Debunking 5 MYTHS About Yubikey

There is some confusion since I decided to combine the explanation of the three less secure alternatives together by saying "Codes are sent to you over text message, over email, or thru an app on your phone." While SMS and email codes are sent to you via those communication platforms, apps "generate" them locally on your phone and you "receive" this code when you look at your phone and look at the app. Sorry I wasn't pedantic enough for the techies watching this! I didn't deep dive this for two reasons: 1) this video is supposed to be an intro that you can easily share with friends or family who are not as tech savvy, and I don't want to scare them away with a bunch of technical jargon. 2) video length. I figured y'all wouldn't need a thorough explanation of how this part works since I've already done reviews of 2fa authenticator apps before, and this video gives a basic overview but the topic is obviously about hardware keys. 2nd: the Yubico authenticator app does work a little differently. It doesn't "store" any of the codes, it just shows them to you from your hardware key. :)

Bought a Yubikey to keep my financial logins safe. Turns out most financial sites over here don't even support 2FA via a key. Only via SMS...

Mark or number your hardware keys! When you buy multiple of the same type and one is lost or stolen it's so much easier to figure out which key is missing. That makes it easier to delete the missing key.

It is so strange that banks in the US doesn't have a stronger security.
Here in Sweden we have had bank specific hardware tokens for a minimum of 15-20 years. No text messages.
Now we also have something called Bank ID which is an authenticator app that you can install on your phone to login to your bank or other services that needs to verify that you are you. Kinda like an digital id.

Thank you for a very clear and concise intro on the basic how’s and why’s for using a hardware device! I’m shocked that in this day and age, that more financial institutions are not using this technology. Keep up the great work!

I recently ordered 2 Yubi keys and then your video magically popped in my UA-cam feed. Thanks for all your useful and vital information.

Thank you so much!!! I just purchased one!! You always provide such great content and I appreciate you for it!!!

Thanks Shannon. Found you yesterday through Daniel Batal (thanks to you, Liron and Daniel for that soooo useful video). This video here has answered my questions about hardware keys. Thank you.

Nice job 👍 thx!
Question for you if I may.
Are the number of authentication # limited in each of those Yubikeys or they reproduce those codes?

This really helped with my MFA research for my job. Thank you!

Great video! Shared it with some of my circle. One word of warning, some older yubikeys may stop being supported (I have a yubikey 4 that nvidia did not accept)

Great information about using the Yubico app to get around 2fa limitations on some websites. Having just spent the last few hours learning all this the hard way, your video hits all the important points. One of the best vids I've seen covering this topic.

Phenomenal content as always. Timestamps would greatly compliment your video craftsmanship.

By the way, Windows RDP recently added support for FIDO2.0 port redirection. On 22H2, you can just check the box and it works as you would expect.

This video provided very complete information. It answered some questions that I had not thought of, such as deleting a key for an account.

‘You always have to have it on you!’ issue.
Well I already have to have my house key on me so… for me the bigger issue was the whole ‘but what if I lose it or it gets stolen?’ thing because I’m so used to ‘losing’ my password and then using my email to get in instead and if I lost or forgot a house key I could rely on family members or worse comes to worse brute forcing my way back into the house, not so much hack my way back into my own account, never mind the extra security, so I’m glad you covered those concerns as well!!

thx for the video. can two different keys like ledger and yubikey be use as backup if you loose one?

Thats awesome that the end user has the best security endpoints they can do within reason, but the companies holding your data also need to do the same.

I've been thinking about going to hardware key for a while. This video gave me some great information to help 'push' me forward. Don't really have a huge number of accounts or big security problems per se, but good to NOT be that 'low hanging fruit'.
As my father would say, 'locks only keep honest people honest, but if your lock is better than the neighbors...'

THANK YOU for this excellent concise overview. I started using Yubikeys late last year, and found some real resistance at work. Also, Bank of America is the only bank? I've switched to an email and password manager that use it, and feel much safer.

Hey Shannon
What key do u use now and why? I’m looking to get two
Thanks

Shannon nice & very informative video. Keep up the good work👍🏽

hi love can u pls pls pls tell me what camera are u filming this video with

Iv got a question can I use the adapter for the USB because I have (USb C , and lighting charger for the iphone) computer aswell and didn't want to get all three if I didn't want to buy all three if I didn't have to thanks for your time

@snubsie Did you ever make the PGP e-mail and yubikeys?

