Yubikey Backups - How to TOTP Across Multiple Yubikeys
HTML-код
- Опубликовано: 11 июл 2024
- In this video, we're going to show how to create Yubikey backups - you can't 'clone' an existing Yubikey, but that doesn't mean you can't have your TOTP (Time-based One-Time Password) codes across multiple 2FA devices (not just Yubikey).
In this video, we will show how to have your 2FA codes on 3 different Yubikeys as well as Google Authenticator - very easy to do!
** CHECK OUT THE YUBIKEY CYBER MONDAY SALES! **
Product links (some are affiliate):
Yubikey 5 series: geni.us/GunRC
USB-C to USB-A adapter: geni.us/tXvIIs
-------------------------------
Buy me a beer! ko-fi.com/crosstalk
Or donate some Crypto! crosstalksolutions.com/contact/
Follow me on Twitter: @crosstalksol
Crosstalk Solutions - RECOMMENDED PRODUCTS: crosstalksolutions.com/recomm...
Crosstalk Discord: / discord
Amazon Wish List: a.co/7dRXc67
Crosstalk Solutions offers best practice phone systems and network/wireless infrastructure design/deployment. Visit CrosstalkSolutions.com for details.
Connect with Chris:
Twitter: @CrosstalkSol
LinkedIn: goo.gl/j2Ucgg
RUclips: goo.gl/g4G58M 
Наука
"I'll put a link down below to my original video", checking description, only affiliate links. Great thanks man
For durability of Yubikeys: Many seasons ago, my metal keyring broke and my years-old Yubikey was released to the wild while I was running. 4 months later as the snow melted, I spotted it on the path frozen into a muddy puddle. Still worked fine. GPG key and all. (Yes, yes, I'd already moved to a replacement HOTP + GPG set on a new Yubikey in the intervening months ;-) )
I never really thought that if you lost your yubikey that someone would might be able to change your password and use your OTP to gain access to the account if your have previously been pwnd as they can see which email address you log in with due to it being stored on the yubikey for some accounts.
@@analogdistortionYou can also set a password on the Yubikey so if the device is lost someone does not have access to the contents.
A couple of side-notes:
1) Up to a maximum of 32 TOTP codes can be saved per Yubikey. This can be a severe limitation for some people.
2) One can password protect the Yubikey in the event of loss or theft.
Great video. I spent hours looking around RUclips for this information and you laid it out properly. You probably saved me hours of downtime having been able to set up my backup key.
You can also transfer the google authenticator to your new phone through the built-in export feature. This will maintain your TOTP Keys. You will need to verify some or most, but its better than starting over.
Came here to say this as well - Three Dots in App > Transfer Accounts > Select Export/Import. Did it years ago when I switched devices.
I was gonna say that not blindly enabling a new device with all your 2FA data was a feature not a bug. Good to know they have an export feature, though.
Indeed
Used to be a diehard user of Google authenticator. Switched to Authy and it's so much better, all data securely backed up with zero knowledge based encryption to the cloud, PIN / biometric protection for the app, instant update of codes across multiple devices, super secure after turning off multiple devices option so only existing devices can allow TOTP codes. Authy is everything an authenticator app should be.
Now everything is synced on cloud
Thanks man! I looked everywhere for that explanation!
Google authenticator is allowing to move to different phone and all related account are moved to new device in 1 go. At least I did so earlier this year
Coming to this video late, it rules. Thanks so much!
I do it exactly the same as you, perfectly explained!
Nicely done - happy to buy a backup key and set it up now.
Mine has been in the washing machine twice, still works
I would not add 4 different backups like e.g. software ones since each additional backup creates an additional vulnerability in terms of hacks (software) or stealing/loosing (hardware) . I would recommend one hardware key for daily usage, one hardware key stored in a safe and handwritten recovery codes for each account at another safe place. I think 1 HW-key + 2 backups are more than enough and everything beyond this creates more risk! My humble 2 cents ;-)
Agreed. I keep my google auth codes on an back up security iPhone I keep offline. I don’t agree with the 1 time passwords to print either. to easy for hackers to get.
