Public key security is awesome. Phil Zimmermann and others changed the world. God bless them. God bless you and your team, Naomi. You bring good knowledge to many seekers. Thank you.
I completely agree with this video. I setup a security key 4 years ago; plus a spare along with a security key compatible password manager. No regrets so far.
100%, I set them up and I am late to the game, total game changer, well worth it. Every site and everyone should have these in todays world of rampant fraud and scams.
I appreciate this video about security keys, you made it seem very simple. I think I am finally convinced to take the plunge, although password managers and security keys seem harder to implement when families are involved with shared passwords and access like they are in my household. I guess that sharing just makes the security more important, but it requires changing some habits as well as adding some new technology like security keys.
I have used yubikeys for years... Everyone should do the same, in fact some of my relatives and friends are going to receive yubikeys as Christmas' present.
That's only one thing I can say about this video, AMAZING, I have never thought about security on that way, it's shocking when you realize that you're unprotected
Man that was an incredible video great job! I am working on a video on my channel, wherein I had a dream where my son leaked all of my passwords and began the process of figuring out what to do, I think the more appropriate thing to do is to take measures before it goes that far. I have MFA enabled on most websites I use, but I need to increase the security on many others. Thanks so much for the video!!
I have thought about this level of security for quite some time. After this review, I think it’s an important addon to consider. I think I will order a Yubi
What happens when the security key malfunctions? To fix this two or more security keys should be made registered where either one of them can be used to unlock the user from the mess.
I was also worried about this... What if I loose it, or it is damaged... Will I be locked out of my accounts? Naomi didn't mention if there was a seed phrase or something similar to use to recover if those scenarios happen.
That's why they said to get multiple keys. Having a seed phrase somewhere is a risk. If one key breaks or gets lost, you can use the other. If you register multiple keys to an account, you can use any of them to access it.
Thank you sooooo much for doing this video! I use 2FA on my of my accounts but my old email was hacked recently, and it was devastating. I saw this security key option on some accounts, but it was very confusing. I will be ordering one of these options directly from the supplier tonight. Thank you again for helping to keep us safe.
@@edwardmacnab354 : The problem with have a code sent to a smart phone is, if I am outside my home country I don’t use my phone because of the high roaming cost. I once had to open my phone, in a different country, and after being closed for a month I received hundreds of emails and notices that were “parked” because the phone was closed. It cost me a fortune just to use my phone for five minutes. With email, I can use WiFi on my iPad to receive the authorization code without any cost. Using your cell phone is fine if you are within your provider’s territory.
@@Itsme-vo4fx I have two situations where my bank AND microsoft on windows 11 will not allow email or landline but only text and I do not have a mobile device that receives text. I have a landline that does not do text . Also, thanks for the heads up on that "parked" dam burst overcharge situation . with the backed up email . Terrible !
Excellent video and couldn't have come at a better time as I've just received a set of security keys but have not set them up yet. I have read online of people using the same code to register their main as well as backup keys while in the video, the backup key is registered with a different code from the main key. Maybe seasoned security key users here might be able to comment on which method is better? Or maybe it doesn't make a difference?
Naomi! I love your videos on security issues, always well researched and clearly presented. I’m hoping you will do an in depth video on PASSKEYS soon!?!? any clues as to when we can expect this? 🙏
Thanks...I got a Yubikey a couple of years ago and it wound up being more of a pain than anything else. Not really the key's fault but the number of websites that didn't support 2FA via a security key. Most of them did support one or more authenticator apps so that is the way I've gone when I could and SMS when that is the only thing available. Now If I could just get the rest of them to move away from re-Captcha
Yubikey 5 supports TOTP, which are the authenticator app codes. You can use it those as long as you have the Yubico app that supports them. That being said, I still think even the more basic Yubikeys are worth it for protecting your most sensitive accounts (email, password manager, bank if you can). Even if most regular things don't support it, the important things do, and that's what matters imo.
Great video. I have been using Yubikey on critical accounts for a while now and it helps me sleep at night. Still shocks me that Bank of America only allows 2FA via SMS or email. I have written the angry emails but they don’t care.
Every bank I've used has only ever allowed SMS as 2FA. It REALLY makes me mad, and I don't understand how institutions that handle sensitive, financial information don't have security keys or, at the very least, OTPs as a method of 2FA.
You didn't discuss the most important issue: compatibility with web sites that the individual needs to use. The much larger challenge is for web sites, enterprises, services, etc. to adopt a given mechanism for individuals to use for 2FA. What good is any of these security keys of web sites don't offer it as an option for 2FA? At the end of the video around 17:00, you briefly discuss this, but you could enhance the discussion by addressing the various protocols and the problem that, even if a web site offers security key 2FA, the problem is compatibility and support of specific systems and protocols.
