Using YubiKey Security Keys to Protect Your Google Account (with U2F)

  • Published: 17 Oct 2024

Comments • 105

  • @myoldblackdog
    @myoldblackdog 6 years ago +40

    I think you're supposed to disable SMS as a 2FA method after enabling one of these hardware token keys. Many people who migrate to these methods might forget this important step.

    • @michaellee8815
      @michaellee8815 4 years ago +4

      Absolutely right. You’re only as strong as the weakest link. You can get in with EITHER the SMS 2FA or the physical key. So you think you’re protected with the key but someone can still spoof your SIM (way easier than you’d think) and now your “security” text goes to them. They’re in. If you go the physical key route it’s imperative to DEACTIVATE any lesser 2FA such as SMS or even Google Authenticator. I prefer Google Auth as it’s local to your device vs stored in the cloud. But the physical Yubikey or Google Titan trumps all. Some people might think it’s expensive, but it’s nothing compared to the cost of having your accounts potentially hacked. But you’re totally right and I’m surprised Gary didn’t mention that. Overall great video though. I think people might be scared off thinking it’s more complicated than it is. I wish more people knew about physical security keys, I’ve bought a pair for my mom and gf and they’re using them whether they like it or not hahaha

    • @REVNUMANEWBERN
      @REVNUMANEWBERN 2 years ago +1

      @@michaellee8815 He needs to make an update EXPLAINING How to work setup the FULL process

  • @tazgecko
    @tazgecko 6 years ago +11

    Hi, Gary. Thanks for these videos. Although I've been using computers for over 30 years, there are some things which I haven't read up on or just don't know about. This is one of those occasions. I've found your channel will come up with gems with an easy explanation of tech every now and then. Well worth a subscribe. Keep up the good work.

  • @rickmercer2794
    @rickmercer2794 4 years ago

    Hello Gary....great vid.....not as tech savvy as everyone else. Can I leave the U2F key in my PC? Do I have to sign in with USB key always plugged in? Do I need a separate version of the key to use on mobile device? How can I plug key in mobile device?.....USB adapter....or Bluetooth?.... I bought the Hyperfido U2F Security Key.....on Amazon....thought there would be somewhat of instructions.....nothing...and no support.....just good luck.......lol. Anyway......Android boxes?......

  • @andybpoole
    @andybpoole 4 years ago

    Hi Gary, thanks for the really clear explanation. I wonder if you recommend using the YubiKey to generate passwords, or in general what your best solution is for managing 30+ passwords? I was thinking along the lines of using physical keys to access my Google account and then changing my passwords to autogenerated ones from Google so I do not need to remember so many.

  • @GregFliesVR
    @GregFliesVR 6 years ago +2

    I have the YubiKey 4 from wired and I love it. I just bought a YubiKey 5 and a security key for backup and the NFC will be my main. I'm not messing around with these security data leaks.

  • @Pazuno
    @Pazuno 6 years ago +2

    I noticed that you still had the "More Options" available, does that mean you can still use mobile for 2-step authentication? If so, doesn't that make the keys a bit pointless on a phone?

  • @popperfrozy
    @popperfrozy 2 years ago

    If you set up Advanced Protection and you use a Samsung Galaxy smartphone, will you still be able to use the built-in Samsung calendar and contacts apps (since they are not actually Google apps)?

  • @hiroooooooo4656
    @hiroooooooo4656 3 years ago

    Just came across your video. I noticed you used a different key when using your phone. Does the NFC 5c not work on the phone? I'm very new to this, sorry if this is a stupid question.