I use a paper backup in a secure location. You can rescan them any time you need to add them to a new device.
Brother, quick tips:
#1 - If you screenshot the QR code and save it on the same secure place as the back-up codes, you can always re-scan it when new hardware is purchased.
#2 - Put a pin/password to access those TOTPs just in case you lose the Yubikey.
I make a screenshot of the QR code and keep it in a secure note in 1Password. That way I can add keys with the same code at different times.
Saving/printing the qr allows you to add new keys later for TOTP. Doesn't have to be all at once.
Agreed. I save mine in Bitwarden for this reason and added convenience.
@@jonnyzeeee does Bitwarden allow saving the QR code images or is there another way to save it?
@@futurecactus No, BW saves a URI which includes the code you need to add an account to your 2FA app.
And even better BW preps the TOTP in your clipboard so you can paste it when prompted for it. No need to use another app.
Doesn't this start to tarnish, maybe not defeat, the purpose though? I struggle with that and backup codes... Where to store them. In Bitwarden? But I need my Yubikey to get into Bitwarden in the first place. And then if my Bitwarden is compromised, is my 2FA then compromised too?
@@fonte935 All valid points. Some would describe this as putting too many eggs in one basket. But like you said, a Yubikey and a good master password will protect your BW vault. I am comfortable with this level of security, but to each their own.
Thank you!!! It really helps
This was really usefull! thanks you!
Love your videos Sir, thank you! May I ask about the rotary telephone in the background? Does that offer a form of security from alternate forms of phones? I've actually pondered the use of a rotary phone and wondered if it's disconnected nature could be of benefit, and here you have one at your desk! Could you please elaborate? Thanks!
in fact, not only can you move google authenticator tokens over to another phone through its built in export feature
but there is also a python script that can decode the 2 codes for transfering the keys so you can then insert them onto a yubikey
thats on the one hand a nice feature, but for some cases you want only one copy, thats when the yubikey is needed ;D
Great Video!!
Great video.
You don't have to do them at the same time. Just write down the numbers. Displayed when you pick can't use qrcode. Then can be entered manually on the other keys.
Great video
Great value great product, needs accessories
It is possible to add a Ubiquiti key later on. However, you will need to take a screenshot of the QR code and save it to an SD-card, USB-stick and safely store it outside your computer. When you want to add it to a different key, just insert the storage device into your computer, fire up the authenticator and let it find the QR code on your screen. It works fine 😊
Or just Right Click on the QR Code "Save this image" :)
Couldn't you just use the secret code? If not, maybe a QR generator of the secret code?
You can also program the 2nd slot with a static password.
Hey chris you can backup/migrate google authenticator to/from one device to another.
That was a very clear explanation. For some reason, I was having issues with scanning the QR. I did not want to use my camera as it will store that photo shot on google photos and it literally can be hacked.
I have a few questions that i really need some answer and would appreciate it very much if you can help.
the first concerns backing up my iphone. I currently am using an iPhone SE 2nd ed. I thought, what if i lost this thing or it broke?? This would be devastating to me. So my question is this, Do you know if it is possible to back up an exact image of my iphone to another iphone that i have if I were to take out the SIM card and put it in this backup iphone? I am guessing it would have to have the same number as my current iphone as that is how all these algorithms are configured for TOTP using Yubico Authenticator? I want to back it up exactly like the old iphone then pull out the SIM card and put back in my current iphone. If it breaks or I lose it, I can get another SIM card from my provider and it will still have the same number.
Is there any easier way to back this up with all these codes on it? Or not?
I will send PM for the second question but it would be nice to do a video on it as no one has ever even discussed how this can be done, and it can.