You can't state it enough. You need to be as secure as you can make yourself online. No one is going to take care of your online presence if you don't do it yourself. You may be just one fish in a huge ocean, but there are many people just looking for an opening to take whatever they can get from as many people that they can to benefit themselves. So, using any extra security just makes sense, even though it may be sometimes annoying to have to use it. Once you start using extra security and get used to using it all the time, you will not notice that inconvenience anymore. It'll just be habit.
I too was also a Contractor for many years in the communications industry. I literally got to install the very first real time Packet Sniffing Server on the West Coast of Canada Friday the 8th 2001. At that time the Co that i worked for handled about 99% of the Data on and off Vancouver Island British Columbia Canada. The Black box was mandated to be installed in every head end in Canada that sold the internet or lose the ability to sell the internet. Mandated by the CRTC just before 911. Funny part of that story i helped install that Black box Friday and then Tuesday this group of people flew planes into building and life changed for everyone almost instantly. Pretty funny story when only a couple of us new that 1/2 mill box was sitting in our head end. The going joke back then when someone was standing next to it.. We would mutter.. That's one hell of a Black Box. As of late we have been told that the federal police in Canada's Communications network is now compromised by overseas Countries, last week we were told that all Video surveillance security devices in North America also compromised. My bet is not one chip shipped in the last 50 years would not pass the new inspection process. Pretty funny story Bro.
I allways wanted to get a Key, but was overwhelmed by all the information, thanks for clearing this very important topic for nubs like me greeings form Switzerland
Reflections and observations.... 1) Showstopper bugs as more of these are deployed. Emergency patches for your little key. 2) Your primary and backup both get stolen/damaged/lost, especially when traveling internationally. 3) The joy of dealing with logins when traveling after both keys, for whatever reason, choke. 4) Designing security that relies on cheap, fragile dubious hardware. 5) Hacks to work around the root cause, which are operating systems that have horrible, creaking architectures baked in which invite endless flaws and bugs (0 day exploit du jour). 6) Making the login process so tedious and annoying that people just start avoiding doing business online as the overhead, stress and drama is intolerable. 7) You need a trusted friend or family member to log into your account during an emergency (like being detained by authorities in some borderline police state) and they have confiscated your keys. You are so screwed. The examples given above are all based on real events encountered over the years in my job. I've been in the computer security business for a long time. It continues to devolve. Hacks on top of hacks.
I'm halfway through Cory's "Attack Surface", so I'm inclined to believe you. Plus the other peeps above who mention the Security Keys are only ever an "option" for websites, with the fallback being phone text or email, which seems to render these keys of very little actual use.
Please start a channel ! ALSO--- I'm going to use phone text verification for all my online banking transactions , it seems reasonable but then, the bank gives me no other option anyway. I cannot say how well this works as I haven't even set it up yet . I wish I could just mail cash to people , far less risky !
I have a variety of devices on several platforms and the one that makes me hesitant about the YubiKey is the support for USB-C iPads isn't great. It's an Apple problem, not a Yubico problem, but still something to consider.
As far as I know, banks in India provide only SMS based 2FA, which is highly insecure and most government bodies don't have any form of 2FA at all. If they do, it's only SMS based 2FA again. 2FA and security in India really needs a big boost.
@@catchnkill Yeah that's not what I meant. I meant that you can't register to a site by giving them a public key so then only someone with the corresponding private key could then login to that account.
The main problem of these keys is that 1) it's physical, 2) you becomes a kidnapping target, 3) a criminal can cut your finger off to get easy access to all your accounts. And since these devices uses biometric data, it can be easily spoofed since apps like tiktok among others already have your biometric data (eyes, face and fingers). Another big issue with "security keys", if your biometric data leaks out, I can use that to have access to ALL YOUR ACCOUNTS. When your password leaks out, all you have to do is to change it. When your biometric data leaks out, what are you gonna do? Change your finger/eyes/face? These devices might look secure but ISN'T.
