Finally someone who actually explains how to set up the damn thing... thank you!
The best - short and clear - video for starting in the right way! Thank you so much
This is a fabulous video and one I really needed after my Yubi purchase--ty!
Finally found what i needed
Thank you!!!
Great video. I was looking for the promised next one. Regardless, thanks for making this. These instructions will be very useful.
Thank you for your explanation. I found Yubico's setup explanations to be incomplete -- they never discussed this Yubikey manager download. They tell you to just log in to a website you want and set up your key. For me, Windows Security had me set a password, which is what I use. But now I'm confused -- is that Windows Security password the same as the FIDO2 password? I'm afraid if I reset the FIDO2 password, it will mess up the website I already set up with my Yubikeys!! Yubico needs to do a better job of explaining for newbies how to set up, from the beginning. Thanks!
Thank you so much for creating this video! It was extremely helpful! Have you produced a video explaining the OTP configuration options yet?
You can find all videos about yubikey on the appropriate playlist. I've covered various functionalities. ruclips.net/p/PLn9t_BnhwY0KXIqloOys7cCDFSHJycrDl
Thank you for all the yubikey videos, very helpful, nice to hear your accent, reminds me of my mamma. Regards Francò
Glad you like them!
@@codewrecks hey my friend, I bought the key 1 week ago and I don't have PIV options enabled, I can only click on FIDO2, so I don't even have access to set the PUK, any help?
@NowyPolus which model of key have you bought? It seems to me you have bought the basic security key ruclips.net/video/TABDv9436RI/видео.html
@NowyPolus which version of the key do you have? It seems you have the basic security key and not the 5 version
Excellent video!
Thank you very much!
Very good video CodeWrecks!! If I may ask, can I set it up after using my yubikey? And also I suppose I need to set up the manager tool also for the backup key?
Absolutely, you can change the PIN at any moment with the tool, even after you set up credentials. Changing the PIN is not a destructive operation. Backup keys are simply other keys that you register on a service, so basically, all the keys you have are treated as equals (even if in my situation not all keys contain TOTP seeds :) )
@@codewrecks Thanks!
That's my question too -- I set up a Yubikey for a website and Windows Security had me make a password, which I use. Is that the FIDO2 password you discussed -- so if I change FIDO2 password, it will change my Windows Security password, or will I be locked out?!?!
Excellent video. Thanks for sharing. I have two Yubikeys on order. Can you use the same PIN on the primary key as the backup key? It would be less confusing. Or wouldn't you advise this? Thanks.
I use the same PIN, I do not think that is a problem, and I agree that it is less confusing
Depends if it's the PIV or Fido. Most accounts won't let you use the same Fido PIN if you use 2 keys (one being the backup of the other).
Your English is really good
I was hoping to find where I would use these things. When logging in it asks me for a 4-digit PIN, but I hadn't used these in years so I thought it was asking me for the PIN/PUK -_-
Thanks for the info!
Good stuff!
Thank you sir.
Hi! Love the video, quick question? What is the management key used for? Does it keep a record of all the data on the Yubikey? If so would somebody be able to create a clone with another Yubikey if they had access to the management key? Please let me know asap :)
Here is the documentation, but generally speaking, it is not possible to clone a yubikey
docs.yubico.com/yesdk/users-manual/application-piv/pin-puk-mgmt-key.html#:~:text=The%20management%20key%20is%20used,it%20is%2024%20bytes%20long.
Great video, I'd like to ask which strategy you suggest for configuring the second yubikey, same codes or different ones? Thanks
Honestly, for the other yubikeys I use the same PIN, because having different PINs is unnecessary complexity in my opinion. Unless you work in a place where someone can see you typing the PIN every day and you are particularly paranoid :).
Thanks for your explanation.
One question. If I use my Yubikey mainly on my iPhone, can these PINs still be used in any way? I'm guessing they can't since you have no manager download available???
I don't have an iPhone and I've always set my PIN from a computer, but usually the first time you use FIDO2 functions, it is the operating system using the key that prompts you to change the PIN (I've tested on Windows but have no idea on iPhone).
Hello, I just bought 2 yubikeys 5c nfc, I downloaded Yubikey Manager for MacOS, clicked on Applications --> PIV --> PIN Management --> and I did setup the PIN, PUK and management Key... all good, then after a while, I just went to (for curiosity) Applications --> FIDO2 PIN, and it states that a PIN is set, but I didn't set that FIDO2 PIN, is that PIN the same I set up in the PIV application? I am confused, thank you.
No, they are different, usually they have a default. You just need to register your key with FIDO2 and if you did not set up a PIN you will be prompted to set one up for the first time.
support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs
The Yubico app doesn't seem to recognize the password manager. But thanks for this
Which password manager? Thanks.
@codewrecks 1password but I got it working, thanks
@codewrecks 1password, but I managed to get it working. Thanks. It does scare me to use it since it can lock up if I make too many mistakes lol
I recently bought a Yubikey 5 Nano and a 5Ci. I can register the 5Ci as a security key with my iPhone SE2, but not the Nano. These products are too difficult. I wasted $135.
So the FIDO PIN is the password to be used for applications account, the PIV PIN is personal identifier password, the PUK is password to unlock the PIV and the PIV management is the encryption of the key that can be changed and can be protected by another PIN (optional). For that last PIN, is it an altogether new one or is it the Fido or the PIV PIN? Correct?