  • @TheYoungerSemiOldMan
    @TheYoungerSemiOldMan 5 years ago

    I appreciate the videos, and no, you don’t have to make them shorter. I watch them as you go into depth which is what we need to understand it. I have questions:
    1) I bought 2 yubikey 5 NSD
    2) Outlook Live was tested first and worked fine after it asked to create code
    3) added 2nd and was fine
    4) tried google, failed
    5) tried in chrome, failed with endless spinning until it gave a message stating it needed to be plugged in
    6) restarted computer, gmail failed again to sync with same errors
    7) I have never found anything that explains how many emails you can apply
    8) I haven’t found anything that wipes the whole thing to start from scratch or updates that don’t require intense DOS style script for each “applet” where directions are difficult to follow
    9) support to LastPass and yubico has been sent and have gotten zero responses
    10) how far am I off? Is it a software thing? I saw a video where the thickness of the usb section varied and could be part of the problem, no?
    Thanks in advance.

  • @alexwall7204
    @alexwall7204 6 years ago +1

    Your videos are fantastic and I'm very pleased you have your own channel now dedicated to them. Thank you!

  • @Void_Dragon
    @Void_Dragon 6 years ago

    With the wireless key towards the end, how does it work on iPhone? Doesn't have NFC.
    Just connect to it like a normal wireless Bluetooth headset or...?
    Couldn't someone near the radius hijack the account if they had your info? IE: Airport, Bar, etc.

  • @joelangley15
    @joelangley15 5 years ago +1

    Outstanding video...you are an excellent teacher. Thanks !!

  • @lindsaywood7603
    @lindsaywood7603 6 years ago +1

    You mention that intercepting an SMS code requires a higher level of sophistication. But my understanding is that someone could just call the phone company, pretend to be you and ask them to change the number to another phone (the hacker's phone in this case). This SIM swap is actually pretty easy. This scary scenario might light a fire under more of your viewers to follow your advice and get the physical key.

  • @KingsPhotographySolutions
    @KingsPhotographySolutions 6 years ago +4

    Great video, I'll definitely be looking at buying 2 in future. 😁

  • @vokut
    @vokut 6 years ago

    Your phone is an Android one. How does this work on iOS? I've read at multiple places (including reviews on Amazon) that these keys don't play nicely with iOS

  • @arunaslasiunas6699
    @arunaslasiunas6699 3 years ago

    I am using only Google prompt and backup codes so I am safe, right?

  • @melitgreybeardivey7436
    @melitgreybeardivey7436 6 years ago

    Can the key be used for more than one online identity, e.g. both a personal and a commerce account?

  • @mashy1979
    @mashy1979 6 years ago +4

    Awesome video Gary

  • @ColonelLucario
    @ColonelLucario 5 years ago +1

    For the wireless mode for the key, can it be compromised?

  • @MasterOfMisc
    @MasterOfMisc 6 years ago +1

    Great video. Nicely explained.

  • @nirmalg712
    @nirmalg712 6 years ago

    What is your opinion on biometric authentication systems? I am very interested in understanding how safe/scalable the Indian unique ID program Aadhaar is.

  • @MirkWoot
    @MirkWoot 6 years ago

    Thanks for a good informative video, not one that seems like a commercial.

  • @DavidVillalobos1
    @DavidVillalobos1 6 years ago +3

    Can you use the same key on more than one account?

  • @danimoosakhan
    @danimoosakhan 6 years ago +1

    I am using password manager and 2FA with OTP. Is that secure enough in the era we live in right now?

    • @GaryExplains
      @GaryExplains 6 years ago +2

      That is certainly better than just using the username/password combo, however there are some disadvantages when compared to Security Keys, namely you can still be tricked into typing in the OTP via a phishing attempt.

  • @JessieS
    @JessieS 5 years ago

    Here is a question I have, if I have this and enable to strictly use YubiKey to authenticate, does that mean that every time I want to check my emails via the phone's app I have to use this key?

    • @poojankhanpara
      @poojankhanpara 5 years ago

      You can set it to trust your device, so you will only need it once

  • @laverneclark8191
    @laverneclark8191 5 years ago

    Gary, will your suggestions work if you have 2 YubiKeys as opposed to a YubiKey and a bluetooth key fob?

    • @GaryExplains
      @GaryExplains 5 years ago

      Yes, it will work, but without a wireless key then it is harder to log in on a smartphone.