I THINK this dude might just be trolling, but just to clarify for anyone reading this: With the exception of a few specific models of Yubikeys that do have a fingerprint reader, MOST of those security keys shown in this video do NOT have fingerprint sensors. Those circular gold contacts you see are simply just capacitive buttons to press in order to verify a human being is there using it on purpose. No biometrics are involved unless you specifically buy a Yubikey model that has one built-in.
i saw a project a long time ago about fake fingers that can trick biometrics into thinking its a real finger(and be registered as a valid finger) that way you can have biometrics without using any of yours, you can even go further and register one of your real finger as a panic button if you are held at gun point or someone use either your finger or a copy of your print so that either the device get cleaned or open a session with all you encrypted data hidden via steganography depending on your treat models( e.g you live in a nation-state where you don't have a right to not self incriminate)
Although it's true that being a physical item makes it vulnerable to losing it or getting stolen, this is basically the same as your other physical keys as well (from your house or your car). Because of that it's recommended to have more than one key, so you don't lose access to your accounts. And you're wrong saying that if you someone steals you key, they get instant access to all your accounts. This is an additional layer of security (unless we're talking about passwordless, but the implementation is very limited for now), they still need to know your password, and unless you use the same password for everything (bad idea btw), they still have "work" to do before owning all your accounts. And about being a kidnapping target only for using security keys, that doesn't make any sense. Nothing prevents that someone kidnap you to force to give them all your credentials and money or extort your family to getting more money, but they also get exposed to getting on jail. Most of the security attacks are done remotely and on a large scale (not diriged).
Very interesting videos about security. I have one doubt though: I feel these keys are really secure against online threads, but aren't they much less secure physically? I mean, what if your children take it while you're sleeping to buy stuff online? Or worse, why if during a break at work, you leave it plugged in your laptop and a college or boss use it to spy on you? My examples are quite simple, but I suspect there're some potential risks there, at least from a first look at it.
Well even if they had the yubikey they would need to have access to your open computer with an open email right? Just remember to log out and it is fine.... And if this still concerns you, get a bio yubikey that requires a fingerprint too
With the increasing number of websites that mandate you to download an app on your phone, and then scan an on-screen QR code for authentification, there needs to be a safer alternative for those who don't want the risk of a phone app. One better way of doing this would be a dedicated device, or just an updated login key device, that would have a camera that would allow to scan on-screen QR codes.
Год назад
Yubico's website suggested the bio series don't have PGP. I'm confused.
Thanks again for the great information! So do I understand that correctly that to back up your login method in case you lose/break your key, you still need a different (ideally 2FA) method to log in? (Be it another key, TOTP etc)
Yes. Backing up your 2FA is indeed a problem few people talk about. This area is where authenticator-apps based schemes actually have an advantage: most offer to back up your set of TOTP settings & secrets automatically & regularly. However, those backups have to be stored in a safe way, too. As for hardware tokens: I have several friends that actually have two sets of tokens: one for daily use, carried around with them; and another one for backup purposes, stored somewhat safely but still easily accessible. For each new site they want to access they enroll both hardware tokens. If you don't have any type of backup of your 2FA device/software, you implicitly rely on the site's password recovery functionality - and all the insecurity that might entail (mostly a question of how secure your email account is). Then again, I don't know a lot of sites that actually allow you to disable password recovery functionality for your account. It's all a bit… meh.
I would go with Series 5 if you can afford it. I bought two simple keys and one lightning key. You want to get at least two keys, the cheaper keys are worth it, any key is better than no key. I have 1 master key and two backup keys. I setup them up on my main providers Google, Apple, Facebook. Everything else I use an authentication app. Be aware only certain keys support the Yubico key authentication app (silly but true), so if you want to is their app, get a key that support which is typically the series 5 keys. I think every key should have access to the app.
It seems like the Webauthn passwordless technologies such as Apple Passkey eliminate the need for hardware keys such as the ones made by Yubico, at least for individual users. Do you agree?
I have to use a Yubikey hack via Yubico Authenticator for my banks ancient Symantec VIP. Ive been hassling them for years to implement Yubikey for their logins !
at 16:41 you say that if your key is lost/stolen, you just log into the affected accounts and delete that key. So I assume you have to use the backup key to log in, right? Thanks.
Now if they could make one with builtin key fob ability and schlag door locks that support ncf and fido and then just slap an airtag key chain on it and it would be the only thing and your phone you'd have to go out the door with.
Minute 16:30 if someone steals my bag that has my laptop and authentication key. How can I log into my account from somewhere else when I don't have the key and I didn't make a backup?
Good idea, perhaps I'll put out a supplementary video. In the meantime, whichever account you want to add this 2fa for, go to the security settings for that account, and it will tell you whether they support security keys or other 2fa methods!
Hi, thanks for the video. I would like to mention though that I come from Instagram and the title of your videos did not make it easy to find the one I was looking for 😅
What if my email is MSN and not Gmail AND the email is hidden in a Password Vault? AND, what if I want to only use a Security Key for the iPhone and NOT the Desktop Computer?
