Pinning this comment so y'all can easily find my previous videos about Yubikeys! ruclips.net/video/vjTA6DeD9y8/видео.html I'm seeing the same questions several times and I answered them in this video!
Sadly MOST financial institutions do not support FIDO keys. As of now none of my banks nor credit cards nor retirement or payroll sites support hardware keys. But pointless sites like social media do...
That's the exact reason I haven't bought a Yubikey yet. My bank account is one of the least protected because banks ironically don't seem to be interested in proper security. The only account I care about which supports yubikeys is the email account, which is important but it's just a single one.
Glad you made this point. Financial services have successfully externalized all of the costs to other parties, including us, their customers. Even Bank of America's WebAuthn implementation is pathetically lazy. By contrast, gaming companies have had to bear the burden of taking calls, creating tickets and recreating state in the game. In short, cost. So, they went looking for a better answer. TL;DR - incentives are for banks, sadly, to do nothing.
@@SaHaRaSquad I would recommend getting the cheaper FIDO keys (you should have at least two.. I have 3) and experiment with them on a site you do not care about so you can test the ins and outs
That's because they gotta cater for everyone... The larger the population of users, the less secure it will have to be.. We always cater for the 'bottom line', the least secure.... The reason why banks usually won't adopt better security is "Our platform doesn't support it", or "it will be too costly". I would say it's about bloody time users got educated.... We all want banks to stop scammers for us as well, but going "so far" with anything will force users to be better. To me, that is a good thing. You can't expect a business to hold ya hand 100%..
@@Tech-geeky I am not sure I agree with your assessment. *That's because they gotta cater for everyone* Doesn't social media as well? If social media can manage to implement better security.. the banks should have no difficulty. And let us not forget: this technology is available for those that want it. The broader clueless user base is not likely to be forced to use this tech with obvious security benefits. But financial institutions seem to be purposely taking steps that make accounts "appear" secure without ACTUALLY being secure.
Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.
Hardware keys are a great idea in principle - but in reality, for large companies they can be a nightmare to manage. Users lose their hardware keys or forget and leave them at home - so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments - I do phone apps as the primary option with YubiKeys for those users who don't want to use their personal phones.
@@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - a YubiKey covers those cases.
Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the YubiKeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest they attach them to their badge keyring or home keys.
I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.
Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it
“Use them for your most critical accounts” Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens. Hardware keys are king. I use them on any site that supports it. I also use them for SSH access to my servers.
I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.
Heck... it should never be an "option". Generated passwords ought to be required. But alas, we have to cater for websites still that will never be 'as secure' as others.. Again, dragging through the dirt..... there is no solution.. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?
I wish more sites would allow setting up more than one hardware key. I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.
That's funny ... We have security in the use of hardware keys, but then we make security less useful by having "multiple copies" where 'others' can get at them as well.. We THINK it's safe, but it's not. Ideally I'd be more worried about whether my backup will be safe.. Just because we think it's secret doesn't mean it is... particularly when we do not have physical access and it's stored "off site". Makes it THAT much easier for others to get.. If people are determined, they'll get it. Look at what happened with LastPass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We need to change THAT. And until we do change, getting at security stuff will always be a problem.
Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.
TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email
I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets. If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.
@@joseabraham777 There are two possibilities:
- you back up your 2FA data in the app to the cloud
- you use recovery keys which you can get from the site you log in to (do this before losing your phone)
@@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.
Still depends on whether people keep their device and app(s) up-to-date. Apps depend on the operating system and therefore the device.. QR codes are not perfect either, and I wouldn't really rely on them for security. TouchID is better. It's all a stepping stone... How secure do you wanna be??
Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed. For example, some sites only allow 1 hardware key to be registered… By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key. Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊
We've seen websites that offer SMS and auth app. And the more rare SMS / key combo. If you're lucky you might get a website that offers one of each method or up to TWO keys. But, my favorite sites are the ones that allow you to use ALL methods and as many as you like. One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us. Are cybercrimes at the point where either phone companies or websites should be held responsible for SIM swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.
This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.
@@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.
Been following both this account and Sailorsnubs' account for a while. Not only did you just completely sell me on getting a personal hardware key, but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA, I was like wait a minute... Hold up! This is a good example for my essay! Write this down, write this down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love
Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one so you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!
Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services, while newer keys I got in the past year or so have been.
For me, no linked videos at the end. Not sure what happened. Thank you for this content. You are the second person this week that I have seen addressing this topic. Each presentation was different, and yours more in depth on the physical keys. Thanks again.
Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.
Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.
Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well popularised/explained while maintaining some technical information for more tech-savvy people! Good job!
Thanks for your content. Because of your explaining this over the years, I finally got my Yubikey(s) several months ago along with setting up Bitwarden and 2FA (at a minimum). I just wish more companies implemented hardware keys. Thanks again. 👍
ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)
Set up a PIN, and disable key 1 ASAP in the account with the backup key. A thief would need to know your usernames and passwords unless you have it set up where you can log in just using a key, then you’re screwed 😬. You really do need a second key in case of doubts
One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using a land line. So this prevents many usable options (like SMS, TOTP, the cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password. Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.
This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D
Making it easier in case one gets damaged is not my idea of security..... Each to their own, I guess, but the more we have as "backups" the less secure we will be when they are found. We think we know where they are till someone finds them. There is no solution I think.. Constant game of cat'n'mouse... The % chance of someone else getting access will be small, BUT it's still there.
Good luck using biometrics. You cannot even change it if your access is compromised (e.g. a fingerprint copy). Which is a big no-no if you don't have a human resource (military guard) checking the usage of the interface (a scanner installed at a door).
Hardware keys are useless. Try to lose one and tell that to AWS or any other service that uses one of those to see what happens; it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home. Do not trust security hardware, use a password manager instead.
I'm trying to think through the scenario you described as the Reddit compromise, which sounds to me like a man-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? Does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?
I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.
@@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
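The mechanism asked about in this thread, as an added worked example (not the video's, Yubico's or any standards body's code): the browser writes the origin it actually loaded into clientDataJSON and derives the relying-party ID from it, the key only answers for an RP ID it holds a credential for, and the relying party checks origin, RP ID hash and signature. Real keys sign with ECDSA or Ed25519; since the standard library has no such primitive, an HMAC over the same signed bytes stands in for the signature here, which is an assumption that does not change the origin-binding logic. The origins are constructed.

```python
"""Simulated WebAuthn login, legitimate and relayed through a phishing page."""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

REAL = "https://accounts.example.com"                 # constructed legitimate origin
PHISH = "https://accounts-example.com.evil.test"      # constructed look-alike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Hardware key: one credential per relying-party ID, selected by rpIdHash.
    scoped=False models a hypothetical key that ignores the RP ID, to show that
    the relying party's own checks still reject the relayed assertion."""

    def __init__(self, scoped: bool = True) -> None:
        self.scoped = scoped
        self._creds: dict = {}                 # rpIdHash -> credential key

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)          # stands in for the public key the RP stores
        self._creds[sha256(rp_id.encode())] = key
        return key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> Optional[Tuple[bytes, bytes]]:
        rp_hash = sha256(rp_id.encode())
        key = self._creds.get(rp_hash)
        if key is None:
            if self.scoped:
                return None                    # no credential for this site: the tap signs nothing
            rp_hash, key = next(iter(self._creds.items()))
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = rp_hash + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


class Browser:
    """Builds clientDataJSON from the origin the tab really loaded; page scripts cannot change it."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]

    def client_data(self, challenge: bytes) -> bytes:
        return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                           "origin": self.origin}, separators=(",", ":")).encode()


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = Browser(origin).rp_id
        self.cred_key: Optional[bytes] = None

    def verify(self, challenge: bytes, client_data_json: bytes, auth_data: bytes, sig: bytes) -> str:
        """Return 'ok' or the name of the first check that fails."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return "type"
        if cd.get("origin") != self.origin:
            return "origin"                    # browser recorded a different origin
        if bytes.fromhex(cd.get("challenge", "")) != challenge:
            return "challenge"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return "rpIdHash"
        if not auth_data[32] & 0x01:
            return "user-presence"
        expected = hmac.new(self.cred_key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected, sig) else "signature"


def legitimate_login() -> str:
    key, rp = Authenticator(), RelyingParty(REAL)
    rp.cred_key = key.register(rp.rp_id)
    browser, challenge = Browser(REAL), secrets.token_bytes(32)
    cdj = browser.client_data(challenge)
    auth_data, sig = key.get_assertion(browser.rp_id, cdj)
    return rp.verify(challenge, cdj, auth_data, sig)


def relayed_phishing_login(scoped: bool = True, swap_client_data: bool = False) -> str:
    """Attacker fetches the real site's challenge, shows it on PHISH, relays whatever comes back."""
    key, rp = Authenticator(scoped), RelyingParty(REAL)
    rp.cred_key = key.register(rp.rp_id)
    victim, challenge = Browser(PHISH), secrets.token_bytes(32)
    cdj = victim.client_data(challenge)        # origin is PHISH, whatever the page claims
    result = key.get_assertion(victim.rp_id, cdj)
    if result is None:
        return "no-assertion"
    auth_data, sig = result
    if swap_client_data:                       # attacker forges clientDataJSON naming the real origin
        cdj = Browser(REAL).client_data(challenge)
    return rp.verify(challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed, scoped key:", relayed_phishing_login())
    print("relayed, unscoped key:", relayed_phishing_login(scoped=False))
    print("relayed, forged clientData:", relayed_phishing_login(scoped=False, swap_client_data=True))
```

A TOTP code has no such binding: it is valid for any origin that forwards it within the time window, which is exactly the gap the relay exploits.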
I have a question/scenario: what about when we have automatic login for Discord or Slack? Is there an application that can sign you out automatically so it’s not saved when you log in/boot again?
Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?
Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.
You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it. I'm not sure if using the same physical key for multiple web sites causes problems or not.
@@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.
Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because RUclips was deleting my comment. I guess we can't discuss this topic.)
As I sit here in my living room, nodding my head in agreement to the statement 'hardware keys are a must', I look down and notice that I am currently wearing my green and blue yubikey socks.
I remember when Cubase went with a hardware key in order to use the software. It was via the serial port, brilliant right? The internet was flooded with codes/code generators for all software - Cubase included. At the end of the day there is an input of one or many strings/ints. "I'm only software, okay, let's emulate that device." With that said, hardware keys are crucial for top security.
The YubiKey code can still be intercepted on physical push. I tried this on myself in a browser while I had a prompt asking to tap my hardware device. If a threat actor is on your computer it can be intercepted.
Try using a hardware key without a mobile phone. Big Tech wants your IMEI number for authentication and cross-device tracking - locking down the individual to specific hardware. Then there are the number of companies that simply don't support hardware token based 2FA. I know of one bank that doesn't even allow complex long passwords! A small amount of research seems to suggest that the reason 2FA is being advertised and pushed isn't for your security. It's for tracking who you are and what you do - especially those companies who don't allow 2FA without involving a mobile device
For all those who haven't seen or subscribed to the Alliance for Responsible Citizens, check it out. A great start to ARC..... Thank you Jordan Peterson and all the others involved in bringing this alliance to the world. This (ARC) is what we desperately need. Genuine facts and leadership. Now it is up to us, the public, to do our part. Spread the word, help grow the "Alliance for Responsible Citizenship", and do YOUR part to help bring about a better, more positive world for all of humanity. Put an end to the dystopian vision offered by the elites of Davos and the WEF gang. Bring individual freedom and responsibility back to the forefront of a free and prosperous society. Thank you.
I love the colours on what appears to be the "Shannon Morse Edition" of the Yubikey, but it doesn't look like something Yubikey offer in their online store. What a shame. :(
Thank you for your knowledge. I've been on the fence about getting a Yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.
I would add as a massive one to these other attacks what happened to the LastPass dev that they just revealed. Their DevOps engineers were using two-factor via the Microsoft app request instead of requiring a security key. A keylogger installed via what seems to be a rogue Plex server download or Plex server insecurity copied the password on the dev's personal computer, and they pushed an MS app auth request to the engineer, who accepted it. LastPass says in response to that breach: "We enabled Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident." What?! So now they'll look at running malware on the phones to get the PINs. WHY NOT USE THE KEYS?!?! Yubikey auth would have stopped this one!
@SME Pictures sure, but the difference is on the other side. Pressing accept on a prompt or having numbers flash on your phone is able to be seen/pushed/stolen by others without you doing anything if they have the right malware. Not the same for you taking a security key, inserting it into the device, and pressing the button. You can't screen capture or keylog that physical action.
Recently the Microsoft Authenticator app has started asking for a 2-digit PIN instead of just asking to accept, in most cases. The PIN is shown on the website you are logging into. When the request arrives at the app, the app asks for the PIN to be able to accept the request. I think that might be what they mean. This way you can't unintentionally accept a request that someone else made, because you don't even know the PIN that you are supposed to enter to accept it. The attacker can't even spam you with requests and make you eventually accept to make it stop, because you don't even know the PIN.
In case of phishing the attacker would be able to login though that one time. So that would still be a successful targeted attack, they would be able to collect data and/or perform certain actions.
When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & Yubico's advice & bought at least 2 YubiKeys.
I like passive phone apps that DON'T prompt you for a code, but rather you go into them and have to type the code on the website.. so mistaken authentication is unlikely. Also, some are easy to have on backup devices. And the best is when you DON'T have an online backup for them.
Man, I was super hacked, May 29, 2023, and I had just spent my first week trying to start a Reddit channel. Dang, I didn’t know that every time I turn around I see something else that could’ve possibly led to this hacker that I fought for three hours. He had all my login information and all my emails and my phone; trying to save my Apple ID and everything was just a fail in the end.
Great video. So how do you prevent Google from allowing SMS to be used? You can do it with a work account but not in a public account. Would you have to use the Google Advanced Protection Program on your personal account in order to prevent SMS? Then you can't use an authenticator app.
I have two YubiKeys which I didn’t register at the same time. My question is: can I register them (both) anew (at the same time)? Thank you for your kind answer.
But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.
Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though make sure to print out the backup one time use codes they give you during setup
Even if you have these keys, if you allow your machine to be infected with malware, bad actors can steal the session cookie and use it as if you had logged in on their computer. So even these keys are not safe. It adds an extra layer of difficulty.
I'm the only person in my department that uses keys (I have a Y5C NFC also set up in a locked fire safe bolted to my desk as a backup). My settings require key validation every 4 hrs on known logins, and I have a Y5C Bio on a cord I leave plugged in while working at the desk, but it's attached to my phone so if I get up it will go with me. Plus it requires a fingerprint.
@@Tech-geeky Of course I'm kidding. I'd have to keep them in a freezer and wait for them to thaw every time I wanted to login to GMail. Who has time for that?
Hi Shannon, like I mentioned in another video, using your code I got $10 off because I bought 2 YubiKeys!! But I bought these because I thought this could unlock my cell from a camera scan vs. USB plugged into my MacBook Air 2 with fingerprint. I don't want to set up through the MacBook with fingerprint to open my wallet, and if I die my daughter knows my wallet password but doesn't have my fingerprint!! Can't I set up the YubiKey through the MacBook Air 2 camera scan?? If so, do you know a safe QR code app that won't steal or store my code to steal my wallet?
Physical security keys are the future. Just like your car and house keys, you'll have a Yubikey to login to your accounts. Yubikeys could even be used with smart locks to replace your car and house keys.
lmao, car and house keys are becoming obsolete with smart locks. You don't need a key to open your car anymore, you use a keyless fob. You also don't need a key to start your car anymore. Your comparison doesn't make sense.
Developers need to be able to tap into the TPM module for security checks. It would accomplish the same thing without the need of a lanyard of hard tokens.
Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!
@@AnthonyGoodley You're welcome! Don't feel too bad about this one. When Twitter announced it and put up the alerts about it, it was so badly communicated to end-users that many of them would have reached the same conclusion you did when it was spelled out right to them. This led to a large amount of prominent Twitter users misunderstanding and reporting what you just did, which snowballs and propagates that misinformation. I think the other reason it was so believable was the logic that people wondered why Twitter thought people would want to pay for a less secure 2FA option. Which is a fair question. Why would they do that? It came down to cost-cutting to lower their bill with Twilio whenever any user would use SMS 2FA and most users not understanding the distinction.
Hi Shannon! Your videos are awesome. I would like to ask: if a few people are using the same account, then should they have their own YubiKey? Or can they borrow it from me once I log in to the account? Also, does the YubiKey need to be inserted into the device to stay logged in on the account? Thank you in advance!
I may be out of date but a yubikey is essentially just a tiny keyboard that inputs a long password when you touch the button. It appears to be the same all the time and is not a rotating code like some tokens such as RSA.
Incorrect. The YubiKey comes with multiple security functions, or "protocols", to implement 2FA on whatever websites you're visiting. If a website only uses OTP, then that's what the YubiKey will do. But more and more websites are implementing FIDO2/U2F instead, which does NOT print out any code. Check the link in my description or Google the FIDO2 white paper to see more.
Cool and all, but until the ratio of 2FA-protectable accounts to total accounts, and of key-protectable accounts to total accounts, increases, I can try to use these but will not be able to. Also some sites are straight up using keys stupidly: not as a second factor, but as an alternative single one, and I clearly see the possibility that someone uses password only, or a key only, and those are not protecting each other. OR I have to have another kind of 2FA so I can use my keys, but the other kind is the baseline, and I manually have to change it at every login.
I've been thinking of getting a YubiKey to protect my Bitwarden vault, but the question I have is how do I set things up so that if I lose the YubiKey I can still get access to the vault?
Great topic! I wish more companies would add this to their sites, particularly US Banks!
I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!
This is the real problem. So little support for hardware keys still.
Nah, my bank just asks for my dog’s name. I’m sure that's safe.
@@notreallyme425 I generate random strings for each one of those. They are essentially passwords so you should make them secure.
What about those non smart phone users....yup...encountered it before.....
@@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - the a yubikey covers those cases.
Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.
I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.
Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it
"Use them for your most critical accounts"
Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens.
Hardware keys are king. I use them on any site that supports it. I also use them for ssh access to my servers.
I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.
Bank of America, at present, is the ONLY U.S. bank I know of that permits their customers to secure their accounts with YubiKeys.
Thanks Shannon, I bit the bullet and used the promo code. Ordered 2 keys, one as a spare. :)
Smart!!
YEP! the Physical is the way to go ! Don't forget to use generated passwords too !
heck... should never be an "option". Generated passwords ought to be required. but alas, we have to cater for websites still that will never be 'as secure' as others..
Again, dragging through the dirt..... there is no solution .. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?
I wish more sites would allow setting up more than one hardware key.
I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.
That's funny ...
We have security in the use of hardware-keys, but then we make security less useful by having 'multiple copies' where 'others' can get at them as well.. we THINK it's safe, but it's not. Ideally I'd be more worried about whether my backup will be safe..
Just because we think it's secret, doesn't mean it is... particularly when we do not have physical access and it's stored "off site". Makes it THAT much easier for others to get.. If people are determined, they'll get it
Look at what happened with Lastpass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We Need to change THAT. And until we do change, getting at security stuff will always be a problem.
Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.
I appreciate that!
it should be a part of the device itself, inside TPM
@@ShannonMorse so once you fail IT and this platform, when are you making a o/f ?
TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email
I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which, as you said, cannot be intercepted provided you are smart with your secrets.
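To make the point in the two comments above concrete, here is an added example (not code from the video, the thread, or any authenticator app) of what actually happens after the QR code is scanned: the app keeps the seed and computes each code locally with HMAC-SHA1 over the current time step (RFC 4226 / RFC 6238), so nothing is sent to the phone at login time. The `otpauth://` URI and its base32 secret are constructed sample values, and the verifier shows the drift window a server typically allows.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed enrolment URI of the kind a site encodes into its QR code.
# The secret is the base32 form of a sample seed, not a real account's.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30"
)


def seed_from_otpauth_uri(uri: str) -> Tuple[bytes, int, int]:
    """Pull the shared seed, digit count and period out of an otpauth:// URI.
    This is the only moment the secret crosses from the site to the app."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR payloads drop the padding
    seed = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return seed, digits, period


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time, computed locally."""
    if at is None:
        at = int(time.time())
    return hotp(seed, at // period, digits)


def verify_totp(seed: bytes, code: str, at: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.
    Comparison is constant-time so timing does not leak the expected code."""
    if at is None:
        at = int(time.time())
    step = at // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, step + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    seed, digits, period = seed_from_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print("current code:", totp(seed, period=period, digits=digits))
```

The `hotp` and `totp` functions reproduce the published RFC test vectors (seed `12345678901234567890`, SHA-1), which is the quickest way to confirm an implementation before trusting it with real seeds.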
If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.
But what happens if I lose access to my phone? Do the websites offer an easy way to restore my logins? I have that doubt :/
@@joseabraham777 There are two possibilities:
- you backup your 2FA data in the app to the cloud
- you use recovery keys which you can get from the site you login to (do this before losing your phone)
@@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.
still depends on whether people keep their device and app(s) up-to-date. Apps depend on the operating system and therefore the device.. QR codes are not perfect either, and I wouldn't really rely on them for security.
TouchID is better. It's all a stepping stone... How secure do you wanna be ??
Immediately after hearing your comment on art on the key, I grabbed mine and started looking for art supplies.
Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed.
For example, some sites only allow 1 hardware key to be registered…
By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key.
Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊
We've seen websites that offer SMS and auth app. And the more rare SMS / key combo.
If you're lucky you might get a website that offers one of each method or up to TWO keys.
But, my favorite sites are the ones that allow you to use ALL methods and as many as you like.
One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us.
Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.
This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.
Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.
@@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.
THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!
Been following both this account and Sailorsnubs account for a while. Not only have you just completely sold me on getting a personal hardware key but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA. I was like wait a minute... Hold up! This is a good example for my essay! Write this down Write down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love
Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one and you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!
Yesss this is the way!
This episode reminds me of that famous Hootie and the Blowfish song: "Every Time I Touch My Security Key, I Log In".
Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services. While newer keys I got the past year or so have been
I do a yearly security audit to check for this. Good idea to have a different model backup key or to keep your backup codes handy in this case.
Are they the same model keys?
@@martinlutherkingjr.5582 No different models
For me, no linked videos at the end. Not sure what happened.
Thank you for this content. You are the second person this week that I have seen addressing this topic.
Each presentation was different, and yours more in depth on the physical keys. Thanks again.
Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.
That's correct!
Any time someone talks about Yubikeys, that's an instant like from me. Great video, Snubs!
Much appreciated!
Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.
@@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!
Yeah. Companies should have this mandatory. No matter what job role.
Absolutes are never the solution. The security required needs to be tailored to each specific case.
Example: someone whose job is welding or some other construction work and they never need to log into a computer at work.
@@Lucy-dk5cz I agree. Well stated.
I bought two yubikeys after watching your previous videos on hardware keys, I'm excited for them to arrive!
Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well vulgarised/explained while maintaining some technical information for more tech savvy people! Good job!
Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓
Thanks for your content.
Because of your explaining this over the yrs, I finally got my yubi key(s) several months ago along with setting up bitwarden and 2FA (at a minimum)
I just wish more companies implemented hardware keys.
Thanks again. 👍
YubiKey is required for me to log onto both of my computers (I don't have a so-called Smart Phone) BitWarden, GoDaddy, Yahoo, Google, Tutanota
Great overview! Thank you, Shannon!
ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)
set up a pin, disable key 1 asap in account with backup key. A thief would need to know your usernames and passwords unless you have it setup where you can login just using a key then you’re screwed 😬. You really do need a second key in case of doubts
One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using land line. So this prevents many useable options (like sms, totp, cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password.
Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.
You can go one step further and get it as an implant. The key pair is generated on the chip inside your body
This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D
Do yourself a favor & follow YubiCo's STRONG RECOMMENDATION, go back & buy a 2nd Yubikey, in case you lose your first one.
To sum up the video.... 2FA is not secure.... Use 2FA instead....
Got 2nd physical key like a week ago (Kensington USB-C with biometric layer) and I love it. I was finally able to add key to Windows/Outlook account!
First thing I noticed was the Sailor Moon Tee!! Love it!
Just this week I have started getting my team behind hardware keys, great video to link if I start getting pushback.
You'll always get pushback, make it policy if you can
Great video thanks 😊 Shannon hope you're well
I need this, couldn't have uploaded at a better time.
Very insightful video! Btw I ❤your sailor moon shirt it compliments you and your setup beautifully ✨🤟🏾
I picked a key up a long time ago. Didn't use it very much. Now I am changing my opinion. Now I just have to figure out how to activate it again.
Hardware keys are neat, no doubt. But for the default user TOTP codes are recommended. Low barrier of entry, easy to explain and implement
What happens when you lose the Yubikey or it gets damaged?
Straight to prison.
You really need a second one stored off-site in case that happens. (Or tedious one-time passwords also stored off-site.)
@@BDBD16 😆
Making it easier in case one gets damaged is not my idea of security..... Each to their own, I guess, but the more we have as "backups" the less secure we will be when they are found.
We think we know where they are till someone finds them. There is no solution I think.. Constant game of cat'n'mouse...
The % of someone else getting access will be small, BUT it's still there.
Good luck using biometrics. You can not even change it If your access is compromised. (e.g. fingerprint copy)
Which is a big no-no if you don't have a human resource (military guard) checking the usage of the interface (scanner installed at a door).
Hardware keys are useless, try to lose one and tell that to AWS or any other services that use one of those to see what happens, it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home, do not trust security hardware, use a password manager instead.
I'm trying to think through the scenario you described as the reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?
I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.
@@steamfox How can they defend against this? The middleman essentially relays everything until validated.
@@gblargg The middle-man uses a look-alike domain. So if the domain name is used in the challenge: the response won't be correct for the real website.
@@jamesphillips2285 How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.
@@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
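The thread above (and the earlier comment that a look-alike phishing site "won't allow authentication, because the domain does not match") is easier to follow with the data flow spelled out. This is an added simulation, not code from the video, the FIDO specifications or any key vendor: a toy authenticator, the browser's part of `navigator.credentials.get()`, and the site's verification step. The site names are constructed, and an HMAC with a per-credential key stands in for the real ECDSA key pair so the example runs with the standard library only; what it shows faithfully is which values get bound into the signed message and where each side refuses a relayed login.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# Constructed scenario: the real site and a look-alike page used as a relay.
REAL_RP_ID = "bank.example"
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy FIDO2 key: each credential is scoped to one RP ID, and the key
    only ever signs for the RP ID the browser hands it."""

    def __init__(self):
        self._keys = {}      # rp_id -> per-credential key (stand-in for a private key)
        self._counters = {}  # rp_id -> signature counter

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)  # a real key would return a public key here
        self._keys[rp_id] = key
        self._counters[rp_id] = 0
        return key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._keys.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        self._counters[rp_id] += 1
        # authenticatorData = rpIdHash || flags (user present) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", self._counters[rp_id])
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(auth: Authenticator, page_origin: str, requested_rp_id: str, challenge: str):
    """Browser side: refuse RP IDs that are not a registrable suffix of the
    calling page's host, and write the page's real origin into clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"{page_origin} may not use rp_id {requested_rp_id!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = auth.get_assertion(requested_rp_id, sha256(client_data))
    return client_data, auth_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying party: check type, challenge, origin and RP ID hash before the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # the "domain does not match" check
        return False
    if auth_data[:32] != sha256(REAL_RP_ID.encode()):
        return False
    expected = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def legitimate_login() -> bool:
    auth = Authenticator()
    key = auth.register(REAL_RP_ID)
    challenge = os.urandom(16).hex()             # issued by the real site
    client_data, auth_data, sig = browser_get(auth, REAL_ORIGIN, REAL_RP_ID, challenge)
    return rp_verify(key, challenge, client_data, auth_data, sig)


def relayed_login() -> str:
    """A relay forwards the real site's challenge through the look-alike page."""
    auth = Authenticator()
    key = auth.register(REAL_RP_ID)
    challenge = os.urandom(16).hex()             # fetched from the real site by the relay
    # 1. The look-alike page asks for the real RP ID: the browser refuses.
    try:
        browser_get(auth, PHISH_ORIGIN, REAL_RP_ID, challenge)
        return "browser did not enforce rp_id"
    except PermissionError:
        pass
    # 2. It asks for its own RP ID: the key holds no credential scoped to it.
    try:
        browser_get(auth, PHISH_ORIGIN, "bank-login.example", challenge)
        return "authenticator released a credential to the wrong rp_id"
    except LookupError:
        pass
    # 3. Even a signed message carrying the relayed challenge names the
    #    look-alike origin in clientDataJSON, so the real site rejects it.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(REAL_RP_ID, sha256(forged))
    if rp_verify(key, challenge, forged, auth_data, sig):
        return "relying party accepted a foreign origin"
    return "rejected"
```

The answer to "how does the USB device know where the challenge is coming from?" is that it does not need to: the browser, not the page, fills in the origin and enforces the RP ID, and the site checks both before it even looks at the signature. A relay can forward the challenge, but it cannot make the browser lie about the origin or make the key sign for a domain it was never enrolled with.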
I have a question/scenario: what about when we have automatic login for discord or slack, is there an application that can sign you out automatically so it's not saved when you login/boot again?
Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?
Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.
It's only considered _unbreakable_ at this current point in time. Like all security technology, eventually it will be obsolete.
You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it.
I'm not sure if using the same physical key for multiple web sites causes problems or not.
@@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.
I somehow ended up with 8 (eight) Ubikeys, don't ask me how 😅
I've been nothing short of secure (and pleased) using my Google Titan key.
Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because RUclips was deleting my comment. I guess we can't discuss this topic.)
Fantastic shirt! As someone who stumbled onto the video randomly, that was quite unexpected. :D
Really useful info. & I love your t-shirt! It's so cute
Thanks so much!
wish I saw your code before I bought them, but I will send it to my friend so you get credit for helping us secure our accounts!
As I sit here in my living room, nodding my head in agreement to the statement 'hardware keys are a must', I look down and notice that I am currently wearing my green and blue yubikey socks.
It's essentially a key fob. Used in enterprise applications since.. well I had them in 2001, so before that :)
I remember when Cubase went with a hardware key in order to use the software. It was via the serial port, brilliant right? Internet was flooded with codes/code generators for all software - Cubase included. At the end of the day there is an input of a/many string/int. I'm only a software, okay let's emulate that device. With that said, hardware keys are crucial for top security.
the yubikey code can still be intercepted on physical push. I tried this on myself in a browser while I had a prompt asking to tap my hardware device. if a threat actor is on your computer it can be intercepted.
Try using a hardware key without a mobile phone.
Big Tech wants your IMEI number for authentication and cross device tracking - locking down the individual to specific hardware.
Then there are the number of companies that simply don't support hardware token based 2FA. I know of one bank that doesn't even allow complex long passwords!
A small amount of research seems to suggest that the reason 2FA is being advertised and pushed isn't for your security. It's for tracking who you are and what you do - especially those companies who don't allow 2FA without involving a mobile device
(Timestamp for me)
1:43 username + password
2:15 biometrics
3:12 2FA
4:03 Hardware Keys
Thank you so much!!!
Can you explain the difference between something like Yubikey and EveryKey?
For all those who haven't seen or subscribed to the Alliance for Responsible Citizens, check it out. A great start to ARC..... Thank you Jordan Peterson and all the others involved in bringing this alliance to the world. This (ARC) is what we desperately need. Genuine facts and leadership. Now it is up to us, the public, to do our part. Spread the word, help grow the "Alliance for Responsible Citizenship", and do YOUR part to help bring about a better more positive world for all of humanity. Put an end to the dystopian vision offered by the elites of Davos and the WEF gang. Bring individual Freedom and responsibility back to the forefront of a free and prosperous society. Thank you.
I love the colours on what appears to be the "Shannon Morse Edition" of the Yubikey, but it doesn't look like something Yubikey offer in their online store. What a shame. :(
Thank you for your knowledge, I've been on the fence about getting a yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.
Great content Shannon! Super informative too!
I would add as a massive one to these other attacks, what happened to the LastPass dev that they just revealed. Their devops engineers were using two factor of the Microsoft app request instead of requiring a security key. A keylogger installed via what seems to be a rogue Plex server download or Plex server insecurity copied the password on the dev's personal computer and they pushed an MS app auth request to the engineer, who accepted it.
Last pass says in response to that breach: "We enabled Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident." What?! So now they'll look at running malware on the phones to get the pins. WHY NOT USE THE KEYS?!?! Yubikey auth would have stopped this one!
I just read about that last night!
@SME Pictures sure, but the difference is on the other side. Pressing accept on a prompt or having numbers flash on your phone is able to be seen/pushed/stolen by others without you doing anything if they have the right malware. Not the same for you taking a security key, inserting it into the device, and pressing the button. You can't screen capture or keylog that physical action.
Lastpass' day is over. I have moved on.
recently the Microsoft Authenticator app has started asking for a 2 digit PIN instead of just asking to accept, in most cases. the PIN is shown on the website you are logging into. when the request arrives at the app, then the app asks for the PIN to be able to accept the request. i think that might be what they mean. this way you can't unintentionally accept a request that someone else made, because you don't even know the PIN that you are supposed to enter to accept it. the attacker can't even spam you with requests and make you eventually accept to make it stop, because you don't even know the PIN
LMAO, yeah that is on the Engineer who accepted the push not a flaw in MFA.
In case of phishing the attacker would be able to login though that one time.
So that would still be a successful targeted attack, they would be able to collect data and/or perform certain actions.
If you have multiple computers, do you need a separate key for each device?
What happens if the key stops working or is otherwise destroyed?
When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & YubiCo's advice & buy at least 2 Yubikeys.
I like passive Phone Apps, that DON'T prompt you for a code, but rather you go into them and have to type the code on the website.. so mistaken authentication is unlikely.
Also, some are easy to have on backup devices. And the best is when you DON'T have an online backup for them.
Oh thank God I thought I was compromised! I've had a yubikey for years!
good to set up a Voice Mail PIN too.
and yet none of these companies will ever allow these to be used with any product because they don't really care about your data and its security.
Man, I was super hacked, May 29, 2023 and I just spent my first week trying to start a Reddit channel. Dang I didn't know that every time I turn around I see something else that could've possibly led to this hacker that I fought for three hours. He had all my login information and all my emails and my phone trying to save my Apple ID and everything just a fail in the end.
Great video Shannon - on the subject of accidentally losing this key... what do you do then? Can you buy them in pairs so you always have a spare?
Hey, I did a video about this! ruclips.net/video/0iq0BgiKlWM/видео.htmlsi=bH7HqS8xGnVOAZZc
I would be using it, but most of the critical sites I use (like my banking), do not support it.
Great video- So how do you prevent Google from using sms from being used? You can do it with a work account but not in public account. Would you have to use Google advance protection program on your personal account in order to prevent sms. Then you can't use an authenticator app.
thank you so much. I definitely intend on getting one soon. 🔑
I have two yubikeys which I didn't register at the same time. My question is: can I register them (both) anew (at the same time)?
Thank you for your kind answer.
But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.
Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though make sure to print out the backup one time use codes they give you during setup
Even if you have these keys, if you allow your machine to be infected with malware, bad actors can steal the session cookie and use it as if you had logged in on their computer. So even these keys are not safe. It adds an extra layer of difficulty.
blaming user error on the software is like saying "Locks don't work because if you gave the key to a criminal they could open the lock"
I'm the only person in my department that uses Keys (I have a Y5C NFC also set up in a locked fire safe bolted to my desk as a backup). My settings require key validation every 4 hrs on known logins and I have a Y5C bio on a cord I leave plugged in while working at the desk, but it's attached to my phone so if I get up it will go with me, plus it requires a fingerprint
I prefer to use someone else's finger. That way I can keep it in a locked box in a secure location. 😆
lmao wat
😆 did I read that correctly?
@@Tech-geeky Of course I'm kidding. I'd have to keep them in a freezer and wait for them to thaw every time I wanted to login to GMail. Who has time for that?
I'm curious if there's a disadvantage or concern that should be considered when using the "Onlykey" over say the yubikey?
Hi Shannon, like I mentioned in another video, using your code I got $10 off because I bought 2 yubikeys!! But I bought these because I thought this can unlock my cell from a camera scan vs USB plug into macbook air2 fingerprint. I don't want to set up through macbook with fingerprint to open my wallet, and if I die my daughter knows my wallet password but doesn't have my fingerprint!! Can't I set up yubikey through macbook air2 camera scan?? If so, do you know a safe QR code app that won't steal or store my code to steal my wallet?
Physical security keys are the future. Just like your car and house keys, you'll have a Yubikey to login to your accounts. Yubikeys could even be used with smart locks to replace your car and house keys.
lmao, Car and House Keys are becoming obsolete with smart locks. You don't need a key to open your car anymore, you use a keyless fob. You also don't need a key to start your car anymore. Your comparison doesn't make sense.
Developers need to be able to tap into the TPM module for security checks. It would accomplish the same thing without the need of a lanyard of hard tokens.
I would like one, but they are almost impossible to buy in the UK.
Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!
So hardware keys aren't 2FA? Confused... I thought they were a 'second factor'
How do you feel about authentication apps? My employer requires us to use one and that seems similar to me.
Shannon, I love my YubiKeys. What is that full callsign on the shelf? I'm a HAM Extra! And Ethical Hacker. Oh the fun we have on the air. LOL.
More great info. Long live Yubi.
Thanks again for keeping us up-to-date on security news and info. =)
or any other brand that does this lol
Thank you so much for this amazing video! A bit off-topic, but I wanted to ask: My OKX wallet holds some USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How can I transfer them to Binance?
Thanks Shannon!
The fact that Twitter is forcing users to either pay for Twitter Blue or else you must remove 2FA is unbelievable.
This is not true. Twitter is only forcing you to pay to use SMS 2FA, not other forms of 2FA. TOTP and hardware keys are still possible for free.
@@dj_chateau Thanks for correcting me. I will research this further.
@@AnthonyGoodley You're welcome! Don't feel too bad about this one. When Twitter announced it and put up the alerts about it, it was so badly communicated to end-users that many of them would have reached the same conclusion you did when it was spelled out right to them.
This led to a large amount of prominent Twitter users misunderstanding and reporting what you just did, which snowballs and propagates that misinformation.
I think the other reason it was so believable was the logic that people wondered why Twitter thought people would want to pay for a less secure 2FA option. Which is a fair question. Why would they do that? It came down to cost-cutting to lower their bill with Twilio whenever any user would use SMS 2FA and most users not understanding the distinction.
Hi Shannon! Your videos are awesome. I would like to ask if a few persons are using the same account, then should they have their own yubikey? or can they borrow it from me once I login to the account? Also does the yubikey need to be inserted in the device to stay logged in on the account? Thank you in advance!
Yubikey (and all other hardware keys) *are* 2FA.
I may be out of date but a yubikey is essentially just a tiny keyboard that inputs a long password when you touch the button.
It appears to be the same all the time and is not a rotating code like some tokens such as RSA.
Incorrect. The yubikey comes with multiple security functions, or "protocols", to implement 2fa on whatever websites you're visiting. If a website only uses OTP, then that's what the yubikey will do. But more and more websites are implementing FIDO2/U2F instead, which does NOT print out any code. Check the link in my description or Google fido2 white paper to see more.
@@ShannonMorse Thank You , I will look into the new ones. The yubikeys I have are from 2012 time frame.
Awesome video, Snubs. I've been thinking about this more lately with what recently has come out with companies such as Tmobile and Bank of America.
Cool and all, but until the used 2fa protectable accounts / total accounts, and Key protectable accounts / total accounts numbers increase, I can try to use these, but will not be able to.
Also some sites are straight up using keys stupidly: Not as a second factor, but as an alternative single one, and I clearly see the possibility that someone uses password only, and a key, and those are not protecting each other. OR I have to have another kind of 2fa so I can use my keys, but the other kind is the baseline, and I manually have to change, at every login.
Sometimes fingerprints just don’t work so I wouldn’t want to be limited to needing it for validation.
I've been thinking of getting a Yubikey to protect my BitWarden vault, but the question I have is how do I set things up so if I lose the Yubikey I can still get access to the vault?
Hi! I answered this in my previous videos, 5 Myths About Yubikeys. ruclips.net/video/vjTA6DeD9y8/видео.html
@@ShannonMorse Thanks. I must have missed that video - will go watch now :)
It's best to buy 2... 1 is your primary & 1 is backup in case you lose the other. Keep 1 in your safe or somewhere secure.
@@Macleod1617 @ShannonMorse Thanks for the help. Just placed an order for two Yubikeys.
The physical device can be stolen, right?
They are what is called phishing resistant 2FA