Been following both this account and Sailorsnubs account for a while. Not only have you completely sold me on getting a personal hardware key, but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mentioned authentication / recent events and why Yubikeys are a must for 2FA. I was like wait a minute... Hold up! This is a good example for my essay! Write this down, write this down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love
Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one and you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!
Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well vulgarised/explained while maintaining some technical information for more tech savvy people! Good job!
TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email
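The local derivation that comment describes, as an added Go example (not from the video or its author): it reads the base32 seed from a constructed otpauth:// provisioning URI like the one behind the QR code and computes the code with HMAC-SHA1 per RFC 4226/6238. The seed is the RFC's published test key, so the outputs can be checked against the RFC's vectors; nothing is sent anywhere after enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SampleURI is a constructed provisioning URI of the kind a 2FA app reads from the QR code.
// The secret is the RFC 6238 reference test key "12345678901234567890", base32-encoded.
const SampleURI = "otpauth://totp/Example:alice%40example.net?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"

// SeedFromURI pulls the shared seed out of the URI; this is the only thing ever transferred,
// and it happens once at enrolment rather than at every login.
func SeedFromURI(uri string) ([]byte, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	secret := strings.ToUpper(strings.TrimRight(u.Query().Get("secret"), "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
func HOTP(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: the counter is the number of whole time steps since the Unix epoch,
// so both sides compute the same code from the seed and a clock, with no network message.
func TOTP(seed []byte, t time.Time, step time.Duration, digits int) string {
	return HOTP(seed, uint64(t.Unix())/uint64(step.Seconds()), digits)
}

// Verify is the server side: it accepts one step of clock drift either way and compares in
// constant time so response timing does not leak which digits matched.
func Verify(seed []byte, candidate string, t time.Time) bool {
	const step = 30 * time.Second
	for _, delta := range []time.Duration{-step, 0, step} {
		if hmac.Equal([]byte(TOTP(seed, t.Add(delta), step, 6)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	seed, err := SeedFromURI(SampleURI)
	if err != nil {
		panic(err)
	}
	// RFC 6238 test vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
	fmt.Println(TOTP(seed, time.Unix(59, 0), 30*time.Second, 8))
	fmt.Println("current code:", TOTP(seed, time.Now(), 30*time.Second, 6))
}
```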
I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets. If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.
@@joseabraham777 There are two possibilities:
- you back up your 2FA data in the app to the cloud
- you use recovery keys which you can get from the site you log in to (do this before losing your phone)
@@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.
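The weakness that comment describes (short numeric codes, no lockout) beside a hardened recovery path, as an added Go example that is not from the video or any particular site: the first two functions are the guess-space arithmetic, and the store keeps hashed single-use codes with a failure cap. The 1000 guesses/s rate and the 5-attempt cap are assumed figures.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"math"
)

// GuessSpaceBits is log2 of the number of possible codes: 8 decimal digits give about 26.6 bits,
// 10 base32 characters give 50 bits.
func GuessSpaceBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// HoursToExhaust estimates a full online brute force at a sustained guess rate with no lockout.
func HoursToExhaust(alphabet, length int, guessesPerSecond float64) float64 {
	return math.Pow(float64(alphabet), float64(length)) / guessesPerSecond / 3600
}

// RecoveryStore holds only SHA-256 hashes of the single-use codes (a database leak yields no usable
// code) and a failure counter that locks the recovery path instead of bouncing to the password form.
type RecoveryStore struct {
	unused   map[[32]byte]bool
	failures int
	MaxFails int
}

// GenerateCodes makes n single-use codes of the given length from crypto/rand (base32, so they are
// easy to print and retype) and returns them together with the store the server would keep.
func GenerateCodes(n, length int) ([]string, *RecoveryStore, error) {
	if length < 1 || length > 32 {
		return nil, nil, errors.New("length must be 1..32 characters")
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	st := &RecoveryStore{unused: map[[32]byte]bool{}, MaxFails: 5}
	codes := make([]string, 0, n)
	for len(codes) < n {
		raw := make([]byte, 20) // 20 random bytes -> 32 base32 characters, truncated to length
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		code := enc.EncodeToString(raw)[:length]
		codes = append(codes, code)
		st.unused[sha256.Sum256([]byte(code))] = true
	}
	return codes, st, nil
}

// Redeem consumes a code exactly once; after MaxFails wrong guesses the path locks until the
// account owner re-verifies by another means (left to the caller).
func (s *RecoveryStore) Redeem(code string) error {
	if s.failures >= s.MaxFails {
		return errors.New("recovery locked: too many failed attempts")
	}
	h := sha256.Sum256([]byte(code))
	if !s.unused[h] { // unknown code and already-used code look the same to the caller
		s.failures++
		return errors.New("invalid or already used code")
	}
	s.unused[h] = false
	s.failures = 0
	return nil
}

func main() {
	fmt.Printf("8 digits: %.1f bits, exhausted in %.1f h at 1000 guesses/s\n", GuessSpaceBits(10, 8), HoursToExhaust(10, 8, 1000))
	fmt.Printf("10 base32 chars: %.1f bits, about %.0f years at the same rate\n", GuessSpaceBits(32, 10), HoursToExhaust(32, 10, 1000)/24/365)
	codes, st, _ := GenerateCodes(10, 10)
	fmt.Println("first code:", codes[0], "redeem:", st.Redeem(codes[0]), "again:", st.Redeem(codes[0]))
}
```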
still depends on whether people keep their device up-to-date and app(s). Apps depend on operating system and therefore device.. QR codes are not perfect either. and I wouldn't really rely on them for security. TouchID is better. It's all a stepping stone... How secure do you wanna be ??
For me, no linked videos at the end. Not sure what happened. Thank you for this content. You are the second person this week that I have seen addressing this topic. Each presentation was different, and yours more in depth on the physical keys. Thanks again.
“Use the for your most critical accounts” Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens. Hardware keys are king. I use them on any site that supports it. I also use them for ssh access to my servers.
I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.
I wish more sites would allow setting up more than one hardware key. I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.
That's funny ... We have security in the use of hardware-keys, but then we make security less useful by having "multiple copies" where "others" can get at them as well.. we THINK it's safe, but it's not. Ideally I'd be more worried if my backup will be safe.. Just because we think it's secret, doesn't mean it is... particularly when we do not have physical access. and it's stored "off site" Makes it THAT much easier for others to get.. If people are determined, they'll get it Look at what happened with Lastpass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We Need to change THAT. And until we do change, getting at security stuff will always be a problem.
Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed. For example, some sites only allow 1 hardware key to be registered… By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key. Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊
We've seen websites that offer SMS and auth app. And the more rare SMS / key combo. If you're lucky you might get a website that offers one of each method or up to TWO keys. But, my favorite sites are the ones that allow you to use ALL methods and as many as you like. One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us. Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.
This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.
@@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.
Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.
heck... should never be an "option". Generated passwords ought to be required. but alas, we have to cater for websites still that will never be 'as secure' as others.. Again, dragging through the dirt..... there is no solution .. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?
Hardware keys are a great idea in principle - but in reality, for large companies can be a nightmare to manage. Users lose their hardware keys or forget and leave them at home - so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments - I do phone apps as the primary option with yubikeys for those users who don't want to use their personal phones.
@@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - a yubikey covers those cases.
Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.
I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.
Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it
Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?
Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.
You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it. I'm not sure if using the same physical key for multiple web sites causes problems or not.
@@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.
Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services. While newer keys I got the past year or so have been
Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.
This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D
Making it easier in case one gets damaged is not my idea of security..... Each to their own, I guess, but the more we have as "backups" the less secure we will be when they are found. We think we know where they are till someone finds them. There is no solution I think.. Constant game of cat'n'mouse... The % of someone else getting access will be small, BUT it's still there.
Thanks for your content. Because of your explaining this over the yrs, I finally got my yubi key(s) several months ago along with setting up bitwarden and 2FA (at a minimum) I just wish more companies implemented hardware keys. Thanks again. 👍
Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!
the yubikey code can still be intercepted on physical push. I tried this on myself in a browser while I had a prompt asking to tap my hardware device. if a threat actor is on your computer it can be intercepted.
I'm trying to think through the scenario you described as the reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?
I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.
@@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
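An added Go example (not from the video, its author, or any vendor) of the origin binding asked about above and of the earlier comment about lookalike domains: a simplified WebAuthn/FIDO2 assertion in which the browser writes the page origin into the client data, the key signs over a hash of the relying party ID it was enrolled for, and the real site rejects anything that does not match. Domain names and the challenge are constructed placeholders; CBOR/COSE encoding, attestation and most flags are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData is built by the browser, never by the key; it records the origin the request came from.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the key: one key pair per relying party identifier (rpId).
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }
// Register creates a fresh P-256 key pair scoped to rpId and returns its public key.
func (a *Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpId] = priv
	return &priv.PublicKey, nil
}

// authData mimics authenticator data: SHA-256(rpId) || flags || 32-bit signature counter.
func authData(rpId string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpId))
	out := append(append([]byte{}, h[:]...), 0x01) // 0x01 = UP flag: the user touched the key
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}
// signedDigest is what the key signs: authData || SHA-256(clientDataJSON).
func signedDigest(ad, cdJSON []byte) []byte {
	cdh := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}
// sign is the key's side: it only holds a credential for the rpId it was enrolled with.
func (a *Authenticator) sign(rpId string, cdJSON []byte, counter uint32) (ad, sig []byte, err error) {
	priv, ok := a.creds[rpId]
	if !ok {
		return nil, nil, errors.New("key: no credential for this rpId")
	}
	ad = authData(rpId, counter)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cdJSON))
	return ad, sig, err
}

// BrowserGet models navigator.credentials.get(): the browser rejects an rpId that is not the page's
// own domain (or a parent of it), so a lookalike site cannot ask the key for the real site's credential.
func BrowserGet(a *Authenticator, origin, rpId, challenge string, counter uint32) (cdJSON, ad, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, nil, err
	}
	if host := u.Hostname(); host != rpId && !strings.HasSuffix(host, "."+rpId) {
		return nil, nil, nil, fmt.Errorf("browser: rpId %q not allowed for origin %q", rpId, origin)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad, sig, err = a.sign(rpId, cdJSON, counter)
	return cdJSON, ad, sig, err
}

// VerifyAssertion is the relying party's check against the origin, rpId and challenge it expects
// and the public key stored at registration; a response relayed from another origin fails here.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, rpId, challenge string, cdJSON, ad, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q", cd.Origin, expectedOrigin)
	}
	if want := sha256.Sum256([]byte(rpId)); len(ad) < 37 || string(ad[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(ad, cdJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("bank.example")
	ch := "constructed-challenge-1"
	cd, ad, sig, _ := BrowserGet(key, "https://bank.example", "bank.example", ch, 1)
	fmt.Println("real site:", VerifyAssertion(pub, "https://bank.example", "bank.example", ch, cd, ad, sig))
	_, _, _, err := BrowserGet(key, "https://bank-example.net", "bank.example", ch, 2) // lookalike relays the real challenge
	fmt.Println("lookalike:", err)
}
```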
The problem with hardware keys is that they don't really work well for shops where the staff are not permitted on the premises with USB devices to prevent theft of intellectual property or data...This is becoming common for product development campuses and government.
When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & YubiCo's advice & buy at least 2 Yubikeys.
But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.
Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though make sure to print out the backup one time use codes they give you during setup
I've been thinking of getting a Yubikey to protect my BitWarden vault, but the question I have is how do I set things up so if I lose the Yubikey how do I get access to the vault?
It's unfortunately not fully supported across device platforms. Like you can't use these to login from smartphones. At least not without an adapter and At least not iOS. I want this to be my only method to login. But I can't turn off other auth methods and still have my phone work
Yeah, same here. We tested this out at the company I worked for a while back, and mobile compatibility wasn't there to the point where we felt comfortable rolling it out to our users.
@@momentomori1747 My guess is a new tech will emerge to solve this. Something non USB, wireless way but to still require you to click a button to mitigate hijacking of the signal. Maybe over NFC, because Bluetooth would be impractical to always connect
@@funstuffonthenet5573 After playing with it more last night, a suitable alternative seems to be using the built-in webauthn key inside of your iOS/Mac device the same way you would use a key. I tried it out with my password manager. I went to the screen that would let me register a generic FIDO2 device and my Mac automatically offered to generate and store a key. I was able to do the same with my Android phone, but evidently iOS 14+ supports it as well. I was able to register all of my devices separately as keys, which will let me stop using any of my other 2FA methods except as a backup. I think Apple passkeys in the latest version of iOS is supposed to support syncing them to your other Apple devices, but that wasn't the case with the key from my Mac syncing to my iPad. Other than that, though, the only thing you have to consider is how you're going to log in with a new phone to register it as a valid key for the first time. Backup codes stored in a fire safe are probably the best option for that. Also a physical security key in a fire safe for logging in from new computers. My password manager lets me register up to 5 keys, so it's not an issue to register my phone, tablet, and laptop separately as keys and have a physical backup key. Worth looking into for your use case.
@@momentomori1747 Nice. Really appreciate you digging into this. A lot of helpful information in your post :) :) :). I'll definitely try to set this up. I would love to be able to turn off most modes of auth and just have yubikey for desktop and this technique you suggest for phones
One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using land line. So this prevents many useable options (like sms, totp, cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password. Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.
I have a question/scenario what about when we have automatic login for discord or slack is there an application that can sign you out automatically so it’s not saved when you login/boot again?
I remember when Cubase went with a hardware key in order to use the software. It was via the serial port, brilliant right? Internet was flooded with codes/code generators for all software - Cubase included. At the end of the day there is an input of a/many string/int. I'm only a software, okay let's emulate that device. With that said, hardware keys are crucial for top security.
I may be out of date but a yubikey is essentially just a tiny keyboard that inputs a long password when you touch the button. It appears to be the same all the time and is not a rotating code like some tokens such as RSA.
Incorrect. The yubikey comes with multiple security functions, or "protocols", to implement 2fa on whatever websites you're visiting. If a website only uses OTP, then that's what the yubikey will do. But more and more websites are implementing FIDO2/U2F instead, which does NOT print out any code. Check the link in my description or Google fido2 white paper to see more.
Thank you for your knowledge, I've been on the fence about getting a yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting It to work but I am sure I'll figure it out eventually.
Cool and all, but until the used 2fa protectable accounts/ total accounts', and Key protectable accounts/ total accounts' number does not increase, I can try to use these, but will not be able. Also some sites straight up use keys stupidly: Not as a second factor, but an alternative single, and I clearly see the possibility for that someone uses password only, and a key, and those are not protecting each other. OR I have to have another kind of 2fa so I can use my keys, but the other kind is the baseline, and I manually have to change, at every login.
Why do you need to fork out for those when you can use a cheap throwaway pendrive instead?...just need to point to the encrypted keys/login data on a specific port.
I'm the only person in my department that uses Keys (I have a Y5C NFC also set up in a locked fire safe bolted to my desk as a backup). My settings require key validation every 4 hrs on known logins, and I have a Y5C bio on a cord I leave plugged in while working at the desk, but it's attached to my phone so if I get up it will go with me, plus it requires a fingerprint.
Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because RUclips was deleting my comment. I guess we can't discuss this topic.)
Good luck using biometrics. You can not even change it If your access is compromised. (e.g. fingerprint copy) Which is a big no-no if you don't have human resource (military guard) checking the usage the interface (scanner installed at a door).
What works for gaming like Steam and Blizzard and Escape from Tarkov, and emails and stuff like that without having 100 of them? I've been looking but I haven't been able to find one to know exactly what I need and didn't want to buy the wrong one, please help me?
I was using a hardware key (can't remember which one) a few years ago, but it failed suddenly after a few months of use. I haven't tried another one since.
I like passive Phone Apps, that DON'T prompt you for a code, but rather you go into them and have to type the code on the website.. so mistaken authentication is unlikely. Also, some are easy to have on backup devices. And the best is when you DON'T have an online backup for them.
ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)
set up a pin, disable key 1 asap in account with backup key. A thief would need to know your usernames and passwords unless you have it setup where you can login just using a key then you’re screwed 😬. You really do need a second key in case of doubts
Man, I was super hacked, May 29, 2023 and I just spent my first week trying to start a Reddit channel. Dang I didn’t know that every time I turn around I see something else that could’ve possibly led to this hacker that I fought for three hours. He had all my login information and all my emails and my phone trying to save my Apple ID and everything just a fail in the end.
Websites generate Backup Codes when you enable MFA. These are only generated once so you have to copy them or print them out before leaving the setup. I've done previous video tutorials showing how to setup a yubikey which explain this process in depth. (I'd also recommend setting up a second yubikey and storing it somewhere safe in case your main one gets lost or destroyed).
What if you have employees at your organization who already detest 2FA / MFA. We're worried that if we give them a key they will just leave the key plugged into their work desktop or laptop docking station all the time. In other words what happens if someone just leaves their key plugged into a USB port every night when they leave work for the day. What about number matching MFA? I know number matching MFA isn't 100% secure either but it's probably a bit better than just MFA with an auth app or text message code.
Even if a person leaves the key inserted in their computer when they go home, someone else still won't be able to log onto the computer without the PIN & then they have to physically touch the Yubikey when asked to do so.
I love the colours on what appears to be the "Shannon Morse Edition" of the Yubikey, but it doesn't look like something Yubikey offer in their online store. What a shame. :(
Great video- So how do you prevent Google from using sms from being used? You can do it with a work account but not in public account. Would you have to use Google advance protection program on your personal account in order to prevent sms. Then you can't use an authenticator app.
So I have a question. How do I incorporate Yubikey with FIDO 2 protocol so that if something were to happen to me, my spouse could still gain access to accounts?
Only problem with this (I Like to use authenticator app for a similar reason) is that most websites will offer more than one choice for 2 factor authentication code, ie 2 Factor Authentication required do you want to use 1) authentication app, 2) email 3) or text message. Which means if my email or phone is hacked they still get in even if I have my real phone with me.
I have two yubikeys which I didn’t register at the same time. My question is: can I register them (both) anew (at the same time)? Thank you for your kind answer.
In case of phishing the attacker would be able to login though that one time. So that would still be a successful targeted attack, they would be able to collect data and/or perform certain actions.
I'm seriously curious about side-channel attacks on these and what would happen if I lost my key? if I lose my car or house key...I can replace the lock or at least pick the lock.... there has to be a way to recover from lost or stolen keys I'm sure...it doesn't make sense to use them otherwise..... AES has side channel attacks so at the very least a whitehat can be trusted to recover the account if needed....so I just wonder about how hardware key companies are dealing with lost or stolen keys...
I've explained this on previous videos but the TLDR version is: setup a second key and store it somewhere safe. If your main key gets stolen, remove it from your accounts ASAP and replace it. Also when setting up MFA or 2FA on online accounts, make sure to copy down your backup keys. These are only generated and shown once during setup and can only be used once to get back into your accounts, so they're best stored for future emergencies.
My only issue with a hardware key is having to carry it around with me all the time. I've been trying to minimize the things I carry with me, I've eliminated keys from my life, only have to take my wallet, fob for the car, and cell phone. Next car I buy, I'll eliminate the fob and I hope the local govt will set up electronic ID sometime soon so I can leave my wallet at home. One thing you didn't mention was the time based code 2FA, needing an app on the phone. No notification to intercept or email, or SMS, the bad guy would have to steal both your phone and your ability to get into it (swipe/face/fingerprint)
" I hope the local govt will set up electronic ID sometime soon" EEK! Thats a scary thought....I don't understand people like you, watch security, talk about it but totally trust your government to do it?
@@BDBD16 The govt already produces my ID, already has it in electronic form for their own use, the only difference would be to add on the standard interface to link it to phones.
Yep, these hardware keys are pretty much the same as the one-time codes on an authenticator app or the older physical authentication dongles, or the card reader authentication many banks use. It's all part of MFA. And these hardware keys should still be used with other authentication methods never alone. The trifecta in security is something you know(username/password/pin), something you have(card/token/phone authenticator etc) and something you are(biometrics). Though you will most often only encounter these in practice with just two.
Hardware keys are useless, try to lose one and tell that to AWS or any other services that use one of those to see what happens, it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home, do not trust security hardware, use a password manager instead.
Looks small, I'm usually pretty good at keeping up with things but once in a blue moon I misplace items especially small items thus I'm nervous of what might happen if I lose the physical key is there another method of accessing our accounts if we accidentally misplace it? regardless this is something I'll definitely look further into I have 2FA on all accounts but if physical hardware keys are safer I'm open to trying them instead. thanks for the info ✨🔐
I keep mine on a lanyard, but yes, once you enable 2FA, most places will provide at least one "break glass" recovery code that you can use to authenticate if you lose your YubiKey. A lot of services also let you enroll more than 1 option, so you can use a YubiKey as your primary & an authenticator app as a backup. Ideally they'll let you enroll 2 YubiKeys: 1 for your "everyday carry" and 1 as a "break glass" backup - but that's highly dependent on the service in question.
I'm wondering... if someone steals or finds a yubikey what other information do they need to use it to access your accounts? Can you repudiate a lost key, just in case, and then revert to your backup key? If so, what other info do you need to know to do so?
Will I be protected from session hijacking if I'm using a Yubikey as 2FA? It didn't get very clear if someone gets my cookies they'll be able to log in even with the key. Thank you
Great topic! I wish more companies would add this to their sites, particularly US Banks!
I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!
Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.
This is the real problem. So little support for hardware keys still.
Nah, my bank just asks for my dog’s name. I’m sure that's safe.
@@notreallyme425 I generate random strings for each one of those. They are essentially passwords so you should make them secure.
Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.
I appreciate that!
it should be a part of the device itself, inside the TPM
@@ShannonMorse so once you fail IT and this platform, when are you making a o/f ?
Thanks Shannon, I bit the bullet and used the promo code. Ordered 2 keys, one as a spare. :)
Smart!!
Been following both this account and Sailorsnubs account for a while. Not only have you just completely sold me on getting a personal hardware key but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA. I was like wait a minute... Hold up! This is a good example for my essay! Write this down Write this down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love
Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one and you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!
Yesss this is the way!
Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well vulgarised/explained while maintaining some technical information for more tech savvy people! Good job!
Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓
TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email
I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets.
If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.
But what happens if I lose access to my phone? Do the websites offer an easy way to restore my logins? I have that doubt :/
@@joseabraham777 There are two possibilities:
- you backup your 2FA data in the app to the cloud
- you use recovery keys which you can get from the site you login to (do this before losing your phone)
@@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.
still depends on whether people keep their device up-to-date and app(s). Apps depend on the operating system and therefore the device.. QR codes are not perfect either. and I wouldn't really rely on them for security.
TouchID is better. It's all a stepping stone... How secure do you wanna be ??
For me, no linked videos at the end. Not sure what happened.
Thank you for this content. You are the second person this week that I have seen addressing this topic.
Each presentation was different, and yours more in depth on the physical keys. Thanks again.
I bought two yubikeys after watching your previous videos on hardware keys, I'm excited for them to arrive!
“Use them for your most critical accounts”
Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens.
Hardware keys are king. I use them on any site that supports it. I also use them for ssh access to my servers.
I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.
Bank of America, at present, is the ONLY U.S. bank I know of that permits their customers to secure their accounts with YubiKeys.
I wish more sites would allow setting up more than one hardware key.
I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.
That's funny ...
We have security in the use of hardware-keys, but then we make security less useful by having "multiple copies" where "others" can get at them as well.. we THINK it's safe, but it's not. ideally I'd be more worried if my backup will be safe..
Just because we think it's secret, doesn't mean it is... particularly when we do not have physical access. and it's stored "off site" Makes it THAT much easier for others to get.. If people are determined, they'll get it
Look at what happened with Lastpass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We Need to change THAT. And until we do change, getting at security stuff will always be a problem.
Immediately after hearing your comment on art on the key, I grabbed mine and started looking for art supplies.
Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed.
For example, some sites only allow 1 hardware key to be registered…
By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key.
Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊
We've seen websites that offer SMS and auth app. And the more rare SMS / key combo.
If you're lucky you might get a website that offers one of each method or up to TWO keys.
But, my favorite sites are the ones that allow you to use ALL methods and as many as you like.
One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us.
Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.
This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.
Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.
@@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.
THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!
Very insightful video! Btw I ❤your sailor moon shirt it complements you and your setup beautifully ✨🤟🏾
Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.
That's correct!
YEP! the Physical is the way to go ! Don't forget to use generated passwords too !
heck... should never be an "option". Generated passwords ought to be required. but alas, we have to cater for websites still that will never be 'as secure' as others..
Again, dragging through the dirt..... there is no solution .. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?
Hardware keys are a great idea in principle - but in reality, for large companies can be a nightmare to manage. Users lose their hardware keys or forget and leave them at home - so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments - I do phone apps as the primary option with yubikeys for those users who don't want to use their personal phones.
What about those non smart phone users....yup...encountered it before.....
@@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - a yubikey covers those cases.
Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.
I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.
Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it
Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?
Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.
It's only considered _unbreakable_ at this current point in time. Like all security technology, eventually it will be obsolete.
You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it.
I'm not sure if using the same physical key for multiple web sites causes problems or not.
@@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.
Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services. While newer keys I got the past year or so have been
I do a yearly security audit to check for this. Good idea to have a different model backup key or to keep your backup codes handy in this case.
Are they the same model keys?
@@martinlutherkingjr.5582 No different models
Any time someone talks about Yubikeys, that's an instant like from me. Great video, Snubs!
Much appreciated!
Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.
@@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!
Great overview! Thank you, Shannon!
This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D
Do yourself a favor & follow YubiCo's STRONG RECOMMENDATION, go back & buy a 2nd Yubikey, in case you lose your first one.
What happens when you lose the Yubikey or it gets damaged?
Straight to prison.
You really need a second one stored off-site in case that happens. (Or tedious one-time passwords also stored off-site.)
@@BDBD16 😆
Making it easier in case one gets damaged is not my idea of security..... Each to their own, i guess, but the more we have as "backups" the less secure we will be when they are found.
We think we know where they are till someone finds them. There is no solution I think.. Constant game of cat'n'mouse...
The % of someone else getting access will be small, BUT its still there.
Thanks for your content.
Because of your explaining this over the yrs, I finally got my yubi key(s) several months ago along with setting up bitwarden and 2FA (at a minimum)
I just wish more companies implemented hardware keys.
Thanks again. 👍
YubiKey is required for me to log onto both of my computers (I don't have a so-called Smart Phone) BitWarden, GoDaddy, Yahoo, Google, Tutanota
Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!
the yubikey code can still be intercepted on physical push. i tried this on myself in a browser while i had a prompt asking to tap my hardware device. if a threat actor is on your computer it can be intercepted.
I'm trying to think through the scenario you described as the reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?
I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.
@@steamfox How can they defend against this? The middleman essentially relays everything until validated.
@@gblargg The middle-man uses a look-alike domain. So if the domain name is used in the challenge: the response won't be correct for the real website.
@@economicprisoner How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.
@@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
wish I saw your code before I bought them, but I will send it to my friend so you get credit for helping us secure our accounts!
Just this week I have started gettng my team behind hardware keys great video to link if I start getting pushback.
You'll always get pushback, make it policy if you can
Fantastic shirt! As someone who stumbled onto the video randomly, that was quite unexpected. :D
The problem with hardware keys is that they don't really work well for shops where the staff are not permitted on the premises with USB devices to prevent theft of intellectual property or data...This is becoming common for product development campuses and government.
I need this, couldn't have uploaded at a better time.
I picked a key up a long time ago. Didn't use it very much. Now I am changing my opinion. Now I just have to figure out how to activate it again.
Great video thanks 😊 Shannon hope your well
Hardware keys are neat, no doubt. But for the default user TOTP codes are recommended. Low barrier of entry, easy to explain and implement
If you have multiple computers, do you need a separate key for each device?
What happens if the key stops working or is otherwise destroyed?
When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & YubiCo's advice & buy at least 2 Yubikeys.
But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.
Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though make sure to print out the backup one time use codes they give you during setup
Great content Shannon! Super informative too!
First thing I noticed was the Sailor Moon Tee!! Love it!
This episode reminds me of that famous Hootie and the Blowfish song: "Every Time I Touch My Security Key, I Log In".
Awesome video, Snubs. I've been thinking about this more lately with what recently has come out with companies such as Tmobile and Bank of America.
I've been thinking of getting a Yubikey to protect my BitWarden vault, but the question I have is how do I set things up so if I lose the Yubikey how do I get access to the vault?
Hi! I answered this in my previous videos, 5 Myths About Yubikeys. ruclips.net/video/vjTA6DeD9y8/видео.html
@@ShannonMorse Thanks. I must have missed that video - will go watch now :)
It's best to buy 2... 1 is your primary & 1 is backup in case you lose the other. Keep 1 in your safe or somewhere secure.
@@Macleod1617 @ShannonMorse Thanks for the help. Just placed an order for two Yubikeys.
Really useful info. & I love your t-shirt! It's so cute
Thanks so much!
It's unfortunately not fully supported across device platforms. Like you can't use these to login from smartphones. At least not without an adapter and at least not iOS.
I want this to be my only method to login. But I can't turn off other auth methods and still have my phone work
Yeah, same here. We tested this out at the company I worked for a while back, and mobile compatibility wasn't there to the point where we felt comfortable rolling it out to our users.
@@momentomori1747 My guess is a new tech will emerge to solve this. Something non USB, wireless way but to still require you to click a button to mitigate hijacking of the signal. Maybe over NFC, because Bluetooth would be impractical to always connect
@@funstuffonthenet5573 After playing with it more last night, a suitable alternative seems to be using the built-in webauthn key inside of your iOS/Mac device the same way you would use a key.
I tried it out with my password manager. I went to the screen that would let me register a generic FIDO2 device and my Mac automatically offered to generate and store a key. I was able to do the same with my Android phone, but evidently iOS 14+ supports it as well.
I was able to register all of my devices separately as keys, which will let me stop using any of my other 2FA methods except as a backup.
I think Apple passkeys in the latest version of iOS is supposed to support syncing them to your other Apple devices, but that wasn't the case with the key from my Mac syncing to my iPad.
Other than that, though, the only thing you have to consider is how you're going to log in with a new phone to register it as a valid key for the first time. Backup codes stored in a fire safe are probably the best option for that. Also a physical security key in a fire safe for logging in from new computers.
My password manager lets me register up to 5 keys, so it's not an issue to register my phone, tablet, and laptop separately as keys and have a physical backup key.
Worth looking into for your use case.
@@momentomori1747 Nice. Really appreciate you digging into this. A lot of helpful information in your post :) :) :). I'll definitely try to set this up. I would love to be able to turn off most modes of auth and just have yubikey for desktop and this technique you suggest for phones
One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using land line. So this prevents many useable options (like sms, totp, cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password.
Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.
You can go one step further and get it as an implant. The key pair is generated on the chip inside your body
Got 2nd physical key like a week ago (Kensington USB-C with biometric layer) and I love it. I was finally able to add key to Windows/Outlook account!
I have a question/scenario what about when we have automatic login for discord or slack is there an application that can sign you out automatically so it’s not saved when you login/boot again?
I remember when Cubase went with a hardware key in order to use the software. It was via the serial port, brilliant right? Internet was flooded with codes/code generators for all software - Cubase included. At the end of the day there is an input of a/many string/int. I'm only a software, okay let's emulate that device. With that said, hardware keys are crucial for top security.
I would like one, but they are almost impossible to buy in the UK.
Can you explain the difference between something like Yubikey and EveryKey?
I may be out of date but a yubikey is essentially just a tiny keyboard that inputs a long password when you touch the button.
It appears to be the same all the time and is not a rotating code like some tokens such as RSA.
Incorrect. The yubikey comes with multiple security functions, or "protocols", to implement 2fa on whatever websites you're visiting. If a website only uses OTP, then that's what the yubikey will do. But more and more websites are implementing FIDO2/U2F instead, which does NOT print out any code. Check the link in my description or Google fido2 white paper to see more.
@@ShannonMorse Thank You , I will look into the new ones. The yubikeys I have are from 2012 time frame.
Thank you for your knowledge, I've been on the fence about getting a yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.
Cool and all, but until the used 2fa protectable accounts/ total accounts', and key protectable accounts/ total accounts' number does not increase, I can try to use these, but will not be able.
Also some sites straight up using keys stupidly: Not as a second factor, but an alternative single, and I clearly see the possibility for that someone uses password only, and a key, and those are not protecting each other. OR I have to have another kind of 2fa so I can use my keys, but the other kind is the baseline, and I manually have to change, at every login.
Why do you need to fork out for those when you can use a cheap throwaway pendrive instead?...just need to point to the encrypted keys/login data on a specific port.
I would be using it, but most of the critical sites I use (like my banking), do not support it.
Shannon, I love my YubiKeys. What is that full callsign on the shelf? I'm a HAM Extra! And Ethical Hacker. Oh the fun we have on the air. LOL.
I'm the only person in my department that uses keys (I have a Y5C NFC also setup in a locked fire safe bolted to my desk as a backup). My settings require key validation every 4 hrs on known logins and I have a Y5C bio on a cord I leave plugged in while working at the desk but it's attached to my phone so if I get up it will go with me plus it requires a fingerprint
What about stealing the key that validates your fingerprint. Not the finger. The auth that validates it.
More great info. Long live Yubi.
Thanks again for keeping us up-to-date on security news and info. =)
or any other brand that does this lol
Curious if I bought a USB-A security key and wanted to use a USB-A female to USB-C plain Jane adapter would this work or is it specific to the company
Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because RUclips was deleting my comment. I guess we can't discuss this topic.)
Is there a hardware key that has a self destruct feature (like a button or switch to wipe/disable it)?
Good luck using biometrics. You can not even change it If your access is compromised. (e.g. fingerprint copy)
Which is a big no-no if you don't have a human resource (military guard) checking the usage of the interface (scanner installed at a door).
What works for gaming like steam and blizzard and Escape from Tarkov, and emails and stuff like that without having 100 of them? I've been looking but I haven't been able to find one to know exactly what I need and didn't want to buy the wrong one please help me?
The physical device can be stolen, right?
Yeah. Companies should have this mandatory. No matter what job role.
Absolutes are never the solution. The security required needs to be tailored to each specific case.
Example: someone who’s job is welding or some other construction work and they never need to log into a computer at work.
@@Lucy-dk5cz I agree. Well stated.
How would this UbiKey prevent from hacker who planted malware on your machine from intercepting key/generating more auths on your behalf?
I was using a hardware key (can't remember which one) a few years ago, but it failed suddenly after a few months of use. I haven't tried another one since.
The only downside with keys is, what happens if your key gets lost, the key gets damaged, or the copper wears out?
I did a video about all of these questions! ruclips.net/video/kq1Kt__eVTU/видео.htmlsi=coRfYNjUj-8n0rJw
I like passive Phone Apps, that DON'T prompt you for a code, but rather you go into them and have to type the code on the website.. so mistaken authentication is unlikely.
Also, some are easy to have on backup devices. And the best is when you DON'T have an online backup for them.
ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)
set up a pin, disable key 1 asap in account with backup key. A thief would need to know your usernames and passwords unless you have it setup where you can login just using a key then you’re screwed 😬. You really do need a second key in case of doubts
So what happens if you accidentally damage your hardware keys ?
Backup keys and backups codes. If you want more info, I'm uploading videos about BOTH of these options in the coming weeks. Stay tuned!
Man, I was super hacked, May 29, 2023 and I just spent my first week trying to start a Reddit channel. Dang I didn’t know that every time I turn around I see something else that could’ve possibly led to this hacker that I fought for three hours. He had all my login information and all my emails and my phone trying to save my Apple ID and everything, just a fail in the end.
What happens if a key stops working? 🤔 Just about anything wears out, after all.
Websites generate Backup Codes when you enable MFA. These are only generated once so you have to copy them or print them out before leaving the setup. I've done previous video tutorials showing how to setup a yubikey which explain this process in depth. (I'd also recommend setting up a second yubikey and storing it somewhere safe in case your main one gets lost or destroyed).
What if you have employees at your organization who already detest 2FA / MFA. We're worried that if we give them a key they will just leave the key plugged into their work desktop or laptop docking station all the time. In other words what happens if someone just leaves their key plugged into a USB port every night when they leave work for the day. What about number matching MFA? I know number matching MFA isn't 100% secure either but it's probably a bit better than just MFA with an auth app or text message code.
Even if a person leaves the key inserted in their computer when they go home, someone else still won't be able to log onto the computer without the PIN & then they have to physically touch the Yubikey when asked to do so.
thank you so much. i definitely intend on getting one soon. 🔑
I've never seen a static 2FA passcode. All mine are random generated and sent to me by text.
I love the colours on what appears to be the "Shannon Morse Edition" of the Yubikey, but it doesn't look like something Yubikey offer in their online store. What a shame. :(
Great video- So how do you prevent Google from using sms from being used? You can do it with a work account but not in public account. Would you have to use Google advance protection program on your personal account in order to prevent sms. Then you can't use an authenticator app.
I've been nothing short of secure (and pleased) using my Google Titan key.
So I have a question. How do I incorporate Yubikey with FIDO 2 protocol so that if something were to happen to me, my spouse could still gain access to accounts?
Only problem with this (I Like to use authenticator app for a similar reason) is that most websites will offer more than one choice for 2 factor authentication code, ie 2 Factor Authentication required do you want to use 1) authentication app, 2) email 3) or text message. Which means if my email or phone is hacked they still get in even if I have my real phone with me.
Sailor Moon shirt = automatic upvote!!!
So hardware keys aren't 2FA? Confused... I thought they were a 'second factor'
I have two yubikeys which I didn't register at the same time. My question is: can I register them (both) anew (at the same time)?
Thank you for your kind answer.
In case of phishing, the attacker would be able to log in that one time, though.
So that would still be a successful targeted attack, they would be able to collect data and/or perform certain actions.
So how did they get through the 2 factor authentication...?
The developer accepted the request, for some reason.
How do you feel about authentication apps? My employer requires us to use one and that seems similar to me.
I'm seriously curious about side-channel attacks on these, and what would happen if I lost my key?
If I lose my car or house key... I can replace the lock or at least pick the lock....
There has to be a way to recover from lost or stolen keys, I'm sure... it doesn't make sense to use them otherwise.....
AES has side-channel attacks, so at the very least a whitehat can be trusted to recover the account if needed.... so I just wonder about how hardware key companies are dealing with lost or stolen keys...
I've explained this on previous videos, but the TLDR version is: set up a second key and store it somewhere safe. If your main key gets stolen, remove it from your accounts ASAP and replace it. Also, when setting up MFA or 2FA on online accounts, make sure to copy down your backup keys. These are only generated and shown once during setup and can only be used once to get back into your accounts, so they're best stored for future emergencies.
@@ShannonMorse That's awesome, thank you so much!!
My only issue with a hardware key is having to carry it around with me all the time.
I've been trying to minimize the things I carry with me, I've eliminated keys from my life, only have to take my wallet, fob for the car, and cell phone.
Next car I buy, I'll eliminate the fob and I hope the local govt will set up electronic ID sometime soon so I can leave my wallet at home.
One thing you didn't mention was time-based code 2FA, needing an app on the phone. No notification to intercept, or email, or SMS; the bad guy would have to steal both your phone and your ability to get into it (swipe/face/fingerprint).
"I hope the local govt will set up electronic ID sometime soon" EEK! That's a scary thought.... I don't understand people like you: watch security, talk about it, but totally trust your government to do it?
@@BDBD16 The govt already produces my ID, already has it in electronic form for their own use, the only difference would be to add on the standard interface to link it to phones.
Yep, these hardware keys are pretty much the same as the one-time codes on an authenticator app, or the older physical authentication dongles, or the card reader authentication many banks use. It's all part of MFA. And these hardware keys should still be used with other authentication methods, never alone. The trifecta in security is something you know (username/password/PIN), something you have (card/token/phone authenticator etc.) and something you are (biometrics). Though you will most often only encounter these in practice with just two.
Sounds like you might be considering a biometric implant.
Hardware keys are useless. Try to lose one and tell that to AWS or any other services that use one of those to see what happens; it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home. Do not trust security hardware, use a password manager instead.
Looks small. I'm usually pretty good at keeping up with things, but once in a blue moon I misplace items, especially small items, thus I'm nervous of what might happen if I lose the physical key. Is there another method of accessing our accounts if we accidentally misplace it? Regardless, this is something I'll definitely look further into. I have 2FA on all accounts, but if physical hardware keys are safer I'm open to trying them instead. Thanks for the info ✨🔐
I keep mine on a lanyard, but yes, once you enable 2FA, most places will provide at least one "break glass" recovery code that you can use to authenticate if you lose your YubiKey. A lot of services also let you enroll more than 1 option, so you can use a YubiKey as your primary & an authenticator app as a backup. Ideally they'll let you enroll 2 YubiKeys: 1 for your "everyday carry" and 1 as a "break glass" backup - but that's highly dependent on the service in question.
I'm wondering... if someone steals or finds a yubikey, what other information do they need to use it to access your accounts? Can you repudiate a lost key, just in case, and then revert to your backup key? If so, what other info do you need to know to do so?
Will I be protected from session hijacking if I'm using a Yubikey as 2FA?
It didn't get very clear: if someone gets my cookies, will they be able to log in even with the key?
Thank you
It's essentially a key fob, used in enterprise applications since... well, I had them in 2001, so before that :)
I'm curious if there's a disadvantage or concern that should be considered when using the "Onlykey" over, say, the yubikey?
Unsure if this was brought up, but what happens if the key breaks?
You need another way to log in.