If I am using security keys do I turn off all other 2FA options (SMS and Authenticator App) to maximize security? Or is it okay to leave another option turned on (for example Authenticator App) in case I lose my security keys? In other words, what are the recommended best practices when, for example, an account like Facebook allows for several 2FA options to be turned on at the same time?
the problem that render this keys unless is that when You get your session cookie after you do your MFA. If your session cookie is long-lived, and the adversary steals it, then they can impersonate you without compromising your MFA.
Actually Yubikey BIO supports only U2F and FIDO2, its Security Key with biometric scanner in nutshell. Bad thing is that ALL this videos - they only tell about Yubikeys. While there is enough of other vendors.
@@westbccoast This makes you tied in to either apple or Google or Microsoft... what happens when you change platforms? .....no thanks I will just try an find a way for the security key....which I think their might be.
@@RobSnow-ui4sz What a joker you are, there is very few people not tied or using either Microsoft, Google, Apple or Facebook, one or all 4. No you DON'T have to use passkeys if you choose not to and yes you can only have a hardware key if you want/like or you can have both. As far as I have tested, hardware keys take priority over mechanisms, I found this out when I was asked to verify my apple account using my hardware key even though I believe I had other alternatives in place, this was good news to me. As with anything you always want to have a backup either codes or multiple keys. I have 3 keys on all my high accounts where they are support, the ones I mentioned above.
Your video has spurred me on to look in to these devices. A quick comparison on price with Yubico and Google's Titan shows the latter at 2/3rds the cost of Yubico and the Titan cost is for two devices. Now I know one usually gets what one pays for but these do look very simple solid state hardware devices so am wondering what would prompt someone to buy an expensive one.
@@NaomiBrockwellTV Thank you for prompt reply. Report does suggest physical possession of key is required to enact the vulnerability so guess it negates that weakness unless keyholder is a particular target.
Further to my earlier query, the Google Titan sales page is a wee bit misleading, under what's in the box it gives the impression two devices are included, it is actually just one which therefore negates any initial bargain impression.
Im sorry, but regarding the secrets which stay on the server side... First of all they should be all encrypted, so if a breach happens the attacker will get gibberish instead of secrets and second... I mean if someone got to the database where you store the auth server's secrets, you have way bigger issues to deal with than token secrets
I'm glad you focused on just one product. I'm "technologically challenged" and information overload is a real problem for me.
Public key security is awesome. Phil Zimmermann and others changed the world. God bless them. God bless you and your team, Naomi. You bring good knowledge to many seekers. Thank you.
Agreed, public key cryptography is amazing. Phil Zimmerman is a hero.
I completely agree with this video. I setup a security key 4 years ago; plus a spare along with a security key compatible password manager. No regrets so far.
100%, I set them up and I am late to the game, total game changer, well worth it. Every site and everyone should have these in todays world of rampant fraud and scams.
I appreciate this video about security keys, you made it seem very simple. I think I am finally convinced to take the plunge, although password managers and security keys seem harder to implement when families are involved with shared passwords and access like they are in my household. I guess that sharing just makes the security more important, but it requires changing some habits as well as adding some new technology like security keys.
Oh passwords managers make it even easier for families because you can share passwords super easily!
I have used yubikeys for years... Everyone should do the same, in fact some of my relatives and friends are going to receive yubikeys as Christmas' present.
That's only one thing I can say about this video, AMAZING, I have never thought about security on that way, it's shocking when you realize that you're unprotected
Man that was an incredible video great job! I am working on a video on my channel, wherein I had a dream where my son leaked all of my passwords and began the process of figuring out what to do, I think the more appropriate thing to do is to take measures before it goes that far. I have MFA enabled on most websites I use, but I need to increase the security on many others. Thanks so much for the video!!
I have thought about this level of security for quite some time. After this review, I think it’s an important addon to consider. I think I will order a Yubi
What happens when the security key malfunctions? To fix this two or more security keys should be made registered where either one of them can be used to unlock the user from the mess.
I was also worried about this... What if I loose it, or it is damaged... Will I be locked out of my accounts?
Naomi didn't mention if there was a seed phrase or something similar to use to recover if those scenarios happen.
That's why they said to get multiple keys. Having a seed phrase somewhere is a risk. If one key breaks or gets lost, you can use the other. If you register multiple keys to an account, you can use any of them to access it.
@@TMOC1977 That's why she said you need to get a minimum of 2 keys
Thank you sooooo much for doing this video! I use 2FA on my of my accounts but my old email was hacked recently, and it was devastating. I saw this security key option on some accounts, but it was very confusing. I will be ordering one of these options directly from the supplier tonight. Thank you again for helping to keep us safe.
💛
my bank has rescinded email and landline options for receiving verification codes and will do so only on smartphones
@@edwardmacnab354 : The problem with have a code sent to a smart phone is, if I am outside my home country I don’t use my phone because of the high roaming cost.