Great vid. Just subscribed. I've been looking into YubiKey for a cpl of weeks now but maybe for a different use. My father is starting to forget his PWs and I'm wondering if YK would also work for those pesky sites that do not support hardware security keys to simply store his UNs and PWs ? Can you tell me if this would be a good solution to help him?

First time viewer here! just wanted to say that this video was both, incredibly informative, and entertaining. Great Video!

How do you secure accounts that only provide SMS as a factor? Would you recommend getting a separate number? I hate sms..especially since my phone carrier has been hacked multiple times. Any recommendations would be great.

How do I check to see if my yubikey has been used previously please? I had one sent from overseas but the packaging was damaged .
Just want to be certain 😊

@shannon morse. Due to the risks with sim swapping I've been thinking of stopping my use of an app for banking and using laptop and browser instead. My bank provides two alternatives for 2FA when logging in - a code sent by text message (which doesn't seem like a good idea if you're worried about SIM swapping) or a code generated by a card reader. I assume this latter method operates like a gubi key without having to buy anything. Is this correct and are there any problems with this solution?

Thanks. I ordered mine a few days ago. Should we avoid keys "made" outside of the USA? Obviously, some companies say their products are assembled in the USA, so that word alone is a cautionary statement. What do you think?

Can you use the yubico app with any yubico key? or is it only for the new keys?

Yes! I’d definitely be down for seeing what the best 2023 password managers are.

is there a central api for integrating "all" hardware keys you can share? im looking at this from an enterprsie view and we dont want to code to a particular hardware set knowing that 2 months in some other tech harware company will build a new key with a specific API for ingest, i wont change it per new release. One NIST standard or something like that is what im fishing for.

You will love generic Fido2 keys, I have Yubikey, Onlykey, NeoWave Winkeo, Fido2 to the rescue in most cases, in those exceptions put a Loooong static password on a programmable key. Nice Vid, keep up the awareness!

Thank you for this amazing explanation. Can you make a video how the 2FA actually works in deep detail. Example how do they make each yubikey unique. Do they have a built-in software or just some mathematical formula.

There have been some attacks recently on the 2FA methods that require you to type a code, whether that's email, SMS, or app-based soft token codes. In these cases, someone will phish the user for their code, or present them with a fake login page that proxies to the real page, allowing them to steal your code as you're logging in.
Hardware tokens that implement FIDO2 (like the Yubikeys) are immune to these attacks, because there is no code to share with a phisher, and a man-in-the-middle attack would present an invalid origin making it impossible for them to intercept your codes (like TLS, but for your 2FA).
Hardware tokens that implement protocols like FIDO2 are the most secure option. The only downside is that they also require you to plug into a USB port, and in some workplaces that might not allowed for OTHER security reasons... (Looking at you Rubber Ducky and OMG Cable.)

I understand that unlike the more inexpensive Security key, a 5 series Yubikey can do whatever Authy or Google Authenticator does. Am I correct? I do everything on my Windows 10 desktop and not on my android phone. The financial sites I deal with send me a one time code via my phone (they do not recognize hardware keys. In 2023?. Whatever). If I purchase a 5 series, can I do everything necessary to authenticate using a OTP on my desktop computer without using my phone at all?

Shannon I bought 2 yubikeys about 6 months ago and have not been able to use them anywhere I''ve tried it with my microsoft account but get told every time to reset so i reset it then it still wont except it anyway I'll keep watching yow shows till i get it thankyou so much for all your HARD work Shannon take care

Many thanks for that information, at last I understand the use of the mysterious blue key a very techie friend sent me a while back.. put on the "solution to an unknown problem" pile.... until now... I found this channel from your excellent discussion with Sean Cannell on the Think Media Podcast, earlier... very useful resource. Best wishes.

This multilayered complexity is why most people throw up their hands. I used Authy until I got a new phone, then lost complete access to 5 major applications. Yubico has not training documentation. Great video.

One of my all-time favorite quotes: "good security is based on 2 things: something you know (password) AND something you have (hardware key)".

I have a question. in 2020 my phone took a swim in a lake and I had 2FA on Discord. I have not been able to get back on to discord ever since. do you know how to fix this problem?

