@mackado I still beg the question of why people love to come to the US with all the things that go wrong and have been wrong over so many years, but what do I know...
Thank you for a very clear and concise intro on the basic how’s and why’s for using a hardware device! I’m shocked that in this day and age, that more financial institutions are not using this technology. Keep up the great work!
I've been thinking about going to hardware key for a while. This video gave me some great information to help 'push' me forward. Don't really have a huge number of accounts or big security problems per se, but good to NOT be that 'low hanging fruit'. As my father would say, 'locks only keep honest people honest, but if your lock is better than the neighbors...'
‘You always have to have it on you!’ issue. Well, I already have to have my house key on me, so… For me the bigger issue was the whole ‘but what if I lose it or it gets stolen?’ thing, because I’m so used to ‘losing’ my password and then using my email to get in instead, and if I lost or forgot a house key I could rely on family members or, worst comes to worst, brute-force my way back into the house, not so much hack my way back into my own account, never mind the extra security, so I’m glad you covered those concerns as well!!
Great information about using the Yubico app to get around 2fa limitations on some websites. Having just spent the last few hours learning all this the hard way, your video hits all the important points. One of the best vids I've seen covering this topic.
Great video! Shared it with some of my circle. One word of warning, some older yubikeys may stop being supported (I have a yubikey 4 that nvidia did not accept)
Shannon, I bought 2 yubikeys about 6 months ago and have not been able to use them anywhere. I've tried it with my Microsoft account but get told every time to reset, so I reset it, then it still won't accept it. Anyway, I'll keep watching your shows till I get it. Thank you so much for all your HARD work, Shannon, take care.
That's awesome that the end user has the best security endpoints they can do within reason, but the companies holding your data also need to do the same.
There have been some attacks recently on the 2FA methods that require you to type a code, whether that's email, SMS, or app-based soft token codes. In these cases, someone will phish the user for their code, or present them with a fake login page that proxies to the real page, allowing them to steal your code as you're logging in. Hardware tokens that implement FIDO2 (like the Yubikeys) are immune to these attacks, because there is no code to share with a phisher, and a man-in-the-middle attack would present an invalid origin, making it impossible for them to intercept your codes (like TLS, but for your 2FA). Hardware tokens that implement protocols like FIDO2 are the most secure option. The only downside is that they also require you to plug into a USB port, and in some workplaces that might not be allowed for OTHER security reasons... (Looking at you, Rubber Ducky and OMG Cable.)
One problem I ran into using my Yubikey is that if I was remotely accessing my desktop PC with Anydesk and wanted to log in to a website on it, well, I wasn’t there to touch the key or if I had the key with me obviously touching it to my current device wouldn’t work. Then I had to revert back to using a TOTP.
This multilayered complexity is why most people throw up their hands. I used Authy until I got a new phone, then lost complete access to 5 major applications. Yubico has no training documentation. Great video.
Thanks Shannon. Found you yesterday through Daniel Batal (thanks to you, Liron and Daniel for that soooo useful video). This video here has answered my questions about hardware keys. Thank you.
I remember looking through vulnerabilities for different distros, and there was one with some server program that let you supply a yubikey for authentication, but instead of doing any checks it would just successfully log you in, so you could log in as root without any problem
At this point my yubikey mostly gets used for my password manager and yubikey authenticator. I set up that Google secure thing when I first got mine and was promptly horrified over just how much control Google has over your phone.
Thank you for this amazing explanation. Can you make a video on how the 2FA actually works in deep detail? For example, how do they make each yubikey unique? Do they have built-in software or just some mathematical formula?
You will love generic Fido2 keys, I have Yubikey, Onlykey, NeoWave Winkeo, Fido2 to the rescue in most cases, in those exceptions put a Loooong static password on a programmable key. Nice Vid, keep up the awareness!
This lady has such a wonderful personality, I could listen to her all day. I wish she would do a video on how to set up and use the YubiKey Manager and get the PIN.
TOTP apps like Authenticator don't receive TOTP codes, they generate them locally. The only time anything is transferred to your phone is when you scan the QR code.
There is some confusion since I decided to combine the explanation of the three less secure alternatives together by saying "Codes are sent to you over text message, over email, or thru an app on your phone." But yes, you're right! While SMS and email codes are sent to you via those communication platforms, the app generates them locally on your phone and you "receive" this code when you look at your phone and look at the app. Sorry I wasn't pedantic enough! I figured y'all wouldn't need a thorough explanation of how this part works since I've already done reviews of 2fa authenticator apps before, and this video gives a basic overview but the topic is obviously about hardware keys. :)
Many thanks for that information, at last I understand the use of the mysterious blue key a very techie friend sent me a while back.. put on the "solution to an unknown problem" pile.... until now... I found this channel from your excellent discussion with Sean Cannell on the Think Media Podcast, earlier... very useful resource. Best wishes.
If you are into crypto you can use a ledger as a backup 2fa hardware key. The nice thing is that it is deterministic so even in the event that you lose your ledger, you can always restore your hardware key with the 24 word recovery phrase in the same way that you can restore your wallets.
I am waiting for the delivery of 2 Yubi keys I bought a few days ago. I have not ever used security keys before. I am a newbie. They are very expensive though. I bought the Yubi 5 NFC and a Yubi 5C NFC key for a desktop and mobile. A total of $135 USD including GST and shipping, which will be close to $200 Australian, and I should probably buy an extra one of each as backups. I will need a real Yubi key 101 when they arrive.
I have two issues with hardware keys: 1. they are SUPER expensive (at least where I live, around 90 USD; there is a high import tax) and I would need 2 of them to feel safe; 2. they are closed-source hardware, firmware and software (at least the YubiKey, which is the highly recommended one and easily available in my country. I'd love the Nitrokey 3).
Your second issue is a non-issue; there's at least one key I've seen where you can assemble it yourself. Other than that there are a few open-source options, probably cheaper than the YubiKey too.
If you have a Raspberry Pi (Zero preferably, if you want small), you can flash an SD card with PiTrezor and emulate a Trezor HW wallet, which also provides FIDO2: the emulator is FOSS, and the Trezor is FOSS also.
FIDO proves that the connection isn't corrupt too. The only way to bypass this is targeting one of the two endpoints, the user device or the web server, to steal the session ID.
The only attack vector on the connection is to intercept the key exchange at the start of the connection between the user device and the web server, before the security key is registered, to replace the public keys of the physical key as well as of the web service with your own keys to break through, but this is hard and inefficient because you need to do so with every single account and it works only for unprotected accounts. When the security key is successfully registered, there's no breaking point in the line at the moment.
If you do set up your Yubico key on PayPal but use the last menu item on the list you called up, once in operation you get presented with 2 options, either to receive the PayPal 6-digit code via your mobile or use your Yubico key... if your laptop & mobile are breached, which option does PayPal think would be chosen? Doh! Thanks, learned more about the Yubico key!
Wait, why are there only 4 myths? Myth 1: 4:15 - You can't use 2FA if a site doesn't accept a hardware token like yubikey. Myth 2: 7:54 - You have to carry a hardware key with you everywhere 24/7. Myth 3: 8:46 - You need a different key for each and every account you have online. Myth 4: 9:57 - If you lose your key, you're screwed. If it stops working, you're screwed. Myth 5: ?????
Too many types? You only need two (one as a main, and one as a backup). Get yourself one that supports several protocols and you don't need anything else.
I heard about these keys recently while trying to change from Google Authenticator. I can't stand Time-Based One Time Password 2FA codes as I have a tremor and cutting and pasting, flicking between touch screens etc is a nightmare. I know these keys are only small and therefore still slightly problematic, if all I have to do is tap a key instead that would be helpful enough. I would like to see them with caps on so they can be a bit more protected. And I'd like to see banks get their act together! Thank you for your helpful videos!
How do you secure accounts that only provide SMS as a factor? Would you recommend getting a separate number? I hate SMS, especially since my phone carrier has been hacked multiple times. Any recommendations would be great.
THANK YOU for this excellent concise overview. I started using Yubikeys late last year, and found some real resistance at work. Also, Bank of America is the only bank? I've switched to an email and password manager that use it, and feel much safer.
Shannon, since you made this video the key prices have come down, and the Level 2 keys are only a few dollars more than the Level 1 keys. Should I get a Level 2 key? Are they more complicated to set up?
Again: really interesting! :) There is one thing nice about 2FA with text message: you'll receive a text message if somebody is trying to access your account.... ;)
The phone "that you could lose" is considered a secure device. Even if your configuration of your device is not secure. So someone could possibly see the SMS code on the lock screen but there's 2 issues with this. Your phone needs to secure the lock screen so it's only visible when unlocked. And TWO, whenever possible, never use SMS for MFA. SMS isn't secure.
Searched for it then this video popped up while scrolling down and kinda thought "hey could it be the hak5 girl" hell yea I was right! Damn I miss those good ol' days!
The Yubico Authenticator app does NOT store any data! The token you enter is saved on the YubiKey, NOT the app. This has two major benefits. First, security. Even if the app was broken/hacked, an attacker couldn't get the tokens. Only the OTPs, and only if you physically touch the YubiKey. Second, convenience. You can authenticate yourself on ANY device without security penalties.
Authenticator apps don't get a code from the web service you're trying to log in to. This would be too much traffic and background calculation. Instead, the web service gives a private key and the server time to the app over a QR code once you set it up, and then the authentication app calculates the codes by using a cryptographic algorithm and the device time & date minus the time difference. The web service checks the code by doing the same, and voilà, you never need Internet on the authenticator device. It can be disconnected from the internet from the beginning to the end of its life. That's called a symmetrical encryption system, because both have the same key to generate the code. Unlike TOTP, FIDO uses a public-private key pair with different keys on both sides, for each side (meaning 4 different keys, 2 public, two private), plus certificates from the browser and maybe the physical key manufacturer too. This is called an asymmetrical cryptographic system. My bank uses a similar system for the device binding as 2FA.
Question about the "Trusted Device" concept: Once a device is Trusted (e.g. trust for 30 days), it seems like that you are back to just UserName & Password. So, for that time period, there really is NO MFA. My question: Is naming a device as a Trusted Device a good idea for those accounts that you want to be super safe?
As the commenter above pointed out, Trusted Device status would be assigned only to that physical device. But, yes, it definitely is a sacrifice of security for convenience. Therefore, it's up to you to decide where you draw the line.
@udilschik Thanks Ud - That was what I was thinking. I have purchased the YubiKey, using it and I am liking it. However, since I am a new user, I didn't want to overlook something that was obvious to a veteran user.
It would be interesting if logins which don't support 2FA could somehow be rerouted via our prefered 2FA chain (Yubico app/ key included) and then be rerouted back to their unsecured login. It would be like a middle-man security addition and the banks and such would still think we were simply logging in. Could such software or app be made?
Before even adding 2FA to your accounts, consider deleting any that you don’t need or use. If it’s not there, it can’t be hacked*, and you won’t have to deal with trying to secure it. *If the service doesn’t fully delete your data after you close your account, then you could still get caught up in a data breach. However, emerging privacy laws like GDPR are requiring companies to actually delete user data when users choose to delete their accounts.
I never knew 2FA hardware keys existed. I will say the only hardware key I'm really opposed to are license dongles (e-Licenser/iLok); in that regard I prefer software. My reason is that hardware keys (at least those types) can get lost and broken. The software key is installed directly on the PC. I do like the 2FA/MFA concept, and maybe somewhere down the way, I'll consider the hardware approach...
@ShannonMorse I have a question. You mentioned that if ever you lost or someone stole your hardware key, you can just revoke them via the website. Can you RE-ACTIVATE the hardware key after you revoke it? Let us say for some reason you found your lost key. Thanks
I use the yubikey any place that takes the key or authenticator app. I use the Yubikey authenticator app because if my phone gets lost, nothing is in my authenticator app without the key. One stays on me, the other is in my safe. Both are labeled. Except for financial, which are behind the scenes, I will remove SMS from anything else, since my email, if they don't take the authenticator app, is locked down by a security key.
This is a great example of how the yubikey app works differently than other 2fa apps. You physically need the key to see the codes, otherwise the app is blank!
@shannon morse. Due to the risks with SIM swapping I've been thinking of stopping my use of an app for banking and using a laptop and browser instead. My bank provides two alternatives for 2FA when logging in - a code sent by text message (which doesn't seem like a good idea if you're worried about SIM swapping) or a code generated by a card reader. I assume this latter method operates like a YubiKey without having to buy anything. Is this correct and are there any problems with this solution?
I have a niece and nephew that continually bypass all her various measures when they are grounded. Any idea if there’s a physical device they’d have to “check out” from here?
Great vid. Just subscribed. I've been looking into YubiKey for a couple of weeks now but maybe for a different use. My father is starting to forget his PWs and I'm wondering if YK would also work for those pesky sites that do not support hardware security keys to simply store his UNs and PWs? Can you tell me if this would be a good solution to help him?
For someone who is starting to forgot their passwords, I'd highly recommend a password manager (1Password, Bitwarden, or Roboform are good, but Roboform itself can't be protected with a hardware key yet, fyi). You can then use a physical key to protect the app, and you could store his vault password somewhere safe for him.
Agreed with the commenters above. Reason being: unfortunately, there's a good chance that physical key will be forgotten/left behind (especially if the condition progresses). If 3rd party (managed on 3rd party cloud servers) password managers don't seem trustworthy to you, you have the option of building your own cloud password manager, btw. The exact software and steps for that are easily searchable; people on such forums are very open to help. Good on you for staying proactive with your loved ones' security, especially in the time of need!
I'm setting up my parents with 1password and YubiKey Security Keys (the blue ones). It's a bit of effort for me to set up, as they have a number of reused and weak passwords and other issues that need to be resolved. And I need to implement proper backup and redundancy so they don't get locked out by accident. But once they're set up it will be the easiest for them to actually use. No more multiple spreadsheets on disk and printouts without timestamps! They can touch YubiKey to verify with 1Password, Google, and BofA. I thought about getting a YubiKey 5 so they can use the YubiKey authenticator for TOTP, but in the end we're going to implement what they can use reliably: TOTPs will go to their gmail accounts. The thinking is that they are much more comfortable with email on their computers than authenticator apps and SMS messages on their phones. And since we're going to lock down gmail with a crazy long pw they don't know stored in 1Password and the YubiKey, they should be much more resilient to phishing attacks. And I like everyone else am stunned that only BofA supports FIDO2 hardware security keys. Stunned. Truly stunned.
Thanks. I ordered mine a few days ago. Should we avoid keys "made" outside of the USA? Obviously, some companies say their products are assembled in the USA, so that word alone is a cautionary statement. What do you think?
Can I run multiple protocols on one YubiKey? Like use the Yubico Authenticator, SSH login, email PGP encryption, FIDO and WebAuthn with one single YubiKey, or is there a limit?
The problem I have with these keys is the opaqueness in their functioning. What added security does this have over having an ssh key on a flash drive, used to unlock a password manager? If we talk about logging in directly onto a website, why can't that be done without the physical key, ie, emulate the key via software? (Just like ssh keys work, with nothing to be phished because you don't enter a password.) How can I trust a brand new key I'm setting up is not actually malicious?
This would be more secure if every website didn't have a reset password via email function. If someone can get access to your email, then nothing you did to any of your other accounts matters. Security will never improve past the weakest link
You then have a lot of people permanently locked out of their accounts. It's similar to why a bank account is secured by mere digits while your social account requires a bunch of hoops.
@JonatasAdoM Yes, companies would have to hire more customer support for people who forget, which costs more. It's a trade off. Do you want better security or better convenience? Until anything changes, email will always be as secure as it gets.
Or you just use 1Password, which supports 2FA out of the box and even fills the 2FA code automatically into the form. I am a Mac user and have a second layer of security since I am using fingerprint or Face ID to open 1Password. No extra hardware needed. Plus, I can store ALL my passwords and security stuff like software licences and such and can use them on all my devices. I have hundreds of logins and passwords saved in 1Password, even SSH keys. The best part about it is that you can share certain passwords or even whole vaults with other people. I use this in my company to share certain logins with coworkers. And I can't lose 1Password like I can lose a USB stick. It works on Windows too.
i took the yubikey quiz where i said i use an ipad w/lightning (9th gen, iPad 64gb MK2K3LL/A) 80% of the time and an imac 20% of the time. both do not leave the house. would you agree these are the two keys to get? or can i just get two of the less expensive one and just use a female usb to lightning adaptor for us on the ipad? 1 YubiKey 5Ci & 1 YubiKey 5 Nano.
Is there a central API for integrating "all" hardware keys you can share? I'm looking at this from an enterprise view and we don't want to code to a particular hardware set, knowing that 2 months in some other tech hardware company will build a new key with a specific API for ingest; I won't change it per new release. One NIST standard or something like that is what I'm fishing for.
I've got a question: can I use the adapter for the USB? Because I have a USB-C computer as well as a Lightning charger for the iPhone, and I didn't want to buy all three if I didn't have to. Thanks for your time.
The main problem currently, is that FIDO2, WebAuthn, etc are not being supported by a lot of banking websites, etc. Its a bad situation and super, ultra lame.
It's understandable, though, from the bank's perspective given that the cost and the support issues with FIDO2 are going to be high. People losing keys, not figuring out how to configure them, etc. Something like the "passkey" is much more likely to succeed in this space.
I dunno, I use it on so many sites, but honestly reach out to them and suggest it; there's gotta be some IT manager or otherwise with a thread of sense there.
Thanks for sharing your experience. I am somewhat at odds with my Yubikey and the most secure way to use it. I currently use TOTP 2FA, which I think is using it via Yubico Authenticator. Why? Because this verification is not tied to one device. Not sure if that is a valid reason for me as I always have my mobile device. The other way to secure your Yubikey is by registering it. Not sure what this security process is called, but a lot faster. No mistaken web page to click on. Only problem, it works with that one registered device only. What are your thoughts?
If it wasn't for the fact that my phone is a Nokia C-01 low-end Android device that doesn't support these keys via NFC, USB or otherwise, I would seriously consider one of these to help secure all my accounts. That said, my bank (Bank of Queensland here in Australia) doesn't even do 2FA at all for the most part, let alone these keys. Why so many sites (including important sites like banks) don't support these (at least as an option) is beyond me...
the one important fact that people don't understand, is none of this helps at all if a website itself gets hacked and the data is stolen. Once the hacker has the data, he doesn't need your login or 2FA key. Most companies do not know their website was hacked until months or even years later, unless someone tells them all the data was on the dark web and even then, they try and hide it.
Is there a version of these that allows you to just leave the key in the computer and not press a button because I'm a quadriplegic and I can't really reach where it would plugged in, plus it's difficult to plug and unplug things in the first place, and pressing buttons can be difficult as well? I'm okay with any increase in security risk.
A couple ideas for reduced mobility use cases: 1. Mount the key: use a usb extension cable or dock to physically displace the key away from the computer to a location that's easier to reach. Typical keys are only signaling at 2.0 speeds, so you can easily and with a very cheap passive cable extend up to 20'. If dexterity is an issue that might cause damage, I'd suggest mounting the key flat to a sturdy surface so that extra pressure doesn't snap the key in half. The inverse of this would be to use a hardware NFC reader extended out and mounted to a convenient location and just tap the NFC-enabled key to it to authenticate (the key itself could be on a spring-loaded keychain so dropping/loss is less of an issue). 2. Use a Smart Card or RFID badge as the physical access token. This is hard/uncommon as an individual, as most systems require lots of ancillary tech/hardware/knowledge/cost as they are typically designed for enterprise use and scale. The hardware setup would look something like a reader you place/mount to a nearby surface or a laptop purchased with an integral reader (typically only higher end business models). The software would be some card-key to 2fa key generating software. 3. Go the TOTP route and use a phone or virtual machine to run a software solution like Google Authenticator on a nearby screen. The phone you could mount to just about anything in a nearby location using widely-available mounting solutions (e.g. clamps, goosenecks, stands, runner's velcro armbands). The VM solution means you could run the authenticator app on the same screen you're interacting with already, but in a way that nobody other than you would know where to look or interact with.
@blahblahbob1000 Thank you for the impressive writeup. Number 3 might be the way for me, but someone did say in other comments about a YubiKey configurator that allows you to disable the button press. Perhaps I will be able to search for that as well? Cheers.
I am also a fan of Yubi keys, but on most of my accounts I can't remove text message or email as a 2FA option, even though I added two Yubi keys. So actually the Yubi keys are more a comfort feature instead of a security feature compared to other 2FA options.
There is some confusion since I decided to combine the explanation of the three less secure alternatives together by saying "Codes are sent to you over text message, over email, or thru an app on your phone." While SMS and email codes are sent to you via those communication platforms, apps "generate" them locally on your phone and you "receive" this code when you look at your phone and look at the app. Sorry I wasn't pedantic enough for the techies watching this! I didn't deep dive this for two reasons: 1) this video is supposed to be an intro that you can easily share with friends or family who are not as tech savvy, and I don't want to scare them away with a bunch of technical jargon. 2) video length. I figured y'all wouldn't need a thorough explanation of how this part works since I've already done reviews of 2fa authenticator apps before, and this video gives a basic overview but the topic is obviously about hardware keys. 2nd: the Yubico authenticator app does work a little differently. It doesn't "store" any of the codes, it just shows them to you from your hardware key. :)
I was just about to make a comment pointing that out.
I'd love to have you talk about options regarding travel and YUBI key, as changing your phone number is a must when adding a new SIM card. One loses access to their crypto accounts unless they use one of their Google backup codes. Bank of America is the only major bank that uses Yubi keys. I don't have a BoA account, so I have to find a workaround for my Chase account when I want to add a SIM card, which means I now have a different phone number, which also means I have to perform digital gymnastics so as to make sure I don’t lose access.
Nice video. Are you aware of a USB fingerprint key that runs an application? i.e.: after install you scan your finger multiple times, then whenever it is plugged in, you swipe your finger and it will automatically run an Application.exe, .bat, or PowerShell file on the USB key? Where that could be anykey, LastPass, etc., but more likely something that someone could make themselves.
So I have Google Titan. Can I use this one hardware key with multiple websites and services? If yes how many, or is there a limit? I bought this Titan a few months ago so it should be the most recent version of the Titan. Thank you.
If your one time codes are compromised your account is compromised and your 2 factor was a waste of time. And if you don't set up those codes it's true that you'll lose the account. So these keys are not a panacea for security.
Bought a Yubikey to keep my financial logins safe. Turns out most financial sites over here don't even support 2FA via a key. Only via SMS...
It's sad isn't it? Like a phone number can't be cloned. There needs to be security standards applied across industries for this stuff.
@leadfarmer5563 it can't exactly be cloned, but you can trick and social engineer the ISP into thinking you're the owner.
It’s funny they only do sms. At least they should try to do totp. At least!
It's so it's your fault when they fail to protect you.
Bank of America is the only bank that supports the use of U2F.
It's appalling how most don't even support basic 2FA.
Mark or number your hardware keys! When you buy multiple of the same type and one is lost or stolen it's so much easier to figure out which key is missing. That makes it easier to delete the missing key.
Yes! I use stickers to identify mine and I give them all nicknames
@ShannonMorse My names aren't creative. 1B 1A 😅
Also, keep them in different places. I have one in my wallet and one on my keychain
It is so strange that banks in the US don't have stronger security.
Here in Sweden we have had bank specific hardware tokens for a minimum of 15-20 years. No text messages.
Now we also have something called Bank ID, which is an authenticator app that you can install on your phone to log in to your bank or other services that need to verify that you are you. Kinda like a digital ID.
I think I've had some sort of authentication as long as I've had Swedbank, and I've had my Swedbank account for at least the past 25 years.
As a Canadian, making purchases in the US recently was bizarre to me. In Canada, if you're making a purchase with credit or debit you are given the machine, insert your card yourself to use the chip, input your PIN and follow the steps on screen. In the US it's still typical to hand the person your card which they insert or swipe and then you sign the receipt. I haven't signed a receipt in years and handing someone a card and it going out of sight felt like going back 10-15 years in time!
@mackado I still beg the question of why people love to come to the US with all the things that go wrong and have been wrong over so many years, but what do I know...
@nauyv do you mean people shouldn't go to the US or that they shouldn't complain about it?
It's ridiculous but not surprising. We(US) took forever to implement chip and pin. Our physical security (locks and doors) is also terrible.
I recently ordered 2 YubiKeys and then your video magically popped up in my UA-cam feed. Thanks for all your useful and vital information.
Thank you for a very clear and concise intro on the basic how’s and why’s for using a hardware device! I’m shocked that in this day and age, that more financial institutions are not using this technology. Keep up the great work!
I've been thinking about going to hardware key for a while. This video gave me some great information to help 'push' me forward. Don't really have a huge number of accounts or big security problems per se, but good to NOT be that 'low hanging fruit'.
As my father would say, 'locks only keep honest people honest, but if your lock is better than the neighbors...'
‘You always have to have it on you!’ issue.
Well I already have to have my house key on me so… for me the bigger issue was the whole ‘but what if I lose it or it gets stolen?’ thing because I’m so used to ‘losing’ my password and then using my email to get in instead and if I lost or forgot a house key I could rely on family members or worse comes to worse brute forcing my way back into the house, not so much hack my way back into my own account, never mind the extra security, so I’m glad you covered those concerns as well!!
Great information about using the Yubico app to get around 2fa limitations on some websites. Having just spent the last few hours learning all this the hard way, your video hits all the important points. One of the best vids I've seen covering this topic.
Glad it was helpful!
Great video! Shared it with some of my circle. One word of warning: some older YubiKeys may stop being supported (I have a YubiKey 4 that Nvidia did not accept).
While I agree that this is a pain and expensive, it's also necessary. As attacks evolve, so must Security.
By the way, Windows RDP recently added support for FIDO2.0 port redirection. On 22H2, you can just check the box and it works as you would expect.
Shannon, I bought 2 YubiKeys about 6 months ago and have not been able to use them anywhere. I've tried it with my Microsoft account but get told every time to reset, so I reset it, then it still won't accept it. Anyway, I'll keep watching your shows till I get it. Thank you so much for all your HARD work, Shannon. Take care.
That's awesome that the end user has the best security endpoints they can do within reason, but the companies holding your data also need to do the same.
There have been some attacks recently on the 2FA methods that require you to type a code, whether that's email, SMS, or app-based soft token codes. In these cases, someone will phish the user for their code, or present them with a fake login page that proxies to the real page, allowing them to steal your code as you're logging in.
Hardware tokens that implement FIDO2 (like the Yubikeys) are immune to these attacks, because there is no code to share with a phisher, and a man-in-the-middle attack would present an invalid origin making it impossible for them to intercept your codes (like TLS, but for your 2FA).
Hardware tokens that implement protocols like FIDO2 are the most secure option. The only downside is that they also require you to plug into a USB port, and in some workplaces that might not be allowed for OTHER security reasons... (Looking at you, Rubber Ducky and OMG Cable.)
There's also notification-based MFA such as with Microsoft Authenticator, but those are vulnerable to MFA fatigue attacks.
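The origin binding described in this comment, as an added Go illustration that is not code from the video, from Yubico or from any FIDO project: the browser writes the origin it actually loaded into the client data the key signs, and the relying party refuses any assertion naming another origin or reusing a challenge. The domains, the Ed25519 key type, and the omission of authenticatorData and the ceremony-type field are simplifications of mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the WebAuthn clientDataJSON fields used here; the browser sets Origin from the page it loaded.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the relying party (RP). Real WebAuthn also signs authenticatorData.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte // Ed25519 over SHA-256(clientDataJSON)
}

// Authenticator models the security key: one key pair per relying-party ID.
type Authenticator struct{ creds map[string]ed25519.PrivateKey }
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	a.creds[rpID] = priv
	return pub
}

// Browser models the user agent: origin and rpID come from the loaded page, and the
// key only signs with a credential bound to that rpID.
func Browser(a *Authenticator, origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for rpId " + rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return &Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(priv, h[:])}, nil
}

// RelyingParty is the web service: it stores the registered public key and issues
// single-use random challenges.
type RelyingParty struct {
	Origin  string
	pub     ed25519.PublicKey
	pending map[string]bool
}
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand does not fail
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify runs the authentication-ceremony checks in the order the WebAuthn spec
// lists them: fresh challenge, expected origin, then the signature.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	h := sha256.Sum256(as.ClientDataJSON)
	switch {
	case !rp.pending[cd.Challenge]:
		return errors.New("unknown or already-used challenge")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	case !ed25519.Verify(rp.pub, h[:], as.Signature):
		return errors.New("bad signature")
	}
	delete(rp.pending, cd.Challenge) // one challenge, one login
	return nil
}

// Outcome records four login attempts against one RP; only Legit should be nil.
type Outcome struct{ Legit, Phished, WrongOrigin, Replayed error }
func Scenario() Outcome {
	auth := &Authenticator{creds: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{Origin: "https://login.example.com", pending: map[string]bool{}}
	rp.pub = auth.Register("example.com")
	var o Outcome
	// 1. Genuine login from the real origin.
	as, _ := Browser(auth, rp.Origin, "example.com", rp.Challenge())
	o.Legit = rp.Verify(as)
	// 2. A proxy phishing page on a constructed look-alike domain relays the real challenge, but rpId is that domain: no credential.
	_, o.Phished = Browser(auth, "https://login.example-support.net", "example-support.net", rp.Challenge())
	// 3. Even a client presenting the real rpId signs the look-alike origin; the RP rejects it, and there is no code to type.
	as, _ = Browser(auth, "https://login.example-support.net", "example.com", rp.Challenge())
	o.WrongOrigin = rp.Verify(as)
	// 4. A captured valid assertion replayed later fails: its challenge was consumed.
	as, _ = Browser(auth, rp.Origin, "example.com", rp.Challenge())
	rp.Verify(as)
	o.Replayed = rp.Verify(as)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```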
Many FIDO2 tokens also communicate via NFC, which makes it unnecessary to plug into the USB port.
@joshuapk9808 in the environments I'm talking about, anything with a radio is also a no-go.
And very ironically, the same workplaces have zero 2FA and only basic password authentication.
Phenomenal content as always. Timestamps would greatly complement your video craftsmanship.
One of my all-time favorite quotes: "good security is based on 2 things: something you know (password) AND something you have (hardware key)".
One problem I ran into using my Yubikey is that if I was remotely accessing my desktop PC with Anydesk and wanted to log in to a website on it, well, I wasn’t there to touch the key or if I had the key with me obviously touching it to my current device wouldn’t work. Then I had to revert back to using a TOTP.
With AnyDesk VPN you might be able to hack some remote USB connection thingy?
But that's the point of a hardware key - it's proving it's you with the physical key.
Remote desktop environments should have USB passthrough so you should be able to use your key on your local device to authenticate on a remote desktop
This multilayered complexity is why most people throw up their hands. I used Authy until I got a new phone, then lost complete access to 5 major applications. Yubico has no training documentation. Great video.
You'll probably never read this but THANK YOU for making this so easy to understand. It's a gift. Cherish it. Subbed.
Thanks for the sub! I try to make all my videos easy to understand so I appreciate the compliment!
First time viewer here! just wanted to say that this video was both, incredibly informative, and entertaining. Great Video!
Thank you!
Thanks Shannon. Found you yesterday through Daniel Batal (thanks to you, Liron and Daniel for that soooo useful video). This video here has answered my questions about hardware keys. Thank you.
This does get pretty expensive fast: £52 for each key * 4 for two people > £200, and that's before you add in your kids! Great video - very informative.
I remember looking through vulnerabilities for different distros, and there was one with some server program that let you supply a YubiKey for authentication, but instead of doing any checks it would just successfully log you in, so you could log in as root without any problem.
At this point my YubiKey mostly gets used for my password manager and Yubico Authenticator. I set up that Google secure thing when I first got mine and was promptly horrified over just how much control Google has over your phone.
Thank you for this amazing explanation. Can you make a video on how 2FA actually works in deep detail? For example, how do they make each YubiKey unique? Do they have built-in software or just some mathematical formula?
You will love generic Fido2 keys, I have Yubikey, Onlykey, NeoWave Winkeo, Fido2 to the rescue in most cases, in those exceptions put a Loooong static password on a programmable key. Nice Vid, keep up the awareness!
Thank you so much!!! I just purchased one!! You always provide such great content and I appreciate you for it!!!
Yes! I’d definitely be down for seeing what the best 2023 password managers are.
This really helped with my MFA research for my job. Thank you!
I highly recommend getting a "nano" device. I often found myself frustrated with the larger style keys getting in the way when using with a laptop.
The nano ones are great for that! I gave them a shout-out on an upcoming video posting this week 👀
This video provided very complete information. It answered some questions that I had not thought of, such as deleting a key for an account.
This lady has such a wonderful personality, I could listen to her all day. I wish she would do a video on how to set up and use the YubiKey Manager and get the PIN.
Switched from Yubi to Onlykey... cuz FOSS and more functionality.
Yubico has its own authenticator that is unlockable with the key, for the sites needing codes.
@alvallac2171 yep, I noticed later, didn't watch in one go
TOTP apps like Authenticator don't receive TOTP codes, they generate them locally. The only time anything is transferred to your phone is when you scan the QR code.
There is some confusion since I decided to combine the explanation of the three less secure alternatives together by saying "Codes are sent to you over text message, over email, or thru an app on your phone." But yes, you're right! While SMS and email codes are sent to you via those communication platforms, the app generates them locally on your phone and you "receive" this code when you look at your phone and look at the app. Sorry I wasn't pedantic enough! I figured y'all wouldn't need a thorough explanation of how this part works since I've already done reviews of 2fa authenticator apps before, and this video gives a basic overview but the topic is obviously about hardware keys. :)
Many thanks for that information, at last I understand the use of the mysterious blue key a very techie friend sent me a while back.. put on the "solution to an unknown problem" pile.... until now... I found this channel from your excellent discussion with Sean Cannell on the Think Media Podcast, earlier... very useful resource. Best wishes.
Glad it helped!
I first noticed the legendary ship "Serenity" Firefly class. Of course,
If you are into crypto you can use a ledger as a backup 2fa hardware key. The nice thing is that it is deterministic so even in the event that you lose your ledger, you can always restore your hardware key with the 24 word recovery phrase in the same way that you can restore your wallets.
Where I'm from, in a big tower block of apartments, the storage compartment with the biggest lock on it gets broken into first.
I am waiting for the delivery of 2 YubiKeys I bought a few days ago. I have not ever used security keys before. I am a newbie. They are very expensive though. I bought the YubiKey 5 NFC and a YubiKey 5C NFC for a desktop and mobile. A total of $135 USD including GST and shipping, which will be close to $200 Australian, and I should probably buy an extra one of each as backups. I will need a real YubiKey 101 when they arrive.
I have two issues with Hardware keys:
1. They are SUPER expensive (at least where I live, around 90 USD; there is a high import tax) and I would need 2 of them to feel safe.
2. They are closed-source hardware, firmware and software (at least the YubiKey, which is the highly recommended one and easily available in my country. I'd love the Nitrokey 3).
I'm glad you're looking into it and considering the value. I hope you have access to one someday!
Your second issue is a non-issue; there's at least one key I've seen where you can assemble it yourself. Other than that there are a few open source options, probably cheaper than the YubiKey too.
If you have a Raspberry Pi (Zero preferably if you want small), you can flash an SD card with PiTrezor and emulate a Trezor HW wallet, which also provides FIDO2: the emulator is FOSS, and the Trezor is FOSS also.
I bought an open source FIDO2 token instead of buying a Yubikey.
Have yet to use it though. Lost it in a move before I was able to use it.
Trezor is open source but doesn’t use a secure element. Most products that use a secure element aren’t going to be open source.
My banks in the UK use their own phone apps for TFA for online banking and shopping
We have also had card readers for literal decades that use your bank card and on screen codes from mobile banking for TFA codes
FIDO proves that the connection isn't corrupt too. The only way to bypass this is targeting one of the two endpoints, the user device or the web server, to steal the session ID.
The only attack vector on the connection is to intercept the key exchange at the start of the connection between the user device and web server, before the Security Key is registered, to replace the public keys of the physical key as well as of the web service with your keys to break through, but this is hard and inefficient because you need to do so with every single account and it works only for unprotected accounts. When the Security Key is successfully registered, there's no breaking point in the line at the moment.
This is a great video. Thanks for making the world a safer / more secure place :)
You bet!
If you do setup your Yubico key on PayPal but use the last menu item on the list you called up, once in operation you get presented with 2 options, either to receive the PayPal 6 digit code via your mobile or use your Yubico key....if your laptop & mobile are breached which option does PayPal think would be chosen doh! Thanks learned more about the Yubico key!
Wait, why are there only 4 myths?
Myth 1: 4:15 - You can't use 2FA if a site doesn't accept a hardware token like yubikey.
Myth 2: 7:54 - You have to carry a hardware key with you everywhere 24/7.
Myth 3: 8:46 - You need a different key for each and every account you have online.
Myth 4: 9:57 - If you lose your key, you're screwed. If it stops working, you're screwed.
Myth 5: ?????
🤣🤣🤣 you're the only one who noticed. Sometimes I do things to see if people are paying attention.
Great video, thank you! I learnt a lot.
Problem with physical keys is there are too many types. Security - convenience = NO security
Too many types? You only need two (one as a main, and one as a backup). Get yourself one that supports several protocols and you don't need anything else.
@ShannonMorse USB-A, USB-B, USB-C, NFC...
TOO MANY TYPES for the variety of devices we interact with.
I heard about these keys recently while trying to change from Google Authenticator. I can't stand Time-Based One Time Password 2FA codes as I have a tremor and cutting and pasting, flicking between touch screens etc is a nightmare. I know these keys are only small and therefore still slightly problematic, if all I have to do is tap a key instead that would be helpful enough. I would like to see them with caps on so they can be a bit more protected. And I'd like to see banks get their act together! Thank you for your helpful videos!
How do you secure accounts that only provide SMS as a factor? Would you recommend getting a separate number? I hate sms..especially since my phone carrier has been hacked multiple times. Any recommendations would be great.
THANK YOU for this excellent concise overview. I started using Yubikeys late last year, and found some real resistance at work. Also, Bank of America is the only bank? I've switched to an email and password manager that use it, and feel much safer.
My biggest annoyance with the great majority of services is forcing you to have a secondary, less secure login method defined.
YubiKeys are awesome. Another great way to use the key is to configure the long touch. I use this to add salt to some of my passwords.
Absolutely adore your hair colour 😀😀🤗🤗🤗❤️❤️
Shannon, since you made this video the key prices have come down, and the Level 2 keys are only a few dollars more than the Level 1 keys. Should I get a Level 2 key? Are they more complicated to set up?
Again: really interesting! :) There is one nice thing with 2FA via text message: you'll receive a text message if somebody is trying to access your account.... ;)
Same could also easily be implemented with any 2FA. If a user enters your correct username and password from a new location, send an email alert.
Thank you for this education, teaching Old Dogs New Tricks!
The phone "that you could lose" is considered a secure device, even if your configuration of your device is not secure. So someone could possibly see the SMS code on the lock screen, but there are 2 issues with this. Your phone needs to secure the lock screen so it's only visible when unlocked. And TWO, whenever possible, never use SMS for MFA. SMS isn't secure.
Searched for it then this video popped up while scrolling down and kinda thought "hey could it be the hak5 girl" hell yea I was right! Damn I miss those good ol' days!
Shannon nice & very informative video. Keep up the good work👍🏽
The Yubico Authenticator App does NOT store any data! The Token you enter is saved on the Yubikey, NOT the app.
This has two major benefits. First, security. Even if the App was broken /hacked, an attacker couldn't get the tokens. Only the OTPs, and only if you physically touch the Yubikey.
Second, convenience. You can authenticate yourself on ANY device without security penalties.
Authenticator apps don't get a code from the web service you're trying to log in to. This would be too much traffic and background calculation. Instead, the web service gives a private key and the server time to the app over a QR code once you set it up, and then the authentication app calculates the codes using a cryptographic algorithm and the device time & date minus the time difference. The web service checks the code by doing the same and voila, the authenticator device never needs the Internet. It can be disconnected from the internet from the beginning to the end of its life. That's called a symmetric encryption system, because both have the same key to generate the code. Unlike TOTP, FIDO uses public-private key pairs with different keys on each side (meaning 4 different keys, 2 public, 2 private) plus certificates from the browser and maybe the physical key manufacturer too. This is called an asymmetric cryptographic system. My bank uses a similar system for device binding as 2FA.
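The TOTP half of this explanation in working code, as an added Go example that is not from the video, from Yubico or from any authenticator project: the shared secret arrives once in the enrolment QR code, every later code is derived from that secret plus the clock with no network, and the server recomputes it with a small drift window. The otpauth URI is constructed; its secret is the RFC 6238 test key so the RFC's published codes come out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	hs := mac.Sum(nil)
	offset := hs[len(hs)-1] & 0x0f
	bin := binary.BigEndian.Uint32(hs[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	code := strconv.FormatUint(uint64(bin%mod), 10)
	for len(code) < digits {
		code = "0" + code // leading zeros are significant, e.g. "07081804"
	}
	return code
}

// TOTP (RFC 6238) is HOTP whose counter is the number of time steps since the
// Unix epoch. Nothing here talks to the server: the shared secret and a clock
// are all an authenticator app needs, which is why it works with no network.
func TOTP(secret []byte, unix, step int64, digits int) string {
	return HOTP(secret, uint64(unix/step), digits)
}

// VerifyTOTP is the server side: recompute the code for the current step and
// for `window` steps either side to tolerate clock drift, comparing in constant
// time. With a 30 s step, window=1 accepts a code up to one step old or new.
func VerifyTOTP(secret []byte, code string, unix, step int64, digits, window int) bool {
	ok := false
	for d := -window; d <= window; d++ {
		expected := TOTP(secret, unix+int64(d)*step, step, digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			ok = true
		}
	}
	return ok
}

// ParseOTPAuth decodes the otpauth:// URI that the enrolment QR code encodes.
// This is the one moment the secret is transferred; afterwards phone and server
// each hold an identical copy (a symmetric scheme, unlike FIDO's key pairs).
func ParseOTPAuth(uri string) (secret []byte, label string, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, "", err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, "", errors.New("not a TOTP otpauth URI")
	}
	b32 := strings.ToUpper(strings.TrimRight(u.Query().Get("secret"), "="))
	secret, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
	if err != nil {
		return nil, "", err
	}
	return secret, strings.TrimPrefix(u.Path, "/"), nil
}

func main() {
	// Constructed enrolment URI; the secret is the RFC 6238 test key "12345678901234567890".
	uri := "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
	secret, label, err := ParseOTPAuth(uri)
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println(label, "code:", code, "accepted:", VerifyTOTP(secret, code, now, 30, 6, 1))
}
```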
Question about the "Trusted Device" concept: Once a device is Trusted (e.g. trust for 30 days), it seems like that you are back to just UserName & Password. So, for that time period, there really is NO MFA. My question: Is naming a device as a Trusted Device a good idea for those accounts that you want to be super safe?
Yes but 2FA would still be required on any unsigned device.
As the commenter above pointed out, Trusted Device status would be assigned only to that physical device.
But, yes, it definitely is a sacrifice of security for convenience. Therefore, it's up to you to decide where you draw the line.
@udilschik Thanks Ud - That was what I was thinking. I have purchased the YubiKey, am using it and I am liking it. However, since I am a new user, I didn't want to overlook something that was obvious to a veteran user.
It would be interesting if logins which don't support 2FA could somehow be rerouted via our preferred 2FA chain (Yubico app/key included) and then be rerouted back to their unsecured login. It would be like a middle-man security addition and the banks and such would still think we were simply logging in. Could such software or app be made?
No. Not in the way that you want. A 3rd party without the chain could just bypass it. It would require the bank to force the redirect.
I so love your hair!!!
In this video you have a Serenity model! Brown coat?
Yes, I'm a leaf in the wind 🍂
Very good, Yubikey should buy your video.
Before even adding 2FA to your accounts, consider deleting any that you don’t need or use. If it’s not there, it can’t be hacked*, and you won’t have to deal with trying to secure it.
*If the service doesn’t fully delete your data after you close your account, then you could still get caught up in a data breach. However, emerging privacy laws like GDPR are requiring companies to actually delete user data when users choose to delete their accounts.
I never knew 2FA hardware keys existed. I will say the only hardware key I'm really opposed to are license dongles (e-Licenser/iLok); in that regard I prefer software. My reason is that hardware keys (at least those types) can get lost and broken. The software key is installed directly on the PC. I do like the 2FA/MFA concept, and maybe somewhere down the way, I'll consider the hardware approach...
You can use a fingerprint sensor for 2FA if your computer has one, I do it on my MBP
Only for services that support it. AFAIK that's limited to Apple's services. This will work on any website that adopts WebAuthN.
I've heard you need to buy two, one for primary and a second for backup for accounts in case one goes missing? Is that a proper avenue to go?
Definitely recommended that you do! Just like your car keys-- you wanna make sure you have a second key.
I love this comparison!
Yes, get two, store one safely so you always have an easy backup for authentication
Love the Sailor Moon Tee Shirt!
Thank you!
@snubsie Did you ever make the PGP e-mail and yubikeys?
hi love can u pls pls pls tell me what camera are u filming this video with
@ShannonMorse I have a question. You mentioned that if ever you lost or someone stole your hardware key, you can just revoke them via the website. Can you RE-ACTIVATE the hardware key after you revoke it? Let us say for some reason you found your lost key. Thanks
Yes you can 😀 I've done this before
I use the yubikey any place that takes the key or authenticator app. I use the Yubikey authenticator app because if my phone gets lost nothing is in my authenticator app without the key. One stays on me the other is in my safe. Both are labeled. Except for financial, which are behind the scene, I will remove sms from anything else since my email if they don't take authenticator app is locked down by security key.
This is a great example of how the yubikey app works differently than other 2fa apps. You physically need the key to see the codes, otherwise the app is blank!
first yubikey set up.... thank you!
Thx for the video. Can two different keys like Ledger and YubiKey be used as backup if you lose one?
@shannon morse. Due to the risks with SIM swapping I've been thinking of stopping my use of an app for banking and using laptop and browser instead. My bank provides two alternatives for 2FA when logging in - a code sent by text message (which doesn't seem like a good idea if you're worried about SIM swapping) or a code generated by a card reader. I assume this latter method operates like a YubiKey without having to buy anything. Is this correct and are there any problems with this solution?
I have a niece and nephew that continually bypass all her various measures when they are grounded. Any idea if there’s a physical device they’d have to “check out” from here?
Hey Shannon
What key do u use now and why? I’m looking to get two
Thanks
The last time I used a hardware key, Google wouldn't let me use it for my accounts unless I was using chrome 🤦♀️
Great vid. Just subscribed. I've been looking into YubiKey for a cpl of weeks now but maybe for a different use. My father is starting to forget his PWs and I'm wondering if YK would also work for those pesky sites that do not support hardware security keys to simply store his UNs and PWs ? Can you tell me if this would be a good solution to help him?
Hm, maybe a password manager like Bitwarden would be best. You could set it up as a family plan so that you can help assist/manage his credentials.
For someone who is starting to forgot their passwords, I'd highly recommend a password manager (1Password, Bitwarden, or Roboform are good, but Roboform itself can't be protected with a hardware key yet, fyi). You can then use a physical key to protect the app, and you could store his vault password somewhere safe for him.
Agreed with the commenters above. Reason being: unfortunately, there's a good chance that physical key will be forgotten/left behind (especially if the condition progresses). If 3rd party (managed on 3rd party cloud servers) password managers don't seem trustworthy to you, you have an option of building your own cloud password manager, btw. The exact software and steps for that are easily searchable; people on such forums are very open to help.
Good on you for staying proactive with your loved ones' security, especially in the time of need!
I'm setting up my parents with 1password and YubiKey Security Keys (the blue ones). It's a bit of effort for me to set up, as they have a number of reused and weak passwords and other issues that need to be resolved. And I need to implement proper backup and redundancy so they don't get locked out by accident. But once they're set up it will be the easiest for them to actually use.
No more multiple spreadsheets on disk and printouts without timestamps! They can touch YubiKey to verify with 1Password, Google, and BofA. I thought about getting a YubiKey 5 so they can use the YubiKey authenticator for TOTP, but in the end we're going to implement what they can use reliably: TOTPs will go to their gmail accounts. The thinking is that they are much more comfortable with email on their computers than authenticator apps and SMS messages on their phones. And since we're going to lock down gmail with a crazy long pw they don't know stored in 1Password and the YubiKey, they should be much more resilient to phishing attacks.
And I like everyone else am stunned that only BofA supports FIDO2 hardware security keys. Stunned. Truly stunned.
Thanks. I ordered mine a few days ago. Should we avoid keys "made" outside of the USA? Obviously, some companies say their products are assembled in the USA, so that word alone is a cautionary statement. What do you think?
Can I run multiple protocols on one YubiKey? Like use the Yubico Authenticator, SSH login, email PGP encryption, FIDO and WebAuthn with one single YubiKey, or is there a limit?
Is there any vulnerability with NFC capable Yubikeys?
Can you require 2 keys, like a missile launch, where you might not want to trust a single person?
The problem I have with these keys is the opaqueness in their functioning. What added security does this have over having an ssh key on a flash drive, used to unlock a password manager? If we talk about logging in directly onto a website, why can't that be done without the physical key, ie, emulate the key via software? (Just like ssh keys work, with nothing to be phished because you don't enter a password.) How can I trust a brand new key I'm setting up is not actually malicious?
This would be more secure if every website didn't have a reset password via email function. If someone can get access to your email, then nothing you did to any of your other accounts matters. Security will never improve past the weakest link
You then have a lot of people permanently locked out of their accounts.
It's similar to why a bank account is secured by mere digits while your social account requires a bunch of hoops.
@@JonatasAdoM Yes companies would have to hire more customer support for people who forget which costs more. It's a trade off. Do you want better security or better convenience? Until anything changes, email will always be as secure as it gets.
Or you just use 1Password, which supports 2FA out of the box and even fills the 2FA code automatically into the form. I am a Mac user and have a second layer of security since I am using fingerprint or Face ID to open 1Password. No extra hardware needed. Plus, I can store ALL my passwords and security stuff like software licences and such and can use them on all my devices. I have hundreds of logins and passwords saved in 1Password, even SSH keys. The best part about it is that you can share certain passwords or even whole vaults with other people. I use this in my company to share certain logins with coworkers. And I can't lose 1Password like I can lose a USB stick. It works on Windows too.
I'm glad you have a system that works for your threat model!
i took the yubikey quiz where i said i use an ipad w/lightning (9th gen, iPad 64gb MK2K3LL/A) 80% of the time and an imac 20% of the time. both do not leave the house. would you agree these are the two keys to get? or can i just get two of the less expensive one and just use a female usb to lightning adaptor for us on the ipad? 1 YubiKey 5Ci & 1 YubiKey 5 Nano.
Is there a central API for integrating "all" hardware keys you can share? I'm looking at this from an enterprise view and we don't want to code to a particular hardware set, knowing that 2 months in some other tech hardware company will build a new key with a specific API for ingest; I won't change it per new release. One NIST standard or something like that is what I'm fishing for.
I've got a question: can I use an adapter for the USB? Because I have USB-C and Lightning charger for the iPhone and a computer as well, and didn't want to buy all three if I didn't have to. Thanks for your time.
Thanks for sharing: a lot of great information. Blessings on your day 👍🏻
Thank you!
The main problem currently is that FIDO2, WebAuthn, etc. are not being supported by a lot of banking websites, etc. It's a bad situation and super, ultra lame.
It's understandable, though, from the bank's perspective given that the cost and the support issues with FIDO2 are going to be high. People losing keys, not figuring out how to configure them, etc.
Something like the "passkey" is much more likely to succeed in this space.
I dunno, I use it on so many sites, but honestly reach out to them and suggest it; there's gotta be some IT manager or otherwise with a thread of sense there.
@briancarnell I am gonna push back on that since it is an optional thing.
Thanks for sharing your experience.
I am somewhat at odds with my Yubikey and the most secure way to use it.
I currently use TOTP 2FA, which I think is using it via Yubico Authenticator. Why? Because this verification is not tied to one device. Not sure if that is a valid reason for me as I always have my mobile device.
The other way to secure your YubiKey is by registering it. Not sure what this security process is called, but it's a lot faster. No mistaken web page to click on. Only problem: it works with that one registered device only.
What are your thoughts?
If it wasn't for the fact that my phone is a Nokia C-01 low-end Android device that doesn't support these keys via NFC, USB or otherwise, I would seriously consider one of these to help secure all my accounts.
That said, my bank (Bank of Queensland here in Australia) doesn't even do 2FA at all for the most part, let alone these keys. Why so many sites (including important sites like banks) don't support these (at least as an option) is beyond me...
the one important fact that people don't understand, is none of this helps at all if a website itself gets hacked and the data is stolen. Once the hacker has the data, he doesn't need your login or 2FA key.
Most companies do not know their website was hacked until months or even years later, unless someone tells them all the data was on the dark web and even then, they try and hide it.
Why do PayPal and eBay only allow you to set up one key? That's ridiculous; it should allow you to set up unlimited keys.
Is there a version of these that allows you to just leave the key in the computer and not press a button? I'm a quadriplegic and I can't really reach where it would be plugged in, plus it's difficult to plug and unplug things in the first place, and pressing buttons can be difficult as well. I'm okay with any increase in security risk.
A couple ideas for reduced mobility use cases:
1. Mount the key: use a USB extension cable or dock to physically displace the key away from the computer to a location that's easier to reach. Typical keys are only signaling at 2.0 speeds, so you can easily and with a very cheap passive cable extend up to 20'. If dexterity is an issue that might cause damage, I'd suggest mounting the key flat to a sturdy surface so that extra pressure doesn't snap the key in half. The inverse of this would be to use a hardware NFC reader extended out and mounted to a convenient location and just tap the NFC-enabled key to it to authenticate (the key itself could be on a spring-loaded keychain so dropping/loss is less of an issue).
2. Use a Smart Card or RFID badge as the physical access token. This is hard/uncommon as an individual, as most systems require lots of ancillary tech/hardware/knowledge/cost, as they are typically designed for enterprise use and scale. The hardware setup would look something like a reader you place/mount to a nearby surface or a laptop purchased with an integral reader (typically only higher-end business models). The software would be some card-key to 2FA key generating software.
3. Go the TOTP route and use a phone or virtual machine to run a software solution like Google Authenticator on a nearby screen. The phone you could mount to just about anything in a nearby location using widely-available mounting solutions (e.g. clamps, goosenecks, stands, runner's velcro armbands). The VM solution means you could run the authenticator app on the same screen you're interacting with already, but in a way that nobody other than you would know where to look or interact with.
NFC could possibly be an option🤔
YubiKey configurator has an option to not need to push the button.
@amahlaka Thank you. Where do I find that? Is it the same as the YubiKey Personalization Tool?
@blahblahbob1000 Thank you for the impressive writeup. Number 3 might be the way for me, but someone did say in other comments that there is a YubiKey configurator that allows you to disable the button press. Perhaps I will be able to search for that as well? Cheers.
I am also a fan of YubiKeys, but at most of my accounts I can't remove text message or email as a 2FA option even though I added two YubiKeys. So actually the YubiKeys are more of a comfort feature than a security feature compared to other 2FA options.