I once had to open my phone, in a different country, and after being closed for a month I received hundreds of emails and notices that were “parked” because the phone was closed. It cost me a fortune just to use my phone for five minutes. With email, I can use WiFi on my iPad to receive the authorization code without any cost. Using your cell phone is fine if you are within your provider’s territory.
@@Itsme-vo4fx I have two situations where my bank AND microsoft on windows 11 will not allow email or landline but only text and I do not have a mobile device that receives text. I have a landline that does not do text . Also, thanks for the heads up on that "parked" dam burst overcharge situation . with the backed up email . Terrible !
Excellent video and couldn't have come at a better time as I've just received a set of security keys but have not set them up yet.
I have read online of people using the same code to register their main as well as backup keys while in the video, the backup key is registered with a different code from the main key. Maybe seasoned security key users here might be able to comment on which method is better? Or maybe it doesn't make a difference?
Naomi! I love your videos on security issues, always well researched and clearly presented. I’m hoping you will do an in depth video on PASSKEYS soon!?!? any clues as to when we can expect this?
🙏
Thanks...I got a Yubikey a couple of years ago and it wound up being more of a pain than anything else. Not really the key's fault but the number of websites that didn't support 2FA via a security key. Most of them did support one or more authenticator apps so that is the way I've gone when I could and SMS when that is the only thing available. Now If I could just get the rest of them to move away from re-Captcha
Yubikey 5 supports TOTP, which are the authenticator app codes. You can use it those as long as you have the Yubico app that supports them.
That being said, I still think even the more basic Yubikeys are worth it for protecting your most sensitive accounts (email, password manager, bank if you can). Even if most regular things don't support it, the important things do, and that's what matters imo.
Great video. I have been using Yubikey on critical accounts for a while now and it helps me sleep at night. Still shocks me that Bank of America only allows 2FA via SMS or email. I have written the angry emails but they don’t care.
Every bank I've used has only ever allowed SMS as 2FA. It REALLY makes me mad, and I don't understand how institutions that handle sensitive, financial information don't have security keys or, at the very least, OTPs as a method of 2FA.
Financial institutions (like banks and credit card companies) are notorious for not supporting physical keys as 2FA.
Bank Of America does support Yubikey.
Another great video to get my head around. Thank you Naomi
Nice content👍👍 can you secure a computer or mobile device operating system with a yubico key
Hello. I go through google translate (sorry, I'm French): Thank you for your video which is very instructive. You demystify computer security.
Thanks so much for watching! 🥐
Very very useful info Naomi. Thank you. I think losing these keys are going to be a problem....
Make a backup!
This channel is a blessing. Your videos are amazing! ♥️♥️✨
You didn't discuss the most important issue: compatibility with web sites that the individual needs to use. The much larger challenge is for web sites, enterprises, services, etc. to adopt a given mechanism for individuals to use for 2FA. What good is any of these security keys of web sites don't offer it as an option for 2FA?
At the end of the video around 17:00, you briefly discuss this, but you could enhance the discussion by addressing the various protocols and the problem that, even if a web site offers security key 2FA, the problem is compatibility and support of specific systems and protocols.
You can't state it enough. You need to be as secure as you can make yourself online. No one is going to take care of your online presence if you don't do it yourself. You may be just one fish in a huge ocean, but there are many people just looking for an opening to take whatever they can get from as many people that they can to benefit themselves. So, using any extra security just makes sense, even though it may be sometimes annoying to have to use it.
Once you start using extra security and get used to using it all the time, you will not notice that inconvenience anymore. It'll just be habit.
I too was also a Contractor for many years in the communications industry.
I literally got to install the very first real time Packet Sniffing Server on the West Coast of Canada Friday the 8th 2001. At that time the Co that i worked for handled about 99% of the Data on and off Vancouver Island British Columbia Canada.
The Black box was mandated to be installed in every head end in Canada that sold the internet or lose the ability to sell the internet. Mandated by the CRTC just before 911. Funny part of that story i helped install that Black box Friday and then Tuesday this group of people flew planes into building and life changed for everyone almost instantly. Pretty funny story when only a couple of us new that 1/2 mill box was sitting in our head end. The going joke back then when someone was standing next to it.. We would mutter.. That's one hell of a Black Box.
As of late we have been told that the federal police in Canada's Communications network is now compromised by overseas Countries, last week we were told that all Video surveillance security devices in North America also compromised. My bet is not one chip shipped in the last 50 years would not pass the new inspection process. Pretty funny story Bro.
What's RUclips doing not recommending this channel all those years?
Very helpful. Thank you.