  • @anthonyfischer
    @anthonyfischer 5 years ago

    Excellent job, Gary!

  • @zyrelxdr6171
    @zyrelxdr6171 6 years ago

    Hi there professor Gary I would like to know if that is available in Asia?

  • @azclaimjumper
    @azclaimjumper 2 years ago

    Unless "Smart card Enabled" is programmed into & matched with your computer operating system you or anyone can still log into your computer with just your username & password. A PIN is required when you insert your Yubikey into a USB slot. If you don't insert a Yubikey, you or anyone can log into your computer with your username & password.
    I've locked down my BitWarden password Manager with YubiKey.

  • @petrslavik4356
    @petrslavik4356 6 years ago +2

    Great video Gary! But I think that security keys should be cheaper so more people would use them. Manufacturing cost isn't higher than 2€ and Google has this authentication implemented anyway ...

    • @GaryExplains
      @GaryExplains 6 years ago +1

      I agree that a lower price will certainly help improve take up. However where do you get the 2€ cost from? I would be interested to see the data. Also does that factor in R&D?

    • @petrslavik4356
      @petrslavik4356 6 years ago

      It was just a guess, I don't think that the key contains some super dope chip, more money perhaps go to software. And clearly, Yubikey has to ask for 25€ (and I feel completely fine giving them the money), but Google could keep the prices lower.

    • @GaryExplains
      @GaryExplains 6 years ago +1

      I think the thing to remember is that the authentication part of the circuitry needs to be tamper proof and secure. It isn't just a simple circuit that produces random numbers. But having said, neither is it as complex as a Raspberry Pi, and the Raspberry Pi Zero costs less!!!

    • @petrslavik4356
      @petrslavik4356 6 years ago +3

      That's exactly what I meant. When people see that you have some small keyring that only logs you to your PC (or Google etc) and that's all and you paid 25€ for it, they will laugh at you. On the other hand, these people tend to open presentations of kitties from strangers and use one password for all their services. My point is that if Google would make these keys in large, they could make it affordable for everyone. And don't forget that you actually need two keys ...

  • @REVNUMANEWBERN
    @REVNUMANEWBERN 2 years ago

    Gary, have you made an update EXPLAINING what Michael Lee commented on below??

    • @GarySims
      @GarySims 2 years ago

      Michael Lee? I don't see a comment by him, but I am looking on my mobile. What did he ask?

  • @oriel151
    @oriel151 6 years ago

    Great as always, thank you Gary 😇

  • @ultradax
    @ultradax 6 years ago +10

    Hi professor..
    Can you explain to us what a hardware wallet is and how it works.. and how secure it is

    • @GaryExplains
      @GaryExplains 6 years ago +2

      Are you referring to hardware based Bitcoin wallets?

    • @ultradax
      @ultradax 6 years ago

      Gary Explains yes sir

    • @1MarkKeller
      @1MarkKeller 6 years ago +1

      *BLOO!*

    • @ultradax
      @ultradax 6 years ago

      Mark Keller yes?

    • @carpettunnel8837
      @carpettunnel8837 6 years ago

      It’s basically the same concept as U2F, private key is stored in the device, never exposed to your computer. Only the public key is exposed.

  • @victorguerrero5540
    @victorguerrero5540 6 years ago +1

    Hey man, thanks for the information. I will be moving over to this security setup.

  • @pfabiszewski
    @pfabiszewski 6 years ago

    Nice video! Please write me if I get it right. Method that you mentioned is secure if someone tries to hack into your account from different device. But when you click the box "don't ask again for this device" this method of protection has no benefits if someone got physical access to your hardware? Am I right?

  • @AnasElAbboud
    @AnasElAbboud 5 years ago

    Can I synchronize Ubuntu with Google with key process activated?

