I got one for free from WIRED and I ordered the YubiKey 5 and the Security Key! Thank you Stina! You are lovely and very talented!
Greg, same here! Thank you WIRED! Stina, kudos to you and your spouse- Yubikey is unequivocally brilliant!
Thank you for advancing humanity with your creation!
It needs to be normal indeed to have better digital security! It's however a really tough issue to solve as most people don't think they are hack worthy so they don't care too much until they do and realize too late that they do have something to protect. This whole security thing needs a massive reframe.
I bought 2 YubiKeys, as recommended & they are now paired on both of my Macs & smart-card enabled, meaning the only way I can log onto either computer is with my YubiKey; passwords no longer work. I now believe my computers are secure vs Keyloggers or other malware.
BitWarden, my Password Manager - The keys to the Kingdom are now safe & secure.
Sadly, Banks & Brokerage firms have so far refused to change their security systems to allow users the option of 2FA with Hardware.
Warm Regards from Reno, Nevada U.S.A.
I wish this would be implemented at banks here in Korea.
To get into my Korean bank online, I have to download the bank/government's security key software, download the key to my PC/USB, create a password for it, send it to my phone with menus that are completely convoluted, and then it downloads a bunch of useless security software. And when I want to use it to send money back home, I put in the security key password, then get prompted for random codes off of a printed card they gave me, and enter the security password again.
It's so convoluted. And ordering stuff online from sites involves getting a separate set of the same kinds of software again.
And I hear it’s even worse in South Korea.
security can't be easy...
Is there any way to bypass security keys like YubiKey? There has to be, and downsides to it, right?
You would need physical access to the key to get the encryption key off of it, or you need to compromise the service's servers, like Google or Facebook.
Something like Google Authenticator can be stolen, because your phone can be cloned or something. So someone could have access to your account without you knowing.
With the hardware key, there probably are measures in place to keep it from being cloned. So someone that does already have your credentials would need to physically steal your key, something you would probably notice.
Tied in with that is, that your phone is connected to the internet basically all the time. So attackers have time to try and get your keys. With a Yubikey you could only get the data while it is plugged in and someone is touching the sensor.
So, basically, you could still circumvent the key, but you would probably need physical access to it, which is hard to do, or you would need to fiddle with the service, which should be even harder. The key of the system is not that it is intrinsically uncrackable, but that doing so is basically impossible, and even more important, impossible to do automatically or on a big scale.
A trojan on your computer copying your session cookie and using your PC as a "proxy" for communication with the service in order to not set off a potential location alarm.
the primary downside is that if you lose it, you can't recover your account.
It's ironic that the original pain point -- banking -- has shunned the technology and they refuse to implement it. Anyone have a bank that allows hardware keys?
Yes, there’s one in my region here.
Sadly, my bank wants $20 for a hardware key that only works with the bank and nothing else. I can’t use any of my keys for my bank, only ones I buy from them. Sucks. I am happy that most websites take hardware keys that I bought online.
This is brilliant!
The title is misleading, it not only protects from phishing but any password-based attacks, given that your YubiKey is not compromised.
From the name I thought it was a Chinese company
Yup that's why I never got one.
Wow this just hit my feed... 2+ years later... Yubikey is actually a pretty good idea as a 2nd form of authentication.
BUT it cannot protect an idiot from a phishing attack. No doubt it can't hurt. and "might" help some people.
If you are smart enough to use 2factor authentication on your own chances are you do not need help with phishing.
Also if you follow this rule. (Never click on links to get to your finances. ALWAYS use your bookmarks (shortcuts) or saved addresses to the login pages.)
You may never be a victim of phishing.
It could though, if you use FIDO instead of OTPs
What was the price to buy the keynote at Wired UK this year?
If I am setting up my key via internet after receiving it, can someone intercept the information being downloaded on my key? Then create a copy? Use it as if it is mine, 'cause it is the same?
Yes but the hack requires a physical device that is a fake YubiKey and that device has to be physically used by the target. If you get your YubiKeys from a known authentic source you have a better chance of being safe. Nothing is 100% safe but until something like a Quantum key comes along YubiKey and other hardware keys are better than nothing. In addition there is a method of using YubiKey in common with a Password Manager and 2 step authentication that makes things a little bit harder for the hacker.
I presume you are talking about man in the middle attack, and the answer is yes, if your attacker has a key, your cookies session and probably same serial probably will act like the one you have; obviously this is hardly probable but, if your attacker has your key and a way to clone it then yes but, as a security researcher I don't know anybody or any paper about cloning a YubiKey due to its cryptographic algorithm on it and the safe methods of preserving data. In other words, you are safe for now.
Doesn't protect against session token hijacking though
Can it be set up to input your passwords?