Naomi represents greatness.
Thanks Naomi. Looking forward to your open source comparisons and options. Assuming Nitrokey and hopefully soon Mullvad.
PIV is definitely my favorite way to authenticate...
And I'll see myself out now.
Great idea, too much trouble, all my users forget or lose their keys unless you tie it to them.
Also it better be frost, heat, and water resistant.
Listening from Mackinac Island Michigan
I allways wanted to get a Key, but was overwhelmed by all the information, thanks for clearing this very important topic for nubs like me greeings form Switzerland
When you talked about TOTP you could have referred Aegis OTP android app, It's Foss! Great work regardless!
Brilliant so much information but very useful and helpful, thank you.
I been using them for years love these keys, btw love love your channel.
Excellent breakdown of security keys
Great explanation Naomi!!
Make a video about Google authenticator. Because Yubico key it's not selled in my country : (
Thanks for adding actual captions for the Deaf
Hi Naomi, best 2fa for iPhone, many options, don’t know how to choose. I’m little slow😂😂😂😂thank you
Great video Naomi, Yubico, what a great explanation......Thank you!!
Reflections and observations....
1) Showstopper bugs as more of these are deployed. Emergency patches for your little key.
2) Your primary and backup both get stolen/damaged/lost, especially when traveling internationally.
3) The joy of dealing with logins when traveling after both keys, for whatever reason, choke.
4) Designing security that relies on cheap, fragile dubious hardware.
5) Hacks to work around the root cause, which are operating systems that have horrible, creaking architectures baked in which invite endless flaws and bugs (0 day exploit du jour).
6) Making the login process so tedious and annoying that people just start avoiding doing business online as the overhead, stress and drama is intolerable.
7) You need a trusted friend or family member to log into your account during an emergency (like being detained by authorities in some borderline police state) and they have confiscated your keys. You are so screwed.
The examples given above are all based on real events encountered over the years in my job.
I've been in the computer security business for a long time. It continues to devolve. Hacks on top of hacks.
I'm halfway through Cory's "Attack Surface", so I'm inclined to believe you.
Plus the other peeps above who mention the Security Keys are only ever an "option" for websites, with the fallback being phone text or email, which seems to render these keys of very little actual use.
Please start a channel ! ALSO--- I'm going to use phone text verification for all my online banking transactions , it seems reasonable but then, the bank gives me no other option anyway. I cannot say how well this works as I haven't even set it up yet . I wish I could just mail cash to people , far less risky !
Naomi Is Awesome! Thanks for The Insights and Tips. I've learned A Lot watching Your Videos. Thanks
Thank you! Getting one today!
Yay!! Let me know what you think of it!
You are the BEST Naomi !!!
I have a variety of devices on several platforms and the one that makes me hesitant about the YubiKey is the support for USB-C iPads isn't great. It's an Apple problem, not a Yubico problem, but still something to consider.
Great video! Thanks to you and Yubico.
As far as I know, banks in India provide only SMS based 2FA, which is highly insecure and most government bodies don't have any form of 2FA at all. If they do, it's only SMS based 2FA again. 2FA and security in India really needs a big boost.
Banks everywhere are notoriously awful with customer security options
Canada too.
I'd always thought it was strange that asymetric keys weren't used for web site authentication. It's nice to know this tech is now being utilised.
It already does. Web sites now use https and it uses public key cryptology to prove that you are connecting to a site that it claims to be.
@@catchnkill Yeah that's not what I meant. I meant that you can't register to a site by giving them a public key so then only someone with the corresponding private key could then login to that account.
Great video, lots of useful stuff, thanks
they are quite expensive, but worth it
Can you make a video privacy focused NAS/Home cloud storage.
If an online service (primarily banks) only offers Email or SMS for 2FA, would Email be the better choice if it's locked down with a Yubikey?🤔
A service locked with a yubikey is going to be better protected I would presume
The main problem of these keys is that 1) it's physical, 2) you becomes a kidnapping target, 3) a criminal can cut your finger off to get easy access to all your accounts. And since these devices uses biometric data, it can be easily spoofed since apps like tiktok among others already have your biometric data (eyes, face and fingers). Another big issue with "security keys", if your biometric data leaks out, I can use that to have access to ALL YOUR ACCOUNTS.
When your password leaks out, all you have to do is to change it. When your biometric data leaks out, what are you gonna do? Change your finger/eyes/face?
These devices might look secure but ISN'T.
There is no biometrics involved in Webauthn. Its public keys.
I saw many times how many people advertise those keys as "best" security, but I doubt they are best...