May I ask if can use YubiKey 5 NFC as the Main and Yubico Security Key NFC for back up or need to be same type ?

I have a niece and nephew that continually bypass all her various measures when they are grounded. Any idea if there’s a physical device they’d have to “check out” from here?

Absolutely adore your hair colour 😀😀🤗🤗🤗❤️❤️

Thanks for sharing your experience.
I am somewhat at odds with my Yubikey and the most secure way to use it.
I currently use TOTP 2FA which I think is using it via Yubico Authentication. Why? Because this verification is not tied to one device. No sure if that is a valid reason for me as I always have my mobile device.
The other way to secure your Yubikey is by register. Not sure what this security process is called but alot faster. No mistaken web page to click on. Only problem it works with that one registered device only.
What are your thoughts?

@ShannonMorse I have a question. You mentioned that if ever you lost or someone stole your hardware key, you can just revoke them via the website. Can you RE-ACTIVATE the hardware key after you revoke it? Let us say for some reason you found your lost key. Thanks

am i wrong if i say that is still a problem to use the key app to generate a code (like with Google auth) cause if you are entering the code on a transparent proxy faking the website you want to connect to you will provide the code to the hacker in real time ?

What if a hacker had access to my Computer through a trojaner and He copies the whole Browser with extentions and yubico App and the starts the Apps. Will this copy of Browser be treated like a known/own trustworthy Account so the hacker dont need the Hardware Key? or will it be detexted because of Different PC-Information and IP?

you said you dont have to log in with key on pc every time but what happens if your laptop gets stolen. and you dont have your key...do you use the codes you saved to block it?

This does get pretty expensive fast: £52 for each key * 4 for two people > £200, thats before you add in your kids! Great video - very informative.

One problem I ran into using my Yubikey is that if I was remotely accessing my desktop PC with Anydesk and wanted to log in to a website on it, well, I wasn’t there to touch the key or if I had the key with me obviously touching it to my current device wouldn’t work. Then I had to revert back to using a TOTP.

SHANON, SINCE YOU MADE THIS VIDEO THE KEY PRICES HAVE COME DOWN And the Level 2 keys are only a few dollars more than the Level 1 keys. SHOULD I GET A LEVEL 2 KEY?, Are they more complicated to set up??

Is it safe to buy used and already reset Yubikey 5 or any other 2fa keys?

Thanks for sharing: a lot of great information. Blessings on your day 👍🏻

I highly recommend getting a "nano" device. I often found myself frustrated with the larger style keys getting in the way when using with a laptop.

If you are into crypto you can use a ledger as a backup 2fa hardware key. The nice thing is that it is deterministic so even in the event that you lose your ledger, you can always restore your hardware key with the 24 word recovery phrase in the same way that you can restore your wallets.

I so love your hair!!!
In this video you have a Serenity model! Brown coat?

So I should disable phone verification after getting a key to prevent sim swap hacks?

I've heard you need to buy two one for primary and second for backup for accounts incase one goes missing? Is that a proper avenue to go?

Shannon - can Yubikey/ other 3rd parties see your password or any other personal data related to your accounts? For instance, if you used the key across multiple sites as well as Gmail, would Google be able to tell where you're logging in elsewhere on the web?

Yubikey 5C 5 NFC or 5C NFC...which one to buy? 5 NFC is not usb, so what are the differences?

is it same system what some banks have used like 20 yrs?

which yubikey do you recommend?

So what happens when u setup a mobile phone with email and login in the email app? You normally enter email and password, so how does yubikey work with that?

Very informative. Thank you!

2FA is a must and these keys are great. Only issue I have so far is the 32 TOTP limit.

at around 4:00 you say "yes, there are ways to get around 2FA but since those revolve around successful phishing attempts we're going to move past that."
Could you clarify? I assume that at this point in the video we're talking about 2FA with a hardware key, but as far as I know those are phish-proof. Doesn't this method of 2FA require the browser to present the website or app ID to the token, making it impossible to fool my key into answering a challenge from the wrong website?

Super helpful! Thank you!!

can you use 1 key for your different devices?

first yubikey set up.... thank you!

