Thank you for the video. I'm in the IT industry and to be honest, I wasn't sure what I needed to do with the key or how it works. So, that is kind of embarrassing to say. But, I guess once you do this once, then it's pretty straightforward from there on. Thanks for the explanation, makes sense!
Hey, glad I could help! 😎
Surprised to see this in the open world... we cannot log in to our work servers without them. Good review as always mate.
I understand the touch is required when USB plugged in. Does the NFC work without any touch of the gold button?
Yes, no need for touch with NFC.
Hi Andy, are you only using one Yubikey or did you purchase another as a backup? I have an iPhone 11 Pro and was wondering if I should just get the Yubikey 5 NFC version as opposed to the 5Ci, which has a Lightning connection at one end and USB-C at the other. The one you demonstrated looks more robust. Do I really need to buy a backup key?
Yubikey actually sent me the 5Ci to try and it's pretty good. I'm lucky then as I have all types covered now... I guess only you will know which is more useful to you. If your PC has a Type C on it, maybe the 5Ci is the better choice for you?
AndroidAndyUK do you prefer NFC or physical plug in ?
@Gadgetdad007 It doesn't really bother me... NFC is possibly more reliable in my experience though, I guess, but then it's limited to what devices it works with.
Super video, thanks mate! Will be looking into this in more detail now. I'm really tight with my security, privacy and safety with all of the accounts I use.
Glad it was helpful!
Question: Once you have registered the Yubikey 5 nano on your laptop (or any of them) are you good to go, or do you need to go to each individual app, email account and website and register them with your key individually? And how do you register the 5 NFC on your Android?
You have to attach it to each account. Once it's attached, you're done. So, I add it to my Google account, any phone I log in on, I then use the key to authorise.
@AAUK Thanks! I added my Outlook on Chrome with both the nano 5 and the 5 NFC, but when I tried to open it on Firefox it said it didn't recognize either key.
Does the key work on any computer or just the computer you work with? You said to get a second key, so that means that you go through the same process as with the first key? Does the key work on your computer and protect everything on it?
It works on any computer. Yes, add a second key in a similar way. No, it doesn't protect the computer at all, it protects your accounts 👍
Got one and indeed very easy to use. Not sure how you set up the backup key however??? I did get one but am not sure how to program it..
Nice vid, good info. What's your wallpaper background, if I may ask?
Thanks for watching. Sorry, I don't remember where the wallpaper came from...
Interesting video. I have one of these keys, Yubikey 5 Fido, top of the range. Works well on a Windows laptop, cannot get it to work with NFC on an Android phone. 'Something went wrong, please try again', says Google. Any suggestions? Have restarted, cleared cache, history etc., swapped browsers on both phone and laptop.
No sorry, I don't know what this would be.
Your phone might not be NFC compatible.
Nice review. Just the info I was looking for.
I wouldn't say it's hard to set up, just that the lack of built-in support in apps and websites is very limiting. I was hoping to unlock my phone or use it to access banking apps... nope, not an option.
Great video, I think YubiKey should try and introduce long phrase texts for a backup (that can be encrypted and stored by sysadmins at work for the business version) and a secondary key that requires fingerprint-tied authentication for regular users as a backup.
If you care about security and privacy, then may I suggest Linux? I ditched Windows 2 years ago and don't regret it for a moment, not even when it comes to gaming.
Personally I'm not so bothered about privacy (but then I am all over RUclips I guess!) but security should be everyone's concern. A good point though, although I've always struggled any time I try and use Linux 🙁
Does it support Snapchat and Instagram ?
Yes, I agree you should only allow the key to be the 2FA; remove the number 2FA.
Hmm, I don't think those two use 2FA.
To have other 2FA active when using Yubikey is rather pointless is it not? As it still keeps the possible area of attack larger than it has to be.
You can only have one or the other as the default 2FA.
Leaving SMS 2FA defeats the purpose of having a security key. Leaving a backdoor isn't good. Download the backup codes and put them on a thumb drive.
Can one stick be used on multiple Gmail, Twitter etc. accounts? Or do you need a separate stick for each Gmail account or whatever multiple accounts on the same platform?
No, one stick for all accounts is fine 👍
I am assuming this Yubikey will not be able to stop a mobile phone SIM swap?
Can you rephrase the question? As it stands, you're asking if this key will stop someone taking a SIM out of their phone and putting a different one in? No, it can't stop that.
If you're asking about SIM cloning, yes, it will stop that as long as you use the Yubikey and not a text authentication.
@AAUK Hi Andy, yes I was asking if it will stop someone texting or calling up my mobile phone company and requesting them to send them a SIM with my current number.
People, don't use SMS 2FA, that is very weak: someone else can call the phone company claiming to be you ("losing" your phone) and they get a replacement SIM, getting all your SMS verification. It happens VERY often.
Well explained, thank you.
Would you not recommend turning off text messaging for two-step authentication if you have the Key? or would it require both to get in, not just SMS messaging?
Hi, I think I did recommend turning off SMS authentication too. You're only as strong as your weakest auth method.
Jack Kerrison, use an authentication app instead of text msg’s anyway. Google have one, 1Password app also has one. 👍🏻🙂
Richard Barnes But would G keep your password? Who’s to say they don’t?
@zerokool-2058 Reasonably sure no big tech security companies keep your password. They keep a hash of it.
urbex2007, I don’t get what you mean at all. My 1Password app is FaceID and password protected. If you stole my iPhone, you wouldn’t unlock it to start with so I don’t know what you mean here.
Holy crap man. Thanks for review.
Can you buy a replacement key when you lose one even if you have a backup key, so you'll always have 2 keys? Or do I need to buy a new set of 2 keys which will be different?
I don't get what you mean by buying a replacement? You can't replace the lost one directly I don't think as that would rather defeat the purpose surely? If someone can get a different key and access your accounts?
You can buy a second key, attach it to accounts and keep it locked in a safe and use that if you lose the first.
Yes, you can buy another one and register it to your account. While you're at it registering, you might as well delete the data that corresponds to the key that you lost.
Great review, most helpful.
Thanks, glad I could help 😎
What's the point when you can just press cancel and pick another way to log in? Seems like a massive flaw to me (looking at the Google example in this video).
As said in the video, remove the ones that you don't want as your security is only as good as your weakest barrier. Pretty simple. You control that yourself.
I've been trying to get my Yubikey 5 NFC to work on mobile via the LastPass password manager, and it keeps asking for my master password to log in. I was hoping to either just be able to use the NFC button, or require both the password and the button, but that doesn't seem to be working. Not sure what I am doing wrong.
Isn't it a LastPass Premium feature? :)
You said they can phish your password and 2fa of 6 digits...
Can't they do the same with your USB input, redirecting the code of your Yubikey to the target site?
I would assume the fake website won't know the key that the real website provides in order to generate the authentication, so I guess not. (Or something along those lines.)
No, because the fake site has a different name and doesn't have your public key (which was created when you added the Yubikey on the original site at the beginning), so the Yubikey will not give the correct answer to the fake site.
@signumtemporis3596 Thanks a lot for the clarification!
So, the six-digit 2FA can be evaded by transporting the six digits I type from the phishing site to the real site, but the Yubikey cannot be fucked this way, right?
@signumtemporis3596 I'm not well informed on this kind of topic but I try to use logic:
I was thinking that the phishing site can be made by taking the Yubikey request from the real website and redirecting it to the phishing site, so the Yubikey on the fake site will be authenticating the real public key, so the attacker can redirect the auth to the real website and log in on my behalf.
@tilde3904 The Yubikey will not speak to the fake site, because the browser always gives the Yubikey the real site name, and the fake site cannot have a name exactly identical to the real one. There is a chance that you will have some 0-day in your browser, and then it will give false information to the Yubikey, but in most cases the protection works.
Well, if someone beats you up on the street, steals your Yubikey and forces you to reveal your password, he will also get access to your account, but this is less likely than finding a phishing site on the internet :)
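The thread above asks why a relayed six-digit code works for a phisher while a relayed security-key response does not. The Python below is an added illustration, not code from the video or from Yubico: it models the WebAuthn/FIDO2 flow in which the browser, not the web page, fills in the origin and relying-party id, and the server rejects an assertion whose origin does not match its own. An HMAC over a per-site secret stands in for the key pair (a simplification, labelled as such in the code); the domains `example.com` and `example-login.test` are constructed, and the RFC 6238 TOTP routine is included only to show the contrast with a code that carries no origin.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse


def rp_id_from_origin(origin: str) -> str:
    """The browser derives the relying-party id from the page's domain.
    The page cannot choose it; that is the property the thread discusses."""
    return urlparse(origin).hostname


class Authenticator:
    """Toy security key: one credential per rp_id, created at registration.
    SIMPLIFICATION: an HMAC over a per-site secret stands in for the FIDO
    key pair; a real key signs with a private key that never leaves it."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret  # the server stores this as the credential verifier

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # no credential for this domain: the key stays silent
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(secret, rp_id_hash + client_data_hash, "sha256").digest()
        return rp_id_hash, sig


def browser_get(key: Authenticator, page_origin: str, challenge: str):
    """What the browser does for navigator.credentials.get(): it writes the
    origin into clientData itself; the page only supplies the challenge."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    result = key.get_assertion(rp_id_from_origin(page_origin),
                               hashlib.sha256(client_data).digest())
    if result is None:
        return None
    rp_id_hash, sig = result
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash, "signature": sig}


class RelyingParty:
    """Server side: issues challenges and verifies assertions."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self.credential = None
        self.pending = None

    def register(self, key: Authenticator):
        self.credential = key.register(self.rp_id)

    def new_challenge(self) -> str:
        self.pending = secrets.token_urlsafe(32)
        return self.pending

    def verify(self, assertion) -> bool:
        if assertion is None or self.credential is None:
            return False
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("challenge") != self.pending:   # replay protection
            return False
        if client_data.get("origin") != self.origin:        # defeats a relayed login
            return False
        if assertion["rpIdHash"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                                      # signed for another site
        expected = hmac.new(
            self.credential,
            assertion["rpIdHash"] + hashlib.sha256(assertion["clientDataJSON"]).digest(),
            "sha256",
        ).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the kind of code an authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def scenario_genuine_login() -> bool:
    """User visits the real site: the assertion verifies."""
    rp, key = RelyingParty("https://example.com"), Authenticator()   # constructed
    rp.register(key)
    return rp.verify(browser_get(key, "https://example.com", rp.new_challenge()))


def scenario_relayed_fido():
    """A look-alike page (constructed domain) relays the real site's challenge.
    Returns (no credential for that domain, credential exists but origin differs)."""
    rp, key = RelyingParty("https://example.com"), Authenticator()
    rp.register(key)
    phish = "https://example-login.test"
    silent = rp.verify(browser_get(key, phish, rp.new_challenge()))
    key.register(rp_id_from_origin(phish))  # even a key enrolled at the look-alike
    mismatched = rp.verify(browser_get(key, phish, rp.new_challenge()))
    return silent, mismatched


def scenario_relayed_totp() -> bool:
    """The same relay against a six-digit code: nothing binds it to an origin."""
    secret, now = b"12345678901234567890", 1_700_000_000   # constructed values
    typed_on_lookalike_page = totp(secret, now)
    return totp(secret, now) == typed_on_lookalike_page      # server accepts it
```

The three checks in `RelyingParty.verify` (challenge, origin, rpIdHash) are the same ones a real WebAuthn server performs; the look-alike page fails the origin check even when the user has enrolled the same key there, whereas the TOTP string verifies wherever it is typed.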
Got a question: I have a Yubikey series 5 but was thinking about getting another one as a backup. How do I go about setting up the second one?
You just add it as you did the first.
My Moto G7 [Android] does not support NFC. What other device do you recommend?
You can get a version with USB Type-C which works great 👍
what to do if you lose the key or it is destroyed?
Use your backup method.
Talking of Amazon, you can't use it with them. I shop with them regularly and am very annoyed. It's not True Key compatible either, can it get any worse?
I was looking to buy one of these for enhanced security but now I'm not so sure. Really disappointed that it requires a backup method such as text message codes. It basically means if any would-be intruder tried to access an account they would just go straight to SIM swapping or tricking my carrier into giving them access. It also sucks if you want to move away from things such as Microsoft or Google authentication. Let me, the customer, risk losing my data - it's mine after all. So instead of an enhanced security method it becomes more of an enhanced "convenience" method, having a key next to you instead of having to find a code.
The best backup is using a second key. Next best is one time recovery codes you put in a safe place. Requiring SMS codes to be sent to your phone # is stupid and hopefully most apps will allow you to kill that option or not even offer it.
Thanks for this, helped a lot :)
Glad it helped 👍
Recommending a security product without understanding it doesn't seem to be a good recommendation.
As said to someone else. I don't know how a mobile phone works... I don't need to know. I explained roughly how this works, that's enough for me.
@AAUK Well then why even make a video like this if you don't care about security? "I don't need to know, I just stick this USB in and it works"...
@hedicha How does that mean I don't care about security? One does not equal the other.
Keep getting error in communication on my android phone
Why use the Yubi key if you also have SMS and Google Authenticator setup on the same site... as you said yourself, security is only as strong as the weakest you setup.
noticed that 'Yubico' is spelled wrong in the video title, if you can update.
why isn't your name "andyroid"?
🤣🤣🤣
I don’t get it.... it just something to bypass my password and what if I lose it? Or my gf get it on my desk?
It's 2FA. You enter a password, and then you need to prove you're "you" by using this key.
Damn good socks
We can see your real email in the video :). You can use service like SimpleLogin to generate a random email address to avoid revealing your real one.
Maybe it is a one-time address.
Lol, says that text messaging is useless and should buy the yubikey. Then proceeds to have text messaging as a backup for the google account
1) I don't recall ever saying it was 'useless'. Please provide time stamp 2) Stated a few times you're only as strong as your weakest option and you should really remove the weaker ones.
Unfortunately ALL websites demand a phone number or authenticator app to be set up alongside the hardware key. So it CAN ALWAYS be taken over. So unless websites let us use only hardware keys, they are just for convenience :(
@urbex2007 I'm too lazy to clarify things about law, so I'll trust you on that :) It doesn't change anything about Yubikey and similar being just a convenience and not something that increases security. I wish they would clarify it in ads, because I always need to explain it to my coworkers and friends who overheard something.
I'm using my Yubi to unlock a password manager app with a static password and sometimes for 2FA - if taking out the phone is too much effort, lol :)
So it's just a 2-factor authenticator? I can use my phone; still not worth 50 bucks then. I thought it could log in to my Windows without me needing to type in my password -.-
Working as an IT system administrator, I have an HP notebook with a fingerprint sensor and I need to lock my PC every time I leave my place and log back in after I'm back, and the fingerprint sensor just fucks me up because the sensor accepts my fingerprint with max. 10% success, and on Windows you have 3 attempts until it forces you to type in your PIN or password.... After years it just pisses me off. Is there nothing like in modern cars with a keyless function or something?? You just need to have the key in your pocket, and after you move away from the PC it should auto-lock the system, and if you're near it should auto-login.... This would be so perfect... just that would make me happy. Nice to have would be this:
We have a lot of VMs and client PCs and a TON of passwords to manage all day.... just 1 fucking tool for everything... a master key which can auto-login to all the systems we have in a secure way, this is my dream xDDD I'm tired of searching for all the passwords in our database with 10 other administrators filling it up with their stupid minds...
For example: someone else among us sets up an Exchange server and gives it a password and saves it in our password database with the name "E-Mail Server Password". I don't know the password because he set it up by himself, but the next day a customer has trouble with his email account and I need to check the Exchange server, so I first need to search for the password to log in to the server to help the customer. So I look in our database for the keyword "Exchange" but I can't find it because the other admin saved it under another keyword, "E-mail Server"....
Shit like this costs a lot of time.
text messaging is the weakest link. sim swap.
How to back up your key to a second key?
The secret cannot be read by the user so Yubico can sell you more keys and waste your time. Look into Trezor if you want to back up your secret but are ok with only having 1 key active at a time (you can restore it with a 12 word seed + passphrase). If anyone gets ahold of your Trezor they can steal the seed but not the passphrase. I haven’t tried it but Trezor is the only security key I’ve come across that offers some way to back up the secret.
3:30 actual start
Ff to 3:45 for the info, everything before that is fluff..