I THINK this dude might just be trolling, but just to clarify for anyone reading this: With the exception of a few specific models of Yubikeys that do have a fingerprint reader, MOST of those security keys shown in this video do NOT have fingerprint sensors. Those circular gold contacts you see are simply just capacitive buttons to press in order to verify a human being is there using it on purpose. No biometrics are involved unless you specifically buy a Yubikey model that has one built-in.
i saw a project a long time ago about fake fingers that can trick biometrics into thinking its a real finger(and be registered as a valid finger) that way you can have biometrics without using any of yours, you can even go further and register one of your real finger as a panic button if you are held at gun point or someone use either your finger or a copy of your print so that either the device get cleaned or open a session with all you encrypted data hidden via steganography depending on your treat models( e.g you live in a nation-state where you don't have a right to not self incriminate)
Although it's true that being a physical item makes it vulnerable to losing it or getting stolen, this is basically the same as your other physical keys as well (from your house or your car). Because of that it's recommended to have more than one key, so you don't lose access to your accounts.
And you're wrong saying that if you someone steals you key, they get instant access to all your accounts. This is an additional layer of security (unless we're talking about passwordless, but the implementation is very limited for now), they still need to know your password, and unless you use the same password for everything (bad idea btw), they still have "work" to do before owning all your accounts.
And about being a kidnapping target only for using security keys, that doesn't make any sense. Nothing prevents that someone kidnap you to force to give them all your credentials and money or extort your family to getting more money, but they also get exposed to getting on jail. Most of the security attacks are done remotely and on a large scale (not diriged).
Great video. Thank you!!
Great info. Thank you Naomi.
I got 6 yubikeys, 2 security keys, 2 Yubikey 5C NFC USB-C and 2 Yubikey 5C NFC FIPS 140-2 USB-C. Not gonna lie it’s very addictive!
Excellent information!
I use these yubikey security keys and they can be a hassle to use. Especially if you want to make a backup key later.
Very interesting videos about security. I have one doubt though: I feel these keys are really secure against online threads, but aren't they much less secure physically? I mean, what if your children take it while you're sleeping to buy stuff online? Or worse, why if during a break at work, you leave it plugged in your laptop and a college or boss use it to spy on you?
My examples are quite simple, but I suspect there're some potential risks there, at least from a first look at it.
Well even if they had the yubikey they would need to have access to your open computer with an open email right? Just remember to log out and it is fine.... And if this still concerns you, get a bio yubikey that requires a fingerprint too
Loved you honest and easy to follow video , thank you ❤️
With the increasing number of websites that mandate you to download an app on your phone, and then scan an on-screen QR code for authentification, there needs to be a safer alternative for those who don't want the risk of a phone app. One better way of doing this would be a dedicated device, or just an updated login key device, that would have a camera that would allow to scan on-screen QR codes.
Yubico's website suggested the bio series don't have PGP. I'm confused.
Thanks again for the great information! So do I understand that correctly that to back up your login method in case you lose/break your key, you still need a different (ideally 2FA) method to log in? (Be it another key, TOTP etc)
Yes. Backing up your 2FA is indeed a problem few people talk about. This area is where authenticator-apps based schemes actually have an advantage: most offer to back up your set of TOTP settings & secrets automatically & regularly. However, those backups have to be stored in a safe way, too.
As for hardware tokens: I have several friends that actually have two sets of tokens: one for daily use, carried around with them; and another one for backup purposes, stored somewhat safely but still easily accessible. For each new site they want to access they enroll both hardware tokens.
If you don't have any type of backup of your 2FA device/software, you implicitly rely on the site's password recovery functionality - and all the insecurity that might entail (mostly a question of how secure your email account is). Then again, I don't know a lot of sites that actually allow you to disable password recovery functionality for your account. It's all a bit… meh.
@@mbunkus Oh, I didn't even think about the password recovery options, thanks a lot for your insights!
I love you so much Naomi!
Do you need multiple physical keys, for example, if you had more than one twitter or gmail account?
I'm not sure I understand if I should buy a "simple" security key or the 5 series. Can anybody help, please?
I would go with Series 5 if you can afford it. I bought two simple keys and one lightning key. You want to get at least two keys, the cheaper keys are worth it, any key is better than no key. I have 1 master key and two backup keys. I setup them up on my main providers Google, Apple, Facebook. Everything else I use an authentication app. Be aware only certain keys support the Yubico key authentication app (silly but true), so if you want to is their app, get a key that support which is typically the series 5 keys. I think every key should have access to the app.
It seems like the Webauthn passwordless technologies such as Apple Passkey eliminate the need for hardware keys such as the ones made by Yubico, at least for individual users. Do you agree?
