I love my yubikeys and got them after they were mentioned on Hak5. I was lucky enough to get 2 of the clear 5ci ones. I should get some of these new ones.
Hi Shannon. You have convinced me to look into Yubikey. Thank you! But what happens if, for some reason, you don't have any of the keys with you? Can you still use other 2F choices?
Also if you're into crypto and have a Trezor/Ledger/etc. cold storage wallet they may already support U2F/FIDO2 so you may already be capable of hardware 2fa (if you're willing to connect your cold storage to authenticate).
Hey Shannon. Thank you for your helpful videos....I have seen you mostly on Hak 5 and didn't know you had your own channel...so I'm subscribed now. Anyway, I just bought a Yubikey 5 US A NFC token, mostly because my bank is a pain in the butt about money transfers and transfer limits. Supposedly with this key, I can have no transfer limits. I will go to the included website and see what other sites I may use, that also offer Yubikey authentication. Again, thank you very much.
Can you use these with an authenticator app too? So if you don't have one handy, you can still use the app? I want that Lightning/USB-C combo one but with NFC too! Great video!
Yes you can, but it depends on the website. For example, google lets you add both an authenticator app AND a hardware key. Some sites don't let you do that.
@@ShannonMorse If you are given the option for multiple methods, wouldn't it be prudent to only use the physical key? A hacker could simply opt for the SMS if given the option at login.
Those buggers seem very easy to lose. One video with in-depth backup strategies and approaches would be very interesting to watch. For instance, as far as I see I can associate only one key with a Bitwarden acc? Also a demo of how they are used with OpenPGP would be great as well.
Thanks for this video. This is an interesting space and I'm curious about your thoughts on other MFA that companies have started offering like passive authentication or behavioral biometrics?
Titan only does FIDO2. Yubikey does that and also Yubico OTP, their own OTP, which simulates a keyboard and types out a string and works with any device that supports a USB keyboard. Yubico OTP is less popular than FIDO2 tho.
Hi Shannon, I’ve just happened upon your channel so I subbed. Great info ℹ️ although I have a question! I received a couple of Yubikey 5 NFCs in the post but the packages were damaged and I wondered, is there a way of checking the Yubikeys (to make sure they’ve not been tampered with) or even to reset them? Or should I discard them? I hope 🤞 not because they’re expensive.
Hey, Shannon. Great video. I just ordered the YK5 NFC & YK5C NFC. I also ordered the mini USB-C. I'm pondering if the Mini C is necessary. I'm new to this, my brother just got robbed, so I'm boning up on security. What do you recommend as far as the better 2 Keys I should have? I have PC/iOS. Work-PC/Phone/iOS. I figured I wouldn't need the C/Lightning if I can just tap the back on the iPhone. Thanks.
What reasons would someone have to upgrade from say a yubikey 3 to a newer yubikey 5? Do yubikeys have known issues with using port adapters (ie, A to C/micro/lightning)?
Ports and protocol compatibility. Some adapters have been tested and some worked, some didn't. support.yubico.com/hc/en-us/articles/360016614860-Using-a-YubiKey-with-USB-C-Adapters
I've always been curious about these, I may as well try it out. I saw that you answered a question below on some websites it can work also if software authentication is on, which is good to know! Thanks for the video on explaining them.
Great video. I plan to buy a Yubikey for my Pixel7. Can I use the key right out of the box or do I have to start the process with my iMac desktop? Thanks
My keys worked fine but the nano wasn't getting detected by some page so I used the authenticator and set up all the keys the same, saving that manual login and taking screenshots of the QR code to set this up, and this worked for all keys so now I have all backup keys and it feels great to have them.
I have them. I am not intimidated to set them up on different services as you have shown here.....BUT (!!!) I am completely flummoxed re setting PIN PUK Management key ????? Is all that necessary? I am assuming yes. Arg, it seems so complicated. 💥SMA (so many anachronisms)💥. Plus I am assuming we should download the Yubico authenticator app , but when, first thing or after the PIN PUK etc ? This set up part is the hardest for me to wrap my brain around. I'm trying to view lots of videos, but few address this. Shannon you would be so good at explaining this part I think!! (hint hint) 💪🏼🙏🏼😳
Thanks for the great review, @ShannonMorse I just have a question, did the packaging change? I mean, I noticed in the video that the package says "The #1 Security Key" on the top and the back is maybe blue, whereas I recently saw the packaging without "The #1 Security Key" sentence on the top and the back is in green. Is it a knockoff or something?
Do you need to create a new password when you are installing a new Yubikey? In other words, can you make a crazy complex 16-digit password for the new Yubikey. And if so, will you need to write that down and save this second password?
Do you know if consumers can use the 5C FIPS series keys? I'm wondering if the regular 5 NFC series differs from the 5 FIPS series other than the added level of security on the FIPS. I ask because I'm wondering if, let's say you want to secure your Gmail account with the regular 5 series, can you also do it with the 5 FIPS series? Or are most accounts the average user utilizes only compatible with the regular 5 series and not the FIPS series? If I can still use the FIPS series that has government level 3 encryption vs. the regular 5 series, which only has level 1 encryption, then I'd rather just make the investment and pay slightly more for the FIPS version and get added security, but I'm not sure if it's ONLY for government use or can regular consumers use it too and for the most part it would still function like the regular 5 series but with the added protection? Thanks for making your content, it's valuable in today's digital world 👍❗
Love my Yubikey. Had one for years and still sigh when a certain website does not allow hardware U2F keys. Although thankfully support for them has come A LONG way since I bought mine.
Hey Shannon, bought this Yubikey 5 NFC a few days ago and your video shows how easy it is to use and set up. Question: what are your thoughts on Yubico Authenticator? Is it necessary to install it and use it for desktop?
Hi, can you tell me which you recommend buying, YubiKey 5 NFC FIPS or YubiKey 5 NFC? As I understand it, the FIPS model is more secure and certified, but this is strange since the Cryptographic Specifications for YubiKey 5 NFC FIPS are RSA 2048, ECC p256, ECC p384, and the YubiKey 5 NFC Cryptographic Specifications are RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384. It seems like this encryption method, RSA 4096 (PGP), is the best and the FIPS version does not have it.
Hi Shannon, thanks for your helpful video. Am I hearing you correctly, that once a device (PC or mobile) is registered with the key, we won't need to plug it in every time we log in on the same device? Also, how many Gmail accounts have you been able to protect with the same key? Thanks for your help, Pedro
Great video but got a question. Can these be compromised? And where should I purchase one? Worried about buying one on amazon if they can be compromised. Thanks. Live long and prosper 🖖
I have two keys, one is a Yubikey, the other is another brand. They work fine but they are never around when I need them. I don't carry keys, and the way these things are built, I don't think they would fare well hanging on a keychain. So, what do people do with their Yubikeys? How do you make sure that you have them with you wherever you go? That's been my struggle since buying them.
Great video! One question if I get two keys, can I clone me to the other or do I need to setup each one with every account configured for key tokens? Thx.
Do you also have a video to show us how to use a Yubikey for ssh access with FIDO (2) or U2F or with another type of 2FA or MFA? If you don't have such a video, then you might want to?
I want to hear how you guys keep track of and organize all of your 2FA accounts. How do you keep track of accounts that you have turned on a hardware token? And what do you do with those backup codes for all of your accounts? I have been using Google Auth, Yubikey, and Bitwarden's authentication feature in the password manager app (for TOTP codes). Too often I can't remember where I have a specific account saved. Lately I have been just putting all TOTP codes into Bitwarden, and then everything else that can use YubiKey's HOTP functionality.
Nicely explained. I have two Yubikey Security Key C NFC and NFC (USB ONLY) Devices. Facebook is no long Security Key Devices :-( Oh well I use Bitwarden for OTP (Once-Password at time). You uploaded youtube one year ago. How you do Facebook added your YubiKey Security Key devices? Where facebook website that allowed security key device added?
What are the security risks with the NFC integrated into the keys, doesn't that present a new attack vector to the hardware based keys? I like the functionality of the NFC but am also thinking about if it's possible for someone with a really strong antenna to conduct some sort of relay attack or if they could somehow bump into you and gain access to your account with their phone against the NFC key. I know this is all highly unlikely and improbable, but theoretically speaking, doesn't NFC present these issues or am I missing something?
I bought the USB one with NFC like a year ago but couldn't get it to work out of the box on my Android's NFC so it's just been sitting in a drawer for over a year. So maybe a tutorial on setting that function up? Also like that other guy said... maybe a "how to create a backup key" vid to leave in your safe? Great vid tho, thank you!
Hang on... so you have to enter your regular password, touch the Yubikey AND enter a PIN every time? All three ? (assuming you are on a new device or don't store cookies) Secondly; I work in 3 places - I'd like to leave a key in all three - once you have enabled 2FA on a service, can you add additional 2FA devices without having access to the first one (which I've left in my other office) ?
A lot of modern phones have these security chips embedded and you can get away without carrying a USB dongle with you all the time. Though I would buy one of those USB dongles as a backup.
I’m new to all of this so please forgive me if my questions seem foolish. I am basing these questions on what might be a false assumption. That like the text message code that I receive from sites that offer 2FA, the Yubi key sends a numeric code to the backend server. 1. Does the Yubi key eliminate the need to enter username/password or does the Yubi key take the place of the site's need to text you a code? 2. Is this the same exact code that say Amazon would text me so that Amazon knows that I am who I say I am, or does it generate its own unique code, and sites like Amazon that interface with Yubi key know to use the Yubi key's code instead of the code that their site generates? 3. If I have a backup key or I buy a new device, how does a backend server like Amazon know that the code which is generated by this new key can authenticate me as being me since the code generated by the backup key surely can’t be the same as the old key? Thanks
You still need to enter your username and password. When you register your YubiKey(s) to a site like Amazon as your 2FA, your YubiKey would insert a unique pre-programmed text (I don't know how many alpha-numeric characters, I'm guessing 128 or 256 characters). After registering your YubiKey(s) to a site (in this case, Amazon), it would ask you to insert your YubiKey, then the YubiKey would input the pre-programmed text when you touch it when prompted. Most sites allow you to register 3 or more hardware keys (YubiKeys). The site does not differentiate between a primary key and backup keys. All the site does is to check if the key provided a pre-programmed text and it is listed in its database against your username/password. If it does, it lets you in. If not, then, of course, it won't let you in.
Would simply keeping the Yubikey 5C Nano always plugged into my Android Samsung Galaxy be an ideal option? You mentioned best used in a pc....? I don't have a C port in my pc..?
Does the 5C USB-C device have a light similar to the 5C USB-A device? I am referring to the device with two side buttons instead of the single top button. The device with a single top button lights up when prompted, but I did not see a light for the side button version. Can you confirm if it has a light?
Hi Shannon! Is it possible to enable mandatory tap on the yubikey when using mobile device? I don't like the idea of just putting yubikey in front of device to authenticate.
A question that popped up in the last second of the video: you use different hardware keys for different sets of websites? Why is that? For more security or any other reason?
Is there one I can use for a tablet? And I don't want anything that will copy my fingerprint. Also can I use this to login to my laptop, tablet and other devices in order to keep hackers out?
I can lock down my useless Twitter account with these, but my bank and 401k account ask me my dog’s name.
or sends you a sms to who knows who.
We need close ups of the computer shots and more explanations on using the key. You added a lot of knowledge I didn't have. The best Yubikey video for me.
That's Ruff
Woof! Woof!
@@rickknowles9620 😆😂🤣 Classic 👌🏽
I own the Yubikey 5ci. I bought mine last winter. I'm obsessed with it! It's the coolest thing 2FA out there. No more adding your phone number for two factor. This is genius!
Couldn't agree more!
My Yubikey is here this week. It was your videos that told me I needed it.
I absolutely use Yubikey, and have for at least 7-10 years now. I have my old Bluetooth keys back before iPhones had NFC, as well as the USB-A and Itty bitty mini that sits flush in the USB slot. I'm ordering some new 5s since all mine were the 4 series, and I'm really interested in their new authenticator app which bridges the gap of needing a software authenticator as most apps and sites are accepting, but being backed by your hardware yubikey. So the flexibility and security of an authenticator app with the robust security of a physical hardware key that only I can possess.
I have a series 4 Yubikey that I've used and loved for years. A few days ago I ordered a 5 UFC so I can use the NFC functions. I figure I'll just stash my old Yubikey 4 away as a backup. One of the things I love that wasn't mentioned in the video is that I also have my key programmed with an obscenely long static password that I use for an encrypted hard drive. Keeps the hard drive secure, yet makes it super easy to unlock.
Terrific timing Shannon: Bank of America just announced support for any FIDO-certified key late next month (June 2021). I desperately hope that forces other financial services to support genuine 2FA. It’s been a complete and utter embarrassment that arguably our most important products have been so late to the game (when game companies have done it for years)!
It is about time Bank of America no longer requires a dumb phone number to be entered in for two factor auth.
Really? I am in 2022 and I have not seen FIDO support. Or OTP applications.
Where did you read this? I
Imagine getting an sms code lmao
For what it's worth, my main concern is forgetting which services I enabled this kind of tech on.
Assuming I registered two keys on each service right away, main+backup, when I eventually lose a key, I'll have to get a replacement and register it again with all these services.
I'm worried that by that point I'll have forgotten which services I need to go back to...
But that's not to say this is bad tech! This is indeed great tech! Just requires some organization skills.
That's definitely a valid concern for something like this. For myself I add a "Yubikey" tag to any accounts in my password manager that I use it for so I can easily find and update them if something like that happens.
Excellent as always. I have heard of these for years, but haven't really seriously considered using them until now. Seems like things are getting more and more compromised. I have used 2FA for a long time, but now even that is an issue. So many orgs that don't use true 2FA (like security questions - uughhh!) or (SMS or emailed 2FA key - NOOO). Thanks for doing this, it helped to understand what is going on with this.
Glad to help! Lmk if you have any questions!
You're crazy Shannon, you look as young now as in the old video linked on Yubico, you have not aged! But you do have more cool hair colors these days! Love your vids and so happy to see a Yubikey video, thought about it but never mentioned it on your Google 2FA video.
I understood your explanation with the ATM analogy, after that I was lost.
Awesome thanks Shannon. I was looking at their website yesterday but got confused. Thanks for the video !
You are so welcome!
Yes, Shannon I love my Yubikey! I have been telling people about them for a while but nobody wants to listen
I’ve been meaning to ditch sms authentication for awhile. I’m interested in purchasing several Yubikeys. Shannon, could you do a demo on using multiple Yubikeys on a single account? I’d like to keep one in a safe and actively use the other.
Sure thing!
Thank you
This device also sounds like a good thing to have attached to a Last Will & Testament. You could spare your loved one the hassle of dealing with your digital breadcrumbs.
Except, it is only for 2FA. Your loved ones, and you, will still need a list of all your logins and passwords you used during your life, PLUS a key.
Na, you're dead you don't have to worry. As long as you have someone to erase your hard drive.
I would like to hear more about different threat scenarios and the pros and cons of different MFA methods/devices/standards with them.
Noted! That's a good idea for a video!
An important point is to not treat your email the same way you treat other credentials, as email is used to reset credentials. My view: from strongest to weakest... hardware token with screen that gets out of band (encrypted Bluetooth or QR code) keypair of info about a transaction like amount and beneficiary, but very few sites support it. Then hardware token (attacker needs sustained compromise of your main workstation to be able to impersonate you). Then mobile apps (you need your mobile to be compromised) on par with SMS OTP (depends on country, it is more or less easy to do SIM cloning via social engineering to telco). If you use a password manager, add a few characters of something you know so if your workstation gets compromised, it is unlikely the attacker will go to the extent to keylog you as these types of attacks are usually done large scale.
Bought 2 yubikey 5 today so setup tomorrow. Thanks for a great video.
I love this kind of product for 2fa. Thanks for videos you do
Great video! Probably the most straightforward video out there on yubikeys.
Glad it was helpful!
It's always fun to see when the hair color on youtube catches up with the hair color on instagram.
The hair color on youtube is the most up to date one lol
That video is still UP on their website. Wow, you do look so young when making that public service announcement! 🤣🤣🤣. I still love you though.
Worth their weight in gold. I miss her and Patrick together they were a great team!
I’m actually making more content now than when I was on another channel's schedule. Thanks for stopping by!
I bought about $250 worth of Yubikeys last year because I was so obsessed with testing their use for security. I've been using a company issued old Yubikey for over 10 years for VPN access to our company network. I bought several USB-A NFC 5 type and several blue security key models. These devices are the best solution I have seen for nearly all security needs. The 5 NFC supports PIV SmartCard. You can use it with Putty-CAC to ssh to your servers (cloud instances or behind your firewall at home). All models support the Yubikey authenticator App. You can replace Microsoft/Google authenticator with the Yubikey authenticator. So you don't need your phone. This also eliminates the threat if your phone SIM card gets cloned. You should get at least 2 keys, though. One to carry around and use and the other to keep in a safe place. And you do need to have a management plan in place as well so you remember to authorize the backup key in addition to your main carry key. These keys support FIDO2, FIDO2UF, PIV SmartCard, OATH One Time Passwords, Open PGP, and also can carry a "master" password. I use the authenticator app for a bunch of accounts - Amazon, New Egg, Facebook, Google, and others like banking. I also use it for accessing my KeePassXC password safe on a PC and a MacBook. I have tested quite a few uses. I also gave my wife a spare one so that if something happens to me, she can access accounts. And since she has a key, she has a backup in case I need it. Yes, they are $20-70 per key depending on which model, but that is dirt cheap for what you are getting in the way of ease of use and security.
I have some questions.
If a person uses the Yubikey authenticator app on both their Windows desktop and on their phone.
And let's say the phone gets damaged or stolen, and the computer burns out or is also stolen. Is there a way to recover? Or are people SOL?
I read the part when you said and I Quote, (You can replace Microsoft/Google authenticator with the Yubikey authenticator. , So you don't need your phone.) End-Quote
Mind going more into detail about that please?
@@TwstedTV Yes. That is the great part about using the Yubikey. The authenticator is actually the Yubikey itself. So it doesn't matter if your device with the App dies or is lost. As long as you have the Yubikey itself you are good to go. So all you do in that case is install the Yubikey authenticator app on whatever new device you get and use the Yubikey you have against that. The important point to remember is that you DON'T want to lose the Yubikey itself. If you lost that, you are out of luck. So you need to have at LEAST 2 Yubikeys and ALWAYS register each one with the login that requires 2FA. Keep the backup key in a safe spot. What you do for setting up 2FA for an account is make sure you have both (or more) of your Yubikeys on hand each time you set up a new account. Then you only carry one around with you and put the other in your safe. Or, in my case, I have 3. I have one for me, one for my wife, and one in a safe. If you ever lose a Yubikey, you need to redo any/all accounts for 2FA so that the old Yubikey can no longer be used for your accounts.
Hope this helps.
@rexjuggler19
That there terrifies me of being locked out of accounts I've had for a decade or more.
Because it is dependent on a tiny key that can get easily lost or damaged.
I am wondering if I just purchase a normal fingerprint reader & use that for accounts instead for home use like my job has.
Which would mean that a thief won't be able to unlock my account because they would need my actual fingerprint.
For example where I work, they have a black box 3x3 sitting in front of the monitor of each station, and you need to use your fingerprint to log into accounts.
And a few times the fingerprint reader box had problems and they just unplugged it and installed a new black box FP reader and everyone's FP still worked without doing anything else.
Instead of being dependent on a tiny usb style device. The accounts would be tied to a finger, and not an actual tiny usb device.
Another scenario I forgot to mention is phone cloning. So if you're using google authenticator with your phone and your phone gets cloned, you are open to attack. As far as I'm aware, it is not possible to clone a yubikey. How could your phone get cloned? One scenario I have thought of would be if you take your phone in for service like a battery replacement or something. The person working on your phone has full access to it for the hour or two you leave it there and could easily clone the SIM. You are also dependent on Google or Microsoft to host the authenticator that works with your phone. For a reddit account or something fairly benign, I wouldn't care. But for a bank account or something, I want a yubikey. If you want simple and are worried about losing a yubikey, you can always decide not to use 2FA and keep all your passwords on a spreadsheet or word document - NOT!
@rexjuggler19
I was thinking about buying this from Amazon: the Kensington VeriMark Desktop USB Fingerprint Key Reader. It's FIDO and FIDO2, U2F and 2FA compliant.
I was told by someone recommending this product to me that if this device breaks or gets lost, all I need to do is buy another one and I don't have to be worried about redoing everything all over again, and it remembers the authorization of my fingerprint, because it's not dependent on the hardware itself, but rather on the fingerprint itself.
I love my yubikeys and got them after they were mentioned on Hak5. I was lucky enough to get 2 of the clear 5ci ones. I should get some of these new ones.
WHAAAT Clear ones?! Were those limited edition or something?
That heart sweater! Love it. And very good info thank you!
It’s amazing that all banks still don’t use this. I’m writing this in 2024 and almost no banks have compatibility with these types of devices!
That's funny. That's you in the 2UFA video at Yubico
Hi Shannon. You have convinced me to look into Yubikey. Thank you! But what happens if, for some reason, you don't have any of the keys with you? Can you still use other 2F choices?
these things are great, I've been learning how to do other kinds of authentication like ssh with them
Yes they are perfect for that!
Thanks Shannon. What are your thoughts on Yubikey versus open source options?
I got mine as a birthday gift! :) Then a transparent one for my girlfriend.
I'm trying to get my company to use them as well.
Also if you're into crypto and have a Trezor/Ledger/etc. cold storage wallet they may already support U2F/FIDO2 so you may already be capable of hardware 2fa (if you're willing to connect your cold storage to authenticate).
Thanks, Shannon! Just subscribed and learned lots from your channel.
I bought the YubiKey experience pack not too long ago. I freaking love them.
Hey Shannon. Thank you for your helpful videos....I have seen you mostly on Hak 5 and didn't know you had your own channel...so I'm subscribed now. Anyway, I just bought a Yubikey 5 US A NFC token, mostly because my bank is a pain in the butt about money transfers and transfer limits. Supposedly with this key, I can have no transfer limits. I will go to the included website and see what other sites I may use that also offer Yubikey authentication. Again, thank you very much.
Can you use these with an authenticator app too? So if you don't have one handy, you can still use the app? I want that Lightning/USB-C combo one but with NFC too! Great video!
Yes you can, but it depends on the website. For example, google lets you add both an authenticator app AND a hardware key. Some sites don't let you do that.
@ShannonMorse If you are given the option for multiple methods, wouldn't it be prudent to only use the physical key? A hacker could simply opt for the SMS if given the option at login.
Those buggers seem very easy to lose. One video with in-depth backup strategies and approaches would be very interesting to watch. For instance, as far as I see I can associate only one key with a bitwarden acc?
Also demo how are they used with openpgp would be great as well
I'm kinda late to your channel (yes, subscribed). I just ordered two Yubikeys. Thank you for the informative video.
Thanks for this video. This is an interesting space and I'm curious about your thoughts on other MFA that companies have started offering like passive authentication or behavioral biometrics?
Comparing the Yubikey and the Titan...is there any security reason to choose one over the other?
Titan only does FIDO2. Yubikey does that and also yubico OTP, their own OTP. Which simulates a keyboard and types out a string and works with any device that support USB keyboard. Yubico OTP is less popular than FIDO2 tho
@zer0r00t Thanks!
Hi Shannon, I’ve just happened upon your channel so I subbed. Great info ℹ️ although I have a question!
I received a couple of yubikey 5 nfc’s in the post but the packages were damaged and I wondered is there a way of checking the yubikeys (to make sure they’ve not been tampered with) or even to reset them? Or should I discard them? I hope 🤞 not because they’re expensive.
Hey, Shannon. Great video. I just ordered the YK5 NFC & YK5C NFC. I also ordered the mini USB-C. I'm pondering if the Mini C is necessary. I'm new to this, my brother just got robbed, so I'm boning up on security. What do you recommend as far as the better 2 Keys I should have? I have PC/iOS. Work-PC/Phone/iOS. I figured I wouldn't need the C/Lightning if I can just tap the back on the iPhone. Thanks.
Great video, especially in today's world of internet vulnerabilities
Good video, thank you! One question: Why didn’t you mention the Security Key series?
Those came out after this video was recorded. 😊
What reasons would someone have to upgrade from say a yubikey 3 to a newer yubikey 5? Do yubikeys have known issues with using port adapters (ie, A to C/micro/lightning)?
Ports and protocol compatibility. Some adapters have been tested and some worked, some didn't. support.yubico.com/hc/en-us/articles/360016614860-Using-a-YubiKey-with-USB-C-Adapters
I've always been curious about these, I may as well try it out. I saw that you answered a question below that on some websites it can work also if software authentication is on, which is good to know! Thanks for the video explaining them
Great video. I plan to buy a Yubikey for my Pixel7. Can I use the key right out of the box or do I have to start the process with my iMac desktop?
Thanks
My keys worked fine but the nano wasn't getting detected by some page, so I used the authenticator and set up all the keys the same, saving that manual login and taking screenshots of the QR code to set this up, and this worked for all keys, so now I have all backup keys and it feels great to have them.
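Two comments above describe the OATH authenticator model: the codes come from the YubiKey rather than from the app, and enrolling the same QR-code secret on several keys makes them interchangeable for that account. The sketch below is an added example, not from the video or from Yubico's software: it implements RFC 6238 TOTP, and the `HardwareToken` and `AuthenticatorApp` classes and the otpauth URI (built from the RFC test secret) are hypothetical stand-ins used to show both points.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def parse_otpauth(uri: str) -> tuple[str, bytes]:
    """Return (account label, raw secret) from the URI a setup QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    b32 = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore stripped Base32 padding
    return unquote(parsed.path.lstrip("/")), base64.b32decode(b32)


class HardwareToken:
    """Hypothetical stand-in for a key's OATH applet: secrets go in, only codes come out."""

    def __init__(self, name: str):
        self.name = name
        self._secrets: dict[str, bytes] = {}

    def enroll(self, uri: str) -> str:
        label, secret = parse_otpauth(uri)
        self._secrets[label] = secret
        return label

    def code(self, label: str, unix_time: int) -> str:
        return totp(self._secrets[label], unix_time)  # KeyError if never enrolled


class AuthenticatorApp:
    """Hypothetical host app: keeps no secrets, so a lost phone or PC loses nothing."""

    def __init__(self, token: HardwareToken):
        self.token = token

    def show(self, label: str, unix_time: int) -> str:
        return self.token.code(label, unix_time)


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
SETUP_URI = ("otpauth://totp/Example:alice@example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def demo(unix_time: int = 59) -> dict[str, str]:
    main, backup = HardwareToken("main"), HardwareToken("backup")
    label = main.enroll(SETUP_URI)
    backup.enroll(SETUP_URI)  # same QR secret, enrolled during the same setup
    return {
        "old_phone": AuthenticatorApp(main).show(label, unix_time),
        "new_laptop": AuthenticatorApp(main).show(label, unix_time),  # fresh install
        "backup_key": AuthenticatorApp(backup).show(label, unix_time),
    }
```

The saved QR screenshot carries the same secret the keys hold, so it deserves the same protection as a backup key. A key that was never enrolled with that secret raises `KeyError` here, which is why the backup has to be present at setup time.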
I have them. I am not intimidated to set them up on different services as you have shown here.....BUT (!!!)
I am completely flummoxed re setting PIN PUK Management key ????? Is all that necessary? I am assuming yes. Arg, it seems so complicated. 💥SMA (so many anachronisms)💥. Plus I am assuming we should download the Yubico authenticator app , but when, first thing or after the PIN PUK etc ? This set up part is the hardest for me to wrap my brain around. I'm trying to view lots of videos, but few address this. Shannon you would be so good at explaining this part I think!! (hint hint) 💪🏼🙏🏼😳
Love your hair. Awesome video. !!!
Thank you!!
Thanks so much for your content. Where do you get the stickers from? Thanks.
great intro. I love my yubikeys.
Thanks for the great review, @ShannonMorse
I just have a question, did the packaging change? I mean, I noticed in the video that the package says "The #1 Security Key" on the top and the back is maybe blue, whereas I recently saw the packaging without "The #1 Security Key" sentence on the top and the back is in green. Is it a knockoff or something?
Hello Shannon, I am your new subscriber
I am going to buy yubikey 5 nano 😎
Do you need to create a new password when you are installing a new Yubikey?
In other words, can you make a crazy complex 16-digit password for the new Yubikey? And if so, will you need to write that down and save this second password?
Do you know if consumers can use the 5C FIPS series keys? I'm wondering if the regular 5 NFC series differs from the 5 FIPS series other than the added level of security on the FIPS. I ask because I'm wondering if let's say you want to secure your gmail account with the regular 5 series, can you also do it with the 5 FIPS series? Or are most accounts the average user utilizes only compatible with the regular 5 series and not the FIPS series? If I can still use the FIPS series that has government level 3 encryption vs. the regular 5 series, which only has level 1 encryption, then I'd rather just make the investment and pay slightly more for the FIPS version and get added security, but I'm not sure if it's ONLY for government use or can regular consumers use it too and for the most part it would still function like the regular 5 series but with the added protection? Thanks for making your content, it's valuable in today's digital world 👍❗
Hi Shannon, would you please do one for setting up your youtube channel with Yubikey. Also please focus on the laptops
Love my yubikey. Had one for years and still sigh when a certain website does not allow hardware U2F keys. Although thankfully support for them has come A LONG way since I bought mine.
Totally agree
Your hair is from the future. I like it.
I use a previous gen Yubikey and the Yubico-made FIDO key (the blue one). I've been meaning to upgrade to a series 5 Yubikey, though.
Great product, very helpful explanation!
Thank you for the posting. Very helpful.
Great video Shannon I am about to buy my 1st Yubikey :)
Nice!
I assume they will work for USB passthrough for things like virtualbox so you can authenticate to the VM or applications on the VM ?
Hey Shannon, bought this Yubikey 5 NFC a few days ago and your video shows how easy it is to use and set up. Question: what are your thoughts on Yubico Authenticator? Is it necessary to install it and use it for desktop?
Hi, can you tell me which you recommend buying: YubiKey 5 NFC FIPS or YubiKey 5 NFC? As I understand it, the FIPS model is more secure and certified, but this is strange, since the Cryptographic Specifications for the YubiKey 5 NFC FIPS are RSA 2048, ECC p256, ECC p384, and the YubiKey 5 NFC Cryptographic Specifications are RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384. It seems like RSA 4096 (PGP) is the best encryption method, and the FIPS version does not have it.
Hi Shannon, thanks for your helpful video. Am I hearing you correctly, that once a device (pc or mobile) is registered with the key, we won't need to plug it in every time we log in on the same device?
Also, how many g-mail accounts have you been able to protect with the same key?
Thanks for your help,
Pedro
Great video but got a question. Can these be compromised? And where should I purchase one? Worried about buying one on amazon if they can be compromised. Thanks. Live long and prosper 🖖
You can use the links in my description to buy them directly thru yubico. Any hardware could potentially be compromised.
good clear explanation - well delivered communication
Can you generate the keys on it yourself or do you have to use the ones they put on there? Can you back up the key material?
You talk about A and C but what is the difference and what do the letters mean?
That is the kind of USB port you can put them in. USB C is smaller than USB A
@ShannonMorse thank you, that was a great help!
I have been using yubico for years. I still do not understand why more online banks do not allow for Hardware 2fa or even software authenticators.
I don't get it either. I used to work for a bank and they couldn't answer my question when I asked about better authentication.
@ShannonMorse I mean I can secure my world-altering Twitter account with 2FA but not the place that holds my money.....
I have two keys, one is a Yubikey, the other is another brand. They work fine but they are never around when I need them. I don't carry keys, and the way these things are built, I don't think they would fare well hanging on a keychain. So, what do people do with their Yubikeys? How do you make sure that you have them with you wherever you go? That's been my struggle since buying them.
great info, fantastic hair color
Thank you!
Great video! One question if I get two keys, can I clone me to the other or do I need to setup each one with every account configured for key tokens? Thx.
Great question, did you find out the answer?
I think you need to configure each key for each account
As a Swede I’m shocked I haven’t heard that Yubikeys was founded in Sweden!
I can promise you that you're not alone in that 👍🏻
Do you also have a video to show us how to use a Yubikey for ssh access with FIDO (2) or U2F or with another type of 2FA or MFA? If you don't have such a video, then you might want to?
THX for this Video, great explained.
I want to hear how you guys keep track of and organize all of your 2FA accounts. How do you keep track of accounts that you have turned on a hardware token for? And what do you do with those backup codes for all of your accounts? I have been using Google Auth, Yubikey, and Bitwarden's authentication feature in the password manager app (for TOTP codes). Too often I can't remember where I have a specific account saved. Lately I have been just putting all TOTP codes into Bitwarden, and then everything else that can use YubiKey's HOTP functionality.
Very secure and an outstanding value.
Nicely explained. I have two Yubikey Security Key C NFC and NFC (USB ONLY) Devices. Facebook is no long Security Key Devices :-( Oh well, I use Bitwarden for OTP (one-time password).
You uploaded this to YouTube one year ago. How did you get Facebook to add your YubiKey Security Key devices? Where on the Facebook website can a security key device be added?
What are the security risks with the NFC integrated into the keys, doesn't that present a new attack vector to the hardware based keys? I like the functionality of the NFC but am also thinking about if its possible for someone with a really strong antenna to conduct some sort of relay attack or if they could somehow bump into you and gain access to your account with their phone against the NFC key. I know this is all highly unlikely and improbable, but theoretically speaking, doesn't NFC present these issues or am I missing something?
I bought the USB one with NFC like a year ago but couldn't get it to work out of the box on my Android's NFC so it's just been sitting in a drawer for over a year. So maybe a tutorial on setting that function up? Also like that other guy said... maybe a "how to create a backup key" vid to leave in your safe? Great vid tho, thank you!
Hang on... so you have to enter your regular password, touch the Yubikey AND enter a PIN every time? All three ? (assuming you are on a new device or don't store cookies)
Secondly; I work in 3 places - I'd like to leave a key in all three - once you have enabled 2FA on a service, can you add additional 2FA devices without having access to the first one (which I've left in my other office) ?
A lot of modern phones have these security chips embedded and you can get away without carrying a USB dongle with you all the time. Though I would buy one of those USB dongles as a backup
That's not what these do.
I'm surprised that someone being supported by Yubico didn't get the biometric options or the FIPS options.
Love the hair
I’m new to all of this so please forgive me if my questions seem foolish. I am basing these questions on what might be a false assumption. That like the text message code that I receive from sites that offer 2FA, the Yubi key sends a numeric code to the backend server.
1. Does the Yubi key eliminate the need to enter username/password or does the Yubi key take the place of the site's need to text you a code?
2. Is this the same exact code that say Amazon would text me so that Amazon knows that I am who I say I am, or does it generate its own unique code, and sites like Amazon that interface with Yubi key know to use the Yubi key's code instead of the code that their site generates?
3. If I have a backup key or I buy a new device, how does a backend server like Amazon know that the code which is generated by this new key can authenticate me as being me since the code generated by the backup key surely can’t be the same as the old key?
Thanks
You still need to enter your username and password.
When you register your YubiKey(s) to a site like Amazon as your 2FA, your YubiKey would insert a unique pre-programmed text (I don't know how many alpha-numeric characters, I'm guessing 128 or 256 characters). After registering your YubiKey(s) to a site, (in this case, Amazon) it would ask you to insert your YubiKey, then the YubiKey would input the pre-programmed text when you touch it when prompted.
Most sites allow you to register 3 or more hardware keys (YubiKeys). The site does not differentiate between a primary key and backup keys. All the site does is to check if the key provided a pre-programmed text and it is listed in its database against your username/password. If it does, it lets you in. If not then, of course, it won't let you in.
Would simply keeping the Yubikey 5C Nano always plugged into my Android Samsung galaxy be an ideal option? You mentioned best used in a pc....? I don't have a c port in my pc..?
Do you know if there’s a case/cover for these Yubikeys? Mine is all scratched up after 4 years and need to replace it.
How do you think the USB-A/NFC Yubikey compares to the equivalent Google Titan security key?
So, re the nano series. By touching the key, is it merely a toggle switch or is the product indeed scanning, reading my fingerprint??
What's the Best yubikey 5 NFC or yubikey NFC?
Awesome shannon you are the one 🙂👌
Thank you 😁
Is the Security Key Series good to use as a Windows 11 Sign-in option. It's FIDO2 certified as required by Microsoft.
Please can you do a single video ONLY about how to use the "YubiKey 5C" key?
Does the 5C USB-C device have a light similar to the 5C USB-A device? I am referring to the device with two side buttons instead of the single top button. The device with a single top button lights up when prompted, but I did not see a light for the side button version. Can you confirm if it has a light?
Hi Shannon! Is it possible to enable mandatory tap on the yubikey when using mobile device? I don't like the idea of just putting yubikey in front of device to authenticate.
A question that popped up in the last second of the video: you use different hardware keys for different sets of websites? Why is that? For more security or any other reason?
Man, I love yubikey!!! I have 5 of them
WOW!
@ShannonMorse Well it's because of my IT work that I did and do, and then with all the knowledge you share it makes me keep thinking about security!
Is there one I can use for a tablet? And I don't want anything that will copy my fingerprint. Also can I use this to login to my laptop, tablet and other devices in order to keep hackers out?