Edit to say i can't submit. Just beware that Google Authenticator can be hacked from your iphone or desktop. I don't know which one, but it happened to me and it was used to steal crypto accounts and they were able to produce correct 6 digit numbers even though my iphone was never out of my possession. This is why Yubikey is an absolute neccessity.
I hit subscribe when I saw that goblet of beer.
Yubikey rocks....the only thing that sucks is many entities STILL only allow for just SMS text 2 factor (total crap as we all know) or at the very best an authenticator app. Hopefully this will change by year 2024 or so.
Yea it really shocks me that none of my banking apps allow for the use of a 2FA app.
I think Google Auth will allow you to backup TOTP to the cloud now and restore to new phones. I was able to do that with Lastpass and Google Auth when I got my Pixel 6
A couple of questions, 1. isn't it possible for a RAT malware to notice when the QR code pops up and take a screenshot without you knowing and then pass that SS onto it's control server, therefore compromising your security? 2. Same question for the backup codes which you generated, also, you said "store these codes somewhere safe" well, how can you? If they are on your computer or you copied them to the clipboard, then why can't a RAT see them or look for them anywhere you store them on your HD? 3. By backing up further with Google auth, you've just made that the weakest link in your "2FA security chain", which means there was no point to use a hardware key. If an attacker can steal the QR code your end, or the same token generated on hack the company server and find the QR code, you can be hacked using that. Therefore the Ubikey is redundant. The whole point of using a Ubikey is to not then use things like Google auth because the Ubikey keeps everything on the key and nothing goes to the website. So even if the website is hacked, no one can get into your accounts. Please let me know where I'm going wrong if you think that I am and please tell us if a RAT can just screenshot the QR or the codes and make copies of the token. Thanks.
Muy buen vídeo.. pero si pudieras traducirlo al español te lo agradecería porque es un vídeo de gran utilidad!. Un saludo.
Good video!
I've some basic question: I'm using Yubico authenticator which opens when attaching my primary Yubikey to the smartphone. How do I add a backup Yubikey to the authenticator for the case the first key get lost?
Google authenticator can transfer the codes to new phones
Google Authenticator has a Export function that generates a high density QR style code with all the codes embedded in it, you scan what with your new phone's Google Authenticator. Transfer done. Easy as pie. Been there for years (video is a year plus old at this point). Now, I doubt anything but GA can understand the format of that QR code, you also can't screenshot it, GA Export disable screenshot while its on screen.
If you scan the QR code with multiple apps, say 2 yubikeys and 1 Microsoft authenticator. When it asks for the code in the next step you can only supply one, so will it work with codes from the other apps?
Do yubikeys work with Coinbase and other exchanges when you have buy / sell limit orders set up? Will they execute?
What happens if you get a new computer, how are the codes that are on Yubikey Authenticator transferred to the new computer?
The yubico authenticator app does not store anything. The keys themselves store the TOTP details, so all that you need is to install the app on a new machine and plug in your existing key(s)
You can export all codes from google authenticator very easily as long as you have both devices just by clicking the 3 dots on the top right. You then scan a QR code on the new phone, then you get back all codes that easy.
still not as reliable as the yubikeys and if a phone breaks or gets lost theres baiscally no bvackup.
@@abcuughklkj I personally have google authenticator as a backup and in the past I lost my phone. However I exported on my ipad and if you have an old iphone you can give it extra life.
@@abcuughklkj that's why Apple for example forces you to make 2 and that is why I have 3. I hope passkeys takes off we can so we won't need a bunch of passwords
First I will recommend you Bitwarden.
Second, once you have the codes INTO yubikey authenticator... how do you use them? You didn't mention that... Do I need only the key or I must copy the code from the program?
Ok thanks
Puedo tener una sola Yubikey para controlar 3 cuentas de Gmail y 3 de binance?
Are the codes actually stored in the keys? Or just on the account you log in with your key?
