deleted them. I want these in ADDITION to the way I log in now, not INSTEAD of.
Did you try out YubiKey as a « Smart Card » for macOS login?
Can I use Type-C with iPhone when I want to install it the first time via NFC?
Can you update with a new video? iOS 17.2 is not the same and there isn't an obvious place to add physical keys.
Does Pixel / Android support this natively too? If so, can you do a video on it?
I don't use apple products, but is this only securing your apple id so you need these keys to log into apple services, or does this also mean you can't unlock the phone without the hardware key?
Good question
I'm gonna assume 'services'.... Apple locks down their devices pretty good and they won't trust anyone but themselves. If they do end-to-end security without a third-party app (fear of not being able to verify), why would they allow it here to just unlock your device locally? Either way, you're using a 3rd-party product/app etc. to unlock a product you bought from Apple. Still be the same situation. It would be convenient.
Nice! Thanks.
I like the idea of them but honestly the convenience is not there.
What I don't understand, as explained in this video, is why the hell the iPhone needs a minimum of two YubiKeys. Anyone here please care to explain? Was it just plainly for redundancy in case you lose one of them, or is this the default minimum for iOS 16.3?
Good question. It's best to have a backup key, but I seriously don't think it's necessary if you have another backup method. For example google has 10 one use codes, or Authenticator that you could keep on an old backup phone. I think it's just laziness on Apple's behalf and they only have this method implemented. They probably think you should go full security gung-ho with two keys, because Apple products are overpriced anyway, you have the money to spare, so you can afford two yubikeys. If they DO have other methods, like Google has, well.. that's Apple for you. Btw I don't own Apple products but I work with them, that's why I watched the video. And.. I only have one yubikey.
This is actually a smart thing Apple did with this implementation. Yes, there's no technical reason why you can't just enroll a single key to your account, but to not enroll at least an additional backup key would be a very, very bad idea. Having a 2-key minimum basically forces the user to not make that mistake. Unlike other 2FA mechanisms, there's no way for Apple to reset your Yubikey 2FA if you lose your key. Having an additional "backup code" method like Google does defeats the purpose of why you'd want to use Yubikeys to begin with. The whole point of security keys is to minimize the possibility of having your 2FA codes phished or obtained by malware, etc. If you have a list of "backup codes" saved or printed out somewhere, they can be compromised without your knowledge. The Yubikey requires that you physically insert the key, AND that you touch the key when the site/service requests the authentication, so it's effectively malware/phish-proof.
@@melorama808 I agree it is the best, but not everyone, like me, is willing to buy two keys, as I'm just trying it out for now. I think it's just patronizing. Typical Apple. And they already have other methods in place that are as insecure or worse than having only one key. So no. It's straight patronizing, or laziness, or they hold Yubico shares.
Great video, one question after plugging it in I am not getting prompted for passcode/PIN for the Yubikey, do I have to set that up separately?
You can set a PIN with YubiKey Manager
What’s the yubikey manager? Authentication app?
Question: I do have an iOS device with the requisite OS. Once I set this up on that device, is it possible to set up the Apple ID on an older device using an older iOS? Thank you in advance.
No
I have an iPad & iPhone 15 pro max There is no place to plug in anything but a charger.
My phone I can hold the key to & it works
The iPad, doesn’t work
Help please
I see some questions I would like answered also. Does this guy answer them? Evidently not
Can I have security keys from different manufacturers for redundancy? Say a Yubikey and the backups are Feitian and a Trezor?
If you trust all the manufacturers, why not. Remember that every separate key is a door into your account.
Using FaceID on the queried device is still more secure…
Can you delete the registered key with the iPhone passcode? If you can, then you are back to the current iPhone security problem: if someone steals your phone with your passcode, then they can change the Apple ID
Why bother with hardware keys if you’re leaving SMS 2FA enabled?
It's more secure..... However, convenience always seems to override everything nowadays too, so I don't blame people for not using these dongles, because it's dictated (like everything) "where" you can use them.
Until you force users out of the 'comfort zone' nothing will change on a mass-scale. I mean, banks here in Australia, few offer Yubikey access and excuses start to boil over very quickly. "Don't use Westpac, because they still rely on SMS"
just to make the point of course. You can say the same about anything. I'm sure credit union like P&N bank don't offer this either, but i don't care. Its extra security, thankfully
Technology changes over the years so it's good to keep up with it
The problem with YubiKey TOTP that I found out is that there is a limit to how many they can have. 30 or 39 is the max, if I'm not mistaken, which was a huge bummer
Top - Thanks !