How is tue google Titan thank yon makes one just like it and I want to upgrade possible

Thank you for this education, teaching Old Dogs New Tricks!

At this point my yubikey mostly get used for my password manager and yubikey authenticator. I set up that google secure thing when I first got mine and was promptly horrified over just how much control google has over your phone.

Where I'm from in a big tower block of apartments-the storage compartments at the with the biggest lock on it gets broken in first.

If you do setup your Yubico key on PayPal but use the last menu item on the list you called up, once in operation you get presented with 2 options, either to receive the PayPal 6 digit code via your mobile or use your Yubico key....if your laptop & mobile are breached which option does PayPal think would be chosen doh! Thanks learned more about the Yubico key!

This would be more secure if every website didn't have a reset password via email function. If someone can get access to your email, then nothing you did to any of your other accounts matters. Security will never improve past the weakest link

The problem I have with these keys is the opaqueness in their functioning. What added security does this have over having an ssh key on a flash drive, used to unlock a password manager? If we talk about logging in directly onto a website, why can't that be done without the physical key, ie, emulate the key via software? (Just like ssh keys work, with nothing to be phished because you don't enter a password.) How can I trust a brand new key I'm setting up is not actually malicious?

thank youuu

Is there a version of these that allows you to just leave the key in the computer and not press a button because I'm a quadriplegic and I can't really reach where it would plugged in, plus it's difficult to plug and unplug things in the first place, and pressing buttons can be difficult as well? I'm okay with any increase in security risk.

Switched from Yubi to Onlykey... cuz FOSS and more functionality.

i took the yubikey quiz where i said i use an ipad w/lightning (9th gen, iPad 64gb MK2K3LL/A) 80% of the time and an imac 20% of the time. both do not leave the house. would you agree these are the two keys to get? or can i just get two of the less expensive one and just use a female usb to lightning adaptor for us on the ipad? 1 YubiKey 5Ci & 1 YubiKey 5 Nano.

I am waiting the delivery of 2 Yubi keys I brought a few days ago. I have not ever used security keys before. I am a newbie. They are very expansive though. I brought the Yubi 5 NFC and a Yubi 5C NFC keys for a desktop and mobile. A total of $135 USD including GST and shipping which will be close to $200 Australian and I should probably buy an extra one of each as back ups. I will need a real yubi key 101 when they arrive.

Well you are sort of screwed if you lose your key. If a site has a backup system then what's the point of the key?

Yubikeys are awesome. Another great way to use the key is to configure the long touch. I use this to add salt to some of my password

Very good, Yubikey should buy your video.

My biggest annoyance with the great majority of services, is enforcing you to have a secondary, less secure login method defined.

As an almost victim of a SIM swap attack, I’d like to figure out a way to more securely receive SMS 2FA texts from my banks. Any suggestions?

Question Why do you have in your starting photo I counted 15 keys you have? When you said 2 is all you need!

Awesome video!!

I heard about these keys recently while trying to change from Google Authenticator. I can't stand Time-Based One Time Password 2FA codes as I have a tremor and cutting and pasting, flicking between touch screens etc is a nightmare. I know these keys are only small and therefore still slightly problematic, if all I have to do is tap a key instead that would be helpful enough. I would like to see them with caps on so they can be a bit more protected. And I'd like to see banks get their act together! Thank you for your helpful videos!

I first noticed the legendary ship "Serenity" Firefly class. Of course,

THIS lADY HAS SUCH A WONDERFUL Personality I COULD LISTEN TO HER ALL DAY i WISH SHE WOULD DO A VIDEO ON HOW TO SET UP AND USE THE YUBIKEY MANAGER AND GET THE PIN

What if I want to log into my account on a device where I can't access the USB ports?

How much of a problem is it to upgrade to a new one?

Again: really interesting! :) There is one thing nice with the 2FA with text message: you'll received a text message if somebody is trying to access to your account.... ;)

I never knew 2FA hardware keys existed. I will say the only hardware key I'm really opposed to are license dongles (e-Licenser/iLok); in that regard I prefer software. My reason is that hardware keys (at least those types) can get lost and broken. The software key is installed directly on the PC. I do like the 2FA/MFA concept, and maybe somewhere down the way, I'll consider the hardware approach...

Thanks, Shannon~

Love the Sailor Moon Tee Shirt!