The key has a public and private key. The private key stays on the device and the public key is sent to the server.
hi, i used to use sms as 2FA, and then i added a yubico 5 as another 2FA. but i only have 1 key and i didn't remove the sms from the 2FA. so i am now as weak as on SMS, is it? thanks
Does this backup method also work with passkeys?
Nice for TOTP, but whats with Fido2? Backup is more complicated, so the service needs to allow to add anothe Key pair. But do you know one?
Most FIDO2 enabled sites and services allow for multiple hardware keys. Check my recent Yubikey Bio video.
@@CrosstalkSolutions Every site except AWS!
Microsoft Authenticator allows you to backup your TOTP and restore it, I stopped using Google's for this exact reason. I formatted my old phone and soon realized everything was gone on the new phone. Luckily I had all my backup codes, but definitely did not like the experience.
Can you also make a tutorial for Binance?
I can not find the link to the original video.
is there an update on that scammer? is your airtag still sitting in that warehouse?
Will this work for the BIO series as well or just NFC?
Just NFC, the BIO model doesn't have TOTP.
Nice video overview. Unfortunately, it's difficult to use the Yubico Authenticator app if you primarily use a Chromebook. The Android app downloaded on Chromebook doesn't seem to function properly and doesn't recognize my YubiKey from the USB port. I wish there was a good solution for Chromebooks. Also, the Authenticator app on my Android phone always gives an error when trying to use NFC. So, I can really only use it by plugging a USB-C key into my phone. This all sounds like a great system in concept, but just not working well for me. Oh well.
Using a chromebook deserves penalties.
@@niktonic5379 Don't be a jerk.
@@estusflask982 It does though.
You said you have to make these keys all at once, but couldn't you just use the secret code at a later date? I see "add account" under the "scan QR code" option. I use WinAuth to back up the secret code to an encrypted file and then you keep them for a later use. You can even use otpauth format to set up some authenticators to use 8 digit code such as the one used for Battle Net. BTW, when I close my eyes, you kind of sound like John Ritter.
Are Yubikeys durable? I accidentally drove over one of mine, so Yes, Yes they are durable. (Don't try this at home, or at a friends home)
I once lost my YubiKey at one of the airport exit lanes where I used to work. When I found it the following day, I could tell by the many dents that it had been run over several times. Still works.
Where to get the software. Mentioned ubiquiti network. I cannot find it.
If you want to transfer your authenticator apps and keys from one iPhone to another, then you need to use an encrypted backup of your phone!
How do you backup Yubikey BIO?
Hey, just a note why it's actually good not to be able to "copy" your second factor like that (and why usually software solutions do not offer an easy transfer of your tokens): security. If you can copy it, everyone else can too. Even worse when you do it via a cloud service like Google.
The idea behind that second factor is to use something that's in your possession. Also a reason why a software on the same device (not talking about the yubikey solution, that requires a hardware device) doesn't make a lot of sense.
Services should offer support for more than one device if you want to do it right, or, even better, use the security codes as is. If you lost one of your keys, do you know exactly what copies it holds? You would need to cycle all accounts on it again to ensure there is not a device out there that holds your tokens.
So instead of creating copies, which is against the idea of having a second factor only once, maybe store the Backup Codes in a (digital) safe you could protect with another Yubikey. And yes, not as convenient as having a copy on multiple devices, but this should be about security.
Hi, a couple of questions for you, 1. Isn't it possible for a RAT malware to notice when the QR code pops up and take a screenshot without you knowing and then pass that SS onto it's control server, therefore compromising your security?
2. Same question for the backup codes which you generated, also, the guy said "store these codes somewhere safe" well, how can you? If they are on your computer or you copied them to the clipboard, then why can't a RAT see them or look for them anywhere you store them on your HD? I know you said something about a "digital safe" but how cna that prevent the RAT from taking the code if it appears on the sceen even for one moment?
3. By backing up further with Google auth, he's just made that the weakest link in your "2FA security chain", which means there was no point using a hardware key right? If an attacker can steal the QR code your end, or your token by hacking the company server, which must store a copy, maybe even in plain text, you can be hacked using that. Therefore the Ubikey is redundant.