Basically you have FIDO PIN and OpenPGP PIN. Those two you will use for every operation. Too many wrong PIN attempts will invalidate credentials.
Then you have PIV, for certificate management, etc. That part supports not only a PIN but also a PUK to unblock the PIN if blocked.
Can you change all these things if you already use the FIDO and OTP for different websites? Or will I not be able to access these sites anymore?
When you add a Yubikey on a site you usually use at least 2 different keys (to avoid being cut off if you lose a key), but usually you also have some "one time use" recovery codes that you can use in case of emergency. Also for most accounts you can also leave a standard authenticator code (I store the seed inside yubikeys but also save the QR inside a keepass archive to use in case of an emergency)
@@codewrecks I think what @JamieEyre is asking is that if they started using the Yubikey for Authenticator security and signing onto Microsoft Office and other sites that do not use the Authenticator but some other security process - once the PIV PINs are reset and regenerated, then will ALL the previous Yubikey access set up be erased and the key will not be able to access these sites unless the key is set up again from scratch? Is this correct? So all the sites set up with Yubikey and do not have default PINs changed have to be set up again?
@@sak123utube I understand now. The PIN does not reset contained credentials, you can change the FIDO2 PIN and still use the key in all the services where you used the key before. The only problem is when you type the WRONG PIN 8 times. In that situation the internal keys are reset, to prevent an attacker from being able to brute force the PIN.
I'm planning more videos on the subject where I will show what happens if you change the PIN (nothing) vs. what changes if you type the wrong PIN too many times.
6:45 what exactly is this management key? and if I have 2 yubikey and copy the first management key to my 2nd yubikey what will happen?
I strongly suggest you read the official documentation that will explain in detail when the management key is used. docs.yubico.com/yesdk/users-manual/application-piv/pin-puk-mgmt-key.html
Most banks here in Australia still rely on SMS. I often think the adoption of more security is not "black & white" as everyone makes it out to be.. What's most compatible is the 'key'
Most won't get a USB FOB just to login to their bank, they will just use what they already have (a smartphone), not to mention you would have to switch banks just to be "more secure"
So, it's fine saying all of this as it should be easy, but in reality it's not. Also perhaps most convenient, but all of these security products (even password managers like BitWarden) the weakest link is always "convenience" as a PIN is easy to remember, but it's used to unlock something that is more secure.. I guess there is no other way to do it, but I always picture that as "the weakest link" (I always liked that TV show)......*thinks*
Well the key can act as a backup or vice versa. I wouldn’t just only have my phone for two factor.
Is there an option to use the yubikey manager without a computer...mine is a Surface Pro and they don't support the ARM processors. So far I cannot find another way to manage the key PIN without it...?
Try to read the documentation at this address docs.yubico.com/software/yubikey/tools/ykman/Install_ykman.html they have an OS-independent install using Python and pip (never tried though so do not know if it can work for you)
Can you use the same yubikey for windows and macOS?
Absolutely
Thanks for reply. Greetings from Puerto Rico!
What do I do if my Yubikey manager dashboard only shows the firmware number but no serial number? It has detected my Yubikey
Are the other functions available?
Hi, when I add a yubikey I want the yubico admin app to ask for the password before accessing it. How can I do this like with Yubico authentication?
Actually the application does not have a password, this is mainly because no operation is present to extract keys or other sensitive information. All you can do is reset the key or set the PIN the first time.
How do you reverse the setup and delete the key requirement from a laptop?
Is there another video that explains the process?
Actually this video is about setup of your key, no information is bound to the computer you are using.
What operating system are you using? On Windows you can use Yubikey with Windows Hello login, so you should remove it from that section
@@codewrecks It's very difficult to unravel a person's misunderstanding ... then start again to make him/her understand.
The key works to logon.
Yubikey required, windows 10.
I want to reset the laptop back to pre-Yubikey setup, and login with normal startup...
Clear?
User, ...key reset does not work.
@@enrgz For windows 10 this is the official link for windows configuration. support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide
You should have installed the YubiKey for Windows Hello app used to manage the login.
Do I need to use a different PIN and PUK for each key? I have 3 yubikeys
I use the same PIN for all of my keys, hardware protection that allows only 8 attempts is enough.
Excellent video, thank you very much 👍👍
Aish Af3aaaaaal
You always say password manager... but if you need the PIN/PUK for the password manager, you lock yourself out
The password manager where you keep the PIN and PUK must not be protected with the yubi.
Also I wrote them down and store them in my house
@@codewrecks does that mean that you have two password managers?
Yes, I have a keepass archive protected with yubikey, that is the important one.
Then I have bitwarden with pin/puk and some less important stuff protected with a long password and Yubikey.
I have 4 yubikey configured, so I'm pretty sure I'll not be cut off.
@@codewrecks lol that's a bit too much for my taste
@@Golden2Talon Yeah you are probably right :D :D. But I have some credentials that are for customers VPN / Account where I'd like to have maximum security, and I'd like not to mix with other credentials that are everyday usage (like the shop where I buy food for pets)
That allows me to choose settings for argon2 in keepass that make the archive more secure, but virtually very difficult to open on a device :).
Useless really, you read what's in the app, don't explain what the stuff is!
Thank you, thank you CodeWrecks. I was a bit lost when I got the key but this video clarified everything for me! :)