So if I get the keys to add to iCloud, can use the same physical keys for other services as well? Like google. Or do I have to buy one key per accounts?
One key for multiple accounts! One key for multiple devices! But you should always get two, so you have a backup for when you lose the other (not break, as they are basically indestructible).
Those keys can break, but you have to be really really really strong to do so
Does implementing Yubikey on the iPhone replace Face ID or passcode to unlock my iPhone?
Exactly that’s happened all my private phone it goes to . 😢😢.
Safety first.
It seems as though you didn’t need to use one of your keys to add the third. Does that mean if someone steals your phone and Lock Screen passcode (it’s a thing) they could just add a new key to bypass this protection?
Based on my experience with these and other services, once you are already authenticated then you can do whatever.
@@RobbieRobski IMHO, administrative changes that are only done occasionally should require more security. I was hoping Yubikeys would plug a security hole that thieves are taking advantage of. They secretly watch someone enter the lock screen passcode while out in public (often at a bar or restaurant), and then snatch the person’s phone. Within minutes they have changed the person’s iCloud password and disabled Find My iPhone. They then look at the person’s keychain to find all their passwords and transfer out all their money. The person is then permanently locked out of their iCloud account, losing all their photos if they’re backed up there. In some cases, they’re also permanently locked out of all the other Apple devices like MacBooks, and Apple can’t help them unlock them.
@@roger1818 I understand what you mean, but it's not YubiKey's or any U2F key mfg's responsibility. That would fall on Apple or whatever service provider implements U2F.
@@RobbieRobski Agreed. I wasn’t suggesting that it was Yubikey’s responsibility. I was suggesting that it would be a good tool for Apple to use to plug this hole. Apple allowing users to add additional keys (after the first 2 have been set up) without requiring the use of a key is a hole.
@@roger1818 You can't disable Find My or those other things such as changing passwords without also knowing the Apple ID password. So it takes more than knowing the lock screen passcode. The YubiKey is required in addition to the Apple ID password, as I understand it, so the thief would need to know the passcode, Apple ID password and also have an authenticated YubiKey before a new one could be added.
Ps now a subscriber ✅
Hello guys, I don’t have “add security keys" in settings, but I have an iPhone 12 mini… and apple 16.0.3. Help me please 😅☹️💪
You lose your phone together with this device & now you have the highest level of security 🤣
😆 I don't wanna be like that. It's my number #1 worst fear, but I only have my USB keys as my "protection"
If they go, so do I.
Thank you so much !
The benefits of adding security keys appear to be nullified (or at least reduced) because iOS does not prompt for a key when attempting to change your Apple password from a device that is signed into iCloud and has passcode enabled.
You can encrypt your iCloud and get a key for it.
@@jajuanyoung What I don't understand, and I guess to me "it seems to be a flaw" in Apple's end-to-end: with iCloud, why is the user asked to enter the "same password that they use on the Mac to log in" to encrypt files in iCloud? Easy to remember is the only reason, but if Apple heeded security, should it be a random password each time? And if they use encrypted data for already stored files, then it should be stored on device to decrypt?
iOS has a keychain equivalent, just like Mac, so why isn't it used for this? Sometimes I refuse to log in to iCloud on iOS, because (by design) you're forced to enter your Mac's password to encrypt files (whether you actually intend to use iCloud storage or not)
On the Mac you can choose to skip this part, but you still log in *separately*. It should be separate but on iOS it's not. Just give me a random password to encrypt files, and it will work, instead of trading security for convenience.
Nonsense. I recently bought a Yubikey 5 Nano and a 5Ci. I can register the 5Ci as a security key with my iPhone SE2, but not the Nano. These products are too difficult. I wasted $135.
5:17 if you only came for the setup
Even though iOS may allow you to integrate the Yubi to the phone, it still hasn't altered its code for the fingerprint option to be triggered, such as with a bank. Of course most banks allow win or iOS app downloads, and as for iOS, even with active yubikeys it only offers the face sign-in and not fingerprint. Apple is still blocking access! It will not allow, say, when your phone is locked and not in use and you want to sign in again, a fingerprint option to be triggered or preferred. Thus far, as for my iOS device, the yubikey is literally useless. Also, when you try to add an account, it will say there are no credentials for this device and/or will not accept the QR scan, say when you attempt to integrate a Chrome account etc.
