Yubico Authenticator App

  • Published: Aug 5, 2024
  • The Yubico Authenticator app is from Yubico. A multi-platform authenticator app that allows you to generate OATH-TOTP/HOTP codes from your YubiKey on iOS, Android, macOS, Windows or Linux.
    In this video I show how to install and use it with Google Mail as a Google authenticator replacement.

Comments • 88

  • @Jules-iq6ks 3 years ago +5

    I've been looking for an hour for such a clear explanation of how the PIN can be set up and how it works, thanks for this video.

  • @baijiutube 3 years ago +3

    Thanks Robert! I wonder why Yubico does not provide such a detailed explanation. Good thing you made that video. I'm now a subscriber of your channel :-)

    • @trebortech 3 years ago

      Thanks for watching and glad it helped. In full transparency I actually do work for Yubico. All our employees are encouraged to help the community the best way we can. This was my way. As time permits I have a few other ideas for videos. Stay tuned! :)

  • @petera6191 3 years ago +1

    Great Tutorial... It really helped me out. Some additional information on the Google/Yubico Authenticator App. You should ALWAYS take a picture of the QR Code or Code (i.e.: the Code or Backup Code are usually Numbers) and print it up, laminate the paper & store it off-line in a safe place (i.e.: if your computer or phone is damaged or lost, you can access your email accounts with the QR Code from another device).

    • @trebortech 3 years ago

      I would be careful taking pictures of the QR code. If your image storage is compromised it could cause more issues than you want. Also note, it's not good to take pictures of credit cards, passports or any other ID. I personally know someone who did this, had their Google account hijacked via SMS hack and it cascaded to bank accounts being drained, cryptocurrency being taken, and lots of other time consuming and life impacting items.
      +1 for printing off and storing in safe.

  • @neekerbreeker 2 years ago

    Thank you for this video! I love my Yubikeys but I couldn't figure out what the purpose of this app was 🤔 I'll try to add a few accounts this weekend and see how it goes. Much appreciated ❤️👍

  • @grantrettke4851 2 years ago

    Excellent video and very useful: haven't found much that shows off the power of the Yubico Authenticator: cool!

    • @trebortech 2 years ago +1

      Thanks Grant, very much appreciate that.
      Stay tuned as I will have a new video coming out on all the updates to Yubico Authenticator.

  • @leicaman 4 years ago

    Really useful. Thanks!

  • @Rednunzio 6 months ago

    This only serves to make the generation of the various TOTPs safe. If we wanted to use the key directly as 2FA we would have to set it separately for each account right? Let's say that this method allows you to have the same level of security without having to enter the key at each new access.

  • @psychiclizcross2527 3 years ago +1

    Great video. After you set up the Yubikey on your iPhone, do you need to use the Authenticator each time you use email?

    • @trebortech 2 years ago +1

      That depends on the service. Some services will ask for your MFA token (6 or 8 digit) the first time you log in from a new device. After that they create some kind of fingerprint of that device and will "trust" future logins without asking for an MFA token. The reason for this is for usability. As a user you most likely wouldn't want to be prompted at every login for an MFA token.
      On the other side of the spectrum you have services that will ask each and every time you log in for an MFA token. Most CryptoCurrency services do this today along with asking for the MFA token for any transaction you want to complete.
      Bottom line is if the data has a higher sensitivity to it you might want the inconvenience of so many MFA requests.
      Hopefully that helped.

  • @hd9g 2 years ago +2

    I understand the touch is required when USB plugged in. Does the NFC work without any touch of the gold button?? There are NFC skimming devices that work at range for credit card skimming.

    • @trebortech 2 years ago +1

      Someone would need to get kind of close to read the code, but yes, NFC could read it. To protect against an NFC read you can simply set a PIN as outlined in the video. Now when you want to use it via NFC you need to touch the phone with the YubiKey, type in your PIN, and touch again to read the codes.
      Hope that helps.

  • @tsarath 4 years ago +1

    What model of iPhone and iOS were you using for this to work on a mobile device? I understand there are some restrictions...

    • @trebortech 4 years ago +1

      You are correct and I'm sorry I didn't mention that critical piece of information.
      My phone: iPhone 7 SW: 13.4.1
      Please check out this page on Yubico to get more information regarding Apple device capabilities
      support.yubico.com/support/solutions/articles/15000006479-getting-started-on-ios

  • @hikarukenta8901 3 years ago +1

    Hello Robert, great video.
    When you used your phone to OTP to your Google, did you have to add that account again on the phone? Or is it stored on the key?
    If I want to access my account from various devices/platforms (phone/tablet/win/linux) ... do I need to add the account (via QR code) on each of them or is it enough to do it once?
    Thanks.

    • @trebortech 3 years ago +3

      The beauty of using a YubiKey vs other Authenticator Apps is that portability of the secret. It's stored on the YubiKey so you can read the QR code at one computer or device and then generate the code on any computer you plug the YubiKey into. No need to reset on each device.
      Hope this helps.

    • @hikarukenta8901 3 years ago +1

      @@trebortech Yes it helps, thank you :)

  • @awan771 2 years ago +1

    Good video. A question I’ve been trying to figure out is that around the 4:50 mark you talk about putting an extra password to actually get into the Yubico Key by setting a password when you plug in the Yubico key. If you somehow lost or have forgotten the password, how can you reset this?

    • @trebortech 2 years ago +2

      Thanks for the question Aaron. The "password" pin (they are different but that's another video) that I spoke about in this video is strictly for the Authenticator App that provides the OTP codes. The YubiKey has several pins you can set, PGP, PIV, FIDO.
      So my answer is for the Authenticator App only and that answer is you can NOT reset it if you lose it. That's a bummer, I know and which is why you should use something easy to remember or write it down and put that in a safe location, away from your YubiKey.
      It's not the ultimate security but if that is the level you are striving for you should focus on the FIDO protocol. OTP has other exploits that are more likely such as phishing and MitM attacks.
      Sorry for long winded answer but I didn't want to leave it with a "You can't change it".
      Hope that helped!

  • @edgarindarto4578 3 years ago +2

    Thanks! Great explanation. How can I make a backup of the Yubikey? If I lose the key without backup I need to start over again with a new Yubikey or not?

    • @trebortech 3 years ago +1

      Chris from CrosstalkSolutions just did a great video on YubiKeys and covers this topic. Here is a link to that section of the video but if you are new to YubiKeys I suggest watching the entire video.
      ruclips.net/video/ybn9J4QCqK4/видео.html
      Hope this helps!

    • @mickeydrago9401 3 years ago +1

      Always have a backup

  • @jasonwong7951 3 years ago

    Hi there, I am currently using authy for my 2fa alongside with 1password and I was thinking of having the Yubico authenticator to store my 2fa code for my 1password and leaving the 1password alone to have the 2fa codes within it. Do you think it is a bad idea? Further to this how many codes can the Yubico authenticator store? Kind regards.

    • @trebortech 3 years ago +1

      1password is awesome! The team over there are top notch and on it.
      Here is a link on the Yubico website that explains how you can use the YubiKey with 1Password.
      www.yubico.com/works-with-yubikey/catalog/1password/
      My recommendation would be to set up FIDO for the 1Password MFA. (I would register at a minimum 2 different FIDO tokens) This is enabling strong authentication for your prized possession. On the same YubiKey you can store your OTP codes for websites.
      32 OATH-TOTP codes can be stored on a single YubiKey.
      Hope this helps!

  • @Pooters73 2 years ago

    Hi Robert,
    1. Around the 2:30 mark when your google authenticator automatically fills in to the Yubico app, I'm not having that happen. The Yubico app stays blank. I'm not sure what data to manually fill in?
    2. I have no idea what or where my secret key is, or how to find that. Any links or help there?
    Thank you!

    • @trebortech 2 years ago

      Hey Chris,
      Thanks for watching the video. Hopefully the following helps.
      1. I have found that does occasionally happen and it seems to be a permission issue that has changed over time. To get past the automatic QR code scan you should have a link near the QR code or the page before that allows you to see the seed as text. You will just need to copy that string into the Yubico Authenticator app and put in the other information manually, most of that data is what you want it to be like account name and such. Nothing critical for the auth to work.
      2. In the next few weeks I plan on putting together an updated video on the Yubico Authenticator. A lot has changed over the year and I have a lot of common questions to the original video I want to answer. Stay tuned!

  • @martinlutherkingjr.5582 2 years ago +1

    So basically the yubikey just acts as a somewhat secure device to store secrets instead of relying on a mobile device to store them? How hard would it be for an attacker to extract the secrets? Are they stored in a secure element? I assume the password encrypts the secrets? Is it possible to brute force the password or does a secure element somehow mitigate this?

    • @trebortech 2 years ago

      Yes, they are stored in a secure element.
      I'm not aware of any brute force prevention for the PIN protection, good question. I'll need to look into that but either way, the code provided is only one part of the authentication process. An attack would need to compromise the password for the user account AND get possession of the YubiKey and THEN brute force the PIN. Seems like an edge case but I could be wrong.
      Hope this helps. Sorry for the late reply.

  • @stevemorman8249 3 years ago +1

    Hi Robert, If I have the Yubico Authenticator app on both my Windows 10 PC and my Android phone, will it sync the credentials from one app to the other? In other words, I add my google account info to the Windows 10 app, will this info sync to, be available in my Android app? Thanks Steve

    • @notreallyme425 3 years ago +1

      So I believe the TOTPs are stored on the Yubikey, not the app. So if you have the app on different devices (including the computer app) it will read the codes from the Yubikey. No need to sync because the apps don’t save anything. HOWEVER, if you lose your Yubikey then you’re screwed. So you should have a second Yubikey and save your TOTPs to both keys as a backup. There’s another video mentioned in another comment that shows how to add these to a second key, but basically when you add the TOTP to the first key leave the window open showing the QR code. Then insert the second key and add the code again to that key.

    • @trebortech 3 years ago

      This is correct. The "seed" is secured on the YubiKey so now it's portable between devices.
      Chris from CrossTalkSolutions did a great deep dive into replicating credentials between multiple YubiKeys. Not going to lie, it's a PITA to keep this up over time. This is another reason to use something like FIDO.

  • @mickeydrago9401 3 years ago +1

    Yubico owes u...

  • @meme64561 2 years ago

    Couple of questions -
    1) Should we download both Yubikey authenticator apps for both the desktop & iPhone? (Would want to use phone when not at home so thinking would need authentication app also on iPhone.)
    2) Also how do we change the authenticator already using to Yubikey authenticator app in the application we are using?
    Great video!
    Thanks

    • @trebortech 2 years ago

      1. Yes. I install the Yubico Authenticator app on all my computers and phones. I never know when I'm going to need the codes off my YubiKeys. Btw, I also install the app on my wife's phone so if I can't find mine I have her phone. She also uses a YubiKey so it's not that big of a deal.
      2. You have no easy way of transferring this unless you grabbed the secret value and recorded them the first time. The most likely way to move forward is to log into a service that you want to transfer and reset your OATH authentication to the YubiKey.
      Hope this helps and thanks for watching.

  • @cx1291 1 year ago

    Great video but I am having a difficult time trying to use my Yubikey NC NFC with my Pixel 7. Have some suggestions? Thanks

    • @trebortech 1 year ago

      I'm guessing that your difficulty with the Pixel is that the YubiKey is not being seen via NFC when you place it on the back of the phone. The only suggestion I can provide is try and locate where the NFC antenna is on the rear of the phone by moving it around. Once you locate it, put a sticker or something at that location for better reads. The iPhone is simple, Androids are all over the place.
      If that is not your difficulty please provide more details and I'll do my best to help.

  • @Leogcs 2 years ago

    Can you put the security codes of an account in two Yubico Keys at the same time?

    • @trebortech 2 years ago +1

      You can if you manually configure the YubiKey. Normally when setting up the OATH codes you are provided an option to see the secret key under the QR code. You can use this code on as many YubiKeys as you would like. Be careful with this code as it’s the most critical piece of information for your mfa. DO NOT RECORD THIS ON YOUR COMPUTER. Just treat it as very sensitive information and you should be good.
      Hope this helps.

    • @Leogcs 2 years ago

      @@trebortech Yes Robert, you helped me a lot! Have you tested this hypothesis?

    • @trebortech 2 years ago

      @@Leogcs Great. Yes, I’ve tested this. I’m in the process of putting together the updated video I’ve been promising. This will be in that video to demonstrate making a backup key. Hope to have it done later next week.

  • @notreallyme425 3 years ago +2

    I think using Google is a bad example. I can see in this demo that you’ve already set up the key directly as a second factor. Google accounts along with many other services like Dropbox support this. This is a better and an easier solution using the FIDO standard that doesn’t require TOTP codes. Also, I believe each Yubikey can only store 32 TOTPs, but they can be used unlimited with FIDO compatible sites. You should only use TOTP with sites that don’t support FIDO.

    • @trebortech 3 years ago

      Not sure what you mean by Google being a bad example. The purpose of the video was to show how to set up and use TOTP with a YubiKey. Google is a great way to show this.
      As for the FIDO alternative, I 100% agree with you. If you can use FIDO to protect your account use it and only it. Remove all other second factors since they will be the weak link in your security (don't forget to register multiple FIDO tokens for backup). Doesn't make sense to put a hardened steel door on your house and have a window next to it.
      32 TOTP on YubiKey = True
      Unlimited FIDO = Partially True (U2F True, FIDO2 Resident Credentials are limited)
      Thanks for the comment.

    • @notreallyme425 3 years ago +5

      @@trebortech just wanted to clarify that FIDO is better to use than TOTP and Google supports FIDO. I could see somebody watching this video and not realize that. No offense meant. Thanks for confirming the 32 limit on TOTP codes on Yubikey. I’ll have to research FIDO2 to understand the limits on that. Thanks for the response.

    • @mickeydrago9401 3 years ago

      @@trebortech
      With the options for Google accounts people should learn to delete SMS as an option... Otherwise the ideal two factor authentication using yubi is rendered moot if hackers can simply choose SMS, by far the worst 2FA.

  • @mitchellquartero 3 years ago +1

    That is way better than authy app

  • @jonathanperez5941 3 years ago

    Does anyone know if it is possible to add more than 1 key to the Yubico Authenticator app? Thanks in advance!

    • @trebortech 3 years ago +2

      Yes but no... Let me explain. The Yubico authenticator app is only used to generate codes from the key, it doesn't store anything so it's not locked to any YubiKey. The benefit of using a YubiKey for OATH-TOTP codes is that you now have portable code generation.
      Hope that answered your question.

    • @jonathanperez5941 3 years ago

      ​@@trebortech I truly appreciate your response! I am new to all of this so I apologize if my questions seem a bit basic.
      So I downloaded the Yubico Authenticator App to add as 2FA on all my accounts that don't accept security keys as 2FA.
      By the way, I have two Yubikeys 5 NFC. We'll call them Yubikey#1 & Yubikey #2.
      Once I downloaded the Yubico Authenticator App, it asked me to scan my Yubikey, so I scanned Yubikey #1. Once I scanned it, it allowed me to start adding accounts. I added the accounts successfully. So now when I open the Yubico Authenticator App, and scan Yubikey#1, I see all of the TOTP of the accounts I added.
      Now, when I open the authenticator app and scan Yubikey#2 , nothing is showing.
      My question is, for all my accounts that only rely on the TOTP from the Yubico Authenticator App as its only 2FA option, wouldn't I in theory be locked out of all those accounts if I lost Yubikey#1?
      And if so, what is the best backup method to never be locked out?
      Again, sorry if my questions are basic stuff! My bank account was hacked 2 weeks ago, so I am taking my online security a lot more serious! So I am still new to all of this! Thanks in advance!

    • @mdz_jimmy 3 years ago

      @@jonathanperez5941 I know my response is late but hopefully still useful: You can add multiple keys simply by using the same QR code for multiple keys. So you just follow the instructions in this video until you add the first key (don't close the QR window!), then you unplug key 1 and plug in key 2. At this point you might need to restart the authenticator app (not always necessary), so after that you use the same QR code to register to your second key. If you have even more keys you keep repeating this process until you added all keys. Then you finish the whole process just like in the video by entering the code from the authenticator app.
      I just set up my 2 yubikeys like that and I can confirm this worked fine for me!

  • @jean-claudebucher5632 2 years ago +1

    Hi Robert, cool Video. I have downloaded the Software and it works. But i have 2 Hardware Tokens ! How do I get all the Accounts from my First Token to my Backup Token ? thanks

    • @nandurx 2 years ago +3

      I believe when you set up one, you have to do one key first, add then do second key and then put your code in whatever service you want to use. Or you can use your phone and laptop at the same time. One key in each and set up at the same time. I do this with my wife's phone and me whenever I set up something that way. If I lost one you have at least the other.

    • @trebortech 2 years ago

      The only way you can do that today is by getting the code during the creation and putting it on both YubiKeys. It's a bit time consuming and is one of my reasons for only suggesting OATH codes for applications that don't support FIDO.

  • @bendik1232 3 years ago

    How do you back it up with another key?

    • @trebortech 3 years ago +1

      OATH-TOTP is a time based one time passcode. It's based off a shared secret. During the registration process you just need to record the secret and manually add it to another key. Keep in mind, this secret is the golden ticket to your OTP code. If you don't secure it properly the entire security of the OTP is broken.
      I don't recommend recording this secret or making backup keys for OTP. The best path forward is to find services that support FIDO or push the service you're currently using to support FIDO. FIDO is not a Yubico only protocol. It provides the best method to support backup keys for accounts. IMHO.

    • @petera6191 3 years ago

      Hi, refer to my comment/s above... I'm not sure, but you should be able to put another Yubico key on the Authenticator App, as a back-up. In addition to this, the Google email has got 'Back-up' Codes (i.e.: this backup code is different from the manual codes or QR image mentioned above. Back up the codes in the "Security section" in your email) and it's extremely important to print this up & store it off-line in a safe place. If you lose your key or it is damaged, I'm sure you can access your account without the Yubico/Google Authenticator App, using the 'Backup Codes' (i.e.: I'm not sure if Yahoo/live/etc have got Backup Codes). I hope that this was helpful.

  • @donew1thita11 2 years ago

    I can just use the key correct, don't need app?

    • @trebortech 2 years ago

      To use the time based OTP codes, OATH-TOTP, you will need the app. The YubiKey has no battery so no clock. The app is used to provide the time to the YubiKey.
      If you were using OATH-HOTP codes you do not need the app since those codes don’t expire so no time necessary.
      Most systems will use the TOTP system, so the app is necessary.

    • @donew1thita11 2 years ago

      @@trebortech OK thank you, I've been using Authy when a physical key isn't an option, but I see Google reviews on the app for Yubico and it seems negative, I think I'll wait for good reviews, lots of claims that the app just doesn't work. Thank you for the detailed explanation, right now I am running an NFC 5 black key and a standard blue. I may get another black cause the blue is limited, when I got the black one, it was the only one in stock and I needed it fast so got a blue as back up.

    • @trebortech 2 years ago

      Not sure which reviews you are referring to. If you can provide a link I will review and see what I can help with. I've been using the app for around 6 years and no issues. I know Yubico has made lots of updates over the last few years but they stay on top of any issues. The engineering team is top tier.
      Key difference between your YubiKeys. Blue will only have support for the FIDO (WebAuthn) protocol. The newest and most secure protocol available. I'll have a video coming out next month to explain it a bit more.
      The Black YubiKeys have multiple protocols and are much more versatile. I highly recommend this YubiKey over the blue. The additional cost provides you more value for your money since many systems are still transitioning to FIDO.
      Best of luck moving forward with your YubiKey. Stay tuned since I'll be providing more videos in the coming months.

  • @JohnSmith-zl8rz 1 year ago

    Only accepts 32 codes?

    • @trebortech 1 year ago

      Yes, that is a limitation. The YubiKey has limited memory so 32 codes it is. Most people will not get to the 32 because, unfortunately, most consumer sites still don't offer 2fa. In an ideal world sites will rollout fido and the 32 limit will be less of an issue.

  • @cooldudesunny007 4 years ago

    So if the master password is not set on the key to open the Yubico Authenticator app then ANYONE with the key can wave the NFC key or insert the 5Ci key to the device & LITERALLY SEE all the websites that I have an account on!! Seems privacy breach. Please reply

    • @trebortech 4 years ago +1

      Thanks for the question. No, not necessarily. If you change the Issuer and/or Account Name value when you add the token to something that you understand and can map to the service, then you are good to go. Those values are not utilized when creating the OTP.
      I still highly suggest you use a PIN to protect your OTP. Also, just to be clear the PIN is stored on the YubiKey, not in the authenticator app.
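
Added example, not part of the comment thread and not Yubico's code: a minimal OATH-HOTP/TOTP implementation (RFC 4226 / RFC 6238) illustrating the replies here about the shared secret, the Issuer/Account Name labels, and the host supplying the time. The `SimulatedKey` class, the sample URIs and the account names are hypothetical; the secret is the published RFC 6238 test seed, not a real one.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample data: the RFC 6238 test-vector seed
# ("12345678901234567890") in Base32. Never a real account secret.
SAMPLE_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
URI_AS_ISSUED = ("otpauth://totp/ExampleMail:alice@example.com"
                 f"?secret={SAMPLE_B32}&issuer=ExampleMail")
# Same secret, labels changed to something only the owner can map back.
URI_RELABELLED = f"otpauth://totp/acct-07?secret={SAMPLE_B32}&issuer=x"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / period)."""
    return hotp(secret, int(unix_time) // period, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth:// URI that the enrolment QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # Base32 padding is often omitted in URIs
    return {
        "label": unquote(parts.path.lstrip("/")),    # display only
        "issuer": query.get("issuer", [""])[0],      # display only
        "secret": base64.b32decode(b32),             # the only keying input
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algo": query.get("algorithm", ["SHA1"])[0].lower(),
    }


class SimulatedKey:
    """Hypothetical stand-in for a hardware token: holds the credential,
    has no clock, and must be handed the current time by the host."""

    def __init__(self, credential: dict):
        self._cred = credential

    def calculate(self, host_unix_time: int) -> str:
        c = self._cred
        return totp(c["secret"], host_unix_time, c["period"], c["digits"], c["algo"])


def demo(now: int = 59) -> dict:
    """Enrol the same secret on two simulated keys under different labels."""
    key1 = SimulatedKey(parse_otpauth(URI_AS_ISSUED))
    key2 = SimulatedKey(parse_otpauth(URI_RELABELLED))
    return {
        "key1": key1.calculate(now),              # code in the current window
        "key2": key2.calculate(now),              # identical: labels are not hashed
        "next_window": key1.calculate(now + 30),  # changes once the time step rolls
    }


if __name__ == "__main__":
    print(demo())
```

Anything that holds the decoded secret produces the same codes, which is why a copy of the QR code or seed text has to be protected like the key itself.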

    • @gr8hax 4 years ago

      My thought on 2FA is one you know and one you have. Even if they have the key. It is useless to access "your" specific account. They need to really research you. Like dumpster dive, monitor you, social hack you (ie mail diving), etc. If no password placed.

    • @trebortech 4 years ago

      @@gr8hax That's true but I think @technobot was more concerned with privacy in his response. Privacy should also be a concern as you get more focused on your personal digital security. Imagine if you were hiking in the woods and a grizzly bear had an NFC reader and scanned your YubiKey to see that you have an account on www.Ihategrizzlybears.com. The hike could take a dangerous turn.

  • @af6727 4 years ago

    Nice! Do you need to enter the Yubikey password each time you open the IOS app?

    • @trebortech 4 years ago +3

      So with all the options available I feel I need to provide more than a Yes / No to this but it's basically a Yes.
      If you are using NFC the flow would be as follows
      1. Open the Authenticator App
      2. Swipe down from the top to activate NFC
      3. Touch an NFC enabled YubiKey to the back of the iPhone
      4. Enter your PIN/Password
      5. Touch the YubiKey again to present the list of codes
      after 30 seconds the codes will need to be refreshed. If you need more codes you will need to touch the YubiKey again but you will not need to enter your PIN/Password unless you close and reopen the Authenticator App. The PIN/Password is cached for a period of time but I'm not sure how long that is.
      If you are not using NFC and are directly plugged in the flow is slightly different
      1. Open the Authenticator App
      2. Plug YubiKey into phone
      3. Enter your PIN/Password
      You will have your codes presented
      Sorry for the long reply but wanted to be as complete as I can.
      NOTE: An updated version of the Authenticator App has been released since this video that takes advantage of the iPhone biometric system. I'll try and create an update to show how that changes the flow.

    • @af6727 4 years ago +3

      @@trebortech Thanks man! I really appreciate the time you took writing this! I'm getting my Yubikeys tomorrow!! excited.

    • @mickeydrago9401 3 years ago +1

      @@af6727
      He does a better job than yubico, He should get referral bonuses...

    • @trebortech 2 years ago

      I actually get a paycheck from Yubico :) But I'm going to let my boss know I need a bigger bonus!!!

    • @trebortech 2 years ago

      @Sammy Chan . Not sure what screen you are looking at or what is asking you for a password. If you are following my instructions in the video let me know what time spot to look at and we can go from there. Also, if you can put your next reply as a new item that will help me see it. For some reason I only see the new comments on my alerts, not the replies.

  • @AV8R767 1 year ago

    Not recognised by Microsoft unfortunately so you're stuck with Microsoft Authenticator

    • @trebortech 1 year ago

      If you are using a YubiKey with Microsoft I would push you to use FIDO.
      Not sure about the OATH-TOTP support with Microsoft. They have so many different ways to login it's hard to keep straight.