  • @RockTheCage55
    @RockTheCage55 5 years ago

    What you can do (which is what I will be doing) rather than having to buy two keys is use Google Authenticator as a backup authentication mechanism. Granted, I don't think this will work for Google's Advanced Protection Program (which I assume most users won't do). Then of course you always have your backup codes they spit out when you set everything up. I'm going to a YubiKey 5 Neo which is $50 instead of $20 because not that many sites now support U2F (not even LastPass :( ). I think OTP support is very important. I might buy another key long term but for now I want of course to try it out before I decide to sink $100.

  • @Yathuprem
    @Yathuprem 6 years ago +1

    Do you need to charge the wireless key?

    • @GaryExplains
      @GaryExplains 6 years ago +2

      Yes, but the battery life is quite long. According to the docs: The MultiPass FIDO® Security Key can be used for around 3 months for each full charging (Assuming using Bluetooth authentication 10 times / day).

  • @chriscasmaer6590
    @chriscasmaer6590 5 years ago

    Cheers... Very Well Done. Thanks for the video !

  • @1MarkKeller
    @1MarkKeller 6 years ago +1

    *GARY!!!*
    *Morning Professor!*
    Such a shame we have to do all of this just to stay safe online ... and offline.

  • @jagardina
    @jagardina 6 years ago +1

    I hate youtube videos that result in my buying things.
    I'm buying these things.

  • @nir8924
    @nir8924 6 years ago

    Have you tried Linux support for this?

  • @khalidskalli3371
    @khalidskalli3371 5 years ago

    Great Gary thanks!

  • @iamswaruppandey297
    @iamswaruppandey297 6 years ago +1

    Superb Video Gary, Keep it up

  • @patrickcadette
    @patrickcadette 6 years ago

    😁😁😁👍👍👍👍👍..thanks always wanted one..will sure be getting one .well 2 soon...

  • @Panzer_Z
    @Panzer_Z 6 years ago

    Unless it has been fixed, I heard Android TV boxes can't sign into their G accounts due to them not being able to use these keys.

  • @paulcaskey
    @paulcaskey 6 years ago +2

    Better to not have your computer or phone be a trusted device. That way if someone else gets a hold of one of them, they can't use them absent the Yubikey.

  • @AbhilashKrishnamurthy
    @AbhilashKrishnamurthy 6 years ago

    Have you made a video on VPNs? Why not make a playlist dedicated to online security and include this video and other methods?

    • @GaryExplains
      @GaryExplains 6 years ago

      I have a video on VPNs here: ruclips.net/video/xGjGQ24cXAY/видео.html

  • @DSRE535
    @DSRE535 4 years ago +1

    I hope these work because I've had these attacks happen to me for quite a while, it really can destroy your life, wish I knew about these earlier

  • @ukd8387
    @ukd8387 4 years ago

    great thx!

  • @piyushmittra
    @piyushmittra 6 years ago

    Are those Fido keys?

    • @GaryExplains
      @GaryExplains 6 years ago +1

      Yes, FIDO U2F keys. The simple one is the Security Key by Yubico, and the other is the Fido Feitian Multipass Security Key.

  • @europeancentralbank1833
    @europeancentralbank1833 5 years ago

    A third problem is malware, which you didn't mention.

  • @pernilsson2394
    @pernilsson2394 4 years ago

    Are these things really safe or is it just some other crap? Has anybody tried to hack them? Anything that sounds too good to be true...

  • @Johnnyboycurtis
    @Johnnyboycurtis 5 years ago +1

    “Advanced phishing attack”. - shit any teenager can do

  • @godfreytomlinson2282
    @godfreytomlinson2282 6 years ago

    He's in Romania?

  • @HG-mt3vl
    @HG-mt3vl 5 years ago

    Hi Gary, just got your email from the video ..

  • @LukeT1
    @LukeT1 5 years ago

    This is an extremely frustrating video. After watching five and a half minutes of explanation, you then say "Let's go quickly through those steps." Then the video jump cuts to where you have already registered your key! You did not go through the steps! I have no idea how to get the process started.