Don't lose that key!
❤
I have no idea what the hell you’re talking about
bruh one step away from everyone being chipped
Bout time
I don't like apple, but glad that the Yubikey works in more places.
What if your iPhone got stolen at the same time as the security keys?
Keep a backup in another location.
Using 2FA keys seems to lock me out of iTunes on my PC. I can’t play any of my music I pay for on Apple Music anymore on my PC.
It’s a real down side. You can’t unlock iTunes with your 2FA keys because Apple are not supporting it on windows right now . So basically Apple is trying to force you to buy an iMac to get this basic functionality back. It’s a bad joke for everyone with a windows computer.
Bro, you say it like it was a secret. They said it on their websites clearly, both Apple and Yubico, so next time read carefully
Yubikey is probably the worst 2fa method. It is small, and far far far too easy to lose or destroy.
To use my authy codes, a thief would have to bypass my phone’s faceid security.
Apple ID uses 3FA by default(password + hardware + biometrics on the receiving device), if you have FaceID enabled.
He is encouraging people to switch away from the default 3FA, to 2FA(password + non-findable hardware).
@@aliancemd not everyone uses FaceID.... I still have my iPhone 6s Plus. and will continue to buy them as long as i can still get them... I don't need all the fancy crap of today...
It's good technology, sure, but it's a bloody phone, not a Swiss army pocket knife. If it wasn't for the fact of mobile providers forcing everyone onto 4G (and up) and shutting down the 3G network, I'd still be on there as well.
You can bypass faceID with the pass code. This adds another layer of security to your Apple ID.
I hate to be the bearer of bad news, the ToTP is not bound to the key and your app, it is bound to the key only, anyone can download the app and access the TOTP codes, no authentication required.
So, you don’t require they key in order to login (or hack in) to your totp account & access the codes?
@@everyhandletaken I think you can add a pin to be able to get the TOTP private key from the yubikey. But you must consider all this 2FA stuff is really to protect yourself from REMOTE attacks... hackers. Not really for cases when your phone or keys are stolen.
@@sermarr onlykey seems to fit both criteria
@@everyhandletaken That onlykey is nice, a bit expensive, but it does have a pin keyboard. There's also a yubikey with fingerprint scanner instead of a keyboard (and a pin backup in case you cut your finger) but I think it doesn't have NFC. In all yubikeys the pin input is "via software". I don't have a yubikey yet (it's on the way) so I can't say more. I'm still researching all this stuff 😅
@@sermarr yeah, I really like the idea of the physical pin pad.. you’re right, there is the Bio Yubikey.. very expensive & no NFC, as you mentioned.
At least with the Onlykey, I could still type my pin with a stick between my teeth, if my finger fell off lol
..but it has no NFC either 😒
I haven’t made a purchase yet, but I think I will just end up going with the YK 5 series.
Just one simple thought!!! What a mess! It's 2023 and yet they still have not solved the security login problem? Do you want to know why? Because they want third parties in the middle for control and profit... the yubikey is a good solution tho.. but if all the websites don't use it or understand it everywhere then it really becomes expensive and pointless.. We need to see more info on the lockout situations.. Losing the key, backup and solutions that do not require the bloody cloud... in addition, non-tech users are really getting left behind and confused big time... WHAT A HUGE MESS!
So you need 3x keys for this nonsense expensive shit
Great, so when iPhone 15 comes out and has USB-C instead of Lightning, cuz Lightning is crap poor, it's only USB 2.0 speeds, you're not going to be able to use that
Use the NFC version
The one with lightning is double sided with usb-c on the other end
My NFC stopped working, what now?
Log in from any device with a web browser and remove the keys
I’m not thrilled about having to drag around a key when not home to get into secure accounts
I wish they made them in a smart card form factor that I could keep in my wallet
@@mattv5281 you keep it in your keyring, or get a nano and keep it in your device always.
Tie it to your shoelace & then you have an NFC foot 🦶
@@NoSubstitute not a good idea! If your device is stolen along with the plugged-in key then it's pointless to have Security Key enabled in the first place
You’d always want to have it unplugged and separated from the device in case of it being stolen
I have the 5c nfc, it's on my keychain which I generally always have with me. Not a horrible inconvenience for significantly stronger security.