I have been using the basic Yubico key for several years. Yubico does not store ANY passwords. It authenticates for you. For example, I use Last Pass to store and manage all my passwords and Yubico is (simply put) the gateway to authenticate it is me and that I go to the actual Last Pass server. Last Pass is password management software that works seamlessly with Yubico. Last Pass does an excellent job of organizing and storing your passwords, and will usually input your passwords in most sites. But if it does not, you will ALWAYS be able to know your password by checking in Last Pass. When you get the key, you must program it with their software which is found on the website (Yubico.com) under Support …. Downloads....Yubikey Manager. I use both and have been happy with both for years. If you use Yubikey always on the same computer or on a laptop, I recommend the nano which is very small. If you move it with you, you may want the larger one shown in the video. Last Pass only permits the registration of 5 keys. Hope this helps and lets you move forward. Larry
Douglas - The YubiKey can be programmed to emit a static password. It is one of the capabilities of the YubiKey personalization tool. The password can be up to 38 characters for version 2.2 hardware and above. I have programmed several YubiKeys this way for testing purposes, and you could come up with a strategy to use it that way if need be, such as augmentation to a basic password that you remember...
I guess I should have been more clear or specific. Ron is correct. The key can emit a static password. It also can emit an OTP password (one time password). Your question was, will it input your passwords (I assume you meant on many sites across the internet). No. It does not store individual passwords. That is where a password manager comes into play - there are many, I only use Last Pass. I set Last Pass up for Two Factor authentication. The Password Manager works like an app (or plugin) in the browser. I click on the Last Pass icon in the browser and it asks for my Master Password (static password). The key emits a static password (the one Ron mentioned) when I contact the key for 3 seconds, then Last Pass asks for the second password which is OTP, I press the key again for one second and the key emits a one time password. When that is authenticated, Last Pass is opened and I have access to every password that is used on the internet. The OTP password is different every time and changes each time it is used. Again, the key authenticates but does not store or input passwords into websites, the password manager does that. That being said, there are some partner sites and I assume Google may be one that has their own two factor authentication and the key will work. But at this time, that is not common. I should also point out that they have introduced several new keys and I have not used the 2018 keys. If you go to the website, try the "find the right key for you" and walk thru the five or so steps. They will ask you if you have a password manager. If you select no, they will list several that you can use which work with the key so that you can select one. I also use the key to log onto Windows 10. I use a few of my own characters then touch the key 3 seconds which enters the static password. That logs into Windows 10 because I set up the static password in Windows as the password.
Also, if you choose a password manager, check to see if it is compatible with the browser you use since it works like an app or plugin within the browser. I have used Last Pass with Edge, Firefox, not sure about Chrome. Best wishes, Larry
@orangepeel796 I'd look at staying away from LastPass and look at Bitwarden - open source and half 1/4 the price
Nice commercial, but I'm not interested in giving Google anything they can personally identify me with. Just about any modern Password Manager prevents phishing by saving the Username, Password, and URI
It won't stop sim swapping. Yubikey can stop sim swapping. I would consider getting one, even if you don't like Google.
@victorialadybug1 SIM swapping is of zero concern if you don't use a smartphone. And, if you are concerned about security, you don't use a smartphone.
lol i don't think you understand how security keys work. also, password managers do *not* mitigate phishing. your password could be a thousand characters long and you'd be just as vulnerable to phishing
yay!
Whatever
OWP+++
"Google, Facebook don't really care who you are", um, oh yes they do. Great product nonetheless.
I never heard of it until this year (2021). But when I did, after a bit of research, I shelled out $50 US for a Yubikey...which is in my desktop but yet to be used.
Then, I hear I need a spare. What, ANOTHER 50 bucks?
It's time to lower the price tag for universal acceptance. I can't imagine why, in mass production, this device should be so pricey. Other than greed, that is.
If YubiKeys were 3 times more, they would still be a bargain compared to having your cash assets taken from your accounts.
@azclaimjumper It would be worth the price if the technology was actually in use for more than ONE of my online accounts. And that single site is not my bank.
@Vector_Ze BitWarden, my Password Manager is locked down with my YubiKey, along with Yahoo & Google.
Both of my Macs are smart-card enabled meaning the only way I can log in is with my YubiKey; passwords no longer work.
Sadly banks & Brokerage firms have so far not allowed their customers to use a Hardware device for 2FA.
@Vector_Ze you can use the key as an authentication device as well (the OTP codes). Using the YubiKey authenticator is better because if your computer or phone gets stolen without the key nothing appears in the authenticator app. That alone makes it safer.
@einyv I bought the Yubico YubiKey 5 Nano for >$50. Sadly, the ONLY account of mine that takes advantage of it is Google! :-(
This fact is the reason I have buyer's remorse.
RE: authentication device...I know of no other use for the security key. My computer is a desktop and I do not live in a neighborhood where anyone is likely to burglarize the house...and I don't own a smartphone.
I bought it for 2FA and, as stated, the only account I have that accepts it is Google. Not my Credit Union, Amazon (where I bought it), WalMart, not even PayPal.
Actually, PayPal will utilize it, IF you have a smartphone to set up the 2FA. There is no alternative method provided to set it up.
IT DOES NOT WORK FOR ANYONE IF YOU CAN NOT SET IT UP!!!!!!!!!
NEVER TAKE ADVICE from an old woman who wears a weird hat on stage.
the key is being used to hack people's everything, the hacked code is on GitHub,
Source?
Where's your source on this? Where did you read this?