    • @GaryExplains
      @GaryExplains 5 years ago

      I show you how to register the second key, the steps for registering the first key are identical. I thought that would be obvious. Google has some great information on this, I found it with 1 search using Google, it isn't hard to find: support.google.com/accounts/answer/6103523

    • @LukeT1
      @LukeT1 5 years ago +1

      @@GaryExplains There are SEVERAL steps necessary prior to where you jump cut to. For example, you have to turn on 2-step verification on your Google account. You don't even mention it or how to do that. If I have to search for and watch other videos, then what is the point of watching yours?

    • @GaryExplains
      @GaryExplains 5 years ago

      @@LukeT1 OK, I really am sorry that you are struggling with this. However, I don't think the title of the video is "step by step guide to using a security key." It is about the idea/concept with a little bit of a tutorial to nudge you in the right direction and show how it works. I don't think you can get all uppity with me because the video doesn't show you what you don't know. The video does what it says in the title, it tells you why using a security key can help.

    • @LukeT1
      @LukeT1 5 years ago +1

      @@GaryExplains Your exact words: "With Google's advanced protection program, you go to their web site, and you register the two keys, and then you turn on the advanced protection system. SO LET'S GO QUICKLY THROUGH THOSE STEPS." Then you jump cut and have skipped most of those steps. If I am holding two new keys in my hand, and want to learn how to actually get started and make them work, your video is a waste of time. I need a FULL explanation of the steps. Here is what you skipped over:
      Go to your Google Account.
      On the left navigation panel, click Security.
      On the Signing in to Google panel, click 2-Step Verification.
      If you haven’t set up 2-Step Verification already, click Get started
      Click Choose another option and click Security Key.
      Follow the steps to add your Security key.
      Why would someone who needs a full explanation watch your video if it is not complete?

    • @GaryExplains
      @GaryExplains 5 years ago

      @@LukeT1 Wow, you really are upset with me. LOL. I was expecting people to watch the video so they could find out the benefits of using these keys, it was never intended to be a step by step guide. What is odd is that you have wasted more time ranting at me about this than you probably did looking up that you had to click on the Security tab! Now I think about it there were lots of other steps I missed out: 1) Make sure your PC is connected to the mains power. 2) Switch it on. 3) Start the web browser... But wait, what if you haven't bought a PC yet. I guess I should have included steps about where to buy one! 🙄

  • @uttamchandra9726
    @uttamchandra9726 6 years ago +2

    Yesssssss !!!! 1st view 1st comment !!!! 1st like !!!!! Hello !!!!! Very good evening professor !!!!! After sometime professor is back with a video !!!!! Knowledge at our home !!!!!

  • @timi_ro
    @timi_ro 6 years ago

    Talking about overkill!

  • @wirelesskiller9686
    @wirelesskiller9686 6 years ago

    But in reality they are a hassle to use

  • @martinbalaz5012
    @martinbalaz5012 6 years ago

    What is this accent? Is it British?

    • @GaryExplains
      @GaryExplains 6 years ago +1

      Accent? I don't have an accent! Everyone else does, but not me!!!! LOL 🤣

  • @harrytrueman4216
    @harrytrueman4216 3 years ago

    Yubikeys are 46 quid

  • @nurb2kea
    @nurb2kea 5 years ago

    What about USB being the weakest connection on any computer. Also a physical key can get stolen and being used, not so with passwords in your head.
    High security OS's like qubes OS, aren't giving you easy access to USB.
    Same with NFC and Bluetooth. With a good phone and reader you can copy all of it in seconds.
    There is no such thing, that is secure, because it's programmed from/by human.
    The complete concept is for the bin and has nothing to do with security but with making it harder to access. So if someone wants your data/passwords then he/she will get it anyways...
    No need to pay 20-60$ for a now trendy useless unsecure gimmick ...

  • @sbn025
    @sbn025 6 years ago

    $20 is way too expensive IMO

  • @antonstorozhuk6627
    @antonstorozhuk6627 5 years ago +1

    U2F for Jira marketplace.atlassian.com/1220048 is also available!

  • @stassji5041
    @stassji5041 4 years ago

    😎 See the results.