The whole point of using a Ubikey is to not then use things like Google auth because the Ubikey keeps everything on the key and nothing goes to the website. So even if the website is hacked, no one can get into your accounts. Please let me know where I'm going wrong if you think that I am and please tell us if a RAT can just screenshot the QR or the codes and make copies of the token. Thanks.
1. There is always a risk when doing things online. What’s important is we acknowledge the risk and find ways to reduce or mitigate it. I use my rapsberry for that. Its connection is behind a checkpoint router hardened to allow specific ports. Connection to the internet is very limited.Its offline and in a location (point 2) unless I have to enroll additional accounts to yubikey.
2. Back up codes, qr codes ,private keys can be stored on a safe location. “Safe” is based on your risk tolerance. It could under a kitchen sink or in a safety deposit box inside a bank.
Some websites do not present a QR code so it's not possible to configure a backup. Example: FTX.
LOL this comment didn't age well.
If you use Apple 2FA authentication, your codes come with you. but tbh. Why do you have your 4 backup on google etc.? Is they idea of an YubiKey not to storing your Passwords on servers which are connected with the Internet?
Hi i was wondering. Why isnt he using the Yubikey authenticator?
Isnt that way safer then using the google one?
You’ve got it wrong with google auth. I’ve moved all my 2factors google auth codes many times with the export function. I’ve been harassed by hackers for 5 months now and they still don’t have my google auth codes. Now I just keep them all on a phone I rarely use online with Face ID.
Can you delete a yubikey and reuse it?
How do all you Yubikey users integrate them into your life? It seems like people put them on keychains they otherwise carry everyday. I don't have one of those. It needs to be with me all the time but I don't want to have to constantly remember to bring one with me. Does it make sense to stash them all over the place? One in my office, one in my backpack, one in my car? That sees like it would get my 75% of the way but then I've got multiple copies of them which seems like a vulnerability to me.
It does not seem to work the same for me as it does for you.
I wish I knew this before somebody SIM-swapped/hacked my phone carrier and hi-jacked my phone/text/email/google authenticator.
Good luck with google authenticator if you got rid of your old phone with it still active
What will happen if i loset my yubikey ?
How can i access my account
When setting up TOTP there's a whole set of backup codes to keep for safe keeping.
MS authenticator will BKUP so you can restore on new device and if you were on android so would google Auth I assume. Some people dont like that I know
What if you have a laptop and desktop? How does the authenticator app work on both?
You lost me the first thing. What is the box to the right of the screen? Where did that come from? Thank I will pass for now.
Dude. This video is super confusing. What is Ubiquity. I have yubikey. I've never seen this Ubiquity thing and I've never had to input a passcode after inserting and touching the yubikey. Where does all of this come from?
google authenticator has no backup feature so its a no for me.
That’s such a pain in the butt why don’t they just allow you to add more than one yubikey to the auth app
The problem i am seeing here is every time i have to have all 3 devices next to when i register to new account
Not fantastic secure, but most password managers support TOTP …
6:30 Microsoft auth is better than Google auth.
algorithm
Never use Google authenticator. It doesn't have password
Cost way to much.
Depends on the price of what you're trying to protect...
25 bucks? seriously?
Yeah but here's the funny thing a lot of people think that 2FA can't be hacked and yes it can it's already been hacked a couple times
So do you use that as an excuse to NOT do 2FA then? I sure hope not. "People have died in car crashes even when wearing their seat belt, so why even wear it?" Not a good argument.
Can you site some examples where the exploit didn’t involve SMS?
@@jameshuegli3534 There were a few unique cases of hacking involving sniffing TOTP from smartphone apps, but it *always* involved some sort of malware like Android trojans. And to get trojan on Android or iOS you need to install some super shady crap from super shady untrusted sources. Basically, it almost always happens via social engineering.