I have to use a Yubikey hack via Yubico Authenticator for my banks ancient Symantec VIP. Ive been hassling them for years to implement Yubikey for their logins !
at 16:41 you say that if your key is lost/stolen, you just log into the affected accounts and delete that key. So I assume you have to use the backup key to log in, right? Thanks.
Very informative, thank you
Now if they could make one with builtin key fob ability and schlag door locks that support ncf and fido and then just slap an airtag key chain on it and it would be the only thing and your phone you'd have to go out the door with.
You look amazing without glasses.
Minute 16:30 if someone steals my bag that has my laptop and authentication key. How can I log into my account from somewhere else when I don't have the key and I didn't make a backup?
I like this vid. Good insight.
I'm using Google titan keys , with Google advanced protection enabled , I found yubi to be a bit tricky on android
If someone gets hands on your security key( yubikey) can it be modified?
Thanks for your expert research and information! ❤
Can you show us how to set it up? It’s hard to understand
Good idea, perhaps I'll put out a supplementary video. In the meantime, whichever account you want to add this 2fa for, go to the security settings for that account, and it will tell you whether they support security keys or other 2fa methods!
Where do i make the purchase for those security keys? 😮
It's the best 👌 thanks alot
Hi, thanks for the video. I would like to mention though that I come from Instagram and the title of your videos did not make it easy to find the one I was looking for 😅
So two or more keys can be tied to any one account at any one time, and any one of the keys can grant account access?
Can using a security break siloing/isolation by being linked through the Key ID?
I use my Yubikey 5 for my Windows login also.
So where are all of the follow up videos going over keys other than YubiKey and Fido2 authentication???
What if Last Layer would have Weakness for messing everything around and no point for previous Inputs?
What if my email is MSN and not Gmail AND the email is hidden in a Password Vault? AND, what if I want to only use a Security Key for the iPhone and NOT the Desktop Computer?
GREAT INFORMATION!👔😀
If I am using security keys do I turn off all other 2FA options (SMS and Authenticator App) to maximize security? Or is it okay to leave another option turned on (for example Authenticator App) in case I lose my security keys? In other words, what are the recommended best practices when, for example, an account like Facebook allows for several 2FA options to be turned on at the same time?
I would turn off sms where you can
SOOOOO helpful!
Great video!
Would be even better if they allowed people to choose this as the first factor of authentication before the password can be tried.
the problem that render this keys unless is that when You get your session cookie after you do your MFA. If your session cookie is long-lived, and the adversary steals it, then they can impersonate you without compromising your MFA.
Actually Yubikey BIO supports only U2F and FIDO2, its Security Key with biometric scanner in nutshell.
Bad thing is that ALL this videos - they only tell about Yubikeys. While there is enough of other vendors.
My social media is always protected.
Now you have to use passkey in Google so how do I go back to only using a security key.
You can still use both, but you can delete passkeys just like you can remove a hardware key.
@@westbccoast This makes you tied in to either apple or Google or Microsoft... what happens when you change platforms? .....no thanks I will just try an find a way for the security key....which I think their might be.
@@RobSnow-ui4sz What a joker you are, there is very few people not tied or using either Microsoft, Google, Apple or Facebook, one or all 4. No you DON'T have to use passkeys if you choose not to and yes you can only have a hardware key if you want/like or you can have both. As far as I have tested, hardware keys take priority over mechanisms, I found this out when I was asked to verify my apple account using my hardware key even though I believe I had other alternatives in place, this was good news to me. As with anything you always want to have a backup either codes or multiple keys. I have 3 keys on all my high accounts where they are support, the ones I mentioned above.
The only issue is that not many websites use these hardware keys so its very limited.
Thank you!
Your video has spurred me on to look in to these devices. A quick comparison on price with Yubico and Google's Titan shows the latter at 2/3rds the cost of Yubico and the Titan cost is for two devices.
Now I know one usually gets what one pays for but these do look very simple solid state hardware devices so am wondering what would prompt someone to buy an expensive one.
www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/
@@NaomiBrockwellTV Thank you for prompt reply. Report does suggest physical possession of key is required to enact the vulnerability so guess it negates that weakness unless keyholder is a particular target.
Further to my earlier query, the Google Titan sales page is a wee bit misleading, under what's in the box it gives the impression two devices are included, it is actually just one which therefore negates any initial bargain impression.
yubi is nifty tech. but be realistic. if i can't use it with "the banking system" its basically useless. the *most* important use is banking.
Im sorry, but regarding the secrets which stay on the server side... First of all they should be all encrypted, so if a breach happens the attacker will get gibberish instead of secrets and second... I mean if someone got to the database where you store the auth server's secrets, you have way bigger